From time to time, you hear comments in security discussions that “Security Information & Event Management (SIEM) is dead” or that it does not provide sufficient benefit as input for detecting and handling security incidents. The person making the claim may have their own agenda: replacing SIEM with another product, or experience from their own operating environment where SIEM has not been needed or has been perceived as useless.
However, without taking an immediate position on whether SIEM is necessary or not, the matter can be considered from a few angles. Based on these thoughts, readers can then decide for themselves whether SIEM is necessary and what it might offer them. What does SIEM actually offer, and for what purpose? Where is SIEM good, and for which purposes and needs might better tools exist? Whose need is being discussed in each context: the organization itself, the Security Operations Center (SOC), or someone else?
INVESTING IN COLLECTING LOGS
This blog post focuses mainly on detection, for example the Detect function of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and on what SIEM as a tool can provide in that context. It is true that collecting logs for a SIEM implementation requires investment, and the workload can be large. The starting point for planning is to know the operational requirements and to define a log policy, which creates the basis for technical monitoring. Based on this, one can design an architecture and decide what is collected, from where, and how. It is not necessary to gather everything in one place: you can instead use analytics in the cloud and pass the resulting events to whoever handles them, e.g. the SOC, rather than building the detections yourself in SIEM. In reality, some sort of SIEM or data lake in the cloud is still running in the background.
USER ACCOUNTS AND WORKSTATIONS ARE MOST OFTEN COMPROMISED IN ORGANIZATIONS
The most common way is to email the user an attachment or link in order to gain access to the workstation or the email account, often Office 365 (O365). From the point of view of implementing detection, I would take advantage of the security features of Microsoft’s O365 email service, for example, instead of collecting the data in my own SIEM and building alerts. At the workstations the situation is partly the same, but can we investigate what has happened in more detail if necessary? Many security systems do not provide sufficiently detailed information about events, and this could be supplemented, for example, by using Windows System Monitor (Sysmon) to collect more detailed information. This data can and should be collected in SIEM to support analysis. Of course, newer Endpoint Detection and Response (EDR) tools collect information and logs into the vendor’s cloud services, from which alerts can be raised.
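As an added illustration of the kind of detail Sysmon gives a SIEM for the email-attachment scenario above (example code written for this post, not part of the original), the following reads constructed newline-delimited JSON shaped like Sysmon process-creation events and flags an Office application spawning a script host, which an EDR alert alone often does not show in this detail. Field names follow Sysmon's Event ID 1 (Image, ParentImage, CommandLine); the hosts, users and command lines are made up.

```python
import json

# Constructed sample: one JSON object per line, shaped like Sysmon events a log
# forwarder might ship to a SIEM. EventID 1 = process creation, 3 = network connection.
SAMPLE_NDJSON = r"""
{"EventID": 1, "Computer": "WS-0123", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"WINWORD.EXE\" /n invoice.docx"}
{"EventID": 1, "Computer": "WS-0123", "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc <constructed-placeholder>"}
{"EventID": 3, "Computer": "WS-0123", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 1, "Computer": "WS-0456", "User": "CORP\\bob", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
"""

# Parent/child pairs that are rarely legitimate on a user workstation.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_ndjson(text):
    """Parse one JSON object per non-empty line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawning_script_host(events):
    """Return process-creation events where an Office app is the parent of a script host."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:  # only process-creation records carry ParentImage
            continue
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            hits.append({"host": ev.get("Computer"), "user": ev.get("User"),
                         "parent": parent, "child": child,
                         "command": ev.get("CommandLine", "")})
    return hits


if __name__ == "__main__":
    for hit in office_spawning_script_host(parse_ndjson(SAMPLE_NDJSON)):
        print(f"{hit['host']} {hit['user']}: {hit['parent']} -> {hit['child']} :: {hit['command']}")
```

In a real deployment the same rule would run as a SIEM correlation search over the forwarded Sysmon channel, with the hit enriched by the Event ID 3 network record from the same host to support the investigation.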
FOR WHOM IS SNAPSHOT INFORMATION MOST USEFUL?
The word snapshot comes up in every security conversation with organizations. What it is and what it contains varies almost every time. It is often said that one should have access to SIEM and get different views and snapshots of technical events. The essential question is: to whom is this level of information relevant? For the SOC, yes, it definitely supports analysis, and for the organization’s technical staff it helps to understand events and can even provide information for proactive action. The security manager can look at the situation, but often the discussion is aimed at management, for which SIEM does not provide direct support. At the management level that information is much less useful, as the discussion there usually revolves around risks and incidents. Yes, these can be formed from SIEM data by analyzing it, producing security deviations, and describing what should be developed from the point of view of detection capability. This view is more understandable to management and can be discussed, remembering that detection is only one aspect of the whole.
SECURITY EVENT MANAGEMENT IS A NECESSARY EXTENSION TO DETECTION AND A REQUIREMENT IN ALL FRAMEWORKS
SIEM raises the collected events into the event management system. These are analyzed and security incidents are created, often in a separate ticketing system. The ticketing system is used to communicate with the various parties involved and to record the measures taken, which means the activities are documented at the same time. The ticketing system usually has built-in integration between the actors or portal views. Naturally, various means of communication between the people handling the incident are used in support. SIEM does not offer such features, although some kind of incident workflow has been modeled in SIEM products as well.
The latest addition in this area is the SOAR (Security Orchestration, Automation and Response) system. SOAR acts as a collection point, gathering alerts, ticketing and portals, and also automating SOC operations through use cases. SOAR does not directly replace SIEM; analysis and data collection must still take place somewhere behind SOAR. Automation sounds appealing to many, but it already requires reasonably good maturity in handling and responding to security incidents.
LOG COLLECTION AND MONITORING REQUIREMENTS ARE INCLUDED IN EVERY INFORMATION SECURITY FRAMEWORK
From a compliance point of view, the EU GDPR has been the most recently highlighted, requiring that the processing of personal data be traceable from a control point of view. Log collection and monitoring requirements are included in every information security framework. These control requirements must therefore be solved in IT environments and also in production environments (OT/ICS). Especially in multi-vendor environments, IT vendors do take care of compliance for the management of their own systems, but does that meet all the requirements of the organization itself? Most likely, the vendors do not monitor the use of the organization’s own services or react to anomalies in that use; instead, a separate security service, a SOC service, must be purchased. In this context, it may be quite justified to build SIEM oneself and to establish controls for both the management and the use of all relevant information systems.
SIEM IS NOT DEAD
In practice, current monitoring solutions are a kind of hybrid implementation rather than a fully centralized SIEM. SIEM is not dead; it is a very key component of information security monitoring. How monitoring solutions evolve depends largely on the organization’s current state, operational requirements and development investments. As in navigation, you must first know where you are before you can move on to the next waypoint or, in organizational terms, develop information security. Systems are needed to support analysis and produce information. Based on this information, it is possible to react, automatically or by people, according to pre-agreed or applied measures, and to ensure the continuity of the organization’s activities during information security events.
Information & Cyber Security Specialist