Introduction
One of the core requirements of an ISMS is to have a process for handling security incidents. Thus many organizations find themselves forced by regulation into running a SIEM (security information and event management). While it is widely understood that the availability of accurate log data is a mandatory requirement for a working security incident management process, many organizations are still struggling to make sense of it.
The problem starts with the technical definition of a security incident. Since a single log record is usually not significant enough to trigger an alert, you will have to collect log records centrally, pipe them to your SIEM platform, define time windows, and specify events and event counts in order to build rules that describe meaningful scenarios. It is easy to see that without experience and knowledge of real-world attack patterns, an organization will most likely end up in one of two extremes: either the rules will fire very rarely or too frequently. In the first case, you simply will not be aware of incidents; in the latter, your incident management process will be overloaded with a huge number of false alarms. In fact, this leads to the same result – unnoticed incidents – as your staff is busy working on harmless artefacts.
From that perspective, it is no surprise that recent studies found that the average detection time of a security breach is more than 200 days, and that incidents often only get detected through observation from outside the organization. To make things worse, the log volume can quickly reach terabytes, which calls for appropriate storage – and possibly increased license fees from the SIEM vendors. Security is entirely mysterious: this seems to be the conclusion many organizations draw, but first let’s step back and look at where we want to go.
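To make the "time window plus event count" idea concrete, here is a small correlation rule written for this article as an added illustration; it is not code from the authors or from any SIEM product. It reads constructed, key=value style authentication log lines (the format, hosts, users and addresses are all invented for the example), keeps a sliding window of authentication failures per source address, and raises an alert when a burst of failures is followed by a success. The `threshold` and `window_seconds` parameters are the tuning knobs the text talks about: set them loosely and the rule also fires on an ordinary user who mistyped a password once, set them too strictly and it never fires at all.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real system): a burst of failures from
# one source followed by a success, plus ordinary logins for comparison.
SAMPLE_LOG = """\
2024-03-01T08:00:01 host=web01 event=auth_failure user=alice src=10.0.0.5
2024-03-01T08:00:03 host=web01 event=auth_failure user=alice src=10.0.0.5
2024-03-01T08:00:04 host=web01 event=auth_success user=bob src=10.0.0.9
2024-03-01T08:00:05 host=web01 event=auth_failure user=alice src=10.0.0.5
2024-03-01T08:00:07 host=web01 event=auth_failure user=alice src=10.0.0.5
2024-03-01T08:00:09 host=web01 event=auth_failure user=alice src=10.0.0.5
2024-03-01T08:00:11 host=web01 event=auth_failure user=alice src=10.0.0.5
2024-03-01T08:00:12 host=web01 event=auth_success user=alice src=10.0.0.5
2024-03-01T08:20:00 host=web01 event=auth_failure user=carol src=10.0.0.7
2024-03-01T08:25:00 host=web01 event=auth_success user=carol src=10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    event["ts"] = datetime.fromisoformat(m.group("ts"))
    return event


def correlate(log_text, threshold, window_seconds):
    """Sliding-window rule (hypothetical, for illustration):

    alert when at least `threshold` auth_failure events from the same source
    fall inside `window_seconds` and are followed by an auth_success from
    that source before the window has expired.
    """
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still in window
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        src, ts = event["src"], event["ts"]
        queue = recent_failures[src]
        # Drop failures that have aged out of the window before evaluating.
        while queue and ts - queue[0] > window:
            queue.popleft()
        if event["event"] == "auth_failure":
            queue.append(ts)
        elif event["event"] == "auth_success":
            if len(queue) >= threshold:
                alerts.append({"src": src, "user": event["user"],
                               "failures": len(queue), "at": ts})
            queue.clear()  # one alert per burst, then start over for this source
    return alerts


if __name__ == "__main__":
    # Three tunings of the same rule on the same data: one firing on the real
    # burst only, one never firing, one also firing on carol's single typo.
    for threshold, window_seconds in ((5, 60), (10, 60), (1, 600)):
        hits = correlate(SAMPLE_LOG, threshold, window_seconds)
        print(f"threshold={threshold} window={window_seconds}s -> {len(hits)} alert(s): {hits}")
```

Run against the constructed sample, `threshold=5, window_seconds=60` yields exactly one alert (six failures from 10.0.0.5 followed by a success), `threshold=10` yields none, and `threshold=1, window_seconds=600` also flags carol's single failed attempt. The two extremes the text describes are the two wrong tunings of the same rule.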
SIEM objectives
Log events need to be collected centrally, and alerts need to be triggered in a timely manner with high precision. All events worth an investigation should be identified. Also, SIEM reports need to be aligned with the security policies of the organization in order to prove compliance. This implies that there can’t be a canned solution, although many organizations still seem to be searching for one. Adapting a SIEM will be quite a challenge, but it can be tackled. Properly tuned, 99.99% accuracy has been reported to be within reach, but how do you achieve this?
Solutions
You should follow a top-down approach: start by writing the logging policy. Only the log data it specifies should be sent to the central log server. This will help you control your log volume while concentrating on the crucial events.
Next, make sure that you have identified your critical assets - your crown jewels. At the bare minimum, you will want log correlation for these. Connect your assets to your SIEM platform and make sure you have processes in place to register new assets and deregister decommissioned ones. Verify that all registered assets are sending log records on a regular basis. Make sure your capacity management and license management are monitoring storage and license usage.
Understand what normal network behavior is within the context of your organization. Understand the taxonomy of attacks: what happens at which phase of an attack, and how this network traffic can be distinguished from normal traffic.
Know your weak points. How long does it take you to install the latest updates? Is there a business reason why you cannot install an upgrade? Do your employees attend security training periodically?
Put these insights into rules. Define what needs to be done, and within what timeframe, when an incident is observed, and set up an incident response team. Having identified threats, vulnerabilities and the value of your assets beforehand enables you to run a prioritized, risk-based approach, which will increase efficiency. Start small: a few highly accurate rules are much better than a larger number of less accurate rules.
Consider using a state machine model to track, link together and escalate events over time. Make sure, e.g. through a penetration test, that your detection and incident response are indeed capable of detecting malicious activities.
And last but not least, adjust your processes based on performance observed, changes in your infrastructure and changes to the threat landscape.
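The state machine model suggested above can be sketched in a few dozen lines. The following is an added example written for this article, not code from the authors or from a SIEM vendor. Each monitored asset carries a state that only advances when the next event type in an attack taxonomy (reconnaissance, credential attack, foothold, privilege change; the phase and event type names are invented here) is observed within a time-to-live. Events that arrive out of order are ignored, a chain that goes quiet longer than the TTL falls back to normal, and reaching the final state emits an escalation record carrying the ids of every linked event, which is what an analyst or a ticket would need. The event records are constructed dicts, standing in for whatever your collector produces.

```python
from datetime import datetime, timedelta

# Transition table (hypothetical): (current state, event type) -> next state.
# Any pair not listed is ignored, so a lone auth_success never starts a chain.
TRANSITIONS = {
    ("NORMAL", "port_scan"): "RECON",
    ("RECON", "auth_bruteforce"): "CREDENTIAL_ATTACK",
    ("CREDENTIAL_ATTACK", "auth_success"): "FOOTHOLD",
    ("FOOTHOLD", "privilege_change"): "ESCALATED",
}


class AssetTracker:
    """Per-asset state machine that links events over time and escalates."""

    def __init__(self, ttl_seconds):
        self.ttl = timedelta(seconds=ttl_seconds)
        self.state = {}        # host -> (state, timestamp of last progression, linked event ids)
        self.escalations = []  # records handed to incident response

    def observe(self, event):
        host, ts = event["host"], event["ts"]
        state, last_ts, chain = self.state.get(host, ("NORMAL", None, []))
        # A chain that has not progressed within the TTL decays back to NORMAL,
        # so an old port scan does not stay "hot" forever.
        if last_ts is not None and ts - last_ts > self.ttl:
            state, last_ts, chain = "NORMAL", None, []
        nxt = TRANSITIONS.get((state, event["type"]))
        if nxt is not None:
            chain = chain + [event["id"]]
            state, last_ts = nxt, ts
            if nxt == "ESCALATED":
                self.escalations.append({"host": host, "chain": chain, "at": ts})
                # Hand-off done; reset so the next campaign is tracked afresh.
                self.state[host] = ("NORMAL", None, [])
                return nxt
        self.state[host] = (state, last_ts, chain)
        return state


def T(s):
    return datetime.fromisoformat(s)


# Constructed events: a full chain on db01 interleaved with a scan of web01
# whose follow-up arrives long after the default TTL.
SAMPLE_EVENTS = [
    {"id": 1, "host": "db01", "type": "port_scan", "ts": T("2024-03-01T02:00:00")},
    {"id": 2, "host": "db01", "type": "auth_bruteforce", "ts": T("2024-03-01T02:10:00")},
    {"id": 3, "host": "db01", "type": "auth_success", "ts": T("2024-03-01T02:12:00")},
    {"id": 4, "host": "web01", "type": "port_scan", "ts": T("2024-03-01T02:15:00")},
    {"id": 5, "host": "db01", "type": "privilege_change", "ts": T("2024-03-01T02:20:00")},
    {"id": 6, "host": "web01", "type": "auth_bruteforce", "ts": T("2024-03-01T05:00:00")},
]


def run(events, ttl_seconds=3600):
    """Feed events through a tracker; return escalations, the per-event
    state trace and the final per-host state for inspection."""
    tracker = AssetTracker(ttl_seconds)
    trace = [(e["host"], e["id"], tracker.observe(e)) for e in events]
    return tracker.escalations, trace, tracker.state


if __name__ == "__main__":
    escalations, trace, final = run(SAMPLE_EVENTS)
    for step in trace:
        print(step)
    print("escalations:", escalations)
```

With the one-hour default TTL, db01 walks through all four phases and produces a single escalation linking events 1, 2, 3 and 5, while web01's brute-force attempt at 05:00 arrives too long after its scan and is judged on its own, leaving the host in NORMAL. Raising the TTL to four hours changes that decision: web01 then advances to CREDENTIAL_ATTACK with events 4 and 6 linked. The TTL is thus a tuning parameter of the same kind as a rule's time window, and worth validating with a penetration test as the text recommends.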
Linking to an ISMS
If you are running a SIEM largely for compliance reasons, your main focus has to be on consistency with your policies and on establishing the reports that will allow you to verify this. Also, automatic ticket generation would be desirable in order to prove that your processes are really working: if you have inaccurate rules and automatic ticket generation, most likely you will not be able to show evidence that security incident tickets are handled in a timely manner.
A good metric for judging the efficiency of a SIEM is the ratio of true incidents to total incidents reported. If this ratio is 99% or worse, a low maturity level can be stated.
Also, the response time is important: how long did it take from the first suspicious events to remediation? Is this time within the boundaries defined by SLAs and policies?
Conclusion
Introducing a SIEM to an organization without proper planning has the potential to become a real disaster. Therefore, make sure you have understood the challenges and have skilled and experienced staff to deal with them.
An organization that has successfully implemented a SIEM is PECB, a global certification body for persons, management systems and products. PECB has integrated its Events page with a ticketing system that is continually monitored for potential user issues. Apart from implementing these measures, PECB also offers educational tools such as training courses, webinars and articles to increase the awareness of other organizations of effective information security frameworks.
About the authors:
Friedhelm Düsterhöft is a Senior IT Security Consultant and Managing Director of msdd.neT GmbH, offering ISO 27001 implementation, audit and training services. Please contact him at fd@msdd.net to discuss your specific needs and challenges. msdd.neT is an official PECB partner.
Gezim Zeneli is a Portfolio Manager for Information Security at PECB. He is in charge of conducting market research while developing and providing information related to Information Security Standards. If you have any questions, please do not hesitate to contact: marketing.sec@pecb.com.