How to optimise the performance of SIEMs
With the following best practices, organisations can save up to 30% on their SIEM licensing costs per year, while significantly increasing the performance of their SIEM for faster detection, response and investigation of potential threats and security risks
Balancing efficiency and cost is key in every organisation. As basically every company has now become an IT company as well, IT departments are especially under tremendous pressure to "do more with less." With more and more assets going digital, monitoring the health and safety of your information infrastructure and using the insights you gather in a meaningful way can overwhelm even well-prepared teams.
It's no surprise that SIEMs (Security and Information Management Systems) often act as the nerve centre of enterprise security systems, and are a key part of a successful IT security strategy. But with everything going digital, the usage data that companies have to collect, store and digest is rapidly getting out of hand – so much so that organisations must either continually increase their SIEM budgets or else try to luck out high impact malicious activities. Also keep in mind that SIEMs are mainly good at creating analysis and reports and not for improving the baseline and foundation they build on: logs.
Optimising your SIEM (whether to save costs or improve your security operation's efficiency) is most easily and effectively done by also optimising your log management. Implementing a few key best practices will help you achieve huge immediate and long-term improvements, which will be realised both in your SIEM operation and in other areas such as compliance audits and – more generally – in making your SOC (Security Operations Center) team's life easier.
Top 8 best practices:
1. Avoid compatibility issues: your analytics can be only as good as the data you work from: Since most networks are very diverse, when choosing a log management tool, pick one that has a wide platform and log source support (including but not limited to syslog formats, simple text files, database files like SQL, Oracle, SNMP traps).
2. Extract the valuable information from logs and feed your SIEM a reduced amount of log data: Your "SIEM-feeding" tool should also be able to process and provide structured and unstructured data, and have transformation features like filtering, parsing, rewriting, classifying at disposal. With such a feature set, you only need to forward the most valuable information and thus significantly reduce (real-world use cases show up to 40% savings in 1 year) your event-based SIEM licensing cost, or provide an enriched and reformatted log stream for easier analysis.
3. Ensure regulatory compliance with your default log collection and storage: Transformation features like anonymisation and pseudonymization are important to comply with international data handling and privacy standards like PCI-DSS, HIPAA and the upcoming GDPR in the European Union.
4. Compress your log messages: It's also worth noting that both internet and intranet network bandwidth can vary greatly, so your log management tool should be able to work even in very bandwidth-limited situations. Compressing log messages on the fly can radically reduce bandwidth consumption, and make your central log collection faster which also results in faster response to potential security or operational risks.
5. Be sure you're losing no more than exactly zero log messages: What if you lose a single a log message? Probably nothing happens, unless it happened to be the only sign of an ongoing data breach. Message-loss prevention features like buffering, failover destination support, message rate control and application-level acknowledgement are very important. Be sure that nothing gets is as a result of a temporary failure of your logging infrastructure, or because it isn't up to the task.
6. Rich functionality should be accompanied by highly scalable and reliable performance: Specialised tools with robust architectures can handle traffic ranging from just a few hundred logs per sec to up to hundreds of thousands of events. There are a lot of moving parts, dependencies and variables here, but generally speaking, unless you're web-scale, you shouldn't have volume-related problems, even with active indexing.
7. Integrate and feed your SIEM with Privileged Activity Monitoring data: Although most user activities leave traces behind in logs, there are several user actions (especially those executed by privileged users through the administrative protocols such as SSH or RDP) that cannot be seen in logs or SIEM analytics. By integrating a SIEM with a Privileged Activity Monitoring solution, organisations can analyse the riskiest user activities in real time to help prevent the most costly types of cyber-attacks and privilege account misuse.
8. Prioritise your SIEM alerts: Does your organisation receive too much log data or too many SIEM system false positive alerts for immediate investigation by a small, over-taxed security team? The fact is that an average security professional usually has just 7 minutes per SIEM alert to decide whether an APT attack is underway or a user just opened a phishing email. Based on how privileged the user in question happens to be and the difference in situational behaviour versus the original baseline activity, User Behavior Analytics solutions can pinpoint the riskiest security issues. And that's exactly why your organisation first launched its SIEM solution: to dramatically reduce the time needed to detect, respond and investigate potential threats, and to return the enterprise to full security.