Joe Schreiber, solutions architect at AlienVault, discusses five clear ways in which SIEM can save you precious time
Security Information & Event Management (SIEM) often has a problem with how it is perceived. Misunderstanding of SIEM can give the impression you need teams upon teams of people to implement the tool properly.
However, when explained properly, it can be clear that it’s a great automation tool and works particularly well as a time saver.
Here, Joe Schreiber, solutions architect at security management firm AlienVault, discusses five ways in which SIEM can save precious time:
Wouldn’t it be great if there was a better name for Security Information and Event Management (SIEM)? Perhaps something like Management and Automation of Great Information and Compliance – or MAGIC. It has a much better ring to it (maybe this is the reason I don’t work in marketing). However, in addition to the name, SIEM also has a perception problem. It’s often seen as a daunting tool, requiring teams of people to set it up, teams of people to manage it and a PhD to understand its output. Like many things that are misunderstood, once you get to know them, you realise they aren’t as intimidating as you anticipated. SIEM at its core is really an automation tool. Often the result of this automation is an alert or alarm for someone to investigate, but the same process can be used for so much more. Like any good tool, SIEM can save time, and with limited resources, time is precious. Here are some examples of how:
1. Event Triage
A SIEM can have a variety of events come in for analysis. They vary in priority as part of risk scoring, but they also differ in the skillset needed to address them. In fact, the logic of “what do I work first?” and “who works what?” can all be handled from inside the SIEM. Should an intrusion analyst be working alarms for a Link Down on a switch, or should your network admin? Let the SIEM perform this initial event triage and avoid the time wasted on overlap.
2. Batch Processing
The prioritisation of events by the SIEM gives you the option of working low-priority events in batches. Generally these low-priority events have a small marginal labour cost, so batching them together can really save time. A pertinent example of this would be software updates. IDS and many other systems feeding your SIEM will send alerts when they see activity from vulnerable software. Running a periodic report from the SIEM can batch this task; use that data to set the work queue of updates, or even feed another system to perform the updates. This method also keeps these low-priority events out of the queue, so they never occlude the high-severity events.
3. Threat Intelligence
Threat Intelligence can yield the highest time savings, though it’s also one of the more difficult ones to quantify. Having said that, it is very easy to integrate into most SIEMs, and some even have it built right in. The crowd-sourcing power of the Internet brings a level of awareness and, even more importantly, confirmation and reliability to forensic investigations. Threat intelligence can extract more value from log data that is already being processed, helping find that proverbial needle in the haystack of information – with less effort.
4. Proactive Blocking
Though SIEM’s nature is rooted in the detection side of security, it’s perfectly capable of performing active blocking through the use of shuns, account locking and other access control methods. Using Threat Intelligence or Vulnerability Scanning as sources for blocking can help security teams gain time while they wait for patches, or try to prevent the spread of an infection or the exfiltration of data. However, there is a caveat to this: there must be full auditing of any type of blocking the SIEM may do. This is because if an outage occurs, the SIEM must be immediately ruled in or out as the cause, and the block must be able to be rolled back.
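As an added illustration of the triage (section 1), batching (section 2), threat-intelligence enrichment (section 3) and audited blocking (section 4) described above, the following is example code written for this page, not AlienVault’s or the author’s; the event records, the threat-intelligence list, the queue names and the risk threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events; a real SIEM would normalise these from IDS, switch and host logs.
EVENTS = [
    {"id": 1, "type": "link_down", "src": "10.0.0.5", "risk": 2},
    {"id": 2, "type": "ids_vuln_software", "src": "10.0.1.20", "risk": 3, "detail": "outdated OpenSSL"},
    {"id": 3, "type": "ids_vuln_software", "src": "10.0.1.21", "risk": 3, "detail": "outdated Java"},
    {"id": 4, "type": "malware", "src": "10.0.2.9", "risk": 9},
    {"id": 5, "type": "ids_c2_beacon", "src": "10.0.2.10", "risk": 6},
]
# Constructed threat-intelligence indicator set; a real one would come from a feed or shared community data.
THREAT_INTEL = {"10.0.2.10"}

# Routing rule: which queue owns which event type (the "who works what" decision).
QUEUE_BY_TYPE = {"link_down": "network_admin", "ids_vuln_software": "patch_batch",
                 "malware": "intrusion_analyst", "ids_c2_beacon": "intrusion_analyst"}
BATCH_THRESHOLD = 4  # constructed: events at or below this risk are batched instead of alarmed


def block(src, reason):
    """Build the audit record for an automated block, including how to undo it.

    Every block the SIEM issues is recorded so that, after an outage, the SIEM can be
    ruled in or out as the cause and the block rolled back from the record alone.
    """
    return {"ts": datetime.now(timezone.utc).isoformat(), "action": "shun", "target": src,
            "reason": reason, "rollback": {"action": "unshun", "target": src}}


def triage(events, threat_intel):
    """Return (queues, audit): queues maps owner -> events, audit lists every block issued."""
    queues = defaultdict(list)
    audit = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's records
        # Threat-intel enrichment: a known-bad source raises priority and triggers an audited block.
        if ev["src"] in threat_intel:
            ev["risk"] = max(ev["risk"], 8)
            ev["ti_match"] = True
            audit.append(block(ev["src"], reason=f"threat intel match on event {ev['id']}"))
        owner = QUEUE_BY_TYPE.get(ev["type"], "intrusion_analyst")  # unknown types go to a human
        # Low-priority patch work is held for the periodic report rather than raising an alarm.
        if owner == "patch_batch" and ev["risk"] > BATCH_THRESHOLD:
            owner = "intrusion_analyst"
        queues[owner].append(ev)
    for q in queues.values():  # "what do I work first?": highest risk at the top of each queue
        q.sort(key=lambda e: -e["risk"])
    return dict(queues), audit
```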
5. Investigation Preparation; aka Pre-Investigation
The ability to investigate all alerts through scripting is assuredly a great goal, though in reality that day will likely never arrive. I’ve scripted myself out of many other projects and jobs, trust me – so far security isn’t one of them. However, a more practical approach is to use scripting to gather information an analyst may need for an investigation. If the alarm is indicating malware, perhaps a script could perform an automatic capture of the host’s memory. This gets data as close in time to the incident as possible. It also saves time as the analyst has all the information they need before they even start the investigation.
SIEM should not be intimidating; it’s a valuable time-saving tool that is effective in organisations of all sizes. Effort put into customising a SIEM will yield long-term time savings and will improve reaction time to all incidents, something that is crucial to all businesses.