For many companies, the “boy who cried wolf” isn’t a fable. A constant stream of security alerts generated by security information and event management (SIEM) systems can’t distinguish the wolf from the sheepdog, or even the sheep. A study by the Ponemon Institute found that typical companies receive 17,000 malware alerts a week, and fewer than 3,500 are reliable. Only a much smaller fraction, about 700 alerts, is investigated. And those are just malware alerts, not other kinds of threats.
Most companies can’t add enough staff to review and respond to all the threats. For you to protect yourself, you need to make better use of your tools to highlight the most relevant threats that need a response. Pay attention to these points to make sure you’re gathering the right information and using it effectively.
KNOW YOUR BUSINESS
Start by understanding what you really hope to accomplish by using SIEM. Develop a series of use cases that identifies the kinds of risks you want the SIEM to help prevent. These can be things like preventing brute force attacks or employee responses to phishing emails. Once you know what you hope the SIEM will achieve, you can tailor its configuration to support that goal and eliminate alerts that aren’t relevant to that purpose.
KNOW YOUR NETWORK
Your SIEM tools can’t know what’s normal for your network if you don’t. Spend time to understand your network and the typical events that happen. Once you know what behaviors are expected, you can configure your SIEM so it doesn’t alert on them. Once unexpected behaviors are reviewed and deemed “not a threat,” the SIEM tools should be configured to ignore them also, so you don’t waste time on them when they recur.
KNOW YOUR APPLICATIONS
If you want your SIEM tool to monitor logs as well as network events, and you probably do, make sure it has access to them. You may need to configure application settings to ensure that the information you need is written to the log files and made available to the SIEM.
KNOW YOUR DATA
Use the 80-20 rule to focus on the data that’s the most likely target and presents the biggest risk if it’s exposed. Make sure that data is in a secure network segment, and focus the monitoring there.
You can also protect data by adding monitoring of outbound traffic. Tools that monitor outbound traffic help prevent data loss due to malware that made it through the inbound monitoring. As with SIEM, getting the most from data loss prevention software requires knowing what’s normal for your traffic. You can block traffic to a known set of IP addresses, but more sophisticated tools can recognize sensitive information and keep it from leaving your network at all.
ADD TOOLS TO REVIEW THE ALERTS
The alerts generated by SIEM are really just data; they aren’t knowledge. An information security analytics product like IKANOW can take in the raw data from your SIEM tools and turn it into prioritized, actionable information that lets a cybersecurity team focus on the important threats. The threat analysis incorporates knowledge of events outside your company, combining historical information with trend analysis to correlate alerts to actual risks to your assets. With this knowledge, information security teams can take prioritized action to continue to protect the highest priority data and assets based on likelihood of risk, severity of vulnerability, value of the at-risk data, or a customized combination of all of these factors.
DON’T TURN IT ON AND WALK AWAY
Configuring SIEM isn’t a one-time event. Because new threats constantly arise, new servers are added to your network, and new applications are continually deployed, SIEM configurations must be reviewed frequently to make sure they are suited for your current environment, not the environment as it was when the tool was deployed. Revisit your SIEM periodically to tune its settings and make sure it’s still generating data you can use.
