Thinking of buying a SIEM? Read this first.

Are you really ready for a SIEM?

SIEMs are sophisticated tools which can help an organisation identify potential threats. However, the price of the tool is only part of the cost: they come with very high monthly running costs and the added expense of hiring, training and retaining staff qualified to use them.

Moreover, even when used correctly, their ability to constantly assess the digital landscape means they often generate a high number of false positives as well. This can eat up large swathes of employee time as analysts sift through the pile, and it breeds boredom and complacency through a “boy who cried wolf” dynamic.

As such, you need to carefully consider whether you are really ready to take the leap to a SIEM. SIEMs are usually suited to relatively mature organisations; Dr Anton Chuvakin has done an excellent job of defining the criteria which might precipitate graduation to a SIEM. For organisations that are not that advanced in their cyber security journey, however, a dedicated SIEM can be (and often is) an extortionate form of overkill, one which slows down the workforce and weakens defences rather than bolstering them.

Define your why

Any business looking to purchase a SIEM should first and foremost ask itself what it seeks to achieve by doing so. SIEM vendors may try to bamboozle potential buyers with impressive-sounding metrics like events per second (EPS) or gigabytes per day (GB/day), which often mean nothing to those in charge of a company. Worse, pricing on those metrics penalises you for collecting data, which incentivises logging less of it.

Instead of focusing on products, we always encourage customers to concentrate on the outcomes they hope to achieve.

SIEM vs SOC

A SIEM is a product, normally leveraged by a team of cyber security professionals, whose job it is to detect and respond to cyber security incidents. This team is normally referred to as a Security Operations Centre (SOC).  

We have seen over and over again organisations who have gone to market to buy a SIEM, when in reality what they actually wanted was the outcome of a SOC, enabling them to detect and respond to cyber security incidents. That is why understanding your “why” is critical to getting the right outcome.

When buying a SIEM solution, organisations often forget that they also need to consider the cost of the infrastructure, the engineering teams to water and feed the solution, and the incident response teams to actually deal with its output. A SIEM by itself, with none of the related investment, ends up being a very expensive log aggregation solution.

Pinpointing where exactly your business is in its security maturation process and how it hopes to leverage its SOC will help to determine which services you require. Here’s a brief summary of the six stages on the SOC maturity curve:

[Figure: SOC Maturity Graph]

1) Data logging and storage

An effective and inexpensive option for companies looking to take their first step on the cyber security ladder is the use of log management services to store logs and alerts in a centralised location. This offers a modest improvement to your online security and provides a safe repository in the event of a breach, through which you can sort for evidence when determining its cause and how to prevent it happening again. At this point, an organisation should focus more on the quality of the data going into the logs than on how long it is kept for; 90 days of valuable historical data is an excellent resource for an external forensic analyst to work with and a superb starting point for companies which currently do nothing. You don’t need a SIEM to do this.

2) Data mining and reporting

Once you have a solid base of data to work with, you can begin mining it. Using information collected from your firewalls and intrusion detection system (IDS), you can build useful dashboards which monitor metrics like the following:

  • Devices which stopped reporting in the last 24 hours.

  • Real-time administrative log-ins to the company infrastructure.

  • Individuals granted privileged access in the last 48 hours.

  • Average outbound network traffic.

These kinds of dashboards can be easily created using simple tools like Kibana or PowerBI and offer a massive step-up from stage one… and you still don’t need a SIEM or SOC to do this.
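As an added illustration (not code from the original post or from Quorum Cyber), here is a small Python script that computes the four dashboard metrics above from a constructed log extract. The pipe-delimited log format, the host names, the accounts and the fixed “now” timestamp are all assumptions made for the example; the point is that each metric is a short query over centrally stored logs, with no SIEM involved.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean

# Constructed sample log (not real data). Format: timestamp|host|event|key=value ...
SAMPLE_LOG = """\
2024-05-01T08:00:00Z|fw-edge-01|heartbeat|
2024-05-01T08:00:00Z|ids-core-01|heartbeat|
2024-05-01T08:00:00Z|web-01|heartbeat|
2024-05-01T09:15:00Z|dc-01|admin_login|user=admin1 src=10.0.5.23
2024-05-01T10:30:00Z|dc-01|group_add|user=johnb group=Domain_Admins by=admin1
2024-05-02T08:00:00Z|fw-edge-01|heartbeat|
2024-05-02T08:00:00Z|ids-core-01|heartbeat|
2024-05-02T11:00:00Z|fw-edge-01|outbound_bytes|bytes=52428800
2024-05-02T12:00:00Z|fw-edge-01|outbound_bytes|bytes=73400320
2024-05-02T14:45:00Z|dc-01|admin_login|user=svc_backup src=10.0.9.8
2024-05-03T08:00:00Z|fw-edge-01|heartbeat|
2024-05-03T08:00:00Z|ids-core-01|heartbeat|
2024-05-03T09:00:00Z|fw-edge-01|outbound_bytes|bytes=62914560
"""

# "Now" is fixed so the example is reproducible; a live dashboard would use datetime.now(timezone.utc).
NOW = datetime(2024, 5, 3, 10, 0, tzinfo=timezone.utc)


def parse(log_text):
    """Turn each pipe-delimited line into a dict with a timezone-aware timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, host, kind, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "host": host, "kind": kind, **fields})
    return events


def silent_devices(events, now, window=timedelta(hours=24)):
    """Hosts whose most recent heartbeat is older than the window (they stopped reporting)."""
    last_seen = {}
    for e in events:
        if e["kind"] == "heartbeat":
            last_seen[e["host"]] = max(e["ts"], last_seen.get(e["host"], e["ts"]))
    return sorted(h for h, ts in last_seen.items() if now - ts > window)


def recent_admin_logins(events, now, window=timedelta(hours=24)):
    """Administrative log-ins within the window, newest first."""
    hits = [e for e in events if e["kind"] == "admin_login" and now - e["ts"] <= window]
    return sorted(hits, key=lambda e: e["ts"], reverse=True)


def recent_privilege_grants(events, now, window=timedelta(hours=48)):
    """Accounts added to a privileged group within the window."""
    return [e for e in events if e["kind"] == "group_add" and now - e["ts"] <= window]


def average_outbound_bytes(events):
    """Mean of the reported outbound byte counts (0 if nothing was reported)."""
    samples = [int(e["bytes"]) for e in events if e["kind"] == "outbound_bytes"]
    return mean(samples) if samples else 0


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("Silent >24h:", silent_devices(evts, NOW))
    print("Admin log-ins <24h:", [(e["user"], e["host"], e["src"]) for e in recent_admin_logins(evts, NOW)])
    print("Privilege grants <48h:", [(e["user"], e["group"]) for e in recent_privilege_grants(evts, NOW)])
    print("Average outbound bytes:", average_outbound_bytes(evts))
```

On the constructed data, web-01 is the only device that has gone quiet, one administrative log-in and one privileged group change fall inside their windows, and the outbound average comes to 60 MiB. The same four queries map directly onto a Kibana visualisation or a PowerBI measure once the logs are in one place.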

3) Data analysis

With a good collection of logs and several dashboards now in place, you can begin analysing the data you have gathered. This is where a SIEM can begin to add value to your system, since it can correlate different logs to create actionable insights and prevent potential attacks. For example:

  • Admin1 account had five failed log-in attempts, followed by a successful log-in.

  • JohnB account accessed three different devices in five minutes.

  • ClaireD account accessed several non-Alexa top 1,000 sites and received a “virus detected and removed” message from the anti-virus system.

In all of the above examples, the individual instances are not suspicious, but taken together they constitute unusual behaviour that is worthy of further investigation. This kind of interpretative capability is the basis of data analysis and, when employed proactively, can allow you to detect potential threats as they surface and neutralise them before they become a problem.
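The three scenarios above are classic SIEM correlation rules: each event is harmless on its own, and the alert only fires when a per-account, time-windowed pattern completes. As an added example (not code from the original post or from any SIEM product), here is a minimal correlation engine in Python that implements all three over a constructed, time-ordered event stream. The event format, the account and host names, the thresholds and the windows are assumptions for the example, and “non-top-1,000 site” is modelled as a visit whose popularity rank is absent or greater than 1,000.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data). Format: "timestamp kind account key=value ..."
SAMPLE_EVENTS = """\
2024-05-06T07:10:00Z auth_fail admin1 host=dc-01
2024-05-06T09:00:01Z auth_fail admin1 host=dc-01
2024-05-06T09:00:04Z auth_fail admin1 host=dc-01
2024-05-06T09:00:07Z auth_fail admin1 host=dc-01
2024-05-06T09:00:10Z auth_fail admin1 host=dc-01
2024-05-06T09:00:13Z auth_fail admin1 host=dc-01
2024-05-06T09:00:20Z auth_ok admin1 host=dc-01
2024-05-06T09:05:00Z auth_fail admin2 host=dc-01
2024-05-06T09:05:30Z auth_fail admin2 host=dc-01
2024-05-06T09:06:00Z auth_ok admin2 host=dc-01
2024-05-06T09:30:00Z auth_ok johnb host=ws-17
2024-05-06T09:31:10Z auth_ok johnb host=fs-02
2024-05-06T09:33:40Z auth_ok johnb host=db-03
2024-05-06T10:00:00Z web_visit claired domain=cdn-odd.test rank=none
2024-05-06T10:01:00Z web_visit claired domain=bigsearch.test rank=12
2024-05-06T10:02:30Z web_visit claired domain=free-tools.test rank=none
2024-05-06T10:05:00Z av_detect claired result=virus_removed
"""

# Rule thresholds and windows: assumed values, tune them to your own environment.
BRUTE_FORCE_FAILS, BRUTE_FORCE_WINDOW = 5, timedelta(minutes=10)
LATERAL_HOSTS, LATERAL_WINDOW = 3, timedelta(minutes=5)
UNCOMMON_SITES, UNCOMMON_WINDOW = 2, timedelta(minutes=30)
TOP_SITES_CUTOFF = 1000


def parse(text):
    """Parse the space-separated lines into dicts and return them in time order."""
    events = []
    for line in text.splitlines():
        ts, kind, account, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "kind": kind, "account": account, **fields})
    return sorted(events, key=lambda e: e["ts"])


def prune(window_events, now, window):
    """Drop entries older than `window` from the left of a time-ordered deque."""
    while window_events and now - window_events[0]["ts"] > window:
        window_events.popleft()


def correlate(events):
    """Run the three rules over time-ordered events and return the alerts they raise."""
    alerts = []
    fails = defaultdict(deque)      # account -> recent auth_fail events
    logins = defaultdict(deque)     # account -> recent auth_ok events
    uncommon = defaultdict(deque)   # account -> recent visits to non-top-1000 sites

    for e in events:
        acct, now = e["account"], e["ts"]
        if e["kind"] == "auth_fail":
            fails[acct].append(e)
        elif e["kind"] == "auth_ok":
            # Rule 1: N failures then a success within the window (a brute force that worked).
            prune(fails[acct], now, BRUTE_FORCE_WINDOW)
            if len(fails[acct]) >= BRUTE_FORCE_FAILS:
                alerts.append({"rule": "brute_force_success", "account": acct, "ts": now,
                               "detail": f"{len(fails[acct])} failures before success on {e['host']}"})
                fails[acct].clear()
            # Rule 2: the same account on >= N distinct devices within the window.
            logins[acct].append(e)
            prune(logins[acct], now, LATERAL_WINDOW)
            hosts = {x["host"] for x in logins[acct]}
            if len(hosts) >= LATERAL_HOSTS:
                alerts.append({"rule": "multi_device_access", "account": acct, "ts": now,
                               "detail": f"{len(hosts)} devices: {', '.join(sorted(hosts))}"})
                logins[acct].clear()
        elif e["kind"] == "web_visit":
            rank = e.get("rank", "none")
            if rank == "none" or int(rank) > TOP_SITES_CUTOFF:
                uncommon[acct].append(e)
        elif e["kind"] == "av_detect":
            # Rule 3: an anti-virus detection preceded by several visits to uncommon sites.
            prune(uncommon[acct], now, UNCOMMON_WINDOW)
            if len(uncommon[acct]) >= UNCOMMON_SITES:
                alerts.append({"rule": "uncommon_sites_then_av", "account": acct, "ts": now,
                               "detail": f"{len(uncommon[acct])} uncommon sites then {e['result']}"})
                uncommon[acct].clear()
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_EVENTS)):
        print(a["ts"].isoformat(), a["rule"], a["account"], "-", a["detail"])
```

Note how the windows do the real work: admin1’s stray failure at 07:10 is pruned before the 09:00 success is evaluated, and admin2’s two failures never reach the threshold, so neither produces noise. Clearing an account’s buffer once a rule fires stops the same burst from re-alerting on every subsequent event, which is exactly the kind of de-duplication that keeps stage-three alert volumes tolerable.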

The key activity in this stage is pre-emptively identifying “interesting” (read: dangerous) scenarios which could represent a threat, as this can lead to high-quality alerts that can be followed up by security analysts. To achieve this, you’ll need the SIEM or other infrastructure in place capable of logging and correlating the data, as well as the engineers to water and feed the platform and the analysts to investigate the alerts it raises. Other satellite teams, such as malware analysts, reverse engineers, forensic investigators, sandboxing experts and 24/7 responders may also come into play. This is the first stage where a SIEM becomes a key part of your maturity.

4) Security orchestration, automation and response (SOAR)

While the previous stage lifts the lid on a whole range of pre-emptive detection capabilities, it also has the potential to create a large number of false positives, which can exhaust and exasperate the analysts tasked with investigating them. To avoid employee burnout and poor retention, it’s now necessary to introduce automation into the process. Far from endangering human jobs, delegating the high-volume, heavy-lifting work of scrutinising password resets, brute force attempts, malicious IP blocks and the like to a machine frees up the human workforce for more interesting, enjoyable and profitable tasks. This not only streamlines the process and makes it more efficient, but boosts employee morale as well.

5) Searching for unknown unknowns

The next stage of SOC maturity involves a process known as “threat hunting”, whereby “hunters” examine the data for anomalies that they can’t yet explain but which may pose a threat. This kind of detection is heavily informed by external factors: intelligence about the cyber crime climate, including indicators of compromise shared by public and private groups around the globe, and knowledge of recent threat actor tactics, techniques and procedures (TTPs). It’s a sophisticated form of threat detection which can be described as searching for the unknown unknowns that could cause the company harm.
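A hunt has no signature to match, so it starts from a baseline and asks “what doesn’t fit?”. As an added example (not code from the original post or from Quorum Cyber), here is one simple hunting query in Python: each host’s daily outbound volume is compared against that host’s own history using a median/MAD “modified z-score”, and days that fall well outside it are surfaced for a hunter to explain. The hosts, the byte counts, the minimum history of seven days and the 3.5 threshold are all assumptions for the example.

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000

# Constructed daily outbound totals per host (not real data): (day, host, bytes).
# ws-17 is steady at ~200 MB and then sends 4.1 GB on the last day; fs-02 varies
# naturally around 1.5 GB; db-03 has only two days of history.
DAILY_OUTBOUND = [
    *[("2024-05-%02d" % d, "ws-17", v * MB) for d, v in
      enumerate([200, 205, 198, 210, 203, 199, 207, 201, 204, 4100], start=1)],
    *[("2024-05-%02d" % d, "fs-02", v * MB) for d, v in
      enumerate([1500, 1480, 1530, 1510, 1495, 1520, 1505, 1490, 1515, 1525], start=1)],
    ("2024-05-09", "db-03", 90 * MB),
    ("2024-05-10", "db-03", 95 * MB),
]


def robust_z(values):
    """Modified z-scores (Iglewicz & Hoaglin): 0.6745 * (x - median) / MAD.

    Median and MAD are used instead of mean and standard deviation so that one
    enormous day cannot inflate the baseline it is being judged against.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Almost every value sits exactly on the median; anything off it is anomalous.
        return [float("inf") if v != med else 0.0 for v in values]
    return [0.6745 * (v - med) / mad for v in values]


def hunt_outbound_anomalies(rows, min_days=7, threshold=3.5):
    """Per host, flag days whose outbound volume deviates from that host's own baseline.

    Returns (findings, skipped): findings are dicts for a hunter to investigate;
    skipped lists hosts with too little history to judge.
    """
    by_host = defaultdict(list)
    for day, host, nbytes in rows:
        by_host[host].append((day, nbytes))
    findings, skipped = [], []
    for host, series in sorted(by_host.items()):
        if len(series) < min_days:
            skipped.append(host)
            continue
        series.sort()
        zs = robust_z([b for _, b in series])
        for (day, nbytes), z in zip(series, zs):
            if abs(z) > threshold:
                findings.append({"host": host, "day": day, "bytes": nbytes, "z": round(z, 1)})
    return findings, skipped


if __name__ == "__main__":
    found, skipped = hunt_outbound_anomalies(DAILY_OUTBOUND)
    for f in found:
        print(f"{f['host']} {f['day']}: {f['bytes'] / MB:.0f} MB out (z={f['z']})")
    print("insufficient history:", skipped)
```

On the constructed data only ws-17’s final day is flagged, fs-02’s normal day-to-day variation stays quiet, and db-03 is reported as having too little history rather than being silently ignored. A finding like this is not an alert: it is a lead that the hunter follows up with the context the passage mentions, such as whether the destination matches any shared indicator of compromise or a known actor’s TTPs.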

6) Red team vs blue team

The final stage in a SOC’s maturity cycle is the introduction of a simulated threat actor or actors, whose sole job is to highlight weaknesses in the SOC’s defences and help them to convert those into strengths. As Daniel Miessler explains, this can be understood in terms of a blue team (the SOC) defending against a red team (the simulated threat actors), whereby the latter exploits the vulnerabilities of the former so that both can improve the overall robustness of the company’s defences. Miessler also goes on to point out that a so-called purple team, which mediates between the two, is superfluous if both blue and red are doing their jobs properly.

Finding your level

As you can see, there are many levels of cyber security maturity and not all of them will benefit from the addition of a SIEM. The good news is that Quorum Cyber is capable of providing services for every stage of this maturation process, meaning we are equipped to help you beef up your online defences and minimise the chances of a data breach, wherever you’re currently at. Working closely with you, we can identify at which stage your organisation is with regard to its cyber security capabilities and use that information to determine which service package will best benefit your unique situation.

To talk to one of our experienced cyber security specialists about pinpointing your company’s SOC maturity, or to learn more about the services we offer, get in touch with us by filling out our online form or giving us a call on +44 333 444 0041. We’re waiting to hear from you.

Darren Phillips