No SIEM technology, platform or service is ideal. Enterprise needs and circumstances change. Vendors and options evolve. New options emerge. Inevitably, many organizations will eventually migrate from their current SIEMs or SIEM vendors to new ones.
Upon deciding a new SIEM is needed, the CISO should approach implementation strategically, ensuring essential data, rules, playbooks and workflows remain available during and after the transition. A successful and responsible SIEM migration also minimizes disruptions stemming from the discovery of forgotten technical integrations and undocumented use cases.
Don't forget the data
The lifeblood of a cybersecurity operation is data: data about entities in the environment, data about what those entities are and are not supposed to do, data about how those entities behave, data about the cybersecurity infrastructure itself and so on.
Before a SIEM migration, CISOs must lay careful plans to ensure critical data from the old platform is preserved and usable by the new one. The following data is especially important:
Entity behavioral data. A zero-trust environment requires three kinds of data: policy data that dictates which entities are allowed to talk to one another, identity data that determines whether an entity is in fact who or what it claims to be, and behavioral data that reveals how entities act in the environment and whether those actions deviate from baseline norms. While not involved in maintaining policy or identity data, the SIEM is integral to collecting behavioral data. When switching tools or vendors, a CISO must ensure the security team can preserve and transfer baseline behavioral data for all entities in the environment.
Policy enforcement data. Logs showing security policy enforcement are important to incident investigations, incident response and after-incident reporting. This data should transfer to the new SIEM platform and remain available during migration. At every step of the transition, it must also be clear to the security team which platform, old or new, is the authoritative source.
Compliance-related data. Many organizations are required by law to maintain cybersecurity-relevant log data. For example, power utilities and telecommunications providers must be able to show evidence that they were, at any given point in time, compliant with specific security requirements of their respective industries. Ensure continuity in compliance-related data collection and make sure that historical data from the old platform will be available after migration, either by ingestion into the new tool or via an archival platform.
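The continuity and "which platform is authoritative" points above can be checked mechanically during the overlap period. The following script is an added example, not part of the article or of any SIEM product: it assumes both platforms can export a daily event count per log source (for instance from a scheduled search) and that a single cutover date marks when the new SIEM becomes authoritative. For each source and day it reports a gap (neither platform holds events) or a fallback (only the non-authoritative platform holds them, so investigators would be querying the wrong place). The source names, counts and dates are constructed sample data.

```python
"""Cutover coverage check for compliance-relevant log sources.

Added example (not from the article). Assumes each SIEM can export a
daily event count per log source; the exports below are constructed.
"""
import json
from datetime import date, timedelta

# Hypothetical migration window and cutover: the new SIEM is the
# authoritative source from CUTOVER onward, the old one before it.
WINDOW_START = date(2024, 3, 1)
WINDOW_END = date(2024, 3, 7)
CUTOVER = date(2024, 3, 4)
SOURCES = ["fw-perimeter", "idp-auth", "dns-resolver"]


def days_between(first, last):
    """Yield every date from first to last inclusive."""
    day = first
    while day <= last:
        yield day
        day += timedelta(days=1)


def _daily(first, last, count=1000):
    """Constructed counts: `count` events per day from first to last."""
    return {d: count for d in days_between(first, last)}


# Constructed export from the old platform: {source: {date: event_count}}.
OLD_SIEM = {
    "fw-perimeter": _daily(date(2024, 3, 1), date(2024, 3, 4)),
    "idp-auth": _daily(date(2024, 3, 1), date(2024, 3, 4)),
    # dns-resolver went silent for one day before the migration started
    "dns-resolver": {**_daily(date(2024, 3, 1), date(2024, 3, 4)), date(2024, 3, 2): 0},
}

# Constructed export from the new platform. fw-perimeter was onboarded
# with overlap, idp-auth two days late, dns-resolver never (forgotten).
NEW_SIEM = {
    "fw-perimeter": _daily(date(2024, 3, 3), date(2024, 3, 7)),
    "idp-auth": _daily(date(2024, 3, 6), date(2024, 3, 7)),
}


def coverage_report(old, new, sources, start, end, cutover):
    """Per source, list days (ISO strings) with no coverage at all ("gaps")
    and days covered only by the non-authoritative platform ("fallback")."""
    report = {}
    for src in sources:
        gaps, fallback = [], []
        for day in days_between(start, end):
            in_old = old.get(src, {}).get(day, 0) > 0
            in_new = new.get(src, {}).get(day, 0) > 0
            authoritative_has_it = in_new if day >= cutover else in_old
            if authoritative_has_it:
                continue
            if in_old or in_new:
                fallback.append(day.isoformat())
            else:
                gaps.append(day.isoformat())
        report[src] = {"gaps": gaps, "fallback": fallback}
    return report


def run_check():
    """Convenience wrapper over the constructed sample data."""
    return coverage_report(OLD_SIEM, NEW_SIEM, SOURCES, WINDOW_START, WINDOW_END, CUTOVER)


def sources_needing_attention(report):
    """Sorted list of sources with any gap or fallback day."""
    return sorted(s for s, r in report.items() if r["gaps"] or r["fallback"])


if __name__ == "__main__":
    print(json.dumps(run_check(), indent=2))
```

Run against real exports, every "fallback" day is a reminder to either finish onboarding that source into the new SIEM or to document that the old platform (or the archive) remains authoritative for that range; every "gap" day is a compliance finding in waiting and should be reconciled with the log source itself.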
Take custom rules, playbooks and workflows with you
If data is the lifeblood of cybersecurity, automation is rapidly becoming its beating heart. Some SIEM automation consists of obviously SIEM-specific things, such as instituting additional monitoring on a network entity that is behaving unusually, whether at the behest of another tool or a human operator, or based on the SIEM's native user and entity behavior analytics functionality.
Less obviously, several facets of automation and process knowledge are now often embedded in SIEM systems and services, which, like many cybersecurity tools, have porous functional boundaries. SIEM platforms can play key parts in incident response, for example, and may also serve as repositories of institutional knowledge in the form of automated workflows among roles or teams. During a SIEM migration, CISOs should pay attention to preserving important automation and process knowledge, such as the following:
Custom detection rules. SIEMs filter incoming data to look for notable events and anomalies. Any event-parsing or detection rules the organization has developed, or that a service provider has developed on its behalf, must be documented for replication in the new platform.
Preservation of organization-specific playbooks and workflows. Incident response playbooks define the steps that staff and automation tools should take in the event of a suspected or confirmed cybersecurity incident. Workflows automate many of the actions and processes that playbooks dictate, as well as day-to-day operational processes. Ensure all active and relevant workflows and playbook elements from the old SIEM platform are replicated in the new one. Note that active and relevant are important qualifiers. A SIEM migration is an opportunity to prune dead wood by abandoning workflows or playbooks that have been superseded but not yet deleted.
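The two items above (document every custom rule for replication, and carry over only the active and relevant ones, with their playbooks) are a single inventory exercise. The script below is an added example, not from the article or any vendor: it assumes the old SIEM can export its rules with a name, an enabled flag, a last-fired date, the query text and a linked playbook name, and that the team can list which rule names and playbooks already exist in the new platform. It classifies each rule as migrate, review (enabled but silent for longer than a stale threshold, or never fired) or drop (disabled or superseded), writes a vendor-neutral record for the migration runbook, and flags migrate-class rules and playbooks not yet present in the new platform. All rule data, names and the 180-day threshold are constructed assumptions.

```python
"""Inventory of custom detection rules and linked playbooks before a SIEM
migration. Added example (not from the article); the export format, rule
names, queries, playbook names and threshold are constructed.
"""
import json
from datetime import date

STALE_DAYS = 180  # assumption: a rule silent this long is pruning material
TODAY = "2024-03-10"

# Constructed export from the old platform.
OLD_RULES = [
    {"id": "R-001", "name": "Brute-force login", "enabled": True,
     "last_fired": "2024-02-20", "severity": "high",
     "query": "event=auth_failure | stats count by src_ip | where count > 50",
     "playbook": "PB-account-lockout"},
    {"id": "R-002", "name": "Legacy VPN appliance auth failure", "enabled": True,
     "last_fired": "2022-05-01", "severity": "medium",
     "query": "sourcetype=legacy_vpn action=deny", "playbook": "PB-vpn-triage"},
    {"id": "R-003", "name": "Old DLP agent alert", "enabled": False,
     "last_fired": "2023-11-02", "severity": "high", "superseded_by": "R-006",
     "query": "sourcetype=dlp_v1 verdict=block", "playbook": "PB-data-exfil"},
    {"id": "R-004", "name": "Impossible travel", "enabled": True,
     "last_fired": "2024-03-01", "severity": "high",
     "query": "event=login | geo_distance(prev_login) > 1000km within 1h",
     "playbook": "PB-identity-compromise"},
    {"id": "R-005", "name": "New service account anomaly", "enabled": True,
     "last_fired": None, "severity": "low",
     "query": "user=svc_* AND first_seen=true", "playbook": None},
]

# Constructed state of the new platform so far.
NEW_PLATFORM_RULES = {"Brute-force login"}
NEW_PLATFORM_PLAYBOOKS = {"PB-account-lockout", "PB-vpn-triage"}


def classify(rule, today):
    """migrate / review / drop, per the active-and-relevant test."""
    if not rule["enabled"] or rule.get("superseded_by"):
        return "drop"
    if not rule.get("last_fired"):
        return "review"  # never fired: confirm the data source exists at all
    age_days = (today - date.fromisoformat(rule["last_fired"])).days
    return "review" if age_days > STALE_DAYS else "migrate"


def document_rule(rule, new_rule_names, today):
    """Vendor-neutral runbook record: the logic is kept verbatim so it can
    be re-expressed in the new platform's query language."""
    return {
        "id": rule["id"],
        "name": rule["name"],
        "severity": rule["severity"],
        "decision": classify(rule, today),
        "logic": rule["query"],
        "linked_playbook": rule.get("playbook"),
        "replicated": rule["name"] in new_rule_names,
    }


def migration_plan(rules, new_rule_names, new_playbooks, today_iso):
    """Bucket rules by decision and list what the new platform still lacks."""
    today = date.fromisoformat(today_iso)
    plan = {"migrate": [], "review": [], "drop": [],
            "missing_in_new": [], "missing_playbooks": []}
    needed_playbooks = set()
    for rule in rules:
        decision = classify(rule, today)
        plan[decision].append(rule["id"])
        if decision == "migrate":
            if rule["name"] not in new_rule_names:
                plan["missing_in_new"].append(rule["id"])
            if rule.get("playbook"):
                needed_playbooks.add(rule["playbook"])
    plan["missing_playbooks"] = sorted(needed_playbooks - set(new_playbooks))
    return plan


def runbook(rules=OLD_RULES, new_rule_names=NEW_PLATFORM_RULES, today_iso=TODAY):
    """All rule records, for export alongside the plan."""
    today = date.fromisoformat(today_iso)
    return [document_rule(r, new_rule_names, today) for r in rules]


if __name__ == "__main__":
    print(json.dumps(migration_plan(OLD_RULES, NEW_PLATFORM_RULES,
                                    NEW_PLATFORM_PLAYBOOKS, TODAY), indent=2))
    print(json.dumps(runbook(), indent=2))
```

The "review" bucket is deliberately separate from "drop": a rule that has never fired may be dead wood, or it may be the only detection for a source that was never onboarded correctly, and that distinction needs a human decision rather than a threshold. Re-run the plan as rules are recreated so the "missing_in_new" list shrinks to zero before cutover.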
Minimize surprises: Forgotten integrations and unknown users
A SIEM migration stress tests how well the cybersecurity team knows itself and the larger enterprise. Often, the actual migration process uncovers forgotten integrations with other cybersecurity systems or network management systems.
Similarly, it isn't unusual for other SIEM stakeholders in the enterprise to be flushed from the underbrush by the transition. For example, application developers might quietly lean on the SIEM in some previously undocumented way and fail to make their use case known until the migration disrupts it.
Late discovery of a group whose needs should have influenced requirements for the new SIEM might result in only a slight delay in the migration's timeline. Be warned, however, that this oversight can easily drive up expenses, especially if required features cost extra in the new platform, or if the new SIEM cannot meet the group's needs, forcing a new round of product selection.
John Burke is CTO and a research analyst at Nemertes Research. Burke joined Nemertes in 2005 with nearly 20 years of technology experience. He has worked at all levels of IT, including as an end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect.