Safety data and occasion administration expertise has lengthy been a cornerstone of the SOC — gathering, correlating and centralizing safety knowledge to allow extra environment friendly and efficient risk detection and incident response.
SIEM integrates with instruments, companies and endpoints throughout a corporation and handles large quantities of information, making migration a big endeavor. The excellent news is that considerate and strategic planning could make the distinction between a rocky and easy deployment. When you’ve not too long ago bought SIEM expertise or are within the technique of doing so, let’s look at some greatest practices for implementation.
Key SIEM deployment steps
Whereas each deployment is exclusive, the next key steps are advisable throughout most or all SIEM implementations.
1. Design the SIEM’s structure
The SIEM structure contains all of the supporting techniques that SIEM depends upon and interacts with. On this section, fastidiously think about the platform’s present and future efficiency, resilience and safety wants.
Establish and prioritize your group’s prime SIEM use circumstances, which ought to inform selections in regards to the structure. You probably have use circumstances that SIEM would not tackle by itself, think about adopting further complementary applied sciences or strategies. Organizations as we speak generally mix SIEM with different instruments, equivalent to SOAR and XDR, for instance.
Word each major and tangential prices when designing the SIEM structure and planning its deployment. Attainable unanticipated prices embody the next:
- Cyber risk intelligence feeds the SIEM ingests.
- Migration of saved log knowledge from the prevailing SIEM to the brand new SIEM.
- Parallel operation of the legacy SIEM and new SIEM as a result of a phased migration or log retention necessities.
- Lengthy-term log knowledge retention.
- Employees coaching on the brand new SIEM.
- Information ingestion-based pricing fashions, which may trigger unexpected value will increase. Within the case of an uncommon safety occasion, for instance, large jumps in logging might lead to skyrocketing prices.
2. Plan the deployment
The planning section may be surprisingly advanced as a result of quantity of techniques that work together with SIEM. For instance, a SIEM platform should combine with all of the applied sciences it depends on for data, together with logs, intelligence feeds, vulnerability and asset administration techniques, and some other applied sciences that present essential inputs.
Deployment additionally wants to incorporate all of the applied sciences the SIEM itself feeds — for instance, safety orchestration, automation and response; endpoint detection and response; and different incident response instruments.
You probably have a legacy SIEM in place, additionally, you will want to think about the next:
- Which customized dashboards, configurations and workflows might want to migrate to make sure continuity and guarantee essential safety alerts do not fall via the cracks.
- Whether or not your group must retain legacy log knowledge, equivalent to to satisfy regulatory necessities or set up efficiency baselines. If that’s the case, decide how and the place the legacy knowledge will reside — e.g., within the previous SIEM, the brand new SIEM or a third-party knowledge administration platform.
- Whether or not identified or unknown customers exist past SecOps, with use circumstances that might broaden the scope of migration and introduce further challenges.
3. Carry out a phased deployment
Quickly switching over to a brand new SIEM may end up in chaos and confusion, making it almost inconceivable to pinpoint the reason for a given drawback and repair it in a well timed method.
It is best, due to this fact, to run the previous and new SIEMs in parallel and progressively check and combine extra techniques with the brand new platform. Handle any glitches as they come up. Take a look at the SIEM to gauge efficiency, resilience and safety.
A caveat: Working two SIEMs in manufacturing for an prolonged time can overload workers. Safety leaders might want to stability the necessity for methodical deployments in opposition to environment friendly ones.
4. Configure and tune
SIEMs require a number of preliminary guide configuration — with fixed reconfiguration over time — to maintain false-positive and false-negative alerts at affordable ranges. Create and refine rule units and filters; tune alerts, thresholds and triggers; and develop and refine dashboards and studies to satisfy the group’s wants.
5. Replace insurance policies, processes and procedures
Ideally, this work begins within the earlier steps and concludes as SIEM nears full-production rollout. Practice personnel on the use and upkeep of the brand new SIEM.
Karen Scarfone is a common cybersecurity professional who helps organizations talk their technical data via written content material. She co-authored the Cybersecurity Framework (CSF) 2.0 and was previously a senior laptop scientist for NIST.
