Know Your Data – Step One to Proper SIEM Selection

1541

As IT systems become entrenched in almost every aspect of every business (yes, I know you have a friend of a friend who does fine carpentry and takes orders on paper… but I’ll bet even he relies on some IT systems to ensure he gets paid.), the need for Security Information and Event Management (SIEM) systems becomes almost mandatory.  Even a very small count of systems and technologies can quickly produce more logging information than any human can hope to, much less want to, review and process so using automated systems and even MORE computers makes complete sense.  Add to this, many industries or transactions involve compliance issues which require retention and monitoring of various security events and you quickly find that someone in the organization is researching top 10’s, ‘magic quadrants’, or some other reviews to determine their course of action.

Before building functional matrices and product scorecards, the best first step is to really look at the data your organization generates.

Know the systems you have.

Depending on the organization, the maturity level and the business model, you may have workstations, servers, network hardware and security devices, mobile platforms, application sets and a vast host of other systems.  Even in virtualized environments and cloud based SAAS solutions, business models where ownership or management of IT systems is kept to an absolute minimum, you will still contend with log management and monitoring issues.  Questions which need to be answered include:

  • What data is being generated?
  • How is data being transmitted, collected and stored?
  • How common is the data you have?
    • Do you rely on well-known vendors?
    • Do you create or maintain custom applications or platforms?
  • How MUCH data are you generating?

Answering these questions is the first step in setting the boundaries for your selection process.   Vendors specialize in many aspects of the SIEM spectrum and there’s little to be gained considering a solution which touts its ease of use based on common log sources if you know you need to support extensive custom logs and events.  Conversely, an organization with single-vendor solutions for PC, server and network solutions may not need to bear the added expense of solutions focused on flexibility.

Know the data you want to and need to keep.

As stated in the original paragraph, we work and operate amongst IT systems which generate vast quantities of data and it’s easy to develop a desire to store everything on the off chance you might need to or be able to use it later.   The biggest issues become the unexpected performance and price impacts you may incur.  Again, given your organizations regulatory requirements, there may be certain data you must keep and timeframes you must keep it.  Beyond that, there are certainly Use Cases promoted or supported by vendors and/or beneficial to your organization which require specific data sets.  These may develop and expand over time, requiring the inclusion of additional information. Making the effort to identify these needs and the progression of development and tailoring your data collection and retention accordingly can have significant impact on SIEM solution choices and this also leads into a final aspect of data knowledge.

Know what you want to do with your data.

Data abounds and use cases abound.  While certain alerting and correlations are either requirements or fairly straightforward correlations from common data sets, it’s worthwhile to take the time in the early stages to consider just what you want from your data.  Put another way, how intimate do you want to become with your data?    If information management is core to your business model, then the security or operational aspects gleaned from extensive review and processing of your data sets could give you a distinct economic advantage over your competition or avoid crippling losses from an undetected breach.  A deep understanding of your data sets and developing plans on how and how extensively you intend to inspect your logs will directly affect your SIEM selection criteria.

Ultimately, securing your IT systems and data is an exercise in risk management.   Although it can be difficult to project an ROI against an ‘avoided loss’, it’s clear that developing budgetary constraints is a requirement.  By taking the time to first learn about your logging data and developing a plan for what reporting is needed and then desired, you can tailor your SIEM selection criteria for your environment and match any given vendor’s strengths against your requirements.

About Keith Lawman
Keith-LawmanKeith Lawman is a graduate of Georgia State University with a Master’s Degree in Computer Information Systems, Keith has over a decade of experience in network design and deployment, telecommunications and multi-platform systems administration. Keith joined the ReliaQuest team in March, 2014 and works with the RedSeal network infrastructure security platform and SIEM integration, primarily with Splunk and ArcSight.
In this article