Robert Wortmann, Head of Strategic Security Consulting, Proact Germany
Central logging is becoming an increasingly important topic in many companies. Whether due to legal or auditing mandates, or due to your own desire for more centralised insight, technologies like SIEM are becoming more and more popular. In this blog article I’ll try to answer a few of the most frequently asked questions.
SIEM providers are now a dime a dozen and if you do a quick search of the market, it’s easy to see the benefits that they can bring. That said, here’s some ‘universal advantages’ that I’ve seen out there:
- 1.9 x faster than the competition
- Market-leader for 412 years
- Safer than everyone else
- Fully intuitive to use
- In the Gardner Quadrant, far enough to the top right that you cannot see us anymore
But let’s face it, SIEM systems are quite similar to end point scanners. The reality is that the big manufacturers aren’t that different and if I’m being really honest, SIEM projects are always annoying, costly and likely to fail. I’m finding it hard to keep count of how many SIEM projects I’ve seen fail at companies I know of. But why did these projects fail?
It was never really about the performance of the systems or other, measurable, factors. These projects were more or less doomed to failure. And here’s why.
A Mount Everest of logs, but no mountaineers available
‘And what do you do with your logs?’ This is usually my first question when customers tell me about their new central monitoring. For me, this is by far the most important question to ask.
Of course, up to a certain point, SIEM systems evaluate the logs themselves, correlate them, and analyse the results for anomalies. However, these automated assessments only ever work up to a certain point. You simply can’t avoid false positives and can’t think that every anomaly is an attack.
In order to evaluate these logs specialist expertise is necessary. Sadly, this often isn’t available in-house. Not having this knowledge within your department isn’t necessarily a bad thing and for most medium-sized companies, it doesn’t make economical or technical sense to hire people to do this job.
In summary, it’s wonderful to have central logs, but these must be evaluated.
Security is a 24/7 job
Sometimes I get tired of slogans like ‘hackers don’t sleep’, even though the statement is somewhat true. Attackers rarely stick to fixed hours, holidays or vacation periods. They decide for themselves when to strike and don’t pay any attention to occupational safety and health. But how can you offer 24/7 security?
Most medium-sized companies these days have staff ready on-call but when it comes to SIEM, this level of readiness isn’t enough. It’s important to keep an eye out for anomalies round-the-clock – waiting for the phone to ring does not provide enough protection. Despite this, in the case of most businesses I’ve spoken to, it doesn’t make sense for them to build a fully-fledged 24/7 security team with at least six employees.
Even when working with a SIEM service provider there’s the chance that something can happen – no technology or specialist team can protect you 100%. Nevertheless, we can ensure that you can relax a little more – you might even be able to take a vacation or get a full night of sleep.
SIEM is not a big data tool
The biggest issue I seem to have with competitors or customers is that they tend to fill their SIEM systems with as many log sources as they can. I always go for the exact opposite approach: fewer logs, the better.
In my experience, it’s much more important to evaluate the right logs, not all the logs. Let’s take an example: during VPN termination, I don’t need to fire up my SIEM system with all the successful authentications. In my opinion, I don’t even have to pass on the message if a user has logged on incorrectly. However, if a user wants to authenticate 10 times within 10 seconds, it is a clear anomaly in my view and has to go into the SIEM system. From there, I can still look at the RSA logs of the VPN solution based on this message. SIEM serves more or less as a navigation system.
With that theory in mind, the first tasks we complete during our SIEM as a Service PoCs are always:
- Selecting suitable devices: these differ from customer to customer, there’s no set standard here
- Adjusting the log level: normally the devices send in far too many logs
For a SIEM system to work properly, you have to clearly define the requirements. You can’t make demands that can’t be met by this type of system. Less but more meaningful input can shape better the results.
SIEM works great with other security or monitoring technologies but like I said, SIEM projects are often doomed from the start. Personally, I think that many companies have a misconception of SIEM and have unrealistic expectations. Of course, this is not the fault of customers, and these have developed because of false promises from the manufacturers who want to get ahead in this competitive market space.
As many have probably already noticed, or suspected after reading my first couple of lines, Proact offers SIEM as a Service.
As well as getting a completely hosted SIEM solution, we want to help our customers overcome the hurdles that make so many SIEM projects fail. Our two SOC teams evaluate your logs 24/7 and contact you if there are any anomalies, day or night. We then try to give you direct recommendations to eliminate these anomalies. During the implementation phase, we provide a full consultation to make sure meaningful logs are sent to our systems.
In conjunction with our managed service teams, we can also help you with configuration adjustments and a number of other things. With SIEM solutions, we don’t just see ourselves as a security service provider, but rather as your trusted advisor. We want things to work so you can focus on your core competencies once again.