Practitioners Detail Evolution Of SIEM Deployments

  /     /     /  
Publicated : 22/11/2024   Category : security


Practitioners Detail Evolution Of SIEM Deployments


Most companies progress through three stages, though many get stuck at the very beginning, they said



SAN FRANCISCO -- RSA Conference 2011 -- As organizations embark on new installations of security information and event management (SIEM) systems, theyll need to remember that the use of SIEM is more of a growing process of evolution rather than a straight deployment, two experts told a crowded session at RSA this week.
Ben Murphy of Gladiator Technology, a government integrator, and Bradford Nelson of an unnamed but large federal agency each doled out advice based on their experience with years-long SIEM installations. Nelson explained to the audience that the typical deployment follows a three-stage time line that starts with infancy, then moves onto growth, and then, hopefully, blossoms into maturity.
The infancy stage starts with the compliance-focused checkbox mentality and is mainly concerned with the security information management elements of SIEM, primarily collecting logs for audit purposes. Nelson estimates that about 80 percent of the industry is stuck in this compliance-centric grind.
Typically you see a lot of organizations stay in this stage, unfortunately, just due to manpower or loss of sponsorship, he said of the infancy stage.
He recommends that organizations ideally spend about six months in this stage of deployment. Any more and they dont get enough out of the tools theyve spent so much to install, and any less and they risk a project disaster.
Keep the bar low at the beginning; just get that information in there and get your baseline, he said. If you try to blow it up all at once at the beginning with the threat and anomoly detection and threat analysis and response, youre going to fail.
Moving into the growth stage is when organizations begin to utilize the security event management aspect of SIEM, utilizing real-time monitoring.
One of the core capabilities of SIEM and the whole point of having it is to add context to data and make it available and actionable, Nelson said, explaining that to get there organizations must work on identity and network modeling, which can take some time and be a manual process.
Organizations that truly evolve to the mature stage are those that are able to streamline SIEM analysis into IT operations processes so that security is part of the overall IT framework.
This is where security is operationalized, Nelson said.
In this stage organizations are taking advantage of external security feeds, have tackled onboarding processes, are analyzing business behavior, and are truly utilizing business context to make decisions.
According to Murphy, to get from infancy to maturity it is critical that organizations remember that threat prioritization is key.
You might have a lot more usable information coming at you than you initially expect; it could be hundreds of things per hour that need to be looked at and addressed in some fashion, he said. So it is important that theres a really strong prioritization algorithm in place.
He explains that the high-medium-low severity prioritization doesnt scale well in large organizations. The method he uses takes into account not only severity, but also the age of the risk and the prioritization category it falls in as it relates to the application and the business.
High-medium-low is not a really very scalable methodology for prioritizing severity, he said. That doesnt really play well when youre trying to figure out if a high severity threat yesterday is more than a low severity one that happened a long time ago.
Have a comment on this story? Please click Discuss below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Practitioners Detail Evolution Of SIEM Deployments