SIEM - What Are You Really Monitoring?

6/11/20, 8:53 am

Security Incident and Event Management (SIEM) implementation in SOC services is a rapidly improving field. SIEM is still a key tool used to keep an eye out for unusual events on company assets or abnormal network traffic. But are monitoring logs efficiently alerting your team on verifiable security incidents? Or is your team inundated with false positive alerts and unnecessary logs?

SIEM use case development and fine tuning is paramount to ensure:

  • Analysts receive real-time alerts on security incidents
  • Analysts can investigate and respond quickly to these security incidents
  • Analysts don't experience burnout or fatigue from responding to false positive alerts
  • Incident investigation isn't hampered by slow log ingestion and having to filter through unnecessary logs
  • New analysts can easily triage and investigate lower priority alerts through well documented processes and insightful dashboards

The top-down approach is a useful method in use case development. Using this method, the SIEM development team works with key stakeholders and teams in the company to determine what types of security incidents need alerts. For example, if you're developing a SIEM platform for a financial institution you might need to consider tracking access to cardholder data for Payment Card Industry Data Security Standard (PCI DSS) compliance. The team would also determine critical and/or major business functions and assets aligning to business requirements, ensuring that your employees, customers, and intellectual property are protected.

Once these key security incidents are identified, the team can begin the design of the correlation rules, alarms, watchlists, reports, and dashboards that the analysts will use in their investigations. Following the design of these elements, the team can determine the required asset logs and network traffic that will need to be ingested into the SIEM platform and any filtering on the log sources that might need to occur to reduce noise.

Triage and notification processes can also be input into the use cases developed. This provides a playbook for analysts to follow when a use case triggers. This helps to identify and then notify key contacts.

This top-down approach ensures that only the required logs are ingested into the SIEM, reducing the amount of noise analysts would need to sift through to find priority or investigation relevant events. Adding new use cases or modifying existing ones over time will further mature the SIEM platform.

The more structured your SIEM platform is, the more effective it is to alert on positive security incidents rather than reducing analyst efficiency in needing to investigate alerts that end up being false positives.

NEC's SOC Services follow the top-down approach in the creation and maintenance of use cases across various SIEM platforms.

NEC can assist organisations with:

  • Utilising NEC’s existing offering that includes a huge database of tested use-cases with minimal to zero false positives
  • Building, maintaining, and monitoring a new SIEM environment complete with up-to-date use cases and threat intelligence
  • We can also transform your existing SIEM environments to generate efficient and reliable alerting and reporting of your network

For more information see what NEC can help you with..

Mark Chadwick - NEC Australia Head of Safer Cities

Alison Dean
Security Analyst