Mastering SIEM-projects succesfully – but how?

SIEM-projects are inherently complex, lenghty and require a substantial budget. How can SIEM-projects be successfully managed? In this blog article, Björn Steffens, Senior Security Engineer & Architect at InfoGuard, shares his many years of experience with SIEM-projects, describes the challenges they present and explains how to successfully manage them.

SIEM-projects and the challenges they bring

SIEM (Security Information & Event Management) makes it possible to take a comprehensive overview of IT-security. Analysing information from your infrastructure in real-time means that threats and vulnerabilities in the ICT-infrastructure can be detected, and they are then rapidly eliminated in a targeted way. And at the same time, you gain complete transparency over the security of your ICT-infrastructure, as well as boosting its long term security levels.

SIEM-projects rapidly become large-scale ones because many, if not all, areas of the IT-organisations are affected. Technically implementing SIEM itself is only a small fraction of the overall cost. Aspects of organisation and human resources also play an important role and are often not sufficiently explored. The following are the biggest challenges that manifest themselves:

• Organisation: There is always a large number of platforms across many different teams that need to be coordinated and integrated with the SIEM-solution and Incident Response platforms.
• Standards, or the lack of standards: Each vendor provides its own log formats and syntax. The maintenance and effort to keep these parsers or translators required to normalise the data so it can be analysed is cumbersome and time-consuming.
• Inhouse developed applications: Customer-specific applications are delivered with their own set of protocols and formats, which also need to be parsed and normalised. This adds to the already large set of vendor formats.
• Architecture and capacity challenges: Planning and scaling a SIEM-solution is extremely difficult, and it is unrealistic to expect that you will be able to get it right the first time.
• Available and qualified resources: As mentioned above, SIEM-projects requires experienced, technically skilled staff. A minimum of three different roles are needed to implement a SIEM-project: a security architect/security engineer, a security/SOC analyst and a coach or project manager. These are skills that are difficult to find within the job market.

What are driving the costs?

The majority of SIEM-projects often goes through at least one major and expensive architecture and capacity adjustment phase catering for the information that was missing during the initial functional and non-functional requirements gathering. So why is it that these adjustments become so expensive?

• The log sources, which provides the cyber security gold in forms of logs, are mostly manually configured or require custom work packages to be reconfigured and becomes a burden on top of already overloaded infrastructure teams.
• The SIEM-collection infrastructure is usually designed around complex network segments in order to get logs across routers and firewalls. Such changes need careful consideration and are by no means quick fixes. If SIEM-infrastructure components need to be moved or new components deployed that usually takes weeks to months to complete.
• The availability of infrastructure teams to assist with changes to network and log source configuration quickly becomes a challenge due to existing workloads or perhaps these teams are no longer available and have been outsourced.
• Because of the amount of technology and resources involved planning such changes becomes a larger endeavour in itself needing the necessary expertise having knowledge about the entire infrastructure impacted of such changes.

How to ensure that your SIEM-project is a success

Is there a way of avoiding these difficulties? Yes, and the answer is a simple one:

1. Appoint a project manager and assume that changes will have to be made. Ensure that the SIEM-architecture is designed in such a way as it allows modifications to be made to the infrastructure and that some “what if” scenarios are anticipated and detailed.
2. Focus on the scenarios you know could become costly. Ask yourself the question: “What happens if we need more capacity for X or Y here?” Then identify the answer and the measures required to answer this question and make sure that management is aware that in situation X, measure Y could be an option. Make the potential consequences transparent in terms of the funds and resources required.
3. The key to success is transparency. If a change to a SIEM-solution becomes necessary, all the stakeholders need to be involved.

What does the future look like?

The SIEM-tools of the future must be able to handle the following functional aspects. They must reduce the complexity, cost (implementation and operation) and the time needed for SIEM-solutions to start delivering benefits:

• Autodetection of log formats, syntax and what the signals are that something malicious is taking place or is a threat is building up and an attach could be imminent. The effort and time needed to develop and maintain parsers needed to normalise data should be removed from the equation. Here I see great potential for AI to deal with this. It must however be in an augmenting capacity.
• Log source configuration and filtering must become a central and automated function. The vast number of teams and organisations needed must be reduced to increase the speed at which the right logs are sent to the SIEM-infrastructure.
• The SIEM-infrastructure must be more agile in scaling collection, analytics and storage capacity without needing costly and lengthy infrastructure projects. Just pushing everything to the cloud is not going to be the answer here. For many years to come most installations will remain in customer data centres for various reasons.
• The analytic part of correlating, identifying attack patterns and vectors need to be automated and again in an augmenting capacity. The machine-based support that need to mature here should enable and weaponize SOC analysts with better, faster and high precision information about what is taking place and why.

If your SIEM-solution is not capable of addressing the challenges imposed by the architecture, EDR and network-based solutions will probably have to take over some of the SIEM-solutions. While solutions such as these bring their challenges, they do not have the immense impact on an organisation that a SIEM-solution has.

InfoGuard can assist you with the design and implementation of SIEM projects and offers you the appropriate SIEM-security-solutions such as IBM QRadar or Splunk. You can download our flyer about SIEM-service right now and get a lot of useful and interesting information.