A security information and event management (SIEM) solution is like the GPS a driver uses: without one, enterprise IT is driving blind. Security appliances and system software are good at catching and logging isolated attacks and anomalous behavior, but today's most serious threats are distributed, acting in concert across multiple systems and using advanced evasion techniques to avoid detection. Without a SIEM to correlate those isolated logs, attacks are allowed to incubate and grow into disastrous incidents.
Companies share the same concern: good visibility is hard to achieve. And once you do have visibility, how do you handle the volume of data? There are simply too many alerts to work with, and the more data you collect, the more work you have: "to whom a lot is given, a lot is expected".
Below are best practices to help you get the most from your investment in a SIEM product:
- Align the Security Monitoring process to your business goals.
- Identify all your available log source technologies.
- Define use cases and how each log source technology supports them.
- Understand the gaps and add the log source technologies needed to close them.
- Reduce cost by removing unnecessary log source technologies.
- Document the infrastructure, log source endpoints and data library definitions.
- Document an Incident Response Plan with actions for each of your defined use cases.
- Measure the performance and coverage of your log sources.
- Measure the performance and usage of your alerts and dashboards.
- Monitor infrastructure performance and plan capacity for future use cases.
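As an added example (not from the original article), the following Python script shows how the coverage, gap and cost items above can be measured mechanically: it compares an inventory of expected log sources against the last event each one delivered, maps use cases to the technologies they depend on, and reports silent sources, use cases left blind, and ingested technologies no documented use case needs. Source names, technology labels, use cases and timestamps are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory: source name -> log source technology (assumed names)
EXPECTED_SOURCES = {
    "fw-edge-01": "firewall",
    "dc-01": "windows_security",
    "proxy-01": "web_proxy",
    "edr-01": "edr",
    "netflow-01": "netflow",
}
# Constructed use-case library: use case -> technologies it depends on
USE_CASES = {
    "brute_force_logon": {"windows_security"},
    "malware_beacon": {"web_proxy", "firewall"},
    "lateral_movement": {"windows_security", "edr"},
    "data_exfil": {"web_proxy", "dlp"},
}
# Constructed "last event received" timestamps, as a SIEM would report them
LAST_EVENT = {
    "fw-edge-01": "2024-05-01T11:58:00Z",
    "dc-01": "2024-05-01T11:59:30Z",
    "proxy-01": "2024-04-29T08:00:00Z",  # silent for two days
    "netflow-01": "2024-05-01T11:50:00Z",
    # edr-01 is in the inventory but has never sent an event
}

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stale_sources(expected, last_event, now, max_silence):
    """Sources that never reported or have been silent longer than max_silence."""
    stale = [name for name in expected
             if name not in last_event or now - parse_ts(last_event[name]) > max_silence]
    return sorted(stale)

def use_case_gaps(use_cases, expected, stale):
    """Use cases missing a technology that no healthy source currently feeds."""
    healthy = {tech for name, tech in expected.items() if name not in stale}
    return {uc: sorted(req - healthy) for uc, req in use_cases.items() if req - healthy}

def unused_technologies(use_cases, expected):
    """Ingested technologies no documented use case needs: candidates for cost review."""
    needed = set().union(*use_cases.values())
    return sorted(set(expected.values()) - needed)

if __name__ == "__main__":
    now = parse_ts("2024-05-01T12:00:00Z")
    stale = stale_sources(EXPECTED_SOURCES, LAST_EVENT, now, timedelta(hours=1))
    print("stale:", stale)
    print("gaps:", use_case_gaps(USE_CASES, EXPECTED_SOURCES, stale))
    print("unused:", unused_technologies(USE_CASES, EXPECTED_SOURCES))
```

Running this on a schedule against the SIEM's real source inventory turns the "measure coverage" and "reduce cost" items into a recurring report rather than a one-time audit.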
Determining the best SIEM system for you
Each organization should perform its own evaluation, taking into account not only the information referenced above but also all the other aspects of SIEM that may matter to the organization. Because each SIEM implementation has to perform log management over a unique set of sources and has to support a different combination of compliance reporting requirements, the best SIEM system for one organization may not be suitable for another.