As a part of our SIEM Best Practices Series, today we look at how you can work towards effectively measuring SIEM performance and assessing coverage of your data. For a more holistic outlook on managing your SIEM System, check out this free resource by Advoqt, a White Paper on SIEM Best Practices.
It’s not uncommon to see Security Monitoring programs where the completeness of the log sources is not a metric to measure accuracy and promptness of the system. Such behavior may lead to negligence, which in the case of threat response management, can turn can be catastrophic. Log Management is a critical activity and should be benchmarked and measured for performance frequently.
If log sources as missing, we cannot confirm that a particular event or compromise didn’t happen, so from a forensic investigation point of view not having the logs from all the necessary devices might invalidate a hypothesis. We also can’t forget regulatory compliance – auditors will mark this as a finding.
The right way to do this is by correlating your CMDB with every log source. A dashboard can be created which analyses the last time logs were detected from every single one of your devices, per log source. This information should be available in real-time and when a given log source is not reporting any events in a predefined period, an incident should be raised for an analyst to investigate.
Keep in mind that all log sources need do not report equally. We recommend creating a dynamic alert that would only notice if the event count is significantly different from what was reported the previous week. Our team favors statistical analysis to solve this issue and avoid false positives for these types of alerts.
There are EIGHT more aspects to consider as you work towards implementing a full-proof SIEM system. Our SIEM Best Practices White Paper gives you a clear roadmap. We invite you to get in touch with us to learn how we can help maximize the return on investment of your security program.