As a part of our SIEM Best Practices Series, today we look at how you can work towards strategies to reduce cost by eliminating unnecessary data. For a more holistic outlook on managing your SIEM System, check out this free resource by Advoqt, a White Paper on SIEM Best Practices.
We’ve done “SIEM Health Check” engagements where logs were ultimately reduced by over 60% yet we improved detection efficiency by 100%. Security monitoring tools alone will not improve your security posture. It’s not about buying more tools and storing more logs; it’s about being smart about what information is needed to detect threats.
There are different approaches to this issue. First, list the current use cases and identify whether any of the collected logs can be discarded or archived. If you can manage to do this quickly, then most of the job is done.
However, in some cases getting rid of logs can be complicated, especially when the data is required for compliance. If so, the best option is to store that data in low-cost, independent storage so that your SIEM won’t have to deal with it. Every log that goes into your SIEM consumes resources: not only storage but also the processing power needed to parse and correlate it.
We recommend an intermediary platform for log collection that allows you to easily redirect logs that are not mission critical, reducing the noise on your SIEM.
The intermediary infrastructure can be built with multiple open-source technologies, and we recommend Apache Kafka or Fluentd, which we have implemented successfully in the past. Overall, this will allow you to reduce the total cost of ownership of your SIEM significantly, particularly if your SIEM of choice is a commercial solution that charges you by the volume of logs collected.
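The following Fluentd configuration is an added illustration of the routing layer described above; it is not taken from Advoqt or from any engagement, and the port, hostname, paths and the `sshd|sudo|auditd` allowlist are assumptions you would replace with the sources your own use cases actually require. Every syslog event is copied to cheap local storage to satisfy retention, while only the security-relevant subset is forwarded to the SIEM.

```fluentd
# Added example, not part of the original post: split syslog into a
# full archive (cheap storage) and a filtered SIEM feed.
<source>
  @type syslog
  port 5140              # assumed listener port for forwarding hosts
  tag syslog             # events arrive as syslog.<facility>.<priority>
  @label @TRIAGE
</source>

<label @TRIAGE>
  # Fan every event out to both destinations; the SIEM path filters.
  <match syslog.**>
    @type copy
    <store>
      @type relabel
      @label @ARCHIVE
    </store>
    <store>
      @type relabel
      @label @SIEM
    </store>
  </match>
</label>

<label @ARCHIVE>
  # Compliance copy: keep everything, but outside the SIEM licence.
  <match syslog.**>
    @type file
    path /var/log/archive/syslog   # assumed low-cost storage path
    compress gzip
  </match>
</label>

<label @SIEM>
  # Only programs tied to a detection use case reach the SIEM.
  <filter syslog.**>
    @type grep
    <regexp>
      key ident
      pattern /^(sshd|sudo|auditd)$/   # assumed allowlist; derive from your use cases
    </regexp>
  </filter>
  <match syslog.**>
    @type forward
    <server>
      host siem-collector.example.internal   # assumed SIEM ingest host
      port 24224
    </server>
  </match>
</label>
```

Because the archive branch runs before the grep filter, adding a program to the allowlist later never changes what is retained, only what the SIEM is billed for.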
Remember: People, Process, and Technology – in that order!
There are EIGHT more aspects to consider as you work towards implementing a foolproof SIEM system. Our SIEM Best Practices White Paper gives you a clear roadmap. We invite you to get in touch with us to learn how we can help maximize the return on investment of your security program.