As a part of our SIEM Best Practices Series, today we look at how you can work towards strategies to reduce cost by eliminating unnecessary data. For a more holistic outlook on managing your SIEM System, check out this free resource by Advoqt, a White Paper on SIEM Best Practices.
We’ve done “SIEM Health Check” engagements where logs were ultimately reduced by over 60% yet we improved detection efficiency by 100%. Security monitoring tools alone will not improve your security posture. It’s not about buying more tools and storing more logs, it’s about being smart about what information is needed to detect threats.
There are several ways to approach this. First, list your current detection use cases and identify which of the collected logs none of them actually needs; those can be discarded or archived. If you can do this quickly, most of the job is already done.
However, in some cases getting rid of the logs can be complicated, especially when it’s required for compliance. If so, the best option is to store that data in low-cost and independent storage so that your SIEM won’t have to deal with it. Remember that every log that goes into your SIEM is consuming resources, not only storage but also processing power to parse and correlate.
We recommend an intermediary platform for log collection that allows you to easily redirect logs that are not mission critical, reducing the noise on your SIEM.
The intermediary infrastructure can be built with multiple open-source technologies; we recommend Apache Kafka or Fluentd, both of which we have implemented successfully in the past. Overall, this will allow you to reduce the total cost of ownership of your SIEM significantly, particularly if your SIEM of choice is a commercial solution that charges by the volume of logs collected daily.
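The routing decision that the intermediary tier has to make is illustrated below with a small Python example. It is an added illustration, not Advoqt's code and not a Kafka or Fluentd configuration: the use-case inventory, the compliance source list and the sample events are all constructed for the example. Each event is sent to one of three destinations: the SIEM when a listed detection use case consumes that event type, low-cost archive when no use case needs it but a retention requirement still applies, and dropped otherwise. Unparseable lines go to archive rather than being dropped, so a parser problem in the pipeline never silently loses data.

```python
"""Tier log events between SIEM, low-cost archive and drop, driven by a use-case inventory.

Added example; the inventory, source names and sample events below are constructed.
"""
import json
from collections import Counter

# Constructed use-case inventory: for each log source, the event types that at least one
# detection use case actually consumes. Anything not listed here is not needed in the SIEM.
USE_CASE_EVENTS = {
    "windows-security": {"4624", "4625", "4688", "4720", "4732"},
    "firewall": {"deny"},
    "dns": {"query"},
}

# Constructed retention requirements: sources that compliance says must be kept even when
# no detection use case needs them. They go to cheap storage, not into the SIEM.
COMPLIANCE_SOURCES = {"windows-security", "firewall", "proxy"}


def route(event: dict) -> str:
    """Decide where one parsed event goes: 'siem', 'archive' or 'drop'."""
    source = event.get("source")
    event_type = str(event.get("event_type", ""))
    if event_type in USE_CASE_EVENTS.get(source, set()):
        return "siem"          # a detection use case needs it: full parsing and correlation
    if source in COMPLIANCE_SOURCES:
        return "archive"       # must be retained, but the SIEM never has to process it
    return "drop"              # no use case, no retention requirement


def route_lines(lines):
    """Route newline-delimited JSON events.

    Returns (event counts per destination, bytes per destination). Lines that do not parse
    are archived rather than dropped so a parser fault cannot silently lose data.
    """
    counts = Counter()
    bytes_by_dest = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            dest = route(json.loads(line))
        except json.JSONDecodeError:
            dest = "archive"
        counts[dest] += 1
        bytes_by_dest[dest] += len(line.encode())
    return counts, bytes_by_dest


def siem_volume_reduction(bytes_by_dest) -> float:
    """Fraction of ingested bytes kept out of the SIEM, between 0.0 and 1.0."""
    total = sum(bytes_by_dest.values())
    return 0.0 if total == 0 else 1 - bytes_by_dest["siem"] / total


# Constructed sample feed, one JSON event per line plus one deliberately broken line.
SAMPLE_LINES = [
    '{"source": "windows-security", "event_type": "4624", "user": "alice"}',
    '{"source": "windows-security", "event_type": "4662", "object": "CN=printers"}',
    '{"source": "firewall", "event_type": "deny", "dst": "10.0.0.5", "dport": 445}',
    '{"source": "firewall", "event_type": "allow", "dst": "10.0.0.5", "dport": 443}',
    '{"source": "proxy", "event_type": "GET", "url": "http://example.com/"}',
    '{"source": "printer", "event_type": "job-done", "pages": 3}',
    '{"source": "dns", "event_type": "query", "qname": "example.com"}',
    'this line is not valid JSON',
]

if __name__ == "__main__":
    counts, sizes = route_lines(SAMPLE_LINES)
    for dest in ("siem", "archive", "drop"):
        print(f"{dest:8s} {counts[dest]} events, {sizes[dest]} bytes")
    print(f"SIEM volume reduction: {siem_volume_reduction(sizes):.0%}")
```

In a real deployment the inventory in `USE_CASE_EVENTS` is the artifact worth maintaining: every entry should trace back to a named detection use case, and an event type with no owner is a candidate for archive or drop. The byte counters are what let you put a number on the reduction before committing to the change, which matters most on SIEM licences priced by daily ingest.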
Such an alignment is an ongoing process that will reap results in the medium and long term. But we are just scratching the surface: there are EIGHT more aspects to consider as you work towards implementing a foolproof SIEM system. That is why we recently released our SIEM Best Practices White Paper, to help you set up or revise your SIEM system. Click here to access your free copy.
Solutions for a fast-paced, large enterprise may need tailored consultation and adaptation beyond what can be conveyed in a white paper. We invite you to get in touch with us to learn how we can help maximize the benefits of your security efforts.