
How to optimise the performance of SIEMs

11 Mar 2019

With the following best practices, organisations can save up to 30% on their SIEM licensing costs per year, while significantly increasing the performance of their SIEM for faster detection, response and investigation of potential threats and security risks.

Balancing efficiency and cost is key in every organisation. As basically every company has now become an IT company as well, IT departments are especially under tremendous pressure to “do more with less.” With more and more assets going digital, monitoring the health and safety of your information infrastructure and using the insights you gather in a meaningful way can overwhelm even well-prepared teams.

It’s no surprise that SIEMs (Security and Information Management Systems) often act as the nerve centre of enterprise security systems, and are a key part of a successful IT security strategy. But with everything going digital, the usage data that companies have to collect, store and digest is rapidly getting out of hand – so much so that organisations must either continually increase their SIEM budgets or else gamble on missing high-impact malicious activities. Also keep in mind that SIEMs are mainly good at producing analysis and reports, not at improving the baseline and foundation they are built on: logs.

Optimising your SIEM (whether to save costs or improve your security operation’s efficiency) is most easily and effectively done by also optimising your log management. Implementing a few key best practices will help you achieve huge immediate and long-term improvements, which will be realised both in your SIEM operation and in other areas such as compliance audits and – more generally – in making your SOC (Security Operations Center) team’s life easier.

Top 8 best practices:

1. Avoid compatibility issues, because your analytics can only be as good as the data you work from: Since most networks are very diverse, when choosing a log management tool, pick one that has wide platform and log source support (including but not limited to syslog formats, simple text files, database files like SQL, Oracle, SNMP traps).

2. Extract the valuable information from logs and feed your SIEM a reduced amount of log data: Your “SIEM-feeding” tool should also be able to process and provide structured and unstructured data, and have transformation features like filtering, parsing, rewriting and classifying at its disposal. With such a feature set, you only need to forward the most valuable information and thus significantly reduce (real-world use cases show up to 40% savings in 1 year) your event-based SIEM licensing cost, or provide an enriched and reformatted log stream for easier analysis.

3. Ensure regulatory compliance with your default log collection and storage: Transformation features like anonymisation and pseudonymisation are important to comply with international data handling and privacy standards like PCI-DSS, HIPAA and the upcoming GDPR in the European Union.
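As an added example covering practices 2 and 3 (not code from the original article or from any particular product), the following pre-processor parses syslog lines, forwards only security-relevant programs to the SIEM, classifies each event, and replaces usernames and IP addresses with keyed pseudonyms so events still correlate without exposing the identifiers. The sample lines, program list and key are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample of a raw collector stream (not real data).
SAMPLE_LOGS = [
    "<86>Mar 11 10:00:01 web01 sshd[2111]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "<86>Mar 11 10:00:02 web01 sshd[2112]: Failed password for root from 203.0.113.9 port 40022 ssh2",
    "<30>Mar 11 10:00:03 web01 systemd[1]: Started Session 42 of user alice.",
    "<38>Mar 11 10:00:04 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/cat /etc/shadow",
    "<30>Mar 11 10:00:05 web01 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

# BSD-syslog shape: <PRI>timestamp host program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SECURITY_PROGS = {"sshd", "sudo"}   # assumed: only these are worth SIEM licence volume
PSEUDO_KEY = b"rotate-me"           # assumed: managed outside this script in practice
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
USER_RE = re.compile(r"(?<=for )\w+|^\w+(?= :)")  # "for <user>" (sshd) or leading "<user> :" (sudo)

def pseudonymise(value: str) -> str:
    """Stable keyed hash: same input -> same token, but not reversible without the key."""
    return hmac.new(PSEUDO_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]

def parse(line: str):
    """Split a syslog line into fields and decode PRI into facility and severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["facility"], ev["severity"] = divmod(int(ev.pop("pri")), 8)
    return ev

def reduce_stream(lines):
    """Filter to security programs, classify, and pseudonymise identifiers in the message."""
    out = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["prog"] not in SECURITY_PROGS:
            continue  # unparseable or low-value event: not forwarded
        ev["class"] = ("auth_failure" if "Failed" in ev["msg"]
                       else "privileged" if ev["prog"] == "sudo" else "auth_success")
        ev["msg"] = IP_RE.sub(lambda m: "ip:" + pseudonymise(m.group()), ev["msg"])
        ev["msg"] = USER_RE.sub(lambda m: "user:" + pseudonymise(m.group()), ev["msg"])
        out.append(ev)
    return out
```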

4. Compress your log messages: It’s also worth noting that both internet and intranet network bandwidth can vary greatly, so your log management tool should be able to work even in very bandwidth-limited situations. Compressing log messages on the fly can radically reduce bandwidth consumption, and make your central log collection faster which also results in faster response to potential security or operational risks.

5. Be sure you’re losing no more than exactly zero log messages: What if you lose a single log message? Probably nothing happens, unless it happened to be the only sign of an ongoing data breach. Message-loss prevention features like buffering, failover destination support, message rate control and application-level acknowledgement are very important. Be sure that nothing gets lost as a result of a temporary failure of your logging infrastructure, or because it isn’t up to the task.
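To show how the four loss-prevention features listed above fit together, here is an added, simplified forwarder (not code from the original article or any product): a bounded buffer, a primary and a failover destination, a per-flush rate limit, and a message that leaves the buffer only after a destination has acknowledged it. The Destination class is a constructed stand-in for a SIEM endpoint.

```python
from collections import deque

class Destination:
    """Constructed stand-in for a SIEM or spool endpoint; send() returns the application-level ack."""
    def __init__(self, name, fail_first=0):
        self.name, self.received, self.fail_first = name, [], fail_first
    def send(self, msg) -> bool:
        if self.fail_first > 0:          # simulate an outage for the first N attempts
            self.fail_first -= 1
            return False                 # no ack: treat as not delivered
        self.received.append(msg)
        return True

class ReliableForwarder:
    def __init__(self, primary, failover, capacity=10000, max_rate=500):
        self.primary, self.failover = primary, failover
        self.capacity, self.max_rate = capacity, max_rate   # size capacity for the outage you must ride out
        self.buffer, self.dropped = deque(), 0

    def enqueue(self, msg) -> bool:
        """Accept a message into the buffer; overflow is the only point at which loss can occur."""
        if len(self.buffer) >= self.capacity:
            self.dropped += 1
            return False
        self.buffer.append(msg)
        return True

    def flush(self) -> int:
        """Send at most max_rate messages; pop a message only once primary or failover acks it."""
        sent = 0
        while self.buffer and sent < self.max_rate:
            msg = self.buffer[0]
            if self.primary.send(msg) or self.failover.send(msg):
                self.buffer.popleft()    # acknowledged: safe to discard locally
                sent += 1
            else:
                break                    # both destinations down: keep buffering, retry on next flush
        return sent
```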

6. Rich functionality should be accompanied by highly scalable and reliable performance: Specialised tools with robust architectures can handle traffic ranging from just a few hundred logs per second up to hundreds of thousands of events. There are a lot of moving parts, dependencies and variables here, but generally speaking, unless you’re web-scale, you shouldn’t have volume-related problems, even with active indexing.

7. Integrate and feed your SIEM with Privileged Activity Monitoring data: Although most user activities leave traces behind in logs, there are several user actions (especially those executed by privileged users through administrative protocols such as SSH or RDP) that cannot be seen in logs or SIEM analytics. By integrating a SIEM with a Privileged Activity Monitoring solution, organisations can analyse the riskiest user activities in real time to help prevent the most costly types of cyber-attacks and privileged account misuse.

8. Prioritise your SIEM alerts: Does your organisation receive too much log data or too many SIEM system false positive alerts for immediate investigation by a small, over-taxed security team? The fact is that an average security professional usually has just 7 minutes per SIEM alert to decide whether an APT attack is underway or a user just opened a phishing email. Based on how privileged the user in question happens to be and the difference in situational behaviour versus the original baseline activity, User Behavior Analytics solutions can pinpoint the riskiest security issues. And that’s exactly why your organisation first launched its SIEM solution: to dramatically reduce the time needed to detect, respond and investigate potential threats, and to return the enterprise to full security.
