Best practices for optimising SIEM environments

Security information and event management (SIEM) systems often act as the nerve centre of enterprise security and are a key component of a successful IT security strategy.

The problem is, as more and more assets go digital, the usage data that companies must collect, store and digest is becoming unmanageable, and consequently many organisations are having to increase their SIEM budgets.

In this era, IT departments are under enormous pressure to do ‘more with less’, and even the best-prepared IT teams are becoming overwhelmed when monitoring the health and safety of their information infrastructure.

However, there are ways in which organisations can optimise SIEM performance and save up to 40% on licensing costs per year, whilst increasing detection, response and investigation activities relating to potential threats and security risks.


The easiest way to improve SIEM performance, both in the mid and long term, is by optimising log management.

You can make your security team’s life much easier by employing eight key practices:

Guarantee regulatory compliance

With the upcoming introduction of the GDPR, together with existing standards such as PCI DSS and HIPAA, it is important that anonymisation services and pseudonym generation are compliant with these regulations.

Choose your log management tool wisely

Given the diversity of networks in the workplace, choosing a log management tool with wide platform and log source support – syslog formats, simple text files and database sources such as SQL, to name a few – is advisable.

Compress your log messages

Network bandwidth can vary greatly, so choosing a system that can operate in low-bandwidth situations is highly recommended.

Compressing log messages reduces bandwidth consumption, resulting in a more stable operation and less storage need, ultimately reducing the cost of log management.

Feed your SIEM a reduced amount of log data

You need a ‘SIEM-feeding’ tool that can process and deliver both structured and unstructured data, and that has transformation features such as filtering, parsing, rewriting, classifying and enriching at its disposal.

A feature set such as this means you only have to forward the most valuable information and your event-based SIEM licensing cost will be significantly reduced.


Integrate and feed your SIEM with privileged activity monitoring data

Most user activities leave traces behind in logs. However, there are several actions, most commonly those carried out by privileged users through administrative protocols like SSH or RDP, that are not visible in logs or SIEM analytics.

Integrating a SIEM with a privileged activity monitoring solution will allow organisations to analyse the riskiest user activities in real time to help prevent cyber-attacks and privileged account misuse.

Prioritise SIEM alerts

On average, a security professional has just 7 minutes per SIEM alert to decide whether an APT attack is occurring, or if a user has opened a phishing email.

User behaviour analytics can pinpoint the riskiest security issues by comparing any suspicious activity to the baseline activity of the user in question.

Functionality must be accompanied by highly scalable and reliable performance

Tools built on a strong architecture can handle traffic ranging from a few hundred logs per second up to hundreds of thousands of events per second.

Despite the number of moving parts, dependencies and variables here, you should not have any volume-related problems, even with active indexing.

Do not lose more than exactly zero log messages

It is unlikely that losing a single log message will cause a problem, unless it happened to be the only clue to an ongoing data breach.

However, features like buffering, failover destination support, message rate control and application-level acknowledgement are vital for message-loss prevention.
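The practices above on feeding the SIEM a reduced, structured feed, on pseudonymisation for compliance and on preventing message loss can all be expressed in one collector configuration. The syslog-ng OSE configuration below is an added example, not from the article or from Balabit; the hostnames, port, buffer directory and the REPLACE-ME-SALT value are placeholders, and the noise filters are illustrative.

```conf
@version: 3.38
@include "scl.conf"

# Raw feed from the hosts; nothing goes to the SIEM unprocessed.
source s_net { network(ip("0.0.0.0") port(514) transport("tcp")); };

# Practice 4: drop high-volume, low-value noise before it is counted against
# an event-based SIEM licence. Admin-protocol daemons are always kept.
filter f_keep {
    program("sshd") or program("xrdp")
    or not (
        (facility(cron) and message("session (opened|closed)" type("pcre")))
        or (program("systemd") and level(info))
    );
};

# Turn key=value payloads into named fields (.kv.*) so the SIEM gets structure.
parser p_kv { kv-parser(prefix(".kv.")); };

# Practice 1: pseudonymise the user name with a salted, truncated SHA-256.
# REPLACE-ME-SALT is a placeholder; keep the real salt out of the config repo.
rewrite r_pseudo {
    set("$(sha256 --length 16 REPLACE-ME-SALT${.kv.user})"
        value(".kv.user")
        condition("${.kv.user}" ne ""));
};

# Practice 8: a reliable disk buffer survives restarts and SIEM outages, and a
# failover server takes over while the primary collector is unreachable.
destination d_siem {
    network("siem-primary.example.com" port(601) transport("tcp")
        failover(servers("siem-secondary.example.com"))
        disk-buffer(reliable(yes)
                    disk-buf-size(2147483648)    # 2 GiB on disk
                    mem-buf-size(10485760)       # 10 MiB in memory
                    dir("/var/lib/syslog-ng/buf"))
        # Forward structured JSON; .kv.user becomes "user".
        template("$(format-json --scope rfc5424 --key .kv.* --rekey .kv.* --shift 4)\n")
    );
};

# flow-control pushes back on the TCP source instead of dropping messages
# when the SIEM link is slow (message rate control).
log {
    source(s_net); filter(f_keep); parser(p_kv); rewrite(r_pseudo);
    destination(d_siem);
    flags(flow-control);
};
```

Validate with `syslog-ng --syntax-only -f <file>` before deploying. Transport compression (practice 3) is not shown here, since it depends on the transport or product edition in use.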


Employing these key practices will optimise log management: the data you collect, store and digest becomes manageable, and SIEM performance improves as a result.

As a consequence, you will have a satisfied security team and your organisation could start saving up to 40% on licensing costs per year. Potential threats and security risks will also decrease.

Sourced by Hunor Voith, product marketing manager, syslog-ng, Balabit


Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...
