What forms the basis for a successful SIEM implementation? We name the 5 most important aspects!

What is SIEM?

Security Information and Event Management (SIEM) is a solution approach for the detection of IT security incidents. SIEM makes it possible to collect event log data from various sources in a central location and to automatically detect and report anomalies and rule violations in this data on the basis of previously defined use cases.

The SIEM combines components of Security Information Management (SIM) and Security Event Management (SEM). The latter includes the collection, normalisation, aggregation and correlation of events as well as immediate notification when potential security incidents are detected. Through the SIM component, evaluations can be carried out in real time via visualisations or retrospectively via reports on the collected data. These evaluations can provide valuable information, for example, about company-wide configuration changes, access to sensitive data, use of privileged accounts or an overview of the current threat situation of the company.

A SIEM solution collects company-wide log data, usually with the help of software agents. The underlying sources are, for example, servers, endpoints, routers, firewalls, intrusion detection and prevention systems (IDS and IPS) as well as applications. In a central management station, the collected data is brought together, processed and correlated with each other. The correlated data is visualised on individually configurable dashboards. IT security incidents can thus be identified at an early stage by cyber defense analysts – in areas that conventional IT security solutions cannot take into account at all.

Why is a SIEM important?

The current threat situation in the area of cybercrime is more than tense. Not only did the sheer number of attempted and successfully executed cyberattacks reach a new high last year*, the professionalism of cyberattacks has also increased drastically in recent years. Whether it’s ransomware, phishing, drive-by downloads or social engineering, hackers are leaving no stone unturned to compromise networks, gain access to corporate data and extort ransoms. With the plethora of daily threats, a company’s cyber security teams need to be able to respond quickly and efficiently to existing threat situations. This is where SIEM comes in. SIEM systems deliver crucial added value for a company’s information security, as they are able to comprehensively collect security-relevant data, consolidate it in a centralised repository and automatically detect anomalies and rule violations based on previously defined use cases. This offers IT security teams a decisive advantage – because the time needed to identify an acute threat (mean time to detect) can be significantly reduced by a SIEM. Especially in the case of critical attacks on the IT infrastructure, this represents a decisive time advantage.

A SIEM thus makes the work of IT security specialists more effective and decisively increases the IT security level of companies – if a few relevant aspects are taken into account before the SIEM implementation.

*Source: Bundesamt für Sicherheit in der Informationstechnik: Die Lage der IT-Sicherheit in Deutschland 2021

SIEM implementation: Which aspects should you not disregard?

Even if it reads differently at first glance: SIEM is much more than a product. The introduction of a SIEM system must be very well planned in order to avoid disappointed expectations and later cost explosions. First of all, it is essential to define the specific company requirements and the associated expectations of a SIEM system. Based on these requirements, it makes sense to create a SIEM concept, which forms the basis for the introduction and operation of a SIEM.

Our cyber defence consultants have compiled the 5 most important aspects below that you should not disregard before deciding to implement a SIEM.

Point 1: The aspect of integrability

SIEM solutions often come with interfaces for common systems from the manufacturer – but these do not necessarily fit the systems used in the company. If there are no suitable interfaces, the implementation time for the SIEM solution increases significantly, as connectors for these systems have to be developed manually. This costs companies valuable time and leads to additional investment costs. In order for a SIEM system to offer relevant added value in the fight against cyber threats, the solution must therefore be aligned and tailored as well as possible to the existing IT infrastructure within the company.
Important: Before introduction, it must be defined which log data a SIEM solution must process within the customer environment.

Point 2: The cost aspect

The payment models for SIEM solutions differ, sometimes significantly, depending on the manufacturer. Some providers use the incoming data volume as the basis for billing, while others charge according to the number of incoming events or calculate the costs on the basis of the stored data. Furthermore, there are also providers who use the number of connected systems or the number of required SIEM components as a basis for pricing. For the operators of the SIEM solution, this means that the details of the billing structure can make considerable differences in terms of costs. This is particularly evident in relation to company size. Many system manufacturers offer attractive discounts for extensive implementations of their SIEM product. However, this can be a cost trap – especially for small and medium-sized enterprises (SMEs).

A small example: an SME has to process 10 gigabytes of data volume in its SIEM system every day and pays for this data volume in full. Large companies and corporations, on the other hand, benefit from scalability – if, for example, 250 gigabytes of data volume are ingested per day, the final price is proportionally lower because the system provider grants significant discounts at this scale. SMEs should therefore take a close look at the cost structure of the SIEM solution offered in relation to their turnover and profit figures. Unexpected follow-up costs are often hidden here.
Important: Before deciding on a SIEM solution, it is important to check in detail which basis is used for billing and which costs are incurred for which services.

Point 3: The aspect of the scope of functions

More is better – surely this also applies to cyber security and thus to SIEM systems, right? Many SIEM systems are designed for use in large corporations and offer a wealth of functions that are only relevant for large companies. A well-known example is very granular rights management. This is absolutely indispensable for corporations – for SMEs, on the other hand, it is often oversized and unnecessarily complex. A SIEM system within a corporate structure often needs multi-tenant separation for data protection reasons – between the corporate parent and the IT systems of the subsidiaries. An SME with 50 employees does not need multi-tenancy – but may still have to pay for it.

Many companies only use the absolute basic functions of their SIEM solution in the first few years after successful implementation. If this solution, reduced in scope, is optimised precisely to the company’s requirements and goals, this is an economical and secure approach. However, companies often opt for a SIEM solution that is far too comprehensive in terms of functionality for their own company size. In the absence of experience, the IT specialists responsible for introducing the SIEM often decide according to the familiarity of a product and trust that the product will do all the work for them. However, no product can do that – not even the one with the most comprehensive range of services.
Important: Before deciding on a SIEM solution, it is essential to define which functions are really needed in the company. The development of an initial SIEM concept makes sense here.


Point 4: The aspect of use cases and their detection rules

Use cases, as a logical element for the detection of attacks and their detection rules as the technical implementation of the logic, are the core of a SIEM system. For almost all providers of SIEM solutions, supplied use cases as practical “out-of-the-box” solutions are the selling point. However, for several reasons, the prefabricated rules usually bring only little added value.

One reason is that these detection rules are usually very generic and thus hardly fit the respective IT landscape or the threat situation. In most cases, the use cases lack both information on which logs/events are required from the IT systems and instructions for action for the cyber defense analysts. Furthermore, a large number of rules are provided, which either massively overwhelm the SIEM analysts if they are all activated or have to be selected sensibly in advance. Among other things, it is important both for this selection process and for the subsequent processing of the alerts from the use cases that these have a direct reference to known IT security frameworks such as MITRE ATT&CK. With this and the corresponding expert knowledge, the most essential goal of use case selection – to obtain the maximum coverage of known attack vectors with the smallest possible number of high-quality use cases – can be achieved.

Our SIEM consultants therefore recommend the use of use cases whose logic has been developed from the IT security frameworks, whose documentation and recommendations for action are comprehensive and whose detection rules are specifically adapted to the IT landscape and its IT systems. When selecting these, we pay attention to a broad spread of detection mechanisms in order to recognise attack behaviour at an early stage. The following principle applies: It is better to implement a few high-quality use cases than many rules that are error-prone and generate unnecessary work. This is the key to an effective and also economical SIEM operation.
Important: Rules initially supplied with the SIEM solution are often poorly suited to the environment. The out-of-the-box rules have to be adapted to the customer’s environment at great expense and therefore usually offer no financial added value.
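The selection goal described above (maximum coverage of known attack techniques with the fewest high-quality, fully documented use cases) can be modelled as a greedy set-cover over ATT&CK technique IDs. The following is an added example, not code from the article or from SECUINFRA; the technique IDs are real ATT&CK identifiers, while the use-case catalogue, quality scores and log-source names are constructed for illustration.

```python
# Added example: model the use-case selection step from the text. Each use case
# carries the ATT&CK techniques it detects, the log sources it needs, a response
# playbook and a quality score; the selection greedily picks the fewest
# high-quality use cases that cover the techniques the company cares about.
# The catalogue, scores and log-source names below are constructed.
from dataclasses import dataclass

@dataclass
class UseCase:
    name: str
    techniques: set      # MITRE ATT&CK technique IDs this rule detects
    log_sources: set     # log/event sources the rule needs in order to run at all
    playbook: str        # analyst instructions for handling the alert
    quality: float       # 0..1, e.g. derived from tuning / false-positive history

def is_documented(uc: UseCase) -> bool:
    """A rule without a framework reference, required logs or a playbook is
    exactly the kind of generic out-of-the-box rule the text warns about."""
    return bool(uc.techniques) and bool(uc.log_sources) and bool(uc.playbook.strip())

def select_use_cases(candidates, wanted, available_logs, min_quality=0.6):
    """Greedy set cover: repeatedly take the use case that adds the most
    uncovered techniques (weighted by quality). Rules that are undocumented,
    below the quality bar or need logs we do not collect are never chosen."""
    usable = [uc for uc in candidates
              if is_documented(uc) and uc.quality >= min_quality
              and uc.log_sources <= available_logs]
    uncovered, chosen = set(wanted), []
    while uncovered:
        best = max(usable, key=lambda uc: len(uc.techniques & uncovered) * uc.quality,
                   default=None)
        if best is None or not (best.techniques & uncovered):
            break                       # nothing usable covers what is left
        chosen.append(best.name)
        uncovered -= best.techniques
        usable.remove(best)
    return chosen, uncovered            # uncovered = coverage gaps to report

# Constructed sample catalogue (real ATT&CK IDs, made-up rules and scores)
CATALOG = [
    UseCase("Brute force on VPN", {"T1110"}, {"vpn", "auth"}, "Check source, lock account", 0.9),
    UseCase("PowerShell download cradle", {"T1059.001", "T1105"}, {"windows_ps"}, "Isolate host", 0.85),
    UseCase("Vendor generic malware rule", {"T1059.001", "T1105", "T1110"}, {"edr"}, "", 0.5),
    UseCase("Privileged group change", {"T1098"}, {"windows_security"}, "Verify change ticket", 0.8),
    UseCase("Cloud-only rule", {"T1078.004"}, {"cloudtrail"}, "Review IAM activity", 0.9),
]

if __name__ == "__main__":
    chosen, missing = select_use_cases(
        CATALOG, {"T1110", "T1059.001", "T1105", "T1098", "T1078.004"},
        {"vpn", "auth", "windows_ps", "windows_security"})
    print("selected:", chosen)          # ['PowerShell download cradle', 'Brute force on VPN', 'Privileged group change']
    print("no coverage for:", missing)  # {'T1078.004'}
```

The vendor rule is dropped because it ships without a playbook, and the cloud rule because the required log source is not collected; the remaining gap is reported rather than silently ignored.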

Point 5: The aspect of competence

For a SIEM to be used effectively, the users of the system – usually SOC analysts – must understand attack scenarios and alerts and, of course, know how exactly to react. The SIEM solutions do the repetitive work, but the analysts have to put the resulting alerts into context and see the “big picture”.

Important: Does the company have this expertise in-house? If not, the company should get expert support at this point. Our experienced cyber defense analysts can reliably recognise attack patterns and complex interrelationships.

Success with SIEM Consulting

As the explanations show, implementing a SIEM system is not just a matter of installing software and connecting a few log sources. SIEM is an extremely powerful tool in the fight against cyber threats – but every SIEM system is only efficient and effective if it is optimally adapted to the existing IT infrastructure of the company. By opting for SIEM consulting before or during the project, you not only save time and money, but also avoid problems and stumbling blocks that often arise for companies without SIEM experience on the way to a successful SIEM operation.

Conclusion

Cybercriminals do not sleep. On the contrary – last year there were more attacks on companies, NGOs and even governments worldwide than ever before. It is not only the sheer mass of cyber attacks that challenges us all, but also the increasing professionalism with which the attacks are carried out. On the one hand, Security Information and Event Management relieves cyber defense teams of repetitive routine tasks; on the other hand, a SIEM system significantly accelerates the detection of attacks. Customised detection mechanisms in SIEM solutions can significantly strengthen a company’s cyber resilience – but only if the product can be easily adapted to individual needs.

The out-of-the-box solutions touted by many manufacturers promise great performance at a low price, but are usually the more expensive alternative in retrospect. In order to avoid wrong economic decisions and at the same time optimise the functionality of the SIEM system, it makes sense to get support from experts in the early stages of the decision-making process. Feel free to contact us! Our cyber defense consultants will advise you individually and without obligation.

SECUINFRA SIEM Experts Team • Author

Managed SIEM and Co-Managed SIEM experts

The SECUINFRA SIEM Experts Team is specialized in the areas of "Managed SIEM" and "Co-Managed SIEM". The team not only performs the classic operational SOC activities such as analyzing and evaluating SIEM alerts or threat hunting, but also designs, implements and operates the SIEM environments.
