
How to optimise the performance of SIEMs

11 Mar 2019

With the following best practices, organisations can save up to 30% on their SIEM licensing costs per year, while significantly increasing the performance of their SIEM for faster detection, response and investigation of potential threats and security risks.

Balancing efficiency and cost is key in every organisation. As basically every company has now become an IT company as well, IT departments are especially under tremendous pressure to “do more with less.” With more and more assets going digital, monitoring the health and safety of your information infrastructure and using the insights you gather in a meaningful way can overwhelm even well-prepared teams.

It’s no surprise that SIEMs (Security and Information Management Systems) often act as the nerve centre of enterprise security systems, and are a key part of a successful IT security strategy. But with everything going digital, the usage data that companies have to collect, store and digest is rapidly getting out of hand – so much so that organisations must either continually increase their SIEM budgets or else risk missing high-impact malicious activity. Also keep in mind that SIEMs are mainly good at producing analysis and reports, not at improving the baseline and foundation they build on: logs.

Optimising your SIEM (whether to save costs or improve your security operation’s efficiency) is most easily and effectively done by also optimising your log management. Implementing a few key best practices will help you achieve huge immediate and long-term improvements, which will be realised both in your SIEM operation and in other areas such as compliance audits and – more generally – in making your SOC (Security Operations Center) team’s life easier.

Top 8 best practices:

1. Avoid compatibility issues; your analytics can only be as good as the data you work from: Since most networks are very diverse, when choosing a log management tool, pick one with wide platform and log source support (including, but not limited to, syslog formats, plain text files, database sources such as SQL and Oracle, and SNMP traps).

2. Extract the valuable information from logs and feed your SIEM a reduced amount of log data: Your “SIEM-feeding” tool should also be able to process and provide both structured and unstructured data, and have transformation features like filtering, parsing, rewriting and classifying at its disposal. With such a feature set, you only need to forward the most valuable information and can thus significantly reduce your event-based SIEM licensing cost (real-world use cases show up to 40% savings in 1 year), or provide an enriched and reformatted log stream for easier analysis.

3. Ensure regulatory compliance with your default log collection and storage: Transformation features like anonymisation and pseudonymisation are important to comply with international data handling and privacy standards like PCI-DSS, HIPAA and the upcoming GDPR in the European Union.
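Items 2 and 3 describe the filter-and-pseudonymise step that sits between the log sources and the SIEM without showing it. The following added example (not the article's or any vendor's code) sketches that step in Python: it parses constructed syslog lines, drops routine cron/systemd chatter so it never counts against a per-event licence, replaces user names with keyed HMAC pseudonyms that still correlate across events, forwards anything it cannot parse rather than losing it, and reports the volume reduction. The sample lines, the regexes and the key are assumptions.

```python
import hashlib
import hmac
import re
# Constructed sample syslog (RFC 3164 style) lines standing in for a raw host feed.
RAW_LOGS = [
    "Mar 11 10:00:01 web01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Mar 11 10:00:02 web01 cron[1102]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 11 10:00:03 web01 sshd[2240]: Failed password for bob from 203.0.113.9 port 40011 ssh2",
    "Mar 11 10:00:04 web01 systemd[1]: Started Session 42 of user alice.",
    "Mar 11 10:00:05 web01 cron[1103]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 11 10:00:06 web01 sudo[2250]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
DROP_PROGRAMS = {"cron", "systemd"}  # routine chatter that should not consume SIEM licence capacity
# Where user names appear in the messages we keep (sshd and sudo formats used in the sample).
USER_PATTERNS = [re.compile(p) for p in (r"(?<=\bfor )\w+", r"^\w+(?= : TTY=)", r"(?<=/home/)\w+")]
PSEUDONYM_KEY = b"example-key-not-for-production"  # hypothetical; keep it outside the code and the SIEM

def parse(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def pseudonymise(name):
    # Keyed and deterministic: the same user maps to the same token, so events still correlate.
    return "user-" + hmac.new(PSEUDONYM_KEY, name.encode(), hashlib.sha256).hexdigest()[:12]

def transform(event):
    for pat in USER_PATTERNS:
        event["msg"] = pat.sub(lambda m: pseudonymise(m.group(0)), event["msg"])
    return event

def reduce_feed(lines):
    # Return the events worth forwarding: parsed, filtered, and rewritten.
    kept = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            # Never silently drop what we cannot parse; forward it raw for inspection.
            kept.append({"prog": "unparsed", "msg": line})
            continue
        if ev["prog"] in DROP_PROGRAMS:
            continue
        kept.append(transform(ev))
    return kept

def reduction_ratio(lines):
    return 1 - len(reduce_feed(lines)) / len(lines)
```

On the six constructed lines the filter forwards three events, a 50% reduction, and no clear-text user name reaches the SIEM.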

4. Compress your log messages: It’s also worth noting that both internet and intranet network bandwidth can vary greatly, so your log management tool should be able to work even in very bandwidth-limited situations. Compressing log messages on the fly can radically reduce bandwidth consumption and make your central log collection faster, which also results in faster response to potential security or operational risks.

5. Be sure you’re losing no more than exactly zero log messages: What if you lose a single log message? Probably nothing happens, unless it happened to be the only sign of an ongoing data breach. Message-loss prevention features like buffering, failover destination support, message rate control and application-level acknowledgement are very important. Be sure that nothing gets lost as a result of a temporary failure of your logging infrastructure, or because it isn’t up to the task.

6. Rich functionality should be accompanied by highly scalable and reliable performance: Specialised tools with robust architectures can handle traffic ranging from just a few hundred to hundreds of thousands of events per second. There are a lot of moving parts, dependencies and variables here, but generally speaking, unless you’re web-scale, you shouldn’t have volume-related problems, even with active indexing.

7. Integrate and feed your SIEM with Privileged Activity Monitoring data: Although most user activities leave traces behind in logs, there are several user actions (especially those executed by privileged users through administrative protocols such as SSH or RDP) that cannot be seen in logs or SIEM analytics. By integrating a SIEM with a Privileged Activity Monitoring solution, organisations can analyse the riskiest user activities in real time to help prevent the most costly types of cyber-attacks and privileged account misuse.

8. Prioritise your SIEM alerts: Does your organisation receive too much log data, or too many false-positive SIEM alerts, for immediate investigation by a small, over-taxed security team? The fact is that an average security professional usually has just 7 minutes per SIEM alert to decide whether an APT attack is underway or a user just opened a phishing email. Based on how privileged the user in question happens to be and on the difference between the situational behaviour and the original baseline activity, User Behavior Analytics solutions can pinpoint the riskiest security issues. And that’s exactly why your organisation first launched its SIEM solution: to dramatically reduce the time needed to detect, respond to and investigate potential threats, and to return the enterprise to full security.
