Detection and SIEM methods: Are they all the same at every company? Five Basic best practices.

Written by: Wes DeVault, CISSP

Copyright all rights reserved 2019.

Detection and SIEM (security information and event management) methods: Are they all the same at every company? I am pretty confident that every business is different with regard to how it handles detection. For one thing, it is extremely difficult to know what to watch until you have good baselines and a full IP inventory of what is on the network, including assets a company may have on the internet; these may include items connected to cell modems, etc.

In this article I will outline five basic concepts and general good practices that I have observed at many companies. The information is provided as is, and I place no guarantee or warranty on it. Best practices are just the starting place for most companies and will never cover all the security protections a company might require or need.

The first general best practice: have you secured your SIEM and the data it holds? Do you have good backups, and how much data would you lose if you had to restore from them? I would highly recommend that you turn on MFA (multi-factor authentication) for all logins to your SIEM. If a bad actor can access or manipulate this data, you can end up with no clues and no means of detection. Also document what your retention for backups and SIEM data will be, and be prepared to justify the cost of the storage.

Second, test restores of the system on a regular basis. You would think it would be common sense, but to this day I am shocked at how many unforeseen problems occur because of a lack of testing of the backups and of verifying the media they are stored on.
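A restore test is only meaningful if it compares what came back against what was backed up. The following is an added example (not the article's own code, and not tied to any particular SIEM product): it backs up a constructed sample of SIEM data into a tar archive, records a SHA-256 manifest at backup time, restores into a scratch directory and checks every restored file against the manifest. All paths, file names and sample contents are constructed for the demonstration.

```python
"""Added example (not from the article): a repeatable restore test.

Backs up a constructed sample of SIEM data into a tar archive, records a
SHA-256 manifest of the source, restores the archive into a scratch directory
and checks every restored file against the manifest. All paths and sample data
are constructed for the demonstration.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed stand-in for SIEM data: a couple of event files and a rules file.
SAMPLE_FILES = {
    "events/2019-01-01.log": "ts=2019-01-01T00:00:01Z src=10.0.0.5 action=allow\n",
    "events/2019-01-02.log": "ts=2019-01-02T00:00:07Z src=10.0.0.9 action=deny\n",
    "config/rules.yml": "- name: failed-logins\n  threshold: 5\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large event files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target, refusing members that would escape it."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # Python 3.12+ (and backports)
        except TypeError:  # older Python without the filter argument
            tar.extractall(target)


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare the restored tree with the backup-time manifest."""
    found = build_manifest(restored)
    missing = sorted(k for k in manifest if k not in found)
    corrupt = sorted(k for k in manifest if k in found and found[k] != manifest[k])
    unexpected = sorted(k for k in found if k not in manifest)
    return {"ok": not (missing or corrupt or unexpected),
            "missing": missing, "corrupt": corrupt, "unexpected": unexpected}


def run_restore_test(simulate_bad_media: bool = False) -> dict:
    """Full cycle: write sample data, back it up, restore it, verify the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "siem_data"
        for rel, content in SAMPLE_FILES.items():
            path = source / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
        archive = root / "siem_backup.tgz"
        manifest = create_backup(source, archive)
        restored = root / "restore_target"
        restore_backup(archive, restored)
        if simulate_bad_media:
            # Simulate a damaged restore (bad media, partial write) by altering one file.
            (restored / "events/2019-01-02.log").write_text("garbage\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("damaged restore:", run_restore_test(simulate_bad_media=True))
```

The manifest is the part worth keeping alongside the real backups: a restore that "succeeds" with missing or altered files is exactly the unforeseen problem the article describes, and without a checksum list taken at backup time there is nothing to compare the restored data against.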

Third, turn on logging of changes to your SIEM system; if you have one that does not allow this type of logging, I highly recommend you change to a different product. A system that cannot log its own changes is not much of a log tracking system; just think about that for a few minutes.

Fourth, set up alerts with thresholds that will not inundate your security or IT teams with too many false positives. I would recommend outlining what, how and when to prioritize most alerts, and always have a rule that says if none of the written guidelines apply, ask the manager or CISO.

Fifth, I highly recommend that you prioritize which logs to ingest into the SIEM based on risks to the environment. It still surprises me that when I ask people what they see as their biggest risk, most respond with e-mail phishing attacks. And then I ask, are you collecting logs from your spam or e-mail security system that will give you insight into who and how these attacks are taking place? So many people tell me they did not consider those logs in their scheme for detection.
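The fourth and fifth points fit together: once e-mail security gateway logs are in the SIEM, the question becomes which rule to write over them so that the team sees the campaign rather than one alert per message. The following is an added example (not the article's own code, and not modelled on any real gateway's log format): it parses a constructed key=value log, summarizes who is being targeted and how, and compares a naive per-event rule with a thresholded rule that fires once per sender domain when that domain reaches several distinct recipients inside a short window. Every address, domain, field name and timestamp in `SAMPLE_LOG` is constructed for the demonstration.

```python
"""Added example (not from the article): e-mail gateway logs as a phishing
detection source, with a thresholded campaign rule beside a per-event rule.

The key=value log format and every address in SAMPLE_LOG are constructed for
the demonstration and do not correspond to any real product or organisation.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2019-03-04T08:00:01Z mta=gw1 action=quarantine verdict=phish sender=it-desk@examp1e-corp.test rcpt=alice@example.test subject="Password expires today"
2019-03-04T08:00:05Z mta=gw1 action=quarantine verdict=phish sender=it-desk@examp1e-corp.test rcpt=bob@example.test subject="Password expires today"
2019-03-04T08:00:09Z mta=gw1 action=quarantine verdict=phish sender=it-desk@examp1e-corp.test rcpt=carol@example.test subject="Password expires today"
2019-03-04T08:01:30Z mta=gw1 action=deliver verdict=clean sender=news@vendor.test rcpt=alice@example.test subject="March newsletter"
2019-03-04T08:02:10Z mta=gw1 action=quarantine verdict=spam sender=deals@promo.test rcpt=dave@example.test subject="50% off"
2019-03-04T08:03:00Z mta=gw1 action=quarantine verdict=phish sender=it-desk@examp1e-corp.test rcpt=dave@example.test subject="Password expires today"
2019-03-04T11:45:00Z mta=gw1 action=quarantine verdict=phish sender=ceo@exarnple.test rcpt=alice@example.test subject="Urgent wire"
2019-03-04T11:46:00Z mta=gw1 action=deliver verdict=phish sender=ceo@exarnple.test rcpt=finance@example.test subject="Urgent wire"
"""

# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> dict:
    ts, _, rest = line.partition(" ")
    fields = {k: (inner if raw.startswith('"') else raw)
              for k, raw, inner in FIELD_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def sender_domain(event: dict) -> str:
    return event["sender"].rsplit("@", 1)[1]


def summarise(events: list) -> dict:
    """The 'who and how' view: verdict mix, targeted recipients, sending domains, and
    phishing that the gateway let through."""
    phish = [e for e in events if e["verdict"] == "phish"]
    return {
        "verdicts": Counter(e["verdict"] for e in events),
        "targeted_recipients": Counter(e["rcpt"] for e in phish),
        "sender_domains": Counter(sender_domain(e) for e in phish),
        "delivered_phish": [(e["rcpt"], e["sender"]) for e in phish if e["action"] == "deliver"],
    }


def per_event_alerts(events: list) -> list:
    """Naive rule: one alert per phishing verdict. Noisy during a campaign."""
    return [f"phish to {e['rcpt']} from {e['sender']}" for e in events if e["verdict"] == "phish"]


def campaign_alerts(events: list, min_recipients: int = 3,
                    window: timedelta = timedelta(minutes=10)) -> list:
    """Thresholded rule: one alert per sender domain once it has reached
    min_recipients distinct recipients within a sliding window."""
    alerts, fired = [], set()
    recent = defaultdict(deque)  # domain -> deque of (ts, rcpt) inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["verdict"] != "phish":
            continue
        domain = sender_domain(e)
        q = recent[domain]
        q.append((e["ts"], e["rcpt"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        recipients = {r for _, r in q}
        if len(recipients) >= min_recipients and domain not in fired:
            fired.add(domain)
            alerts.append({"domain": domain, "recipients": sorted(recipients),
                           "first": q[0][0], "last": e["ts"]})
    return alerts


def delivered_phish_alerts(events: list) -> list:
    """Never thresholded: a phishing verdict that was still delivered is always worth a look."""
    return [e for e in events if e["verdict"] == "phish" and e["action"] == "deliver"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarise(evs))
    print(len(per_event_alerts(evs)), "per-event alerts vs", len(campaign_alerts(evs)), "campaign alerts")
    print("delivered phish:", [(e["rcpt"], e["sender"]) for e in delivered_phish_alerts(evs)])
```

On the constructed sample the per-event rule raises six alerts while the campaign rule raises one, naming the spoofed domain and the four people it reached; the delivered phish to `finance@example.test` is kept as its own unthresholded alert because it is the one case where the gateway did not do the work for you. The threshold and window are assumptions to tune against your own baseline, which is the point of the article's fourth practice.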

In conclusion, all companies will have different requirements and risks; however, some basics and a few best practices can really put you ahead when you are doing detection with a SIEM. Also, if you are under attack, protecting your detection and forensic assets and data sources is extremely important! Second, you should have a seasoned, well-trained and capable security professional to help get the basics covered, but also to ensure the detection tasks are prioritized.
