If you’re drowning in logs from firewalls, network switches, Wi-Fi routers and everything that goes with them, then your SIEM suite (Security Information and Event Management) isn’t doing its job. The events it ingests should be refined into a manageable set of alerts; but, despite the increasing use of machine learning, security teams still aren’t getting the most out of their SIEMs.
Management is essential. If you set the SIEM up and never come back to it, you might as well not have deployed it in the first place. You have to define roles and policies across both the log management layer (what is collected, from where, and how it is stored) and the correlation layer (which combinations of events raise an alert). You also have to tune them over time so that the two layers work together to reduce false positives.
Assign responsibility explicitly to the people who will review the SIEM reports, act on what they find, and put the required policies in place.
When curating your system, you have to understand the size, frequency and behavior of your log data. This means knowing where it comes from and how it is delivered. You should also identify your goals for implementing a SIEM: understanding what you want it to do for your organization will help you define the policies and procedures you will need to follow.
This also matters because it determines how you retain your log data.
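The two layers described above can be shown side by side: a log-management step that profiles volume per reporting device, and a correlation rule whose threshold, window and allow-list are the knobs a team tunes to cut false positives. This is an added example, not code from the original article; the firewall log format, the device names and the addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall/switch log lines (syslog-like); not from any real device.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22
2024-03-01T10:00:12 fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22
2024-03-01T10:00:25 fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22
2024-03-01T10:00:40 fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22
2024-03-01T10:01:03 fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22
2024-03-01T10:00:05 fw02 DENY src=10.0.5.20 dst=10.0.0.8 dport=22
2024-03-01T10:00:15 fw02 DENY src=10.0.5.20 dst=10.0.0.8 dport=22
2024-03-01T10:00:30 fw02 DENY src=10.0.5.20 dst=10.0.0.8 dport=22
2024-03-01T10:00:45 fw02 DENY src=10.0.5.20 dst=10.0.0.8 dport=22
2024-03-01T10:01:00 fw02 DENY src=10.0.5.20 dst=10.0.0.8 dport=22
2024-03-01T10:05:00 sw01 ALLOW src=198.51.100.9 dst=10.0.0.9 dport=443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(lines):
    """Normalise raw lines into event dicts; lines that do not match are dropped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, action, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "action": action, "src": src, "dst": dst, "dport": int(dport)})
    return events

def profile_sources(events):
    """Log-management layer: event count per reporting device (size and frequency)."""
    return dict(Counter(e["host"] for e in events))

def denied_bursts(events, threshold=5, window=timedelta(minutes=2), allowlist=frozenset()):
    """Correlation layer: flag (src, dst) pairs with >= threshold DENYs inside `window`.
    `allowlist` holds known-benign sources (e.g. an internal scanner) tuned out as false positives."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "DENY" and e["src"] not in allowlist:
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    alerts = []
    for (src, dst), times in by_pair.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append((src, dst))
                break
    return alerts
```

Running `denied_bursts(parse(SAMPLE_LOGS))` raises two alerts; adding the internal host 10.0.5.20 to the allow-list leaves only the external source, which is the kind of tuning decision the article says must be revisited over time.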
SIEMs need specialized attention, which is why a dedicated team should own content development and help automate workflows. Instead of pulling a lot of reports all at once, start with tailored, specific reports that answer your own questions.
Collecting specific data lets you tweak and optimize the reports built on it.
In this world of data collection, data science and data management, being able to trust the information you have gathered and curated is paramount to understanding the needs of your specific market and scope.