By Nicolai Zerlang, Marketing Manager, LogPoint
This post describes initiatives and processes that increase the organizational benefit of a SIEM solution before, during and after implementation. For a successful implementation, it is crucial to recognize that a SIEM solution adds the most value when it enhances the interaction between people, technology and processes; the technology alone detects nothing unless someone owns the data sources, the use cases and the response.
1. Understanding the need
First of all, it is important to ensure that stakeholders are engaged and that everyone is aligned regarding the goals and expectations for the final solution. Once the overall architecture has been agreed upon, an iterative process should continuously define the scope, including the creation of specific and detailed use cases (which threats or compliance requirements a rule addresses, which log sources it needs, and who acts on the alert). Remember to involve all relevant stakeholders, such as management, system owners and security analysts, in these activities. The implementation of a SIEM solution will enable new business processes and will change existing processes within the organization, e.g. compliance reporting. Consequently, the enterprise should have a plan ready for how to integrate the new workflows and the information that was not previously accessible.
2. Secure sufficient resource allocation
To gain maximum value from the SIEM solution, appropriately skilled resources should be allocated to support both the implementation and the ongoing operation. Events and alerts from the SIEM solution should be triaged and mapped to the ISMS and enterprise risk management systems, so that a security analyst can assess and investigate them with the business impact already understood. It is therefore also suggested that you spend resources on training your personnel in the deployed solution. Training is often provided by the chosen vendor or through a certified partner.
3. All key systems should be supported by the SIEM solution
To avoid information gaps and missing data, it is crucial that all key systems are integrated with the SIEM solution; a use case can only detect what its log sources actually report. Involving system owners and other stakeholders from the beginning of the implementation increases organizational support. When initially determining requirements for the SIEM solution, management should listen to the current and future stakeholders of the implementation and make sure their needs are met in the final solution. Additionally, many companies will be able to find requirements within their current ISMS and enterprise risk management systems, which can serve as the starting point for valuable use cases.
4. Handling of events and alerts
Establish an integrated incident response program connecting the SIEM solution to the rest of the organization. If not already established, it is recommended that there is a defined process for handling the alerts and events generated by the SIEM solution: who receives an alert, how it is triaged, and when it is escalated. Ignoring alerts or events could mean, for example, that security incidents go undetected or that sensitive data is lost.
5. Cross-organizational utilization of the solution
SIEM events can lead to investigations across systems within the organization. The security analyst will often lack deep knowledge of every system domain, and will therefore need resources from different departments to explain the systems involved and engage in the further investigation. This also means that management has to make sure that IT security (the SIEM solution owners) has the appropriate authority to influence the IT infrastructure going forward. An example of this could be that any new application accepted into the IT infrastructure must also be onboarded to the SIEM solution, with its logs forwarded and covered by the relevant use cases. This requires a new approach to IT governance in which security analytics becomes a part of every decision about the IT infrastructure.
6. Continuous tuning of reports, alerts and dashboards
To ensure the relevance, effectiveness and accuracy of the SIEM deliverables, the system should be integrated with the company's change management processes. Changes in the IT infrastructure can have a significant impact on SIEM functionality (a renamed host, a changed log format or a decommissioned server can silently break a rule), and use cases should be continuously refined in order to stay relevant. Failure to tune the SIEM solution continuously could lead to false positives, missed events and crucial systems missing from the monitored IT infrastructure, which in turn reduces organizational support for the SIEM and results in a loss of asset value to the company.
Final recommendations
These governance considerations are a good beginning for absorbing your SIEM solution into the rest of the organization, and vice versa. No two enterprises are alike, and thus the solution should adapt to your current (and future) organizational workflow, governance and infrastructure. This will ensure relevance and engagement, and ultimately increase the organizational support for the SIEM solution.