
September 11, 2020


The Case for Managed SIEM

SIEM takes all logs your network switches, servers, routers, firewalls and other systems generate and consolidates them into a single pane of glass view.


One of the first major projects that I was assigned to was a managed SIEM; we were in the process of onboarding a new customer who had just left another managed service provider. The customer was unhappy with their past service provider. "All they did was spit out metrics," the Director of InfoSec confided. In fact, for this company we were the third managed SIEM provider that they had been with.

What is SIEM?

What is SIEM and why do customers choose to subscribe to it? Security Incident and Event Monitoring (SIEM) has become a staple product in the enterprise world for protecting businesses. SIEM takes all of the logs that your network switches, servers, routers, firewalls and other systems generate and consolidates them into a single pane of glass view. From the SIEM, a skilled security analyst can slice and dice that data in hundreds, if not thousands, of different ways to find indicators of compromise on your network.

What are indicators of compromise?

To defend against data breaches on your network, an IT security analyst looks for indicators of compromise: security events that, when stacked, demonstrate with a high degree of confidence that your network has been compromised. Perhaps it starts one weekend with 'failed login' attempts to your VPN, then an escalation in privileged rights on your network. Within the hour, a large volume of your company's sensitive data is transferred offsite to a server on the other side of the world, a known hot spot for cyberespionage. Each of these security events triggers an alert, and each one would have a trained security analyst determining whether it was normal or part of a larger attack.

Rolling out your own SIEM versus a managed service provider

Over a coffee, I had a friend once tell me he was thinking of investing in a SIEM for his mid-size company. He asked me what the cost was to get the infrastructure and run it in-house. I answered that acquiring the infrastructure is easy; it's the setup and monitoring that is challenging for small- and medium-sized companies.

The business case for running SIEM yourself isn't complex: you need at least one highly skilled IT security analyst to monitor and investigate the indicators of compromise. But you can't just have one person monitor the SIEM, or they'll get bogged down, and eventually they'll want to go on vacation. Hackers don't strike during business hours only; you must monitor your systems 24/7, 365 days of the year. If these security events go unnoticed, a skillful hacker will take additional measures to cover their tracks (such as deleting logs or switching user accounts).

Each SIEM is a custom deployment

You can't just throw in a SIEM and expect it to protect your network; it needs to be customized and tuned to report properly on your specific network. While SIEMs come with hundreds of great reporting features at installation, each customer network is different. Each SIEM device needs to go through a 'monitor' stage to identify and baseline normal traffic on your network. Often there are events, applications or misconfigured devices that can generate 'false positives' that look like an indicator of compromise, but in fact it is valid data that needs to be fixed, or 'tuned out' and ignored. This customizing and tuning of your SIEM takes about 45 days, as it needs to run through a full month-end cycle of transactions within your company.
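The stacked indicators described earlier (a burst of failed VPN logins, then an escalation of privileges, then a large offsite transfer within the hour) and the tuning out of known-good events found during the baseline stage can both be expressed as a small correlation rule. The Python below is an added example written for this page; it is not CDW's code nor any SIEM product's rule language. The log lines, user names, addresses, thresholds and the nightly-backup tuning entry are all constructed, and the event kinds and field names are assumptions about a simple log format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data): "<ISO timestamp> <source> <message k=v ...>"
SAMPLE_LOGS = """\
2020-09-05T02:01:10 vpn auth failure user=jdoe src=203.0.113.9
2020-09-05T02:01:14 vpn auth failure user=jdoe src=203.0.113.9
2020-09-05T02:01:19 vpn auth failure user=jdoe src=203.0.113.9
2020-09-05T02:01:25 vpn auth failure user=jdoe src=203.0.113.9
2020-09-05T02:01:31 vpn auth failure user=jdoe src=203.0.113.9
2020-09-05T02:02:03 vpn auth success user=jdoe src=203.0.113.9
2020-09-05T02:20:40 ad group add user=jdoe group=DomainAdmins
2020-09-05T02:45:12 proxy outbound user=jdoe dst=198.51.100.77 bytes=5200000000
2020-09-05T03:10:00 proxy outbound user=backup-svc dst=192.0.2.50 bytes=9000000000
"""

@dataclass
class Event:
    ts: datetime
    source: str
    kind: str          # auth_failure | auth_success | priv_escalation | outbound | other
    user: str
    fields: dict

# Message prefixes mapped to normalised event kinds (an assumed log format, not a vendor's).
KINDS = [("auth failure", "auth_failure"), ("auth success", "auth_success"),
         ("group add", "priv_escalation"), ("outbound", "outbound")]
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_logs(text):
    """Turn raw lines into Event objects; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        ts_s, source, msg = parts
        kind = next((k for prefix, k in KINDS if msg.startswith(prefix)), "other")
        fields = dict(KV_RE.findall(msg))
        events.append(Event(datetime.fromisoformat(ts_s), source, kind, fields.get("user", "?"), fields))
    return events

# Tuning list built during the baseline period: an event matching every listed value is
# known-good and ignored. The nightly backup job below is a constructed entry.
TUNING = [{"kind": "outbound", "user": "backup-svc", "dst": "192.0.2.50"}]

def event_value(ev, key):
    return getattr(ev, key) if key in ("kind", "user", "source") else ev.fields.get(key)

def is_tuned_out(ev, tuning):
    return any(all(event_value(ev, k) == v for k, v in rule.items()) for rule in tuning)

def correlate(events, tuning=TUNING, fail_threshold=5, fail_window=timedelta(minutes=5),
              bytes_threshold=1_000_000_000, stack_window=timedelta(hours=1)):
    """Raise one high-confidence alert per user when the three stages stack in order:
    a burst of failed logins, then privilege escalation, then a large outbound transfer,
    all inside stack_window. Returns the alerts and the events that were tuned out."""
    suppressed = [ev for ev in events if is_tuned_out(ev, tuning)]
    live = sorted((ev for ev in events if not is_tuned_out(ev, tuning)), key=lambda e: e.ts)
    per_user = {}
    for ev in live:
        per_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, evs in per_user.items():
        # Stage 1: at least fail_threshold failed logins inside fail_window
        fails = [e.ts for e in evs if e.kind == "auth_failure"]
        burst_at = None
        for i in range(len(fails)):
            in_window = [t for t in fails[i:] if t - fails[i] <= fail_window]
            if len(in_window) >= fail_threshold:
                burst_at = fails[i]
                break
        if burst_at is None:
            continue
        deadline = burst_at + stack_window
        # Stage 2: privilege escalation after the burst, before the deadline
        esc = [e for e in evs if e.kind == "priv_escalation" and burst_at <= e.ts <= deadline]
        if not esc:
            continue
        # Stage 3: large outbound transfer after the escalation, before the deadline
        big = [e for e in evs if e.kind == "outbound" and esc[0].ts <= e.ts <= deadline
               and int(e.fields.get("bytes", 0)) >= bytes_threshold]
        if not big:
            continue
        alerts.append({"user": user, "confidence": "high",
                       "stages": ["failed_logins", "priv_escalation", "large_outbound"],
                       "first_seen": burst_at, "last_seen": big[0].ts,
                       "destination": big[0].fields.get("dst")})
    return {"alerts": alerts, "suppressed": suppressed}

if __name__ == "__main__":
    result = correlate(parse_logs(SAMPLE_LOGS))
    for a in result["alerts"]:
        print(f"ALERT user={a['user']} confidence={a['confidence']} stages={'>'.join(a['stages'])}")
    print(f"{len(result['suppressed'])} event(s) tuned out as known-good")
```

Each individual line would still raise its own low-level alert in a real SIEM; the point of the stacked rule is that the combination, in that order and inside one window, is what an analyst treats as a high-confidence indicator. The tuning list is the output of the baseline period described above: the backup job's large transfer looks exactly like stage 3 on its own, so it is recorded as known-good rather than investigated every night.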

Benefits of a service provider team and community

Having a skilled team of security analysts behind your SIEM means faster triage and a rapid response to contain a security incident. I have seen firsthand the fast response of a team, coordinating with a customer, as a large database started transferring offsite to a cloud provider. It turns out this single incident was an application developer conducting legitimate business; but it brought about other IT governance issues such as where data should be stored, how it should be 'sanitized' for offsite use, and what security controls need to be in place to safeguard the corporate data hosted in the cloud.

Using a managed SIEM allows for other interesting benefits. Patterns that are unique to malware can be easily seen across multiple customers. Our advanced Security Operations Centre (SOC) has been capturing and contributing specific traffic patterns to vendors and the InfoSec community to help improve detection of new strains/variations of malware such as crypto-locker ransomware. We've also spotted compromised websites, even in Ontario, that redirect customers within seconds to Russia, Romania and China, hidden in the background of a web page. These redirections try to run malicious software against your computer, tablet or phone in the hopes of compromising your device if it isn't up to date.

Respond quickly, respond effectively

Protecting your company from being compromised is challenging in this day and age. Not only do you need layers of defence, you also need to respond quickly and accurately to events that could take down your network. A managed SIEM is now a must-have tool within your security tool belt; it's the fastest way to identify and determine if you have been breached.

Anybody can spit out raw data and metrics, but I believe that CDW's workshops and 'network business insight' reports give you, the customer, actionable items to improve your security posture. Each month our SOC team sits down with customers to discuss events, identify tuning improvements and recommend actions that will harden your network against trending attacks.