
How to optimise the performance of SIEMs

11 Mar 2019
Sponsored

With the following best practices, organisations can save up to 30% on their SIEM licensing costs per year, while significantly increasing the performance of their SIEM for faster detection, response and investigation of potential threats and security risks.

Balancing efficiency and cost is key in every organisation. As basically every company has now become an IT company as well, IT departments are especially under tremendous pressure to “do more with less.” With more and more assets going digital, monitoring the health and safety of your information infrastructure and using the insights you gather in a meaningful way can overwhelm even well-prepared teams.

It’s no surprise that SIEMs (Security Information and Event Management systems) often act as the nerve centre of enterprise security systems and are a key part of a successful IT security strategy. But with everything going digital, the usage data that companies have to collect, store and digest is rapidly getting out of hand – so much so that organisations must either continually increase their SIEM budgets or else risk missing high-impact malicious activity. Keep in mind, too, that SIEMs are mainly good at analysis and reporting, not at improving the foundation they are built on: the logs.

Optimising your SIEM (whether to save costs or improve your security operation’s efficiency) is most easily and effectively done by also optimising your log management. Implementing a few key best practices will help you achieve huge immediate and long-term improvements, which will be realised both in your SIEM operation and in other areas such as compliance audits and – more generally – in making your SOC (Security Operations Center) team’s life easier.

Top 8 best practices:

1. Avoid compatibility issues: your analytics can only be as good as the data you work from. Since most networks are very diverse, when choosing a log management tool, pick one with broad platform and log source support (including, but not limited to, syslog formats, plain text files, databases such as SQL and Oracle, and SNMP traps).

2. Extract the valuable information from logs and feed your SIEM a reduced amount of log data: Your “SIEM-feeding” tool should also be able to process and provide both structured and unstructured data, and should offer transformation features such as filtering, parsing, rewriting and classification. With such a feature set, you only need to forward the most valuable information and can thus significantly reduce your event-based SIEM licensing cost (real-world use cases show up to 40% savings in one year), or provide an enriched and reformatted log stream for easier analysis.

3. Ensure regulatory compliance with your default log collection and storage: Transformation features like anonymisation and pseudonymisation are important for complying with international data handling and privacy standards like PCI-DSS, HIPAA and the upcoming GDPR in the European Union.

4. Compress your log messages: It’s also worth noting that both internet and intranet network bandwidth can vary greatly, so your log management tool should be able to work even in very bandwidth-limited situations. Compressing log messages on the fly can radically reduce bandwidth consumption and make your central log collection faster, which in turn means a faster response to potential security or operational risks.

5. Be sure you’re losing no more than exactly zero log messages: What if you lose a single log message? Probably nothing happens, unless it happened to be the only sign of an ongoing data breach. Message-loss prevention features like buffering, failover destination support, message rate control and application-level acknowledgement are very important. Be sure that nothing gets lost as a result of a temporary failure of your logging infrastructure, or because it isn’t up to the task.

6. Rich functionality should be accompanied by highly scalable and reliable performance: Specialised tools with robust architectures can handle traffic ranging from just a few hundred logs per second up to hundreds of thousands of events per second. There are a lot of moving parts, dependencies and variables here, but generally speaking, unless you’re web-scale, you shouldn’t have volume-related problems, even with active indexing.

7. Integrate and feed your SIEM with Privileged Activity Monitoring data: Although most user activities leave traces behind in logs, there are several user actions (especially those executed by privileged users through administrative protocols such as SSH or RDP) that cannot be seen in logs or SIEM analytics. By integrating a SIEM with a Privileged Activity Monitoring solution, organisations can analyse the riskiest user activities in real time to help prevent the most costly types of cyber-attacks and privileged account misuse.

8. Prioritise your SIEM alerts: Does your organisation receive too much log data or too many false-positive SIEM alerts for immediate investigation by a small, over-taxed security team? The fact is that an average security professional usually has just 7 minutes per SIEM alert to decide whether an APT attack is underway or a user just opened a phishing email. Based on how privileged the user in question happens to be and on the difference between their situational behaviour and their baseline activity, User Behavior Analytics solutions can pinpoint the riskiest security issues. And that’s exactly why your organisation first launched its SIEM solution: to dramatically reduce the time needed to detect, investigate and respond to potential threats, and to return the enterprise to full security.
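As an added illustration of practices 2 and 3 (this is example code written for this page, not code from the article or from any vendor's product), the following Python script implements a small “SIEM-feeding” pre-processor: it parses BSD-syslog style lines, drops noise (cron and debug chatter), classifies what remains, and pseudonymises usernames and IP addresses with a keyed HMAC so that the forwarded stream is both smaller and free of raw identifiers. The sample log lines, the noise rules and the pseudonymisation key are all constructed for the example.

```python
import hashlib
import hmac
import json
import re
from collections import Counter

# Constructed sample input (BSD-syslog style lines); not taken from any real system.
SAMPLE_LOGS = [
    "Mar 11 09:15:01 web01 CRON[2231]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 11 09:15:03 web01 sshd[4410]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2",
    "Mar 11 09:15:05 web01 sshd[4412]: Accepted publickey for alice from 203.0.113.7 port 50022 ssh2",
    "Mar 11 09:15:06 app01 myapp[910]: DEBUG cache hit ratio 0.93",
    "Mar 11 09:15:08 app01 sudo[915]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart myapp",
    "Mar 11 09:15:09 web01 CRON[2235]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Parser for "<Mon DD HH:MM:SS> <host> <app>[pid]: <message>" (assumed input format).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SSH_USER_RE = re.compile(r"\bfor (?:invalid user )?(\S+) from\b")
SUDO_USER_RE = re.compile(r"^(\S+) : ")

# Constructed noise rules: what is dropped before it ever reaches the SIEM.
NOISY_APPS = {"CRON"}
NOISY_PREFIXES = ("DEBUG",)


def parse(line):
    """Return a dict of syslog fields, or None if the line does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def is_noise(ev):
    return ev["app"] in NOISY_APPS or ev["msg"].startswith(NOISY_PREFIXES)


def classify(ev):
    """Attach a coarse event class so the SIEM can rule on it without re-parsing."""
    app, msg = ev["app"], ev["msg"]
    if app == "sshd" and msg.startswith("Failed password"):
        return "auth_failure"
    if app == "sshd" and msg.startswith("Accepted"):
        return "auth_success"
    if app == "sudo":
        return "privilege_use"
    return "other"


def pseudonym(value, key):
    """Keyed, deterministic token: same input gives the same token under one key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def pseudonymize(ev, key):
    """Replace the acting username and any IPv4 address in the message body."""
    msg = ev["msg"]
    user = None
    for rx in (SSH_USER_RE, SUDO_USER_RE):
        m = rx.search(msg)
        if m:
            user = m.group(1)
            break
    if user:
        msg = re.sub(r"\b" + re.escape(user) + r"\b", "user_" + pseudonym(user, key), msg)
    msg = IPV4_RE.sub(lambda m: "ip_" + pseudonym(m.group(0), key), msg)
    return {**ev, "msg": msg}


def reduce_for_siem(lines, key):
    """Filter, classify and pseudonymise; return the events to forward plus volume stats."""
    forwarded = []
    stats = Counter(received=0, dropped_unparsed=0, dropped_noise=0)
    for line in lines:
        stats["received"] += 1
        ev = parse(line)
        if ev is None:
            stats["dropped_unparsed"] += 1
            continue
        if is_noise(ev):
            stats["dropped_noise"] += 1
            continue
        ev["class"] = classify(ev)
        forwarded.append(pseudonymize(ev, key))
    stats["forwarded"] = len(forwarded)
    total = stats["received"]
    stats["reduction_pct"] = round(100.0 * (1 - len(forwarded) / total), 1) if total else 0.0
    return forwarded, dict(stats)


def to_jsonl(events):
    """Structured output for the SIEM: one JSON object per line."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    events, stats = reduce_for_siem(SAMPLE_LOGS, b"constructed-demo-key")
    print(to_jsonl(events))
    print(stats)
```

Because the pseudonyms are keyed HMACs, the same user yields the same token across events, so correlation in the SIEM still works, while the mapping can only be reversed by whoever holds the key. Rotating the key breaks cross-period correlation, which is a trade-off to decide on before deployment rather than after.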

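To make practice 5 concrete, here is an added Python example (again example code for this page, not the article's or any product's code) of a forwarder that buffers messages, applies a token-bucket rate limit, removes a message from the buffer only after the destination has acknowledged it, and falls back to a failover collector when the primary is down. The collectors are constructed stand-ins (callables that return True as the acknowledgement or raise DeliveryError), and the clock is faked so the rate limiter can be exercised without sleeping; a real deployment would persist the buffer to disk so it survives a restart of the forwarder itself.

```python
import collections
import time


class DeliveryError(Exception):
    """Raised by a destination callable when it cannot accept a message."""


class ReliableForwarder:
    """Buffer messages, deliver them under a rate limit, and drop a message from
    the buffer only once a destination has acknowledged it. If the primary
    destination fails, the failover destination is tried for the same message."""

    def __init__(self, primary, failover, max_buffer=10000, max_rate=500.0,
                 clock=time.monotonic):
        self.destinations = [primary, failover]
        self.buffer = collections.deque()
        self.max_buffer = max_buffer
        self.max_rate = max_rate          # messages per second (token bucket)
        self.clock = clock
        self.tokens = float(max_rate)
        self.last_refill = clock()
        self.stats = {"accepted": 0, "rejected_full": 0, "delivered": 0,
                      "via_failover": 0, "stalled": 0}

    def submit(self, msg):
        """Accept a message into the buffer; refuse (so the caller can apply
        back-pressure or spool to disk) instead of silently dropping it."""
        if len(self.buffer) >= self.max_buffer:
            self.stats["rejected_full"] += 1
            return False
        self.buffer.append(msg)
        self.stats["accepted"] += 1
        return True

    def _take_token(self):
        now = self.clock()
        self.tokens = min(self.max_rate,
                          self.tokens + (now - self.last_refill) * self.max_rate)
        self.last_refill = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def flush(self):
        """Deliver from the head of the buffer; return the number delivered.
        A message is removed only after a destination returns True (its ack)."""
        sent = 0
        while self.buffer and self._take_token():
            msg = self.buffer[0]
            acked = False
            for index, dest in enumerate(self.destinations):
                try:
                    acked = dest(msg) is True
                except DeliveryError:
                    acked = False
                if acked:
                    if index > 0:
                        self.stats["via_failover"] += 1
                    break
            if not acked:
                # Every destination is down: keep the message, return the token
                # and stop; the next flush() retries from the same message.
                self.tokens += 1.0
                self.stats["stalled"] += 1
                break
            self.buffer.popleft()
            self.stats["delivered"] += 1
            sent += 1
        return sent


class FakeClock:
    """Deterministic clock so the rate limiter can be tested without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def make_flaky_destination(failures_before_ok):
    """Constructed stand-in for a collector that rejects its first N messages."""
    state = {"calls": 0}

    def dest(msg):
        state["calls"] += 1
        if state["calls"] <= failures_before_ok:
            raise DeliveryError("collector unavailable")
        return True
    return dest


def simulate(n_messages=8, max_rate=5.0, primary_failures=2):
    """Constructed scenario: 5 msg/s limit, a primary that is down for its first
    two attempts, and an always-available failover collector."""
    clock = FakeClock()
    fwd = ReliableForwarder(make_flaky_destination(primary_failures),
                            lambda msg: True, max_rate=max_rate, clock=clock)
    for i in range(n_messages):
        fwd.submit(f"event-{i}")
    first = fwd.flush()          # only max_rate tokens are available at t=0
    clock.advance(1.0)
    second = fwd.flush()         # bucket refilled, the remainder goes out
    return first, second, len(fwd.buffer), dict(fwd.stats)


if __name__ == "__main__":
    print(simulate())
```

The two design points worth copying are that the buffer is bounded and refuses new input when full (a silent drop is exactly the loss the practice warns about, whereas a refusal is visible to the producer and can be metered), and that the token is handed back when every destination is down, so a stalled collector throttles delivery attempts rather than burning through the rate budget with failures.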