Just like any other security product, a Security Information and Event Management (SIEM) implementation needs some attention every now and then. We all know that a Security Operations Center (SOC) is a crucial function of any organization, and the SIEM is the technology the SOC runs on, so a healthy SIEM is a third of the way to a healthy SOC, right?
Think of a health check of the SIEM like a car MOT. It's one of those tasks which happens at the same time of year, every year. If everything is hunky dory, you pass and don't visit the garage for another 12 months. A SIEM health check is exactly the same. If everything gets a tick in the box, we'll see you next year. If it doesn't, the SIEM isn't necessarily "off the road", but there are advisories which need attending to.
It's surprising how many customers across the globe think they have a fit and healthy SIEM, yet once I get under the hood I find, more often than not, that best-practice fundamentals have been ignored. This is usually unintentional and comes down to a lack of expertise and experience, but it still hinders how the SIEM performs.
I don't think you could ever say a SIEM is complete and has solved the business problem it was originally bought for; there are always improvements to be made. That might be on-boarding that additional complex data source, getting that use case you've never quite managed to fire as designed working, or redesigning the data retention policy to meet new compliance regulations.
The SIEM is paramount to any SOC and, let's be honest, a SIEM isn't pocket change. It needs to be reliable, performant, data rich, resilient, accurate and flexible. With all of that to consider, and with the pressure to keep the SIEM up for the SOC, it's easy to swerve the best practices to meet the demands of the users. An annual health check allows consolidation and realignment to ensure everything is in tip-top shape for the analysts protecting your organization.
Under-performing SIEM -> slower mean time to detect (MTTD) and mean time to respond (MTTR) for security incidents = impact on revenue
Let's not neglect the SIEM. I think that is exactly what is happening across the industry at present. Organizations are always moving towards the latest, greatest and shiniest features, but rarely do we sit back and reflect on what we already have. Nine times out of ten, the customers we visit have issues with the basics, because there is very little time to sit down and analyze an environment which was deployed 24 months ago.
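The "basics" that an annual review usually starts with are the ingestion fundamentals: is every log source still sending, and is it sending roughly the volume it used to? The script below is an added example, not code from the original article and not part of any NTT Security tooling. It assumes the SIEM can export, per log source, the timestamp of the last event received and an events-per-hour figure for the current window and for a healthy baseline period; the source names, thresholds and numbers are constructed sample data.

```python
"""Log-source health check for a SIEM (added example, constructed data).

Flags three common ingestion failures that often go unnoticed for months:
  * a source that has gone silent (the collector, agent or firewall rule broke),
  * a source whose volume has collapsed (partial outage, filtering, licence cap),
  * a source whose volume has surged (debug logging left on, looping device).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SourceStatus:
    name: str
    last_event: datetime      # timestamp of the most recent event from this source
    max_silence: timedelta    # longest acceptable gap before the source is "silent"
    baseline_eph: float       # events per hour during a known-healthy baseline period
    current_eph: float        # events per hour over the most recent check window


def check_source(src: SourceStatus, now: datetime,
                 drop_ratio: float = 0.5, surge_ratio: float = 3.0) -> list[str]:
    """Return a list of findings for one source; an empty list means healthy."""
    findings: list[str] = []

    silence = now - src.last_event
    if silence > src.max_silence:
        findings.append(f"SILENT: last event {silence} ago, limit {src.max_silence}")

    # Compare current volume against the baseline. A source with no baseline
    # (freshly on-boarded) is skipped rather than guessed at.
    if src.baseline_eph > 0:
        ratio = src.current_eph / src.baseline_eph
        if ratio < drop_ratio:
            findings.append(f"VOLUME DROP: {src.current_eph:.0f} eph vs baseline "
                            f"{src.baseline_eph:.0f} eph (ratio {ratio:.2f})")
        elif ratio > surge_ratio:
            findings.append(f"VOLUME SURGE: {src.current_eph:.0f} eph vs baseline "
                            f"{src.baseline_eph:.0f} eph (ratio {ratio:.2f})")
    return findings


def health_check(sources: list[SourceStatus], now: datetime) -> dict[str, list[str]]:
    """Run check_source over every source; keys are source names."""
    return {src.name: check_source(src, now) for src in sources}


def unhealthy(results: dict[str, list[str]]) -> list[str]:
    """Names of sources with at least one finding, sorted for stable reporting."""
    return sorted(name for name, findings in results.items() if findings)


# Constructed sample data: a fixed "now" so the example is reproducible offline.
SAMPLE_NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SOURCES = [
    SourceStatus("dc01-windows-security", SAMPLE_NOW - timedelta(minutes=2),
                 timedelta(minutes=15), baseline_eph=5000, current_eph=4800),
    # Perimeter firewall that stopped forwarding three days ago.
    SourceStatus("fw-edge-01", SAMPLE_NOW - timedelta(days=3),
                 timedelta(minutes=10), baseline_eph=20000, current_eph=0),
    # Proxy still sending, but only a quarter of its usual volume.
    SourceStatus("proxy-01", SAMPLE_NOW - timedelta(minutes=1),
                 timedelta(minutes=5), baseline_eph=8000, current_eph=2000),
    # VPN concentrator someone left in debug logging.
    SourceStatus("vpn-01", SAMPLE_NOW - timedelta(seconds=30),
                 timedelta(minutes=5), baseline_eph=300, current_eph=1200),
]


if __name__ == "__main__":
    report = health_check(SAMPLE_SOURCES, SAMPLE_NOW)
    for name, findings in report.items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:<24} {status}")
    print("unhealthy:", unhealthy(report))
```

The thresholds are deliberately coarse (half the baseline, three times the baseline) so that the check is noisy only when something is genuinely wrong; a real review would tune `max_silence` per source, since a domain controller chatters constantly while a quarterly batch job does not, and would pull the baseline from a period the SOC has already agreed was healthy rather than from last week.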
Fresh eyes are always recommended. Whether you have a part-time, cross-skilled admin or a fully dedicated team with a change-control service wrapped around the environment, they will see different things from an experienced professional services consultant who looks at several environments each week. A new set of eyes on the SIEM also gives you validation and verification that everything is healthy (or, in some instances, that it is not).
As if by magic, your trusted partner NTT Security has developed an in-house maturity model to help you wherever your organization may be on its SIEM journey.