SIEM – Don’t Set It and Forget It
You invested in a SIEM. Not just any SIEM, but the AlienVault® Unified Security Management® (USM) platform. You chose AlienVault for its multiple security capabilities, including threat detection, incident response, and compliance management across all your environments.
The professional services team completed the initial configuration, then tested and deployed your SIEM. You are on your own now.
Or are you?
You can manage your SIEM on your own, but is this the most logical choice? Does your team have the dedicated time and expertise required to manage and optimize the platform? Besides the daily management, will you optimize the entire AlienVault USM to maximize your investment?
SIEM is not a Set It and Forget It Platform.
You may be getting reports and alerts, and of course you check on them when you are notified. But there is more to SIEM management and optimization. Being reactive is a good first step, but to optimize your SIEM’s effectiveness, it must be monitored and continually tuned. Triggered events or alarms require prompt and thorough investigation to determine whether they are valid. This takes dedicated cybersecurity knowledge and expertise to perform properly. Your SIEM’s performance and accuracy improve through dedicated daily monitoring by an experienced network security engineer or IT administrator.
Properly managing a SIEM is a part-time job.
The more complex your environment, the more challenging continuous monitoring of your SIEM becomes. Networks are dynamic, new apps are being added every day by marketing and research departments, sales and executive teams are bringing their own devices (BYOD), and on top of that, there are new compliance requirements being mandated on a continuous basis.
Alert Fatigue is Real
Many organizations purchase a SIEM and rely on in-house IT administrators, analysts, or other IT staff who may not be prepared to handle all the data that comes along with a SIEM. Based on a recent study by Fidelis Cybersecurity on the State of the SOC (Security Operations Center), security professionals are overwhelmed by the sheer volume of alerts and investigations that require their attention.
Alert fatigue syndrome is a real issue, and it has resulted in security analysts not responding to security alerts because they are flooded with so many of them.
Managing Your SIEM
Picking the right technology is an important first step in defending your organization's data. Equally important is having trained and experienced security engineers and analysts managing and optimizing the tools.
Organizations have a few choices: they can rely on internal staff to manage the SIEM, they can partner with a Managed Security Services Provider (MSSP) to manage all of their security needs, or they can meet in the middle. This middle option is called co-managed security services.
Here are pros and cons of these three SIEM management options:
Internal staff: The big benefit is pre-established trust and institutional knowledge. Internal IT staff know the ins and outs of the organization’s network. Problems arise when they wear too many hats: while they are tasked with monitoring security alerts, they are often stretched thin by their workload and can only devote a small amount of time to tuning and monitoring the SIEM. On top of the expertise required to analyze SIEM alerts, there is a learning curve. If an internal employee is trained to manage the SIEM and then leaves, it’s back to square one.
Fully Managed SIEM with an MSSP: After a brief onboarding period of working closely with your internal IT staff, the MSSP handles all aspects of your SIEM. The big benefit is a team of security experts dedicated solely to taking care of your security needs. MSSPs don’t get sidetracked with non-security-related tasks, and their staff are trained and paid to handle all of the legwork required to investigate alerts and manage security tools, including a SIEM. Their only role is to maintain, monitor, respond, and report, ensuring your company stays compliant and secure.
However, if you have already invested in a SIEM system, like AlienVault’s USM, and your staff already has a clear handle on certain aspects of the system, a co-managed solution may be a better option.
Co-Managed SIEM with an MSSP: This more customizable option is a service tailored to fill gaps, enhancing and supplementing an organization's internal IT team when it comes to SIEM management. With a USM platform like AlienVault, organizations have already invested thousands of dollars and need to ensure they are getting their return on investment (ROI).
Co-managed SIEM allows for a logical division of labor. Often, internal staff are responsible for activities that require organization-specific knowledge, such as interfacing with business unit staff, defining the monitoring goals, and running internal projects. The co-managed provider may handle all monitoring, reporting, tuning, and daily operations, including incident investigation and response.
Maximize your AlienVault SIEM Investment
Once deployed, SIEM platforms need to be constantly monitored and fine-tuned for your existing environment. Triggered events or alarms need to be investigated regularly, both for security and for system tuning. Sedara, an AlienVault professional services partner, can help bridge the gap by providing a co-managed or fully managed solution. The Sedara team of trained, certified engineers and analysts will take the heavy lift of SIEM management off your team’s shoulders. Sedara can manage the day-to-day, which allows your IT team to focus on your business needs.
Ready to unlock your AlienVault SIEM’s potential?
Contact Sedara Security, an authorized AlienVault Professional Services partner.