SIEM

SIEM Data Onboarding - Overview of a successful SIEM

A Security Information and Event Management (SIEM) platform is crucial to any business that is serious about its cyber security posture. There are many SIEM platforms, such as Elastic SIEM and Splunk. A SIEM ingests logs from across the environment, correlates them, and provides real-time analysis and alerting on events generated by network devices, applications, and endpoints.

The weak point of any SIEM is that it is only as good as the logs onboarded into it. A detection cannot fire on an event that was never collected, so a SIEM without the logs from the network, applications, and endpoints is not useful at all.

Here are a few best practices to help you think about how and what to collect.

1. Sources. Know thy enemy. Start from the detections you intend to run in your SIEM and collect the log sources those detections need. This keeps the team focused on onboarding exactly what is needed, and it brings us to the next point. We recommend using MITRE ATT&CK and threat intelligence assessments to work out which adversaries target your business and which of their TTPs pose the greatest risk; the log sources that expose those TTPs are the ones to onboard first.

2. Don’t onboard everything! Collecting ‘everything’ from the environment is a bad idea. It drives up ingest and storage cost, and it leads to alert fatigue for the analysts whose job it is to review the security alerts. Noise also makes it harder to find the needle in the haystack.

3. Methods. Vendors such as Elastic have made log collection much easier than it was even five years ago. For endpoints, most SIEMs rely on an agent such as the Elastic Agent (or Splunk’s universal forwarder). For application logs, Splunk offers the HTTP Event Collector (HEC), an HTTPS endpoint that accepts JSON events directly from the application. Cloud logs such as AWS CloudTrail can be collected directly through Elastic’s AWS integrations or by pulling them from S3 buckets. Anything outside of these, network devices in particular, is harder. The usual fallback is to send the logs over the syslog protocol to a syslog server, and this is where to be careful: syslog over UDP is fire-and-forget with no acknowledgement, so a collector restart, a full buffer, or a network blip drops messages silently, and some network devices support nothing else. A syslog tier is therefore at best ‘mostly available’. Since the protocol itself cannot provide high availability, SIEM vendors have at least tried to make the syslog tier easier for security engineers to run. Splunk released Splunk Connect for Syslog (SC4S), a containerised, syslog-ng based collector that forwards to Splunk over HEC, and we recommend it if you are a Splunk shop.

4. Ensure that the logs are parsed and normalized into a common schema, e.g. the Common Information Model (CIM) in Splunk or the Elastic Common Schema (ECS) in Elastic. A detection written against normalized fields such as user, src, and action then works across every source that maps to them, instead of needing one search per log format.

5. Detection engineering. Don’t reinvent the wheel: many detections are already written and maintained by Splunk, Elastic, and the Sigma community. Deploy detections the way you would deploy any other change. Have a testing, implementation, and backout plan for every detection search, and run each search against known-good and known-bad sample data before it goes live.
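To make points 4 and 5 concrete, here is an added example (not code from the original post, Splunk, Elastic, or the Sigma project) that normalizes two constructed log formats, an sshd syslog line and a JSON application log, into CIM Authentication-style fields (action, user, src, dest, app, _time) and then runs one brute-force detection over the combined, normalized stream. The log lines, host names, and IP addresses are constructed for the example; the regular expression, the assumed year and UTC zone for BSD syslog timestamps, and the thresholds are this example’s choices, not a vendor’s.

```python
"""Normalize raw logs from two sources into one field set, then detect.

Added example, not from the original post, Splunk, Elastic or the Sigma
project. Field names (action, user, src, dest, app, _time) follow the
Splunk CIM Authentication data model; the raw lines below are constructed.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input: three sshd syslog lines and two JSON app-log lines.
RAW_SYSLOG = [
    "May  1 12:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "May  1 12:00:03 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "May  1 12:00:05 web01 sshd[2214]: Accepted password for alice from 198.51.100.7 port 51240 ssh2",
]
RAW_APP = [
    '{"ts":"2024-05-01T12:00:07+00:00","app":"portal","outcome":"failure","user":"admin","client":"203.0.113.5"}',
    '{"ts":"2024-05-01T12:00:09+00:00","app":"portal","outcome":"success","user":"admin","client":"203.0.113.5"}',
]

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def _syslog_time(mon: str, day: str, hms: str, year: int = 2024) -> float:
    """BSD syslog timestamps carry no year or zone; this example assumes
    the year and UTC (an assumption, not something the log tells us)."""
    dt = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def normalize_sshd(line: str) -> dict | None:
    """Map an sshd auth line to the common field set; None for lines we do not model."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "_time": _syslog_time(m["mon"], m["day"], m["time"]),
        "action": "success" if m["result"] == "Accepted" else "failure",
        "user": m["user"], "src": m["src"], "dest": m["host"], "app": "sshd",
    }


def normalize_app(line: str) -> dict:
    """Map the JSON application log to the same field set."""
    rec = json.loads(line)
    return {
        "_time": datetime.fromisoformat(rec["ts"]).timestamp(),
        "action": rec["outcome"],
        "user": rec["user"], "src": rec["client"], "dest": rec["app"], "app": rec["app"],
    }


def normalize_all(syslog_lines, app_lines) -> list[dict]:
    events = [e for e in map(normalize_sshd, syslog_lines) if e]
    events += [normalize_app(line) for line in app_lines]
    return sorted(events, key=lambda e: e["_time"])


def detect_bruteforce(events: list[dict], threshold: int = 3, window_s: int = 300) -> list[dict]:
    """Flag a source with >= threshold failures inside window_s seconds; raise the
    severity if the same source then succeeds inside the window. The rule reads
    only normalized fields, so it covers every source mapped to them."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["action"] == "failure"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["_time"] - first["_time"] <= window_s]
            if len(burst) >= threshold:
                end = burst[-1]["_time"]
                success = next((e for e in evs if e["action"] == "success"
                                and end <= e["_time"] <= first["_time"] + window_s), None)
                alerts.append({
                    "rule": "auth_bruteforce", "src": src, "failures": len(burst),
                    "apps": sorted({f["app"] for f in burst}),
                    "severity": "high" if success else "medium",
                    "succeeded_as": success["user"] if success else None,
                })
                break  # one alert per source per window
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(normalize_all(RAW_SYSLOG, RAW_APP)):
        print(json.dumps(alert))
```

The three failures come from two different log formats and are only correlated because both were normalized to the same src and action fields; that is the practical payoff of point 4. Running the rule over a fixture of known-bad and known-good lines like these, and again after every change to a parser or a threshold, is the testing step of point 5: a broken field extraction then fails the test instead of silently muting the detection.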