Become a hunter: finding the true value of SIEM.

Posted 25-Aug-2020

Source: resources-business.telus.com/cms/files/files/000/002/301/...

The value of SIEM

When Security Information and Event Management (SIEM) hit the security scene, it was heralded as a breakthrough in threat detection. However, SIEM is just a tool. While initially designed to bring data together for a more comprehensive threat view, it has become, like many other security technology solutions before it, reactive and siloed. SIEM gains its true value when coupled with expertise, becoming one tool in the proactive hunt for actionable intelligence.

SIEM is only as smart as the people analyzing its data.

SIEM is an excellent technology, and it is core to any security architecture. However, on its own, SIEM is still a reactive tool layered on top of other reactive data-generating tools.

For SIEM to deliver on its promise of security analytics that produce actionable intelligence, the technology must be coupled with people. It is people who build the use cases that give SIEM context, people who understand the enterprise environment as a whole, and people who turn that global view into actionable intelligence.

If organizations start from the premise that they have been, or probably will be, breached, reacting is no longer enough. Organizations must become proactive hunters, constantly mining data and seeking insight that inspires action.


Actionable intelligence leads to executable actions: one organization's journey to SIEM value.

A major Canadian retailer had multiple organizations providing segregated pieces of its security, including a reactive SIEM service, intrusion prevention and firewalls. Because the solutions were siloed, the organization's security team struggled to uncover actionable intelligence.

The security team was using the SIEM solution. Its SIEM provider had built rules and correlations that triggered on certain events and generated alerts, which were forwarded to the internal security team.

However, with many of its security technologies managed independently, there was little cohesion between the different providers and the organization, or between the data sources reporting on security posture.

It is an error common to many organizations as their security has evolved: different technologies, going in different directions, with little or no communication between them. Without that interaction a global view is impossible, which makes it hard to mine the data effectively.

The SIEM investment had been made, and the solution was functioning to a degree. But the organization was not realizing its true value, because the internal security team was still in reactive mode rather than hunting proactively.

The retailer partnered with TELUS Security Solutions. TELUS security specialists made some simple changes to consolidate key components of the retailer's security environment. They configured the SIEM solution to report and alert on the things the organization prioritized, and then applied advanced monitoring to the data coming out of it. The outcome was twofold: the TELUS security team could apply threat information to the data, and could wrap that data in the context of the retailer's environment.

With this change the retailer has become a proactive hunter, with a process in which all security alerts, major and minor, are reviewed on a consistent basis. The security team now has a mechanism for taking billions of data points and turning them into actionable intelligence that leads to executable actions.


Advice for aspiring hunters.

In security, defense is important. Collecting data is also important. But hunting is critical: looking for anomalies, understanding their causes, and investigating incidents and events. It is important to have a plan to hunt proactively and respond proactively. TELUS security experts offer three key pieces of advice.

Take a programmatic approach to security.

Maturing along the continuum to actionable intelligence requires a programmatic approach to security; you cannot have one without the other. What does that mean? It means that your security program must be built holistically. Over time, most organizations have added siloed solutions to solve individual problems. Attackers, however, do not take a siloed approach: they look at everything, all tools and processes. Looking at security from a programmatic perspective lets you create an interconnection between tools, processes and people. With that interconnection you can correlate data from your entire infrastructure, whittle it down, and examine specific components to identify real issues with potential impact that were not evident when viewing individual silos.

Take the leap of faith from reactive to proactive.

Security monitoring technologies are reactive by design: they respond to an event or to multitudes of events. Organizations that are serious about security are getting serious about a proactive approach. The irony is that many thought they were being proactive by implementing reactive tools, yet only created more problems in the form of technology silos. Proactive is defined differently now. With the architecture and technologies in place and operating, it is critical to inspect the data coming from the different technologies, to understand what is happening globally in your environment and to hunt for anomalies.

Empower your SIEM solution.

The SIEM solution itself includes:

■ Device monitoring, management and maintenance
■ Security alert notification
■ Device tuning and optimization (understanding false positives)
■ Central log collection
■ Use case development and deployment, created in partnership with the client or business unit
■ Report development and distribution
■ Custom device support

True actionable intelligence comes from advanced monitoring and security analytics: compiling data from the SIEM solution, the customer's environment (e.g. industry, location, political environment) and the wider security picture to determine whether an event is truly a security event. To maximize the value of the SIEM, it is critical to consider:

■ Proactive threat intelligence capabilities for data analytics
■ Proactive research and profiling
■ Log analytics and monitoring
■ Data contextualization
■ The business, its people, technology and processes
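The following Python sketch is an added example, not TELUS code and not part of the original paper. It shows, in working code, what "use case development", "device tuning" and "data contextualization" from the list above amount to, and what the programmatic-approach advice means by correlating data across silos: events from three independently managed tools (IPS, firewall and host authentication logs) are grouped per source/destination pair inside a time window, a known internal scanner is suppressed as tuning, and an asset inventory supplies the business criticality that turns a raw score into a priority. Every IP address, asset record, weight and threshold is a constructed assumption for the example.

```python
"""Cross-source correlation with asset context: a minimal SIEM use case.

Added illustration, not TELUS code. Every event, asset record and
threshold below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset context: what the organization prioritizes.
ASSETS = {
    "10.0.1.5": {"name": "pos-db-01", "criticality": "high", "owner": "retail-ops"},
    "10.0.2.20": {"name": "kiosk-07", "criticality": "low", "owner": "store-it"},
}

# Tuning: an internal vulnerability scanner whose IPS hits are expected noise.
SUPPRESSED_SOURCES = {"10.0.9.9"}

# Constructed events from three siloed tools: IPS, firewall and host auth logs.
EVENTS = [
    {"ts": "2020-08-25T10:00:05", "source": "ips", "src_ip": "203.0.113.7",
     "dst_ip": "10.0.1.5", "detail": "SQL injection signature"},
    {"ts": "2020-08-25T10:00:40", "source": "fw", "src_ip": "203.0.113.7",
     "dst_ip": "10.0.1.5", "detail": "allow tcp/1433"},
    {"ts": "2020-08-25T10:02:10", "source": "auth", "src_ip": "203.0.113.7",
     "dst_ip": "10.0.1.5", "detail": "logon success svc_pos"},
    {"ts": "2020-08-25T10:05:00", "source": "ips", "src_ip": "10.0.9.9",
     "dst_ip": "10.0.2.20", "detail": "SQL injection signature"},
    {"ts": "2020-08-25T11:30:00", "source": "ips", "src_ip": "198.51.100.3",
     "dst_ip": "10.0.2.20", "detail": "SQL injection signature"},
]

# Weight per data source: a successful logon after an attack signature is
# worth more than the signature alone. Values are assumptions.
SOURCE_WEIGHT = {"ips": 1, "fw": 1, "auth": 2}
CRITICALITY_MULTIPLIER = {"high": 3, "medium": 2, "low": 1}
UNKNOWN_ASSET = {"name": "unknown", "criticality": "medium", "owner": "unassigned"}


def severity(score):
    """Map a numeric score to the queue the analyst works from."""
    if score >= 9:
        return "critical"
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def correlate(events, window=timedelta(minutes=10), assets=ASSETS,
              suppressed=SUPPRESSED_SOURCES):
    """Group events by (src, dst), keep those inside the time window that
    opens with the pair's first event, and score the group with asset
    context. Returns findings with the highest-priority item first."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["src_ip"] in suppressed:
            continue  # device tuning: drop known false-positive generators
        by_pair[(ev["src_ip"], ev["dst_ip"])].append(ev)

    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        start = datetime.fromisoformat(evs[0]["ts"])
        in_window = [e for e in evs
                     if datetime.fromisoformat(e["ts"]) - start <= window]
        sources = sorted({e["source"] for e in in_window})
        asset = assets.get(dst, UNKNOWN_ASSET)
        score = (sum(SOURCE_WEIGHT[s] for s in sources)
                 * CRITICALITY_MULTIPLIER[asset["criticality"]])
        findings.append({
            "src_ip": src,
            "asset": asset["name"],
            "owner": asset["owner"],
            "sources": sources,
            "score": score,
            "severity": severity(score),
            "timeline": [f'{e["ts"]} {e["source"]}: {e["detail"]}' for e in in_window],
        })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f'[{f["severity"].upper()}] {f["src_ip"]} -> {f["asset"]} '
              f'({f["owner"]}) sources={f["sources"]} score={f["score"]}')
        for line in f["timeline"]:
            print("   ", line)
```

Run stand-alone it produces two findings. The source that triggered an IPS signature, was allowed through the firewall and then logged on to the high-criticality POS database lands in the critical queue with its three-event timeline attached; an identical IPS signature against a low-value kiosk lands in the low queue; the internal scanner produces nothing. The same IPS event is worth a different response depending on what the other silos saw in the same window and what the target is worth to the business, which is exactly the context a SIEM cannot supply on its own.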


Moving beyond SIEM's technology capabilities.

SIEM falls short of expectations and fails to deliver value when it is used only as a technology. To find the true value of a SIEM investment and to position it as an enabler of proactive hunting, it is important to:

■ Leverage the power of SIEM to build strong use cases that address organizational gaps
■ Understand the output of SIEM and its use cases in order to provide an actionable response
■ Provide advanced monitoring and security analytics that use the data within the context of the organization's security environment

If you are thinking of deploying SIEM technology, or have already deployed it but are struggling to realize the value of actionable intelligence, visit telus.com/SIEM to learn more about our SIEM consulting and management services.