Demystifying SIEM Projects: A Holistic Guide to Success in Cybersecurity

Ertugrul Akbas
3 min read · May 14, 2024


When initiating a SIEM project, the first step is to define its objectives and goals. These objectives should be closely linked to business needs. For example, if your company operates within the government sector in the USA, the “M-21-31 MEMORANDUM” must be taken into account.

This memorandum stipulates that logs must be kept live for one year and then archived for 1.5 years. Failing to account for the resulting disk storage cost can lead to vastly different project outcomes. Whether the objective is to provide Security Operations Center (SOC) services or to establish an internal SOC team, guidance from organizations like MITRE can provide a significant advantage: MITRE recommends retaining logs for up to two years. Similarly, compliance with other regulations or laws, and their implications for company operations, are crucial considerations.

Furthermore, the risk of dropped or missing logs, which appears in the OWASP Top 10, should be addressed by aligning ingestion capacity with resources like the SANS EPS calculation table.

Additional factors to consider include predefined correlation rules, adherence to regulations in rule-writing, real-time correlation versus search-based detection, detection as code, and the utilization of ML models. It is essential to ensure that the selected SIEM solution can effectively ingest and process data without dropping or missing crucial information.

Data sources may include logs, network traffic, cloud services logs, custom logs, databases, and more. Exercise caution when filtering SIEM log/data sources, as the data you filter out today may be essential tomorrow. Additionally, estimating the volume and growth rate of generated data is critical. Intelligent data management capabilities of SIEM products must be considered to prevent issues arising from disk cost or managing large volumes of logs.

Deploying a SIEM product should not be a lengthy process. Having both on-premises and cloud support can be advantageous. To ensure smooth installation, prepare a list of approved log sources before commencing the project. Accurately allocate system resources using well-established calculations such as the SANS EPS table. Evaluate the required skills, time, and team resources needed for the project.
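As an added example (not from the article), the retention and disk-sizing arithmetic the preceding paragraphs describe: EPS and average event size give the raw monthly volume, month-over-month growth compounds it, and the one-year live plus 1.5-year archive window, with a per-tier on-disk ratio for each vendor, gives the tier sizes to price. The scenario values, vendor ratios and prices are constructed assumptions; real inputs come from your SANS EPS table and vendor figures.

```python
from dataclasses import dataclass

SECONDS_PER_MONTH = 30 * 24 * 3600  # constructed simplification: 30-day months


@dataclass(frozen=True)
class SizingInputs:
    eps: float              # sustained events per second today (from the EPS table)
    avg_event_bytes: float  # average raw event size in bytes
    monthly_growth: float   # fraction of extra raw data each month, e.g. 0.02
    active_months: int      # "live", searchable retention (12 in the memorandum case)
    archive_months: int     # cold retention after the active tier (18 in that case)
    active_ratio: float     # on-disk bytes per raw byte in the active tier (indexes add overhead)
    archive_ratio: float    # on-disk bytes per raw byte in the archive (compression shrinks it)


def monthly_raw_bytes(inp: SizingInputs, month: int) -> float:
    """Raw bytes ingested in month `month` (0 = first month), compounding growth."""
    return inp.eps * inp.avg_event_bytes * SECONDS_PER_MONTH * (1 + inp.monthly_growth) ** month


def storage_at_end_of_window(inp: SizingInputs) -> dict:
    """Bytes on disk per tier at the end of the full retention window, i.e. the first
    moment both tiers are full: the newest `active_months` months sit in the active
    tier, the `archive_months` before them in the archive. With growth, this is the
    peak the project has to budget for, not the first-year figure."""
    total = inp.active_months + inp.archive_months
    active_raw = sum(monthly_raw_bytes(inp, m) for m in range(inp.archive_months, total))
    archive_raw = sum(monthly_raw_bytes(inp, m) for m in range(0, inp.archive_months))
    return {"active_tb": active_raw * inp.active_ratio / 1e12,
            "archive_tb": archive_raw * inp.archive_ratio / 1e12}


def disk_cost(inp: SizingInputs, usd_per_active_tb: float, usd_per_archive_tb: float) -> float:
    """Disk cost for the window; vendors with different on-disk ratios give different numbers."""
    tiers = storage_at_end_of_window(inp)
    return tiers["active_tb"] * usd_per_active_tb + tiers["archive_tb"] * usd_per_archive_tb


if __name__ == "__main__":
    # Constructed scenario: 2,000 EPS, 600-byte events, 3 % monthly growth, and two
    # hypothetical vendors that differ only in how much disk each raw byte costs them.
    base = dict(eps=2000, avg_event_bytes=600, monthly_growth=0.03,
                active_months=12, archive_months=18)
    vendor_a = SizingInputs(**base, active_ratio=1.5, archive_ratio=0.15)  # heavy indexes
    vendor_b = SizingInputs(**base, active_ratio=0.8, archive_ratio=0.10)  # compressed store
    for name, inp in (("vendor A", vendor_a), ("vendor B", vendor_b)):
        print(name, storage_at_end_of_window(inp), "USD", round(disk_cost(inp, 100.0, 20.0)))
```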

It’s important to recognize that SIEM solutions come with expenses for installation, licensing, and maintenance. Annual license renewal or leasing/subscription expenses may apply, along with hidden system resource costs. Failure to account for these costs can lead to unforeseen budget constraints. For instance, differing disk size requirements between SIEM systems can result in significant disparities in disk costs. The same applies to CPU and RAM usage.

When selecting a product and vendor, support quality is crucial. Consideration should also be given to potential hidden costs, customization capabilities, and speed of the vendor’s services. End users should be wary of false assumptions driven by brand power. For example, platforms like Splunk [1,2,3,4,5] and Microsoft Sentinel [6] may have limitations in real-time detection correlation support.

Other factors to consider include incident management, User and Entity Behavior Analytics (UEBA), scalability, product stability, ease of use, and ease of customization with minimal learning curve. Overall, a comprehensive approach to SIEM project planning is essential for achieving success in cybersecurity endeavors.

References:

1. https://community.splunk.com/t5/Splunk-Search/Real-Time-Search-Issues/m-p/423805

2. https://answers.splunk.com/answers/433872/why-are-real-time-searches-not-running-and-getting.html

3. https://medium.com/@clong/splunk-building-dynamic-lookup-tables-a593261569

4. https://docs.splunk.com/Documentation/Splunk/latest/Search/Realtimeperformanceandlimitations

5. https://answers.splunk.com/answers/671819/real-time-alert-1.html

6. https://docs.microsoft.com/en-us/azure/sentinel/near-real-time-rules
