Hello. My name is Robert Meyers. I am the Channel Solutions Architect for One Identity, and I am also a privacy professional. Today, we're going to talk about SIEM optimization strategies.
So a security information and event management system is a product that is used to combine security information and security events, correlated in real time, and help you deal with events that occur. It's very simple, it's very important, and a cornerstone of security today. So let's talk about how they actually work.
They collect logs so that they can analyze events. So logs are a little piece of data that's stored for identification of events. The problem is that you start collecting lots of information, and every time you use one you're building up costs. And there are a lot of compliance issues there, because certain bits of data should not be in a publicly accessible or even a restricted access environment.
And you're creating lakes of data, literally huge data lakes like you would use for big data, to ingest and create this analysis. So there's a lot of problems with the way a SIEM works. But at the same time, you really need to be able to control what's happening. So it's not an almost there, it's a necessity today.
When you're talking about this though, think about what's changed in recent days. So the world changed. We all went to work from home as being a new normal. SaaS is currently the standard. IaaS is currently standard. But this has all been additive. Build more, add more. And what that means is there are more logs. Constantly more and more things logging information. And they're coming from everywhere.
So when you're dealing with SIEMs, you have to have a strategy. Now, I brought these into three different categories. There's the basic SIEM, which is the one we normally talk about. A compliance safe SIEM. It's a new concept for a lot of people, but it's really important in today's world. And then there's the data highway. The key here is to use the configuration that your company needs.
So in order to help you do that, I broke them into phases. So phase one, that's where we start. And remember, everything here is phase or iterative. It involves both. Now we've got compliance safe SIEM, that's your phase two. And lastly we have the data highway. That data highway is the next generation.
So in phase one, we're really talking about identifying relevant logs, finding your shortfalls, expanding your log sources. The more logs, the more effective a SIEM is. Always remember that. And then you have to constantly review and expand what you're collecting. So what kind of logs you really need to collect.
Well, you've got security logs. Here's a few examples. Your IDS, your antivirus. Really the things that you think of when you start talking about security. These are really relevant, and you really need to keep them identified and growing. You bring in more things, they have to be brought in.
At the same time, the networking tools. The most common thing I see that people ignore are things like IPAM. That thing that tells you what IP address you have. Your DNS systems. They need to be in there also. And of course, you always have to have your infrastructure. So if you look there, as we're floating through here we're seeing all types of server types. Then applications that you need to be collecting logs from. Yes, you need your logs from Office 365.
And then you move on to phases. You're now in phase two. Start thinking about compliance. So the key to compliance is that you have to redact information prior to it going into a SIEM. Now you may still need to have a copy of unredacted logs. This causes a problem. And that's where you end up looking at tools other than the SIEM. But all that data has to have a lifecycle. If you don't have a lifecycle, you can never be compliant. And you have to constantly be looking at how the laws and regulations are changing. If you do not, they will catch you and you will not be prepared.
So think about how important regulations are. Pretty important. Have you ever had a HITECH? It's a layer on top of HIPAA. It actually directly requires logging, but most of us don't really think about that because, well, I have my SIEM. A SIEM is not a log collector. It is not just all your logs. It's meant for security.
So think about all the different ways you can deal with regulations. And these regulations and compliance requirements are pretty large. I mean you look here, you've got your PCI requirements, your California Consumer Privacy Act, your FCC regulations, which is pretty huge, by the way. HIPAA. LGPD, which is in Brazil. You've got GDPR. PIPEDA in Canada. FERPA, thinking about education.
And of course all those tons of banking laws. They are a huge amount of regulation, and you don't have a choice but to be compliant. It's not worth fighting. You have to figure out a way to do it. And this is where making a compliance safe SIEM is important. But there's always phase three.
Phase three is something else. It's a little bit more forward thinking. The idea is you replace all your collectors. All those logging tools that you have for different applications. You use one. You centralize all that data into one pass through one data highway. And you send the relevant data, and just the relevant data, to each of those targets.
For example, am I sending to Splunk? Yes. Am I sending to Elastic, maybe the ELK Stack? Yes. What are the others, could it be the Azure data link? Send what you need. And you know what, use not just the forwarder that's going in installing an application to forward. A lot of applications
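As an added illustration of the phase two redaction point and the phase three data highway described above (example code written for this page, not One Identity's product or anything the speaker showed), the block below takes a few constructed log lines, redacts personal data before it reaches the SIEM, keeps an unredacted copy only in an archive target with its own retention period, and fans each source out to just the targets that need it. The log formats, target names and retention values are assumptions for the demo.

```python
import re

# Constructed sample log lines (not from the talk); the first token is the source tag.
SAMPLE_LOGS = [
    'ids alert src=10.0.0.5 user=alice@example.com msg="port scan detected"',
    'hr-app login user=bob@example.com ssn=123-45-6789 result=success',
    'dns query host=web01 name=example.org type=A',
    'ipam lease ip=10.0.0.7 mac=00:11:22:33:44:55',
]

# Personal data that must be redacted before a line is allowed into the SIEM.
REDACTIONS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
]

# Data highway routing table (assumed targets): which sources each target receives,
# whether it gets redacted data, and how long it may keep it (the lifecycle).
ROUTES = {
    "splunk":  {"sources": {"ids", "hr-app", "dns", "ipam"}, "redact": True,  "retention_days": 365},
    "elastic": {"sources": {"dns", "ipam"},                  "redact": True,  "retention_days": 180},
    "archive": {"sources": {"hr-app"},                       "redact": False, "retention_days": 30},
}


def redact(line):
    """Return (redacted_line, number_of_values_redacted)."""
    total = 0
    for pattern, token in REDACTIONS:
        line, n = pattern.subn(token, line)
        total += n
    return line, total


def route(line):
    """Map a raw line to {target: payload}; only the archive ever sees the raw copy."""
    source = line.split(" ", 1)[0]
    redacted, _ = redact(line)
    return {
        target: (redacted if rule["redact"] else line)
        for target, rule in ROUTES.items()
        if source in rule["sources"]
    }


def run_highway(lines):
    """One pass over all collected lines, fanned out per target."""
    delivered = {target: [] for target in ROUTES}
    for line in lines:
        for target, payload in route(line).items():
            delivered[target].append(payload)
    return delivered
```

Running `run_highway(SAMPLE_LOGS)` delivers all four sources to Splunk with no e-mail addresses or SSNs, only the network sources to Elastic, and the single unredacted HR line to the 30-day archive.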