Security Information and Event Management (SIEM) solutions are generally deployed only because a compliance control or legal requirement demands them. While they are one of the best ways to get a handle on your security posture in real time, they can also be costly and complex to manage. As with all IT security solutions, constant care and feeding is required for a SIEM to deliver meaningful and actionable intelligence.
Choosing the right software and hardware, and whether to use a SaaS, on-premise, public cloud or private cloud implementation, is a complex process that needs to include several stakeholders within your business. Determining the alert thresholds, business impact priorities and data classification templates to use involves several criteria. Those criteria include not just controls for compliance regimes like PCI, HIPAA or GDPR but also the emerging state and federal privacy laws. Adding in the variable of vastly increased cybersecurity insurance attestation requirements makes the process even more complicated.
Once you have all your systems reporting into the SIEM, the ongoing challenge is to wrangle the volumes of alerts and logs that get generated into meaningful and actionable alerts. Perhaps more importantly, you must filter out the information that is not meaningful or requires no action. You will invariably find yourself spending so much time managing the SIEM that it creates a gap in your remediation of critical issues and internal service deliverables.
The prevailing value proposition for a SIEM is that it should be REDUCING your workload. The often-overlooked detail is that accomplishing this lofty goal requires ongoing management and maintenance of the SIEM and its alert thresholds. We do this for our clients, and we also provide real-time co-pilot remediation services. Co-piloting means that a security engineer from our team will stay with you from start to finish, as required, until the issue is resolved.
Your SIEM reported that a user clicked on a link in an email that led to an unsanctioned file sharing service. We will stay on the phone with you while you speak with the user who clicked on something they should not have. We will even communicate with the user for you if desired.
Your SIEM reported an Indicator of Attack from a country you do not do business with. We will work with you AND your firewall vendor, as required, to create a firewall rule to block the offending traffic. We can also do it for you if desired.
Your SIEM reported a user who usually logs in from San Jose using the desktop version of Outlook but today logged into Outlook on the web from Amsterdam. We will work with you to investigate the issue and make password changes as required. We can even run an audit against your Microsoft 365 or G Suite implementation to confirm that the correct controls are in place to enforce things like MFA or DLP.
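As an added illustration of the kind of rule behind that last scenario (example code written for this page, not code from the page's authors or any SIEM product): a per-user baseline check over constructed sign-in events that flags a login whose country and mail client both differ from the user's recent history, and rates two simultaneous deviations higher than one. The field names, the 30-day window and the three-login minimum history are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data): one user with a stable
# pattern, then a sign-in that breaks it in two ways at once.
EVENTS = [
    {"user": "jdoe", "ts": "2024-03-01T15:02:00", "country": "US", "client": "Outlook Desktop"},
    {"user": "jdoe", "ts": "2024-03-02T15:10:00", "country": "US", "client": "Outlook Desktop"},
    {"user": "jdoe", "ts": "2024-03-03T14:58:00", "country": "US", "client": "Outlook Desktop"},
    {"user": "jdoe", "ts": "2024-03-04T16:40:00", "country": "US", "client": "Outlook Desktop"},
    {"user": "jdoe", "ts": "2024-03-05T09:21:00", "country": "NL", "client": "Outlook Web"},
]

def build_baseline(events, user, before, days=30):
    """Countries and clients this user was seen with in the `days` before `before` (assumed window)."""
    start = before - timedelta(days=days)
    base = {"country": set(), "client": set(), "count": 0}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["user"] == user and start <= ts < before:
            base["country"].add(e["country"])
            base["client"].add(e["client"])
            base["count"] += 1
    return base

def find_anomalies(events, min_history=3):
    """Alert on sign-ins whose country or client is absent from the user's baseline.
    Users with fewer than `min_history` prior sign-ins are skipped so a new account
    does not fire on its first login; two deviations at once rate higher than one."""
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        base = build_baseline(events, e["user"], ts)  # only events strictly before this one
        if base["count"] < min_history:
            continue
        reasons = []
        if e["country"] not in base["country"]:
            reasons.append(f"new country {e['country']} (seen: {sorted(base['country'])})")
        if e["client"] not in base["client"]:
            reasons.append(f"new client {e['client']} (seen: {sorted(base['client'])})")
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"], "reasons": reasons,
                           "severity": "high" if len(reasons) > 1 else "medium"})
    return alerts

if __name__ == "__main__":
    for a in find_anomalies(EVENTS):
        print(a["severity"], a["user"], a["ts"], "; ".join(a["reasons"]))
```

Real sign-in logs carry more useful fields (IP, ASN, MFA result, device compliance state); the same baseline approach extends to them, and tuning `min_history` and the window is exactly the threshold maintenance described above.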