We’ve already written about how, since a medium-sized company is an attractive target for cybercriminals, it can’t be protected with just basic tools; it needs layered defenses. And a security information and event management (SIEM) system is a logical choice for a main center for such a multi-protection-layer system. But how should a full-fledged SIEM in a company with 500 to 3000 employees be implemented? Today we tell you how, and as the title to this post suggests – it’s best done phase by phase…
First of all – choose an SIEM solution
This one’s easy: pick one of the few relatively inexpensive commercial products suitable for medium-sized businesses, or a “free” open-source solution. Why the quotation marks, you may ask. Because although the license costs nothing, the implementation will consume significant resources and a lot of your infosec team’s time. You’ll need much, much longer (several-fold) than you would for implementing a commercial product — both before and after you go live. Without going into the details, let’s just say that there are no complete out-of-the-box open-source SIEM solutions. You’d have to assemble one from available components, adjusting them to be interoperable: an ELK stack or OpenSearch storage, collectors and agents based on one or several OSSEC/Snort/Suricata tools, investigation and response tools (Mozdef), and so on. The popular OSSIM and Prelude projects are likewise each a compilation of different tools, so supporting these is by no means easier, while scaling options are constrained by your IT/infosec team’s available time and specific skills.
Hardware is another thing to consider besides the direct software costs and person-hours. All but a few SIEM systems are quite demanding on hardware, and you’ll have to purchase or rent a server for the go-live specifically.
The Kaspersky Unified Monitoring and Analysis SIEM platform, with its best-in-class performance, is a welcome exception. It boasts sensible hardware requirements and also support for virtual deployments. You can deploy it on a single server or distribute it across the organization if needed by spinning up a collector in each of your offices.
Define data sources for SIEM
You need to work with your business to identify what to monitor with the SIEM. This isn’t as trivial as it may sound: besides helping you catch hackers, a SIEM can keep an eye on many other events, such as server overload or even some business performance metrics like the rate of inventory issue from a warehouse. Network devices, servers, ordinary computers and applications can all be data sources. Detailed planning of data sources ensures that the SIEM solution is properly configured and able to monitor all critical assets. EDR is typically the primary source, as it provides detailed information about server and workstation events structured in an infosec-friendly way, while generating little noise of irrelevant alerts. We obviously recommend Kaspersky EDR Expert, which can feed SIEM with both raw events data and detections associated with complex attacks.
Configure the SIEM solution
With the list of data sources approved, you now need to configure your SIEM solution to collect and analyze security data from those sources. This includes installing data collection agents and setting up correlation rules to identify potential security threats. Nearly every SIEM system comes prepackaged with default correlation rules – but they have to be adjusted to the company’s realities. After the initial setup, some rules will require correction: you need to thoroughly test the situations of both an excess and a lack of alerts.
Train employees
SIEM solutions require trained personnel for effective management and monitoring. The infosec team at a small company typically consists of generalists – jacks of all trades. Therefore, each member of the team should be proficient in the basic SIEM skills. Luckily, an SIEM system saves time on routine work such as searching for applications storing outdated passwords or triaging the backlog of notifications in your inbox. This motivates everyone to use the new tool.
Support the SIEM system and keep it up to date
SIEM is a living and breathing tool that needs regular support and adjustments as an organization grows and evolves. Noisy and ineffective rules must be deprioritized or deactivated, and further correlation rules designed to recognize new threats must be tested.
You can learn more about the Kaspersky Unified Monitoring and Analysis platform and request a demo on its official web page.