Basic SIEM analytics steps to know

Even basic SIEM analytics can get complicated. Learn three fundamental steps to take that will help you get the most out of your security information and event management tool.

Security information and event management systems are tools and services dedicated to improving enterprise security through log monitoring, analysis and reporting. SIEM platforms bring together security-event log data from numerous enterprise security applications, as well as device operating systems and IT and business applications that are prone to attack. Organizations use SIEM systems for different reasons, including centralized security compliance reporting, identification of historical trends and patterns in security events, and detection of recent or current attacks and compromises.

All of these uses of SIEM systems rely on data analytics. Most devices and applications that generate security log data cannot analyze that information themselves for compliance violations, long-term changes or current attacks. SIEM platforms provide that analysis and can consider all the logs together, recognizing a single issue whose different parts were observed in multiple places. By piecing these together, SIEM platforms can discover attacks not identifiable by other means.

All SIEM products provide basic data analytics capabilities, but you may be able to improve the effectiveness and efficiency of these capabilities through some relatively small changes. Here are some tips for getting the most out of your existing SIEM system:

Reconfigure logging for other enterprise security controls. All enterprise security controls, such as firewalls, intrusion prevention systems, antivirus servers, endpoint security suites and mobile device management (MDM) technologies, are capable of logging security events. However, these security controls often use default logging configurations. Adjusting enterprise security controls to log more details about a wider range of security events can lead to significantly better results from SIEM data analytics. Be careful, however, to test logging reconfigurations before implementing them in production. This will help you understand how they may affect performance and storage, both locally and within the SIEM platform.

Configure SIEM agents to log additional data. The quality and level of detail of security-event log data that operating systems and applications generate can vary greatly. An easy but often overlooked solution to this is to use SIEM agents to perform additional logging. SIEM agents can supplement standard logging in two ways. One is to log more details about observed events, thus providing a much richer picture of security-related activities. The other is to configure SIEM agents to automatically log additional information once a suspicious event is detected. Both of these enable the SIEM system's data analytics capabilities to draw more accurate conclusions about the security events much more quickly.

Optimize the SIEM platform's understanding of data from security logs. A single SIEM system may need to parse log data from dozens or hundreds of types of log sources. Most SIEM systems have built-in knowledge of the significance of each log entry field for common sources, but the same can't be said for others, such as an organization's custom business applications. In these cases, the organization must invest the necessary resources to ensure that the original log data is transformed into a format that the SIEM product will understand completely. Providing the available context for each piece of log data may involve customizing the SIEM platform or even developing custom code to help retain the original context when converting the log data to a SIEM-readable format.
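The custom-code step described above, as an added example that is not from the original article or any SIEM vendor: a small normalizer for a hypothetical custom business application ("orderapp", a constructed log format) that maps the app's own field names onto an assumed common schema (`user_name`, `src_ip`, `outcome`), keeps the raw line for context, and never silently drops a line it cannot parse. Timestamps are assumed to be UTC.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines from a hypothetical custom business app ("orderapp").
# Not real log data; the line format is assumed for this example.
SAMPLE_LINES = [
    "2016-08-02 14:03:11 orderapp LOGIN user=alice ip=10.1.2.3 result=ok",
    "2016-08-02 14:03:40 orderapp LOGIN user=alice ip=10.1.2.3 result=fail reason=badpw",
    "2016-08-02 14:04:02 orderapp EXPORT user=alice ip=10.1.2.3 rows=25000 result=ok",
    "garbage line the parser does not recognise",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<app>\S+) (?P<action>\S+)(?P<kv>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Map the app's own field names onto the (assumed) SIEM common schema so that
# correlation rules written against "src_ip"/"user_name" also fire for this source.
# Fields the schema does not know keep their original name under an app prefix.
FIELD_MAP = {"user": "user_name", "ip": "src_ip", "result": "outcome", "reason": "outcome_reason"}

def normalize(line: str) -> dict:
    """Parse one custom app log line into a SIEM-ready event dict.

    Unrecognised lines are not dropped: they are emitted with parsed=False and the
    raw text intact, so analysts still see them and parser gaps can be measured.
    """
    event = {"raw": line, "source_type": "orderapp", "parsed": False}
    m = LINE_RE.match(line)
    if not m:
        return event
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    event.update({
        "parsed": True,
        "@timestamp": ts.isoformat(),
        "app": m.group("app"),
        "action": m.group("action").lower(),
    })
    for key, value in KV_RE.findall(m.group("kv")):
        event[FIELD_MAP.get(key, f"orderapp.{key}")] = value
    return event

def normalize_all(lines):
    """Normalize a batch of lines, preserving order so gaps are easy to spot."""
    return [normalize(line) for line in lines]

if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_LINES):
        print(json.dumps(ev))
```

Counting events with `parsed` set to false after each application release is a cheap way to catch format changes before they quietly blind the SIEM's correlation rules.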

This was last published in August 2016