In our first post, we looked at how to prepare for migrating a security information and event management (SIEM) platform. The second post covered the middle phase of executing the migration. This post presents the final phase: assessing the migration. The steps in this phase are where you determine how well the migration is working according to your strategic plan. This phase also helps you tune operations of the SIEM to improve efficiency. By carefully assessing SIEM operations, your organization will receive maximum value from one of the most critical tools for securing a large enterprise.
Steps for assessment
Establish benchmark criteria
Establishing benchmark criteria for the new SIEM will help your organization measure and evaluate its performance. Benchmarks should employ criteria in the framework or frameworks currently used by your organization. This could be ISO for compliance, PCI DSS for payment security, and operational benchmarks such as search times, mean time to detection, mean time to response, number of alerts closed, and so forth.
A modern SIEM’s analytics will often dramatically reduce the number of alerts compared with a legacy SIEM, so it’s important to choose metrics carefully in order to gauge success accurately. This is a different way of thinking: analysts will be used to the old idea that “more alerts are better” (even though they were swamped by a volume of often meaningless noise). The quality of the alerts and the associated situations presented is far more important than their quantity, and it may take some time to acclimate to this approach.
Benchmark criteria can be used to score use cases in a manner similar to a heat map. As the migration proceeds, SOC managers may first see lots of reds for a short period of time. As machine learning analyzes log feeds, more colors will turn yellow; as analytics mature, greens will show good coverage. Color coding benchmark criteria will visually show SOC managers how well the SIEM is aligned with business objectives addressed by each use case.
Tuning is an important aspect of benchmarking. It entails supplementing Red Team attack exercises with tests, run in the new SIEM, of the assumptions behind each use case. Testing will help identify where misconfigurations and other issues are hampering accurate detection. To a large extent, a modern SIEM uses analytics to tune itself.
Timeline: Step 7 typically takes two to four weeks.
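The operational benchmarks named above (mean time to detection, mean time to response, alerts closed, alert quality) and the red/yellow/green scoring of use cases can be computed from the SIEM’s own alert records. The following is an added example, not code from the original post or from Exabeam: it takes a few constructed alert records, derives the per-use-case benchmarks, and colors each use case by the worst of its metric bands. The use-case names, the sample timestamps and the threshold values in THRESHOLDS are assumptions chosen for illustration; an organization would set its own limits from its framework requirements.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

# Assumed scoring thresholds (not from the post). Per metric: the limit for
# green, the limit for yellow, and whether a higher value is better.
THRESHOLDS = {
    "mttd_h": (1.0, 4.0, False),    # mean time to detection, hours
    "mttr_h": (8.0, 24.0, False),   # mean time to response (detection to closure), hours
    "precision": (0.7, 0.4, True),  # share of alerts that were true positives
}
SEVERITY = {"green": 0, "yellow": 1, "red": 2}  # higher = worse


@dataclass
class AlertRecord:
    use_case: str
    occurred: datetime          # when the underlying activity happened
    detected: datetime          # when the SIEM raised the alert
    closed: Optional[datetime]  # when an analyst closed it; None if still open
    true_positive: bool


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def benchmark(records: List[AlertRecord]) -> Dict[str, dict]:
    """Per use case: alert count, MTTD, MTTR (closed alerts only), closure rate, precision."""
    by_case: Dict[str, List[AlertRecord]] = {}
    for r in records:
        by_case.setdefault(r.use_case, []).append(r)
    metrics = {}
    for use_case, recs in by_case.items():
        closed = [r for r in recs if r.closed is not None]
        metrics[use_case] = {
            "alerts": len(recs),
            "mttd_h": mean([_hours(r.occurred, r.detected) for r in recs]),
            "mttr_h": mean([_hours(r.detected, r.closed) for r in closed]) if closed else None,
            "closed_rate": len(closed) / len(recs),
            "precision": sum(r.true_positive for r in recs) / len(recs),
        }
    return metrics


def band(value: Optional[float], green_limit: float, yellow_limit: float,
         higher_is_better: bool) -> str:
    """Map one metric value to a heat-map color; a missing value (nothing closed yet) is red."""
    if value is None:
        return "red"
    if higher_is_better:
        return "green" if value >= green_limit else "yellow" if value >= yellow_limit else "red"
    return "green" if value <= green_limit else "yellow" if value <= yellow_limit else "red"


def score(case_metrics: dict) -> str:
    """A use case is only as good as its weakest benchmark."""
    colors = [band(case_metrics[name], *limits) for name, limits in THRESHOLDS.items()]
    return max(colors, key=SEVERITY.__getitem__)


def heat_map(records: List[AlertRecord]) -> Dict[str, str]:
    return {use_case: score(m) for use_case, m in benchmark(records).items()}


# Constructed sample records (hypothetical use cases and times, not real data).
SAMPLE = [
    AlertRecord("lateral_movement", datetime(2024, 1, 1, 8, 0), datetime(2024, 1, 1, 8, 30), datetime(2024, 1, 1, 12, 30), True),
    AlertRecord("lateral_movement", datetime(2024, 1, 1, 9, 0), datetime(2024, 1, 1, 10, 0), datetime(2024, 1, 1, 16, 0), True),
    AlertRecord("lateral_movement", datetime(2024, 1, 1, 10, 0), datetime(2024, 1, 1, 10, 15), datetime(2024, 1, 1, 11, 15), False),
    AlertRecord("lateral_movement", datetime(2024, 1, 1, 11, 0), datetime(2024, 1, 1, 11, 30), datetime(2024, 1, 1, 15, 30), True),
    AlertRecord("brute_force", datetime(2024, 1, 2, 1, 0), datetime(2024, 1, 2, 3, 0), datetime(2024, 1, 2, 15, 0), True),
    AlertRecord("brute_force", datetime(2024, 1, 2, 2, 0), datetime(2024, 1, 2, 2, 30), None, True),
    AlertRecord("brute_force", datetime(2024, 1, 2, 5, 0), datetime(2024, 1, 2, 7, 0), datetime(2024, 1, 2, 19, 0), False),
    AlertRecord("data_exfil", datetime(2024, 1, 3, 0, 0), datetime(2024, 1, 3, 10, 0), datetime(2024, 1, 5, 10, 0), True),
    AlertRecord("data_exfil", datetime(2024, 1, 3, 1, 0), datetime(2024, 1, 3, 3, 0), None, False),
]

if __name__ == "__main__":
    for use_case, m in benchmark(SAMPLE).items():
        print(f"{use_case:18s} {score(m):6s} alerts={m['alerts']} mttd={m['mttd_h']:.2f}h "
              f"mttr={m['mttr_h']} closed={m['closed_rate']:.2f} precision={m['precision']:.2f}")
```

Taking the worst band across metrics is deliberate: a use case that detects quickly but drowns analysts in false positives should not show green, which matches the post’s point that alert quality, not alert count, is what the benchmark has to reward.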
Evaluate next steps
The last strategic step of SIEM migration is evaluating next steps. A legacy SIEM typically requires SOC analysts to constantly adjust thresholds and alerts to keep monitoring accurate. Migrating to a new SIEM with machine learning-enabled behavioral analytics does away with rule tinkering, which allows your SOC team to focus on developing new use cases as business priorities change.
We suggest reviewing the use cases every few months to determine which are useful and which need additional tuning. Attack simulations will help identify the improvements needed to achieve business objectives with the new SIEM. If your organization does not have Red Team capability in-house, consider turning to outside resources, because attack simulations are essential for ensuring the quality of security processes.
Finally, we urge your organization to use the eight-step SIEM migration model as a continuous process to help ensure strong security for your enterprise.
Timeline: Evaluating the next steps is an ongoing task where the effort will wax and wane as circumstances change and new use cases are prioritized. Post-migration, you should be on the lookout for opportunities for constant process improvement.
As we mentioned at the start of our blog series, migrating a SIEM is a project with multiple steps that involves numerous people, processes and technologies. A typical migration takes seven to eight months. However, many factors can influence your timeline. The most significant influences on timing are your choice of use cases, dependencies on others (including senior staff to outline the business priorities, and other security and IT staff to provision log sources and infrastructure), and the willingness of the security team to change their work habits to take advantage of the capabilities of your new SIEM. As a result, the timeline for a SIEM migration can vary considerably, from 3-12 months. Example timelines for short, typical and long migrations are shown below.
Making your SIEM migration a success!
Our series on SIEM migration has presented eight strategic steps to help your new SIEM unlock fresh capabilities that bring stronger security to your enterprise. We hope Exabeam will play a prominent role in your choice. To get additional help, we invite you to watch our webinar, “Eight Steps to Migrate Your SIEM,” or download our white paper, “Eight Steps to Migrate Your SIEM.” These sources will provide you with more details to help guide the migration process.