The rising tide of cyber-attacks and the introduction of new regulations such as GDPR are driving many businesses and government bodies to adopt a Security Information and Event Management (SIEM) solution, but how do you make sure that your crown jewels are protected if you can’t identify what to look for?
A common approach to implementing a monitoring solution is the scattergun approach: ‘if we collect every log from every device then surely we’ll see the unknown happening, right?’. As experts in the field, we’ve seen this approach many times and it is generally the first indicator that a project will fail. Trying to find the important log messages this way is the old cliché of ‘finding the needle in the haystack’, except that you are paying to make the haystack bigger.
Most tools are priced on a volumetric scale: the more logs you want to collect, the more it will cost you. The correlation (pun not intended) here is that if you collect everything, not only will you lack the intelligent content that looks for the unknown, but it’ll cost you a lot more.
At Titan Labs, we’ve been strong advocates of the use case driven approach for years. We believe that by first defining what you want to look for, you can drive what logs you need to collect and reduce overall cost whilst increasing the intelligence within the solution.
Here are three steps to get from a log-consuming monster to a lean, intelligent monitoring solution.
The first step is to define the business risk, and it can sometimes be the most politically awkward. The business drivers for a monitoring solution will shape the answer, however we recommend that the key decision makers should be staff who define the business risk rather than the technical risk.
What concerns keep your CISO awake at night? What would cause large reputational damage to the business? These are the sorts of questions that should be driven out from this step. A common mistake is to skip step 1: technical staff sit in on the meeting and you end up with risks such as the CPU on Server X reaching 95%. That’s not to say that isn’t a risk, but in the first instance, will the CISO wake up at 2am to resolve that problem? Probably not.
The second step, translating business risk into technical requirements, is where you can involve more technical staff such as IT and infrastructure managers. The CFO may have a concern about the sales and invoicing system being unavailable for 24 hours, but generally they won’t know where that system resides, how people access it or what logs it produces. This step should drive the technical requirements out of the business risk, and from those requirements the log sources needed to satisfy the use case. Each business risk therefore becomes a use case with a small, named set of log sources; everything not named by a use case is a candidate for not collecting at all.
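The following is an added example of the risk-to-requirement-to-log-source mapping described in the two steps above; it is not code from Titan Labs or TitanView. The inventory, daily volumes, use cases and source names are all constructed for illustration. It derives the minimal set of sources to collect, compares the resulting daily volume against the ‘collect everything’ volume, and flags the check a practitioner will want: a use case whose required source does not exist in the inventory cannot be satisfied by buying more SIEM capacity.

```python
"""Use-case driven log collection planner (added example, not TitanView code).

All log sources, volumes and use cases below are constructed for
illustration; replace them with the output of your own workshops.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogSource:
    name: str
    daily_gb: float  # ingest per day; most SIEMs are priced on this figure


@dataclass(frozen=True)
class UseCase:
    business_risk: str          # step 1: what keeps the CISO awake
    technical_requirement: str  # step 2: what must be observable to detect it
    sources: frozenset          # log sources that satisfy the requirement


# Constructed inventory of what the estate *could* send to the SIEM.
INVENTORY = {s.name: s for s in [
    LogSource("invoicing-app", 2.0),
    LogSource("load-balancer", 15.0),
    LogSource("erp-db-audit", 5.0),
    LogSource("domain-controller-auth", 40.0),
    LogSource("edr", 60.0),
    LogSource("perimeter-firewall", 120.0),
    LogSource("web-proxy", 80.0),
]}

# Constructed use cases: each business risk names the sources it needs.
USE_CASES = [
    UseCase("Sales and invoicing system unavailable for 24 hours",
            "Detect loss of service on the invoicing front end and its database",
            frozenset({"invoicing-app", "load-balancer", "erp-db-audit"})),
    UseCase("Finance staff credentials used by an attacker",
            "Detect anomalous authentication by finance accounts and their hosts",
            frozenset({"domain-controller-auth", "edr"})),
    UseCase("Customer data exfiltrated from the invoicing database",
            "Detect bulk reads from the ERP database and large outbound transfers",
            frozenset({"erp-db-audit", "dlp"})),  # 'dlp' is deliberately absent
]


def plan(use_cases, inventory):
    """Derive the lean collection set and compare it with collecting everything."""
    inv = set(inventory)
    needed = set().union(*(uc.sources for uc in use_cases))
    collect = sorted(needed & inv)        # sources we will actually onboard
    missing = sorted(needed - inv)        # required but nobody produces them
    unused = sorted(inv - needed)         # available but no use case wants them
    everything_gb = sum(s.daily_gb for s in inventory.values())
    lean_gb = sum(inventory[n].daily_gb for n in collect)
    return {
        "collect": collect,
        "missing": missing,
        "unused": unused,
        "everything_gb": everything_gb,
        "lean_gb": lean_gb,
    }


def uncovered_use_cases(use_cases, inventory):
    """Business risks that cannot be monitored until a missing source exists."""
    inv = set(inventory)
    return [uc.business_risk for uc in use_cases if not uc.sources <= inv]


if __name__ == "__main__":
    result = plan(USE_CASES, INVENTORY)
    print(f"collect everything: {result['everything_gb']:.0f} GB/day")
    print(f"use-case driven:    {result['lean_gb']:.0f} GB/day")
    print("onboard:", ", ".join(result["collect"]))
    print("leave out:", ", ".join(result["unused"]))
    print("gaps:", ", ".join(result["missing"]) or "none")
    for risk in uncovered_use_cases(USE_CASES, INVENTORY):
        print("cannot yet monitor:", risk)
```

With the constructed figures the lean plan onboards five sources at 122 GB/day against 322 GB/day for everything, leaves the two noisiest sources out because no business risk needs them, and reports that the exfiltration use case is blocked on a DLP source that does not exist. That last line is the point of doing step 2 before buying licences: the gap is a missing control, not a missing log feed.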
We’ve built this approach into our tool TitanView to help users choose use cases, with a library built from our years of experience running use case workshops. We want to cut down the time required to make decisions on use cases by guiding you through the process instead of handing you a SIEM tool and leaving it up to you to do the rest.
Contact us to talk about how we can help guide you to a better approach to monitoring security events.