The Case for Managed SIEM


One of the first major projects that I was assigned to was a managed SIEM; we were in the process of onboarding a new customer who had just left another managed service provider. The customer was unhappy with their past service provider, “All they did was spit out metrics,” the Director of InfoSec confided. In fact, for this company we were the third managed SIEM provider that they had been with.

What is SIEM?

What is SIEM and why do customers choose to subscribe to it? Security Incident and Event Monitoring (SIEM) has become a staple product in the enterprise world for protecting businesses. SIEM takes all of the logs that your network switches, servers, routers, firewalls and other systems generate and consolidates them into a single pane of glass view. From the SIEM, a skilled security analyst can slice and dice that data in hundreds, if not thousands, of different ways to find indicators of compromise on your network.

What are indicators of compromise?

To defend against data breaches on your network, an IT security analyst looks for indicators of compromise: security events that when stacked, demonstrate with a high degree of confidence that your network has been compromised. Perhaps it starts one weekend with ‘failed login’ attempts to your VPN, then an escalation in privileged rights on your network. Within the hour, a large volume of your company’s sensitive data is transferred offsite to a server on the other side of the world – a known hot spot for cyberespionage. Each of these security events trigger an alert and each one would have a trained security analyst determining if these were normal or part of a larger attack.

Rolling out your own SIEM versus a managed service provider

Over a coffee, I had a friend once tell me he was thinking of investing in a SIEM for his mid-size company. He asked me what the cost was to get the infrastructure and run it in-house. I answered that acquiring the infrastructure is easy, it’s the setup and monitoring that is challenging for small- and medium-sized companies.

The business case for running SIEM yourself isn’t complex: you need at least one highly skilled IT security analyst to monitor and investigate the indicators of compromise. But you can’t just have one person monitor the SIEM, or they’ll get bogged down, and eventually they’ll want to go on vacation. Hackers don’t strike during business hours only, you must monitor your systems 24/7 and 365 days of the year. If these security events go unnoticed, a skillful hacker will take additional measures to cover their tracks (such as deleting logs or switching user accounts).

Each SIEM is a custom deployment

You can’t just throw in a SIEM and expect it to protect your network; it needs to be customized and tuned to report properly on your specific network. While SIEMs come with hundreds of great reporting features at installation, each customer network is different. Each SIEM device needs to go through a ‘monitor’ stage to identify and baseline normal traffic on your network. Often there are events, applications or misconfigured devices that can generate ‘false positives’ that look like an indicator of compromise, but in fact it is valid data and needs to be fixed, or ‘tuned out’ and ignored. This customizing and tuning of your SIEM takes about 45 days, as it needs to run through a full month-end cycle of transactions within your company.

Benefits of a service provider team and community

Having a skilled team of security analysts behind your SIEM means a faster triage and rapid response to contain a security incident. I have seen firsthand the fast response of a team, coordinating with a customer, as a large database started transferring offsite to a cloud provider. It turns out this single incident was an application developer conducting legitimate business; but it brought about other IT governance issues such as where data should be stored, how it should be ‘sanitized’ for offsite use, and what security controls need to be in place to safe guard the corporate data hosted in the cloud.

Using a managed SIEM allows for other interesting benefits. Patterns that are unique to malware can be easily seen across multiple customers. Our advanced Security Operations Centre (SOC) has been capturing and contributing specific traffic patterns to vendors and the InfoSec community to help improve detection of new strains/variations of malware such as crypto-locker ransomware. We’ve also spotted compromised websites, even in Ontario, that redirect customers within seconds to Russia, Romania and China hidden in the background of a web page. These redirections try to run malicious software against your computer, tablet or phone in the hopes of comprising your device if it isn’t up to date.

Respond quickly, respond effectively

Protecting your company from being compromised is challenging in this day and age. Not only do you need layers of defence, you also need to respond quickly and accurately to events that could take down your network. A managed SIEM is now a must-have tool within your security tool belt; it’s the fastest way to identify and determine if you have been breached.

Anybody can spit out raw data and metrics, but I believe that CDW’s workshops and network ‘business insight’ reports give you, the customer, actionable items to improve your security posture. Each month our SOC team sits down with customers to discuss events, identify tuning improvements and recommend actions that will harden your network against trending attacks.