“I don’t know why my boss bought this. No one has time to use this!”
“I have enough people. But, no one knows how to operate this system, and vendors can’t help!”
These are common complaints of some of my previous customers. Perhaps they resonate with someone out there, as well. Either way, we are not too naive to think that our 24/7 monitoring protocol can be accomplished simply by purchasing a Security Information and Event Management (SIEM) system. When we talk about securing our organization, specifically in Managed Security Services (MSS), we are implicitly referring to three different elements. SIEM is just one of these.
Like the second example complaint presented above, my company once purchased a SIEM that fell under the top position in the SIEM Magic Quadrant. But, no one knew how to operate it. Why? Most of the time, a training package does come with a purchase. The problem is that the quality of the training package varies, and in any circumstance, it takes time for our staff to absorb and implement the knowledge gained therefrom. Thus, we need to make sure that the vendor is able to provide quality training and that they are willing to commit 100% to help when our staff is having issues with the product. Of course, a person who knows how to operate the SIEM is not enough for our MSS team. We need to have security analysts, incident handlers, and malware analysts, among other personnel. It is even better to have a developer on the team to assist with any automated tasks.
SIEM belongs in this element. Often, we will look for a product in the top position of its Magic Quadrant. However, that is not the case all time. There are lots of products to consider, and we need whatever solution we choose to perform its functions properly and reliably. Basically a SIEM collects all logs from our security devices that include firewall, IDPS, routers, proxy, etc. We need to ensure that the critical information stored on these devices will not be leaked by the SIEM. After all, if a router can have backdoors, the same possibility goes for SIEM. Also, we need to ensure that no data loss occurs, and that the logs are not intercepted during transmission. Different security environments require different technologies. Choose wisely!
Process connects people to technology. Without an efficient process, MSS will fail. We can create our own process or implement any existing framework to smoothen MSS. Based on my experience, Information Technology Infrastructure Library (ITIL) is a pretty good choice. The set of practices in this framework can be tuned to suit your MSS even if it is designed for IT service management. However, having an efficient process is not enough. You need to ensure that your team follows the process. As a result, the process should be codified in a handbook that all members in your team can remember and follow.
You need a team to secure your organization, not merely a product. Of course, it is undeniable that a good product can boost your team’s performance. So, next time you are about to buy a SIEM, make sure you consider the three elements listed above – People, Technology and Process.
By Ong Yew Chuan, Info Sec Enthusiast
An Information Security enthusiasm. Have 3 years of experience working in a Managed Security Services (MSS) company. Now working as a researcher in one of the public universities in Malaysia, focusing in security and social networks. Posed few professional certificates which included ECSA, CEH, CHFI and ITIL.