By Jeff M. and Kate R.
Recent high-visibility cyber attacks have reinforced the need for stronger cyber defenses across our national infrastructure. In February 2021, an attacker gained remote access to the control system of a water treatment plant in Oldsmar, Florida, and briefly raised the sodium hydroxide setpoint to a dangerous level; an operator noticed and reverted the change before the water supply was affected. In May 2021, a ransomware attack on Colonial Pipeline led the company to shut down its fuel pipeline operations for nearly a week, and gas prices subsequently spiked along the east coast of the United States.
As part of a holistic cyber strategy, organizations often implement Security and/or Network Operations Centers (SOC/NOC) that proactively monitor all facets of the enterprise's virtual and physical infrastructure. A vital bedrock capability in any effective SOC/NOC is a Security Information and Event Management (SIEM) tool. As a follow-up to June's article, "Network Operations Center/Cell Considerations in Physical or Cloud-Based Environments," it is worth drilling down further into SIEM tools: what they are, and how to choose one that best suits your client's needs. Below we dive into this in more detail based on our lessons learned at client sites and across industry.
What is a SIEM tool?
SIEM tools are widely used throughout the industry, but what are they and why do we need them?
The purpose of a SIEM tool is to aggregate event logs from multiple sources into a central location and provide searching, correlation, alerting, and response capabilities. Logs are a rich source of security events but, unfortunately, they come in a variety of formats (syslog text, JSON, Windows event XML, vendor-specific CSV). A SIEM tool collects logs from multiple sources and vendors and normalizes them into a common schema, so that one search or one detection rule can run across all of them. Typically, a SIEM tool is implemented to search for security-related log entries, but it can be leveraged for any logged event. For example, suppose you have multiple AWS accounts and your cybersecurity team wants to know when a user logs in to the console. The SIEM tool ingests the CloudTrail logs from each account and looks for the `ConsoleLogin` event (with its success or failure result) in the records as they are ingested. Once an event is detected, the SIEM tool can be configured to take actions: the username could be correlated with a list of recently removed employees to ensure no former users still have access, with an alert raised on a match, or an alert could simply be sent to the cyber team to take other actions. Because all accounts feed one place, patterns that are invisible in any single account, such as one source IP trying several usernames across accounts, also become detectable.
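As an added, constructed illustration of the collect, normalize and detect loop described above (this is not code from the original article or from any SIEM product), the following Python script normalizes Linux sshd syslog lines and CloudTrail `ConsoleLogin` records into one common schema and then runs two detections over the combined stream: a login attempt by an offboarded account, and one source IP touching several usernames within a short window. The log lines, AWS account IDs, IP addresses and the list of offboarded users are all made up for the example.

```python
"""Toy SIEM pipeline, added as an illustration: normalise two log formats into
one schema, then run detections over the combined, time-ordered stream.
Everything here (log lines, account IDs, the HR list of offboarded users) is
constructed for the example and is not from a real environment."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input: two Linux sshd syslog lines from an on-prem bastion ...
SYSLOG_LINES = [
    "Jan 14 09:12:01 bastion sshd[2201]: Accepted publickey for alice from 10.0.4.7 port 51022 ssh2",
    "Jan 14 09:15:43 bastion sshd[2290]: Failed password for bob from 203.0.113.9 port 40100 ssh2",
]
# ... and two CloudTrail ConsoleLogin records from two different AWS accounts.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-01-14T09:20:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "recipientAccountId": "111122223333"},
    {"eventTime": "2024-01-14T09:21:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"}, "recipientAccountId": "444455556666"},
]
# Hypothetical feed of recently offboarded accounts (constructed for the example).
TERMINATED_USERS = {"bob"}

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def normalize_syslog(line, year=2024):
    """sshd auth line -> common event dict (syslog lines carry no year, so one is supplied)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"time": ts, "source": "sshd", "host": m["host"], "user": m["user"],
            "src_ip": m["ip"], "action": "login",
            "outcome": "success" if m["outcome"] == "Accepted" else "failure"}


def normalize_cloudtrail(rec):
    """CloudTrail ConsoleLogin record -> common event dict; other event types are skipped."""
    if rec.get("eventName") != "ConsoleLogin":
        return None
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ok = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
    return {"time": ts, "source": "cloudtrail", "host": rec.get("recipientAccountId"),
            "user": rec.get("userIdentity", {}).get("userName", "unknown"),
            "src_ip": rec.get("sourceIPAddress"), "action": "login",
            "outcome": "success" if ok else "failure"}


def ingest(syslog_lines=SYSLOG_LINES, cloudtrail_records=CLOUDTRAIL_RECORDS):
    """Collect and normalise both sources into one time-ordered list of events."""
    events = [normalize_syslog(line) for line in syslog_lines]
    events += [normalize_cloudtrail(rec) for rec in cloudtrail_records]
    return sorted((e for e in events if e is not None), key=lambda e: e["time"])


def detect(events, terminated=TERMINATED_USERS, window=timedelta(minutes=10)):
    """Two detections over the normalised stream; returns a list of alert dicts."""
    alerts = []
    by_ip = defaultdict(list)
    for ev in events:
        # Detection 1: any login attempt (success or failure, any source) by an offboarded account.
        if ev["user"] in terminated:
            alerts.append({"rule": "terminated-user-login", "user": ev["user"],
                           "source": ev["source"], "host": ev["host"], "outcome": ev["outcome"]})
        by_ip[ev["src_ip"]].append(ev)
    # Detection 2: one source IP trying two or more distinct usernames within the window.
    # This only becomes visible once the logs from every account sit in one place.
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(users) >= 2:
                alerts.append({"rule": "one-ip-many-users", "src_ip": ip, "users": sorted(users)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(ingest()):
        print(alert)
```

Two points the script makes that the prose alone does not: the detections are written once against the common schema (`user`, `src_ip`, `outcome`), not once per log format, and the terminated-user rule fires on the failed on-prem SSH attempt as well as the successful console login, which is exactly the cross-source view a SIEM is meant to give. In a real deployment the year for syslog timestamps, the terminated-user feed and the correlation window would all be configuration, not constants.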
What to look for?
Requirements vary, but one of the first things to consider is which log sources and vendors the tool supports out of the box. All SIEM tools require some customization, but the broader the native support, the less parsing you have to write yourself. Are you only ingesting logs from on-premises systems, or are you also in the cloud? Most of the major SIEM tools can ingest cloud-provider audit logs. Some tools offer plugins you can download or purchase to add ingestion for other log sources.
Another feature to look for is the set of detections that come out of the box. Detections are the rules (searches and correlations) the SIEM tool runs against ingested logs. A tool may be inexpensive up front, but by the time you have written all the basic detections yourself, you may have tripled the cost of the product. There will always be additional detections any organization wants, so the more you can learn up front about which detections are included, the better.
In addition, deployment methodology is an important consideration. If your organization's infrastructure is cloud-based, you may want the tool to run in containers on Kubernetes or Docker. Are you using Infrastructure as Code, deploying with Terraform or CloudFormation? Some tools require a physical appliance, which can cause problems in cloud or other virtual environments. Another option is Software as a Service (SaaS). This removes the burden of infrastructure maintenance, but it means every log has to leave your environment for the vendor's, so firewall egress rules, proxies, and encrypted transport to the vendor endpoint need to be designed up front.
As this is a security tool, securing the tool itself should be of paramount importance. Look for a tool that supports multi-factor authentication (MFA) at a minimum. Other security features to consider are smart-card (CAC/PIV) authentication, encryption of stored logs, and Role Based Access Control (RBAC). RBAC helps a great deal in delineating tasks according to least privilege, for example separating analysts who search from administrators who change ingestion and retention. If the tool requires an agent on every server, account for the CPU, memory, and disk I/O that agent consumes on each host. Additionally, log data should be encrypted in transit (for example, TLS) on its way to the collector.
What is the cost?
While there are free or low-cost SIEM tools out there, you should also consider the interface itself. Standing up a SIEM tool, ingesting all the logs, and writing the needed detections takes considerable effort. Having to build an entire dashboard from scratch diverts that effort from where it could be better used. The visualization component is often thought of as a nice-to-have extra; however, proper User Interface/User Experience (UI/UX) is critical for timely response. If your SIEM tool performs the proper detections but an analyst cannot see the alert, the tool is of no value. Further, your clients will typically want a Single Pane of Glass view they can look at.
Speed is another critical consideration when evaluating a SIEM tool. How fast the tool can correlate and scan data has a direct impact on response times. Speed is often tied to price, with higher speed requiring more powerful infrastructure to support it. A corollary to that is expansion capability. An application may scale vertically (bigger nodes) but not horizontally (more nodes), which affects how the network is laid out for a given tool and puts a ceiling on how much log volume it can ever handle.
Support is an often-overlooked aspect of any tool. A product with no support can leave you at a dead end if something should go wrong. Support should provide an ability to track cases, professional services should they be needed, and enforceable Service Level Agreements (SLAs). A phone contact is also a large plus. If a tool is only ticket-based with email, you are dependent upon the support desk and have no way to escalate a ticket in a critical situation. What support is included in the price may be a game changer. Check to see if the support has more experience in your needed space – federal or commercial. Finally, what is the support cost model? If it is cost per ticket, then having an expert in the tool will be beneficial. Obviously, there is a tradeoff as the cost of the Subject Matter Expert (SME) will need to be considered.
There is another important financial consideration. While pricing is often a prime motivator, the Total Cost of Ownership (TCO) is usually far more important than the up-front cost. Included in that is the licensing model. Paying per GB ingested can get exorbitantly expensive rapidly, especially once long-term storage cost and speed of processing are added in. If the environment has fewer logs this may make sense, but as environments grow the cost can get out of control, forcing a choice between cost and which logs to keep, and the logs dropped to save money are often the ones an investigation later needs. Other SIEM tools are licensed per node, so cost scales with the number of monitored hosts rather than with data volume, and each additional node brings its own infrastructure and maintenance cost.
ActioNet partners with our clients to ensure their missions are both highly secure and resilient. We are committed to working with them to deliver and maintain the strongest security posture throughout the cyber lifecycle. Our experience reinforces our strong belief that having the right defensive measures in place – including a holistic SIEM tool – is a vital component of overall enterprise security readiness and response.