A Managed SIEM and much more
Building Teams around your SIEM
As we celebrate the third major iteration of our Managed SIEM, we wanted to look back and spotlight some of the differentiating factors in engaging with, or managing, your own SIEM. Way back in 2003, with our “Basic SIEM,” we got a taste of what we were starting to develop and what would eventually be called our SIEM. We learned very quickly that it takes more than an application or a black box that you “set and forget.” It takes teams working together, steadfast processes, and continual (sometimes incremental) improvements in your technology risk monitoring and response.
What is a Managed SIEM?
As technical people we often forget that not everyone knows our acronyms. So, I wanted to start off by talking about what SIEM stands for and what it actually is. SIEM is short for Security Information and Event Management. We manage this for our Clients as part of our Managed SOC… There I go again. SOC stands for Security Operations Center, where our Data Security Analysts “watch” our Clients’ networks for any security or policy incidents.
Some see a SIEM as just a large database. As a data driven person myself, I just love that aspect of it… having all your relevant data in one place where you can pivot, follow, and threat hunt. However, we believe it’s much more than that. We believe it’s the central point where all those security processes converge.
Three Teams and a Managed SIEM
Now that that is out of the way, I’d like to talk a little about an idea we call Three Teams and a SIEM. If you haven’t viewed it yet, check out our Three Teams and a SIEM talk, and the movie we produced afterward, which goes into even more detail. At a high level it offers these key insights:
- Monitoring risk is crucial to protect customer information and prevent unauthorized access, as threats can exploit vulnerabilities and unknown threats can exploit unknown vulnerabilities.
- Compliance is one reason to monitor risk, but it is also essential for identifying and addressing change management issues, denial of service issues, and compliance deficiencies.
- The cyber kill chain provides insights into the different stages of an attack and highlights the role of a SIEM system in mitigation efforts.
- SIEM leverages thousands of signatures to identify potential threats, and monitoring for unknown threats is necessary due to the presence of unknown vulnerabilities.
- Monitoring risk helps to identify and investigate potential threats, even if they have a low probability, as it is crucial to be proactive.
There are many different ways to define technology risk management. We like to divide it into three interacting processes that are executed as a cycle. Here at infotex, once a year we do our Gramm-Leach-Bliley Act (GLBA) risk assessment. Additionally, when new risk appears, we measure it and decide how we’re going to respond.

The Three Teams
The three teams we see making up this trinity of information security, otherwise known as the Risk Monitoring Team, are:
- Your Internal Technical Team: boots on the ground, responsible for responding to day-to-day concerns.
- Your Incident Response Team: the people and processes held responsible in your Incident Response Plan.
- And last but not least, typically a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) with a Managed SOC. Depending on the engagement and the complexity of the environment, they may be responsible for MDR (Managed Detection and Response), endpoint protection, and infrastructure health, and in many cases an MSSP will have its own Managed SOC and SIEM that it uses to monitor your activity.
We want to monitor the response to the risk, but we are also going to look for threats exploiting the vulnerabilities we found when we measured the risk. We must also look for unknown threats exploiting unknown vulnerabilities.
It takes a Team
A SIEM on its own does little to improve your security posture. Without the three teams, even the best SIEM can’t replace grey matter and the processes and people the teams provide. A SIEM can be collecting and categorizing every security event in your environment, but with no one watching… well… you know what they say about a tree falling in the forest. In this case, though, it’s not just a philosophical question. If that tree has “fallen,” we want to know. And we want to know when, who cut it down, where they cut it down from, what they used to cut it down, and how long it took.
Those three Teams are starting that circular process over and over again: Monitoring the Risk, Measuring the Risk, and Mitigating the Risk. That’s really hard to do when you don’t even know what the risks are, and that’s where well-trained teams, a well-tuned SIEM, and your Incident Response Plan come in.
Original article by Michael Hartke. Executive Vice President, infotex