Building Business and Technical Use Cases for the Modern SIEM

By Nils Krumrey, Cybersecurity Expert, Logpoint

Security incident and event management (SIEM) is a tool that provides monitoring, detection and alerting of security events or incidents within an IT environment. It provides a comprehensive and centralized view of the security posture of an IT infrastructure and gives enterprise security professionals insight into the activities within their IT environment.

SIEM software collects and aggregates log data generated throughout the organization’s technology infrastructure, from host systems and applications to network and security devices, such as firewalls and antivirus. The software then identifies, categorizes and analyzes incidents and events. The SIEM analysis delivers real-time alerts, dashboards or reports to several critical business and management units.

The modern SIEM scales with your infrastructure requirements and improves capabilities for external and internal threat discovery and incident management. According to Gartner, this includes targeted attack detection, user activity monitoring, application activity monitoring, profiling and anomaly detection, threat intelligence, effective analytics and incident response features to mention a few. But in these tough economic times, it can prove even more difficult to secure spend. So how should you go about building the business case for SIEM?

1. Stabilization of IT Operations

SIEM helps businesses solve problems faster and more efficiently. By identifying problems before they have an impact on critical systems, businesses will be able to reduce downtime, which can have a positive impact on revenue and productivity. SIEM solutions enable businesses to investigate incidents more quickly.

With logs that are more accessible, businesses can free up the time needed for investigations and reduce the manpower needed to complete them, ultimately reducing the cost for running IT operations. Lastly, by identifying the root cause of issues within IT operations, organizations can decrease the number of security incidents that occur, resolve issues faster, enable greater productivity by optimizing IT infrastructure and increase both performance and reliability.

2. Secure your data

SIEM enables greater visibility into what is occurring within your network, which is critical for helping businesses avoid loss of data or disruption to their services. High-level dashboards decrease the risk of breaches by offering simple overviews of suspicious activities across a business, and provide insight into potential brute force attacks, data loss prevention, data theft, compromised accounts and change monitoring. Optimizing compliance is important for any business.

With SIEM, businesses can better monitor important processes and set up automated reports, which make processes related to General Data Protection Regulation (GDPR), the International Organization for Standardization (ISO) and Payment Card Industry Data Security Standard (PCI DSS) and other regulations and standards bodies quicker and easier. Lastly, SIEM improves detection and response capabilities by enabling businesses to quickly react to incidents. In addition, SIEM offers increased visibility and anomaly detection, helping businesses avoid or limit the losses occurred during and after breaches.

3. Gain new business insights

By having all your systems’ log data available within the SIEM, businesses can index all data and analyze what is happening across an organization at any time. Any activity can be benchmarked against what a business determines is normal and can be compared to any previously processed data. By doing this, businesses increase visualization, making it easier to pinpoint what activity is deemed normal and what is not, which can help IT teams make better business decisions.

When analyzing logs, businesses can also improve non-security areas. Service desk performance and enablement can benefit by decreasing time to resolution and IT spend by analyzing logs from storage or printers which provides insight into where usage can be optimized. Downtime can be predicted, by pinpointing when a piece of equipment needs to be repaired to avoid potential downtime, and business processes can be streamlined by simplifying them with data-driven insights that provide data on trends within an organization so costs can be saved, and tasks can be automated.

4. Optimize business processes

SIEM drives increased revenue by providing better visibility into what is occurring within businesses on many levels, both internally and externally. For example, calling a customer just before a product needs maintenance or identifying unmet needs can both save costs and lead to upsell or service revenue opportunities.

SIEM improves business optimization and innovation by offering teams the ability to determine what changes need to be made to optimize specific business processes. In addition, you will be able to gain contextual awareness by enriching your data with the right information, giving your organization a better understanding of what is tying up resources. This leads to increased user and customer experience and can give your organization the insights needed to create new initiatives that improve value both internally and externally.

Business case vs technical use case

There are key differences between business use cases and technical use cases. While a business use case is often high level, strategic and provides rationale that can help to secure executive approval and funding for SIEM deployment, a technical use case, on the other hand, is often highly detailed and helps operationalize the SIEM in order to achieve its business goals but it is equally important. To determine technical use cases, consider the following:

1. Define the scope of your deployment

When choosing a SIEM solution, businesses should consider organizing a workshop, either internally or alongside a SIEM partner, to define and agree on the project scope and timeline. To define the deployment’s scope and timeline, businesses need to identify, and more importantly prioritize, an initial list of use cases to dictate what the necessary log sources may be. In addition, it is important to agree upon a timeline for deployment to ensure the SIEM is aligning with the business’ overarching goals.

2. Determine your priority data sources

Once the team has a handle of the ideal project scope, teams can then identify log sources within the scope to determine how they can obtain the relevant information needed. For example, firewalls, intrusion protection systems and antivirus software, all serve as prime data sources for SIEM, but there are many more. It is important that businesses prioritize the sources that will be included to ensure the SIEM provides the most accurate security protection possible.

3. Identify the high priority events and alarms

When it comes to protecting an organization against both insider and outsider threats, IT and security teams are often presented with an ever-growing list of security events that need to be analyzed and acted on. To break through the noise, SIEM can be used to make events and alarm data more insightful than ever, but businesses must first determine what their high priority events are and how they are derived from applications and devices within the infrastructure. This way, teams can use the SIEM to spend more time on the events and alarms that may be more damaging to the business and its data.

4. Pinpoint your key success metrics

A successful SIEM implementation and deployment is directly correlated with what a business’ goals are. It is important that key success metrics are determined prior to deployment to ensure maximum ROI. For example, reducing information theft or improving how businesses monitor for potential intrusions or infections may be metrics to establish, but there are many others. It is important that businesses determine what success means for them and how the SIEM can be used to achieve it.

5. Identify all environments you need to monitor

After you have identified your key use cases for a SIEM, you will need to identify and monitor all the assets that are relevant for achieving your business goals. This includes all network devices that process security-relevant information such as routers, firewalls, web filters, domain controllers, application servers, databases, and other critical assets within your business’ IT environment.

Once you have identified the assets and environments that need monitoring, you will also need to know who the bad actors are, what events to focus on, how to respond when threats are detected, where these threats are in your environment, and why these are the biggest threats to ensure your team is finding threats and addressing them correctly.

Your SIEM use cases may relate to passing your next compliance audit or protecting the company’s intellectual property. You should consider all of the critical applications and data your business relies on to support customers and keep business operations running. Consider which applications house data that might be the target of cyber criminals or which applications contain data that may impact your compliance status (e.g. credit cardholder data has implications for PCI DSS).

Evaluating possible solutions

There should be a clear step-by-step process in place for evaluating and selecting a SIEM. Firstly, is the initial review. Determine the set of vendors you will evaluate and ensure those on your list provide the solutions and support needed to help your business achieve its goals. If possible, choose at least two or three vendors that your team will invest their time and effort with during the proof of concept phase. Know that not all vendors will qualify for an investment of your team’s time and attention during an in-depth technical evaluation, so it is important to understand which providers will give your team the time and effort it needs to ensure a solution is worth investing in.

Secondly, try it in your own environment. Develop key evaluation criteria for each SIEM vendor you are exploring. Have your team run through test cases to ensure that the SIEM works as expected and addresses key technical requirements and satisfies your business goals. Look for vendors that offer a free trial so you can go through the deployment process before making a final purchase. Design test cases that are as close to your business’s real-world priority needs as possible. By testing and gathering feedback, you will find out how easy (or difficult) the process is from installation to insight with the SIEM, which will ensure that you choose the right solution for your unique business needs.

Thirdly, gather and analyze all results from evaluation assessments and team feedback to determine which SIEM vendor is right for you. Be sure to evaluate subjective criteria such as rapport with the vendor team, as well as what their support hours and customer policies may be. While the technology backbone is of utmost importance, ensuring you have the right team behind you can make the SIEM work even better for your business. Include all key stakeholders in this process and document key reasons for selecting the chosen vendor. Feedback from both leadership teams and those who will be interacting with the solution on a regular basis will be important information to know, especially because it may come in handy at renewal time.

During the purchasing process, it is vital to explore your needs fully with the vendor. Key questions might include, what can I do if I do not have all of the external security technologies in place
that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, etc.)? What is the anticipated mix of licensing costs to consulting and implementation fees? How many staff members or outside consultants will I need for responding to SIEM alerts and managing the system overall? How long will it take to go from software install to security insight? How many staff members or outside consultants will I need for the integration work? Do alerts and alarms provide step-by-step instructions for how to mitigate and respond to investigations?

Other considerations

There may well be other criteria that influence the decision. A key one is Time to Value. When you choose a SIEM solution that is already integrated with other essential security controls, you significantly reduce the time and effort required to procure, deploy, integrate and configure multiple point security tools. Instead, you can deploy quickly and realize a faster time to value. Security-focused SIEM solutions often include pre-built correlation rules to detect malware and more, so you can begin to detect threats on day one.

Similarly, cost savings will also be a prime concern. A unified SIEM with integrated offerings generates upfront and ongoing cost savings. Instead of having to deploy, monitor and maintain multiple point security and compliance tools, a unified solution can provide a single view for complete security monitoring and compliance management. This approach enables resource-constrained IT security teams to achieve a strong security posture with fewer resources.

If you do already have some of these core technologies in place, then you will want to clearly understand what it will take (how much time, money and effort) to integrate them with your SIEM and maintain that integration as things within your business change. Be sure to ask your SIEM vendor how they approach integration with other tools (including costs), and how long this part of the deployment is expected to take.