8 ways to get more life out of an old SIEM

Can't update your old security information and event management system now? Use this advice to maintain its effectiveness.


As the COVID-19 pandemic drags global economies to a halt, enterprises are having to tighten their belts across the board, including in IT. In May Gartner predicted that worldwide IT spending will decrease by 9% in 2020 compared to last year. According to a Barracuda survey released in May, 40% of companies have cut their cybersecurity budgets as a cost-saving measure to help tackle the COVID-19 crisis.

This means that cybersecurity teams might postpone planned upgrades to core security systems, such as security information and event management (SIEM) platforms. SIEMs are the heart of many enterprise security operations centers, pulling in security-related data from throughout the enterprise and helping security analysts identify threats.

As SIEMs age, companies start to see problems. Older platforms have a hard time ingesting and processing data from new sources, such as hybrid and cloud architectures and SaaS applications. They may also not have the latest analytics tools to spot suspicious behaviors or prioritize threats based on potential impact.

Older SIEMs may also have limits on how much information they can ingest economically, forcing companies to limit their visibility. Meanwhile, the threats aren't going away. Evidence shows that attackers are taking advantage of the pandemic to step up their activities.

According to the Barracuda survey, 51% of companies have already seen an increase in phishing attacks since shifting to a remote working model; 51% of respondents said their workforce is not proficient or properly trained in the cyber risks associated with remote working; 46% are not confident their web applications are secure; and 50% have allowed employees to use personal email addresses and personal devices to conduct company work.

Other research supports this bleak view:

  • In Crowdstrike's survey of more than 4,000 senior global decision-makers (83% of whom are now working remotely and 60% of whom are using personal devices for work), more than half say they received no additional cybersecurity training.
  • According to a BitSight report, home networks are 3.5 times more likely than corporate networks to have at least one family of malware.

What can companies do to improve their security posture without spending money they don't have on a SIEM upgrade? Here are a few things experts say can help enterprises get more life out of the SIEM technology they already have.

1. Fix your pipes

The first step to getting the most out of your existing SIEM is to look at where its data is coming from, says Ken Jenkins, founder and principal at EmberSec, a cybersecurity consultancy. These days, a lot of security threat data will be coming from employees working remotely. "When they're sitting in a corporate office, or in a home office, you need to be collecting different data," he says. "You're not going to be able to detect the same things at the endpoint now, especially if it's bring your own device. You want to look at things that are applicable to folks who are remote, such as how they're using VPNs and cloud services."

Jenkins suggests that enterprises start by prioritizing the feeds that are most important right now, and augmenting areas where there isn't enough data coming in. "Get rid of feeds that are just gobbling up subscriptions and licensing," he says. "If you have one feed over here providing the same insight as these three feeds there, we can cut those feeds off."

2. Add context to your feeds

If the purpose of the SIEM is to better detect incoming threats, enterprises can get more value out of the feeds that they do have by adding more meaning to the data. "Focus on getting more enrichments so you can get context to make decisions," says Jenkins.

Some third-party tools can bring in information from outside sources so that security staffers don't waste time doing basic research. "You want your analysts to spend more time hunting," Jenkins says.

There are even open-source or community-driven threat intelligence lookup tools, says Landon Lewis, CEO at Pondurance, an Indianapolis-based managed security provider. If the existing SIEM can call external APIs, enterprises can use these tools for, say, lookups of bad indicators such as domains or hashes.

Another way to get more bang from existing feeds is to do some processing before the data gets into the SIEM by consolidating or normalizing data, for example. Not only does the analysis happen faster when people have better data to work with, but some companies will save money on the SIEM itself. "Legacy SIEMs that charge based on data volume can get very pricey," Lewis says.
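The two ideas above, enriching events with an indicator lookup and normalizing and consolidating data before it reaches the SIEM, can be shown in one small pre-ingest pipeline. The following is an added example written for this article, not code from the article or from any SIEM vendor. The two log formats (a key=value syslog-style VPN feed and a JSON cloud audit feed), the common schema field names, the sample lines and the indicator set are all constructed assumptions; a real deployment would replace the `BAD_IPS` set with a call to an intelligence feed's API.

```python
"""Pre-ingest normalization, consolidation and enrichment for SIEM feeds.

Added example written for this article; it is not code from the article or
from any SIEM vendor. The two log formats, the common schema field names, the
sample lines and the indicator list are all constructed assumptions.
"""
import json
import re
from datetime import datetime, timezone

# Constructed raw lines: a key=value syslog-style VPN feed and a JSON cloud
# audit feed. Note the exact duplicate on the second VPN line and the bursts
# of identical events that follow.
RAW_VPN_SYSLOG = [
    "2020-06-01T08:00:01Z vpn01 user=alice src=203.0.113.7 action=connect",
    "2020-06-01T08:00:01Z vpn01 user=alice src=203.0.113.7 action=connect",
    "2020-06-01T08:00:02Z vpn01 user=bob src=198.51.100.9 action=connect",
    "2020-06-01T08:00:03Z vpn01 user=bob src=198.51.100.9 action=connect",
    "2020-06-01T08:00:04Z vpn01 user=bob src=198.51.100.9 action=connect",
    "2020-06-01T08:00:05Z vpn01 user=bob src=198.51.100.9 action=connect",
]
RAW_CLOUD_JSON = [
    '{"ts": 1590998406, "principal": "carol@example.com", "client_ip": "192.0.2.44", "op": "FileDownloaded"}',
    '{"ts": 1590998407, "principal": "carol@example.com", "client_ip": "192.0.2.44", "op": "FileDownloaded"}',
]
# Constructed stand-in for a threat-intelligence lookup (assumption; a real
# pipeline would query an intel feed's API here).
BAD_IPS = {"198.51.100.9"}

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) action=(?P<action>\S+)$"
)


def parse_ts(ts):
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


def normalize_vpn(line):
    """Map one VPN syslog line onto the common schema; None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "feed": "vpn", "user": m["user"],
            "src_ip": m["ip"], "action": m["action"]}


def normalize_cloud(line):
    """Map one JSON cloud audit record onto the common schema."""
    d = json.loads(line)
    ts = datetime.fromtimestamp(d["ts"], tz=timezone.utc).strftime(TS_FMT)
    return {"ts": ts, "feed": "cloud", "user": d["principal"].split("@")[0],
            "src_ip": d["client_ip"], "action": d["op"]}


def consolidate(events, window_seconds=60):
    """Drop exact duplicates and fold repeats of the same (feed, user, ip,
    action) within `window_seconds` into one event carrying a count."""
    seen = set()
    out = []
    latest = {}  # group key -> index in `out` of its most recent open group
    for ev in events:
        fingerprint = (ev["ts"], ev["feed"], ev["user"], ev["src_ip"], ev["action"])
        if fingerprint in seen:
            continue  # re-sent line: carries no new information
        seen.add(fingerprint)
        key = fingerprint[1:]
        idx = latest.get(key)
        if idx is not None and (
            parse_ts(ev["ts"]) - parse_ts(out[idx]["last_seen"])
        ).total_seconds() <= window_seconds:
            out[idx]["count"] += 1
            out[idx]["last_seen"] = ev["ts"]
        else:
            out.append(dict(ev, first_seen=ev["ts"], last_seen=ev["ts"], count=1))
            latest[key] = len(out) - 1
    return out


def enrich(events, bad_ips):
    """Attach the indicator verdict so analysts don't look it up by hand."""
    for ev in events:
        ev["ioc_match"] = ev["src_ip"] in bad_ips
    return events


def preprocess(vpn_lines, cloud_lines, bad_ips=BAD_IPS):
    """Full pre-ingest pipeline. Returns (events, raw_line_count)."""
    raw = [normalize_vpn(l) for l in vpn_lines] + [normalize_cloud(l) for l in cloud_lines]
    raw = [e for e in raw if e is not None]
    raw.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    return enrich(consolidate(raw), bad_ips), len(vpn_lines) + len(cloud_lines)


if __name__ == "__main__":
    events, n_raw = preprocess(RAW_VPN_SYSLOG, RAW_CLOUD_JSON)
    print(f"{n_raw} raw lines -> {len(events)} events for the SIEM")
    for ev in events:
        print(ev)
```

On the constructed input, eight raw lines become three schema-consistent events, the four-connection burst from one address is a single event with `count` 4, and the indicator match is already attached before the SIEM sees it; on a volume-priced platform that reduction is what lowers the bill.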

3. Review SIEM processes

You'd think that a SIEM is a tool that should improve over time, but that's not always the case, says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. "What often happens is that the SIEM works on day one, but then, as more security gets added, the log volume increases and it becomes harder to separate alerts and false positives," he says.

Instead of an expensive upgrade, a review of existing processes may be a better option, Hahad says. Say, for example, a user login process generates false positives every day. "At first glance, it may appear that people are taking too long to authenticate," he says, but maybe there's a multi-factor authentication process causing an error. "Adding the data from this new process into the SIEM flow could remove these alert flags."

That would leave the analysts with less extraneous noise to deal with, so that only genuine authentication issues remain. Sometimes a process review and some minor changes can help get months or even years of life out of an existing SIEM, Hahad says.
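Hahad's login example can be made concrete as a correlation rule. The following is an added example written for this article, not code from the article or from Juniper: a "slow authentication" rule is run first on login records alone, then again with the MFA service's events joined in, so that a delay the user spent answering an MFA prompt is no longer raised as an alert. The event shapes, the 30-second threshold and the timestamps are constructed assumptions.

```python
"""Suppressing 'slow authentication' alerts by correlating an MFA feed.

Added example written for this article, not code from the article or from
Juniper. Event shapes, thresholds and timestamps are constructed assumptions.
"""
from datetime import datetime, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(ts):
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


# Constructed login records: when authentication started and when it completed.
LOGIN_EVENTS = [
    {"user": "alice", "session": "s1", "start": "2020-06-01T09:00:00Z", "end": "2020-06-01T09:00:45Z"},
    {"user": "bob",   "session": "s2", "start": "2020-06-01T09:01:00Z", "end": "2020-06-01T09:01:05Z"},
    {"user": "carol", "session": "s3", "start": "2020-06-01T09:02:00Z", "end": "2020-06-01T09:03:10Z"},
]
# Constructed records from the MFA service, the feed Hahad suggests adding.
MFA_EVENTS = [
    {"user": "alice", "ts": "2020-06-01T09:00:20Z", "result": "success"},
    {"user": "carol", "ts": "2020-06-01T08:50:00Z", "result": "success"},  # earlier, unrelated
]


def auth_seconds(login):
    return (parse_ts(login["end"]) - parse_ts(login["start"])).total_seconds()


def slow_login_alerts(logins, threshold_seconds=30):
    """The original rule: anything slower than the threshold is flagged."""
    return [l["session"] for l in logins if auth_seconds(l) > threshold_seconds]


def mfa_explains_delay(login, mfa_events):
    """True if the same user answered an MFA challenge during this login."""
    start, end = parse_ts(login["start"]), parse_ts(login["end"])
    return any(
        m["user"] == login["user"] and start <= parse_ts(m["ts"]) <= end
        for m in mfa_events
    )


def slow_login_alerts_with_mfa(logins, mfa_events, threshold_seconds=30):
    """Same rule, but a delay accounted for by an MFA challenge is not an alert."""
    alerts = []
    for l in logins:
        if auth_seconds(l) <= threshold_seconds:
            continue
        if mfa_explains_delay(l, mfa_events):
            continue  # the extra seconds were the user answering the MFA prompt
        alerts.append(l["session"])
    return alerts


if __name__ == "__main__":
    print("without MFA feed:", slow_login_alerts(LOGIN_EVENTS))
    print("with MFA feed:   ", slow_login_alerts_with_mfa(LOGIN_EVENTS, MFA_EVENTS))
```

Without the MFA feed, both alice's 45-second login and carol's 70-second login are flagged; with it, only carol's remains, because no MFA event falls inside her login window. The join is deliberately on user and time window rather than on a shared session ID, since the two systems in the scenario were never designed to share one.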

4. Check your baseline

If a SIEM suddenly stops doing the job it was supposed to do, maybe the problem isn't in the SIEM at all. Maybe it was designed to work with certain baseline patterns.

Prior to the pandemic, employee and customer behaviors were probably very different than they are now, says Karen Panetta, IEEE fellow and dean of graduate engineering at Tufts University. "The thresholds are going to change," she says. "If I'm comparing today's behaviors to pre-COVID-19, that data won't make sense anymore." SIEMs that rely on analytics engines need to be retrained on a new baseline.
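What "retrained on a new baseline" means for a simple threshold rule is shown in the added example below; it is written for this article and is not code from the article or from any SIEM. The daily counts are constructed: a pre-pandemic week of VPN logins and a week under remote work whose last day contains a genuine spike. A z-score rule scored against the old baseline fires every day of the new regime, while the same rule scored against a rolling window of the current regime fires only on the spike.

```python
"""Re-baselining a threshold rule after the workforce goes remote.

Added example written for this article; it is not code from the article or
from any SIEM. The daily counts are constructed: a pre-pandemic week of VPN
logins and a week under remote work whose last day contains a real spike.
"""
from statistics import mean, pstdev

PRE_COVID_DAILY_LOGINS = [100, 105, 98, 102, 101, 99, 103]
REMOTE_DAILY_LOGINS = [880, 900, 910, 895, 905, 890, 1500]


def is_outlier(value, history, z_threshold=3.0):
    """z-score test of `value` against `history` (population std dev)."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return value != mu  # flat history: any change at all is a deviation
    return abs(value - mu) / sigma > z_threshold


def stale_baseline_alerts(training, observed, z_threshold=3.0):
    """Keep scoring new days against the old, pre-pandemic baseline.

    Returns the indices of `observed` that would raise an alert."""
    return [i for i, v in enumerate(observed) if is_outlier(v, training, z_threshold)]


def rolling_baseline_alerts(observed, window=5, z_threshold=3.0):
    """Retrain daily: score each day against the preceding `window` days of
    the current regime only. The first `window` days are warm-up and are not
    scored, which is the price of a baseline that tracks reality."""
    alerts = []
    for i in range(window, len(observed)):
        if is_outlier(observed[i], observed[i - window:i], z_threshold):
            alerts.append(i)
    return alerts


if __name__ == "__main__":
    print("stale baseline alerts:  ", stale_baseline_alerts(PRE_COVID_DAILY_LOGINS, REMOTE_DAILY_LOGINS))
    print("rolling baseline alerts:", rolling_baseline_alerts(REMOTE_DAILY_LOGINS))
```

The stale rule flags all seven remote-work days (an eightfold jump in logins is hundreds of standard deviations from a ~101-a-day baseline), so analysts would be looking at noise. The rolling rule flags only day index 6, the 1500-login spike, which is the alert worth their time. Production analytics engines do something more elaborate than a z-score, but the failure mode is the same: a baseline frozen before the behavior changed.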

5. Shrink your attack surface

Suddenly having a new universe of devices, connections and applications to monitor can be overwhelming. Wouldn't it be nice to be able to turn back the clock? Maybe you can, suggests Panetta. "I hate to go back to the 90s when we had shared services," she says, "but security was wonderful because we all worked in this constrained environment."

Instead of trying to beef up the security around the platforms that everyone is using, why not try to create a secure environment within all those platforms? Virtualized desktops, mobile device management tools, or online portals can help simplify access and authentication across a wide variety of connection methods and remote working setups.

"It might be better to have everyone connect to a single secure site," Panetta says. "Your mobile device becomes a dumb terminal. If you can't guarantee security, you need to go with proven technology that is secure."

6. Check out analytics add-ons

The bigger, established SIEM vendors have ecosystems of applications that can be installed to run on top of the SIEM, says EmberSec's Jenkins. Cybersecurity vendors specializing in AI, machine learning or advanced analytics often create an app instead of building their own SIEM from the ground up.

The capabilities of these add-ons vary greatly, Jenkins warns. "Garbage in still equals garbage out. If you don't have the right ingest, no advanced application you can bolt onto the SIEM will save you."

7. Look at automation

Depending on their platform, some enterprises will be able to add automation tools to their existing SIEMs. "There's a handful of vendors working on that right now," says Jenkins, though some of the tools can be costly. They can help alleviate personnel shortages, particularly for the most low-level, routine tasks.

Plus, if companies shrink their physical footprints as more employees work from home, maybe there will be some money in the budget, says Jenkins.

8. Invest in cloud add-ons

The attack surface has changed dramatically as a result of the pandemic, says Jenkins, with many corporate processes moving to the cloud. Lightweight cloud-based SIEM alternatives can help fill in some gaps and offload some of the work now done by traditional on-prem platforms. "In a perfect world, we'd like to swing all our remote users to a cloud-based SIEM," he says. "We totally take the bandwidth issues out of our hands and get the robustness of cloud to receive those feeds."

For the most popular hosted services, like Office 365 or online collaboration tools, sending the logs to a new cloud-hosted SIEM can be very simple. "In fact, a lot of the cloud-based platforms have integrations that are API-based," Jenkins says.

The cloud can help organizations not just to collect more data, but to analyze and retain it, says Jon Oltsik, senior principal analyst at Enterprise Strategy Group. "We are seeing most deployments either in the cloud or with a cloud back end," he says. Cloud platforms, for example, can offer a variety of data pipelines and capacity or tighter linkage to managed services.

Lay the groundwork for a permanent transition

Whatever the short-term fixes might be, eventually they will have to evolve into something more permanent, says Jenkins. The pandemic may drag on for months (or years), but even if it doesn't, many changes that we're seeing happen today are going to be permanent. "I think there's going to be a lot more remote employees after this," he says. "It will never be the same."

Copyright © 2020 IDG Communications, Inc.