Planning to Roll Out a SIEM? Do These 3 Things First
So, you’ve decided to invest in a SIEM. Maybe you’ve even chosen the one that seems to be the best fit for your organization’s needs. Soon, your security team will be awash in data, with real time insights coming in to one central hub from across your environment. Hackers and any other malicious actors will be hard-pressed to avoid security’s new, ever-watchful eye. Before that dream can come to pass, however, there’s still much to be done.
A lot goes into implementing a SIEM. Even more has to happen prior to implementation in order to position a SIEM for success and to ensure that the initial investment pays off. It’s these steps that too often are passed over and left until much later in the process, risking potentially costly delays when the finish line should otherwise be in sight.
Arraya’s Cyber Team (ACT) has managed and executed countless SIEM deployments, for all types of organizations. The following are three documents they’ve come to count on as essential to planning and delivering (relatively) stress-free SIEM rollouts. Creating and completing these documents, either on your own or with the support of ACT, can help bring similar results to your SIEM project.
Document #1: People Inventory
SIEMs generate a ton of data. They do that by interfacing with all parts of a technology environment. The more that’s connected to the SIEM, the more complete the picture it generates will be. Making those connections will require a total team effort. So, for example, if you want your SIEM to talk to your network, you’re likely going to need your organization’s network resource to help unite the two. Want your firewalls to feed into the SIEM? You’re going to need a hand or insights from the person tasked with managing them. The same goes for most areas you hope to connect. In some cases, these resources may be the same person. No matter who the point of contact is, your team – or whoever is preparing to spearhead the SIEM rollout – needs to know where to turn for support.
A People Inventory document can ensure that info is readily available. A simple Excel workbook can be used to create this tool. Down one column, list all of the disciplines you want connected to the SIEM. Moving across the row for each of these areas, note the name of the best person to contact with questions or to whom tasks should be delegated as well as contact details (such as his or her phone number and email address).
If responsibility for overseeing a SIEM implementation changes hands, a People Inventory offers a very high-level look at scope beyond providing a directory of all the project’s key players.
Document #2: Project Scope
Once you know who will be involved on a project, it’s time to figure out what will be involved, technology-wise. At this stage, you’ll want to begin gaining a greater understanding of what is on your organization’s network and what exactly that network even looks like. This process should be repeated for every network within a given location and across all applicable locations (if your organization is made up of multiple branch or satellite offices that will add feed into the SIEM). You’ll also want to explain the purpose of each network, e.g., this one supports our WiFi connectivity, this one connects our IoT devices, etc.
Again, an Excel workbook can be created to track all of this information. You can document the types of devices your organization is currently using, such as web/mail servers, database server and core/large firewalls. You can also mark down how many of each of these devices inhabits a network as well as offer an estimate on the solution’s usage levels. Note: It’s important to include SaaS platforms such as Office 365 in this document as well as other security solutions a SIEM will monitor. These solutions are all part of your organization’s technology footprint and should be recorded as such.
With the Project Scope document, the core idea is to start with a bird’s eye view of your network and to begin recording what you see.
Document #3: Detailed Technology Inventory
The last tool we’ll cover in this post is the more granular Detailed Technology Inventory document. This is meant to flesh out the initial fly-by of the Project Scope document. It’s where you’ll want to include things like product version numbers, basic IP addresses, host names, etc. The goal is to get into as much detail and be as exact as possible. At a higher level, it’s OK to be marginally off and go with rough estimates. In this document, you’ll really want to accurately map out your company’s technology landscape.
In the Detailed Technology Inventory, you’ll want to break down assets by type. So, for example, you’ll want to list out all of your Linux servers. Then, you’ll want to note things like the host name, the operating system, that server’s role in the network, etc. for each of those servers. This should be repeated throughout the environment to provide a photographic account of the technologies your organization utilizes.
This process can be invaluable later on as you work to bring a SIEM online. The resulting document can be used to determine things like how many firewall rules need to be made or if you have the correct amount of licensing. In turn, that information can act as milestones during rollout, allowing those working on the project to see just how far they’ve come and how much they have left to do.
It’s worth pointing out that the technology inventory can be completed in pieces, over the course of multiple passes. Trying to tackle it all at once, right before an implementation is set to begin, is a recipe for delays or errors. Furthermore, those that have an asset management system in place can use it to gather much of the data required for this document. In lieu of an asset management system, internal vulnerability can data can also be used to similar effect. Regardless of how it’s initially created, the inventory should also be a living file, one that is updated over time.
Next Steps: What else you need to know before powering on your SIEM
Interested in learning more about how to get your SIEM implementation off on the right foot? Or, do you want to begin the process of modernizing your organization’s cyber security posture? The Arraya Cyber Team can help. Our experts can provide the strategic insights and hands-on expertise needed to help you assess where you stand, where you want to be and to map out a way to close the gap between the two positions.
Visit https://www.arrayasolutions.com/contact-us/ to connect with our team now.
Follow us to stay up to date on our industry insights and unique IT learning opportunities.