SIEM Logging Best Practices

As the cybersecurity threat landscape becomes increasingly sophisticated, managed services providers (MSPs) should take extra precautions to protect their customers’ networks. A security information and event management (SIEM) system is an excellent choice for MSPs because it helps mitigates cybersecurity threats from two different angles, all from a single interface. SIEM collects information from multiple data sources—network data, threat intelligence feeds, compliance regulations, firewalls, etc.—and uses that data to power capabilities designed to help IT admins respond to threat events in real time.

In contrast to singular security control systems like asset management or network intrusion detection, SIEM allows you to dig deeper into security vulnerabilities by unifying information from disparate systems and offering unparalleled visibility into events that occur in your system. SIEM is not a threat detection system in and of itself, but it enhances the security tools you already use by providing real-time insights to build upon. If you put high-quality log data into an SIEM tool, you’ll receive high-quality security insights about your network. These insights can help make your network security protocols stronger and more precise.

Unfortunately, many IT administrators treat SIEM implementation like a “set it and forget it” solution. To experience the full benefits of security information and event management, MSPs should adopt a set of best practices to optimize said solution, beginning with security logging.

What are SIEM logs?

How does security logging fit into SIEM implementation best practices? If you break SIEM down to its core components, it’s a log management system. All the information a SIEM tool gathers comes in the form of logs, or records of events that occur within an organization’s IT infrastructure and network.

Examples of logs collected by SIEM include, but aren’t limited to:

• Firewalls
• Routers and switches
• Wireless access points
• Vulnerability reports
• Partner information
• Antivirus and antimalware

However, since SIEM tools are large in scope and constantly collect log data from everywhere in your system, they can be a little complicated and unwieldy to implement. SIEM best practices help MSPs avoid common pain points down the line by helping them use SIEM as effectively as possible from the get-go.

SIEM logging best practices

1. Start slow

The most common mistake MSPs make regarding SIEM implementation is trying to do too much too soon. Before you even start searching for a SIEM solution, it’s best to define the scope of your SIEM deployment and think about what you want SIEM to do for you and your customers.

Start by isolating objectives, taking stock of existing security protocols, and brainstorming how these protocols will fit in with your prospective SIEM implementation. You can also segment everything you want to monitor into groups and define how you want to monitor them—this can help ensure you have a bit of a game plan heading into logging.

Once you’ve done your homework, don’t deploy a SIEM system across your customer’s entire IT infrastructure just yet—do it piecemeal. Test out your SIEM solution on a small section of the system to see how well it works, demonstrate potential return on investment, and identify key security vulnerabilities that should be addressed right away. Easing into SIEM rather than jumping in will help ensure that logging works for you, not against you.

2. Think about compliance requirements

SIEM logging can help your business demonstrate compliance with security regulations and audits, but only if you know what those standards are ahead of time. Before you commit to a SIEM system, create a list of the HIPAA, GDPR, HITECH, and any other IT regulations you have to comply with. Then use that list to compare required regulations to the solutions you’re considering.

Not only will that narrow down your list of contenders, it will force you to consider the amount of log data you need. Keeping the amount you need to keep in order to remain compliant will also inform logging and monitoring best practices.

3. Adjust correlation rules

SIEM correlation optimizes SIEM implementation for MSPs by allowing them to configure SIEM to the unique needs of their clients. SIEM works by collecting data from multiple sources and then filtering, analyzing, and correlating that data to determine whether it warrants being flagged as a security alert.

As such, it’s best to adjust correlation rules and set thresholds according to what makes sense for each specific customer you work with. Remember that SIEM is designed to uncover connections between events that would otherwise go unnoticed, so use that to your advantage. Start with the preconfigured configuration rules that come with your SIEM solution and work your way backwards, disabling and enabling parameters according to what you do and don’t want correlated.

4. Collect security log data efficiently

Try to strike a happy medium between collecting enough data such that you get a comprehensive view of the network but aren’t overwhelmed by the sheer volume of information. SIEM isn’t a one-size-fits-all solution, but MSPs should always collect log data related to:

• Authorization successes and failed attempts
• Changes to user privileges
• Application errors and performance issues
• Opt-ins like terms and conditions
• All actions done by users with administrative privileges

It’s best to exclude log data pertaining to:

• Information that’s illegal to collect
• Banking information or credit card data
• Encryption keys
• Passwords
• Personally identifiable information (PII)

5. Have a plan after IT threat detection

Choosing the right SIEM solution and employing SIEM logging best practices is only half the battle. It’s critical that MSPs have an incident response plan in place to act on the security vulnerabilities uncovered by SIEM. Make sure you have designated roles for every technician during a security event, especially those responsible for communicating with customers and other relevant parties. Also, have a plan in place for recovering any lost sensitive data.

 

For more information on SIEM read through our related blog articles.