1. Start slow
The most common mistake MSPs make regarding SIEM implementation is trying to do too much too soon. Before you even start searching for a SIEM solution, it’s best to define the scope of your SIEM deployment and think about what you want SIEM to do for you and your customers.
Start by isolating objectives, taking stock of existing security protocols, and brainstorming how these protocols will fit in with your prospective SIEM implementation. You can also segment everything you want to monitor into groups and define how you want to monitor them—this can help ensure you have a bit of a game plan heading into logging.
Once you’ve done your homework, don’t deploy a SIEM system across your customer's entire IT infrastructure just yet—do it piecemeal. Test out your SIEM solution on a small section of the system to see how well it works, demonstrate potential return on investment, and identify key security vulnerabilities that should be addressed right away. Easing into SIEM rather than jumping in will help ensure that logging works for you, not against you.
2. Think about compliance requirements
SIEM logging can help your business demonstrate compliance with security regulations and audits, but only if you know what those standards are ahead of time. Before you commit to a SIEM system, create a list of the HIPAA, GDPR, HITECH, and any other IT regulations you have to comply with. Then use that list to compare required regulations to the solutions you’re considering.
Not only will that narrow down your list of contenders, it will also force you to consider the amount of log data you need. Knowing how much log data you need to retain in order to remain compliant will also inform your logging and monitoring practices.
3. Adjust correlation rules
SIEM correlation lets MSPs tailor a SIEM deployment to the unique needs of each client. A SIEM works by collecting data from multiple sources and then filtering, analyzing, and correlating that data to determine whether it warrants being flagged as a security alert.
As such, it's best to adjust correlation rules and set thresholds according to what makes sense for each specific customer you work with. Remember that SIEM is designed to uncover connections between events that would otherwise go unnoticed, so use that to your advantage. Start with the preconfigured correlation rules that come with your SIEM solution and work your way backwards, disabling and enabling parameters according to what you do and don't want correlated.
4. Collect security log data efficiently
Try to strike a happy medium: collect enough data to get a comprehensive view of the network without being overwhelmed by the sheer volume of information. SIEM isn't a one-size-fits-all solution, but MSPs should always collect log data related to:
- Successful and failed authorization attempts
- Changes to user privileges
- Application errors and performance issues
- Opt-ins like terms and conditions
- All actions done by users with administrative privileges
It’s best to exclude log data pertaining to:
- Information that’s illegal to collect
- Banking information or credit card data
- Encryption keys
- Passwords
- Personally identifiable information (PII)
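As an added illustration of sections 3 and 4 (this is example code written for this page, not from the original article or any particular SIEM product), the Python sketch below first drops or masks fields that should never reach the SIEM, then applies a per-customer failed-login correlation threshold over a sliding time window. The tenant names, field names, sample events and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample events, as a collector might emit them (not real customer data).
EVENTS = [
    {"tenant": "acme", "ts": 100, "type": "auth_failure", "user": "alice", "src": "198.51.100.7", "password": "hunter2"},
    {"tenant": "acme", "ts": 130, "type": "auth_failure", "user": "alice", "src": "198.51.100.7"},
    {"tenant": "acme", "ts": 160, "type": "auth_failure", "user": "alice", "src": "198.51.100.7"},
    {"tenant": "acme", "ts": 200, "type": "priv_change", "user": "admin", "detail": "granted sudo to bob"},
    {"tenant": "beta", "ts": 100, "type": "auth_failure", "user": "carol", "src": "203.0.113.9", "card": "4111 1111 1111 1111"},
    {"tenant": "beta", "ts": 150, "type": "auth_failure", "user": "carol", "src": "203.0.113.9"},
    {"tenant": "beta", "ts": 900, "type": "auth_failure", "user": "carol", "src": "203.0.113.9"},
    {"tenant": "beta", "ts": 901, "type": "heartbeat"},
]

# Event types worth collecting (section 4) and fields that must never be forwarded (secrets, payment data).
KEEP_TYPES = {"auth_success", "auth_failure", "priv_change", "admin_action", "app_error"}
DROP_FIELDS = {"password", "card", "api_key", "private_key"}
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digit card-like numbers in free text

def sanitize(event):
    """Return a copy that is safe to forward, or None if the event is not worth collecting."""
    if event.get("type") not in KEEP_TYPES:
        return None
    clean = {k: v for k, v in event.items() if k not in DROP_FIELDS}
    # Mask card-like numbers that slipped into free-text fields.
    return {k: CARD_RE.sub("[REDACTED-PAN]", v) if isinstance(v, str) else v for k, v in clean.items()}

# Per-customer thresholds (section 3): (failures, window in seconds). Tune per tenant, not globally.
THRESHOLDS = {"acme": (3, 120), "beta": (3, 300)}
DEFAULT_THRESHOLD = (5, 300)

def correlate(events):
    """Sliding-window rule: N auth failures for one (tenant, user, src) within W seconds raise an alert."""
    windows = defaultdict(deque)
    alerts = []
    for raw in sorted(events, key=lambda e: e["ts"]):
        ev = sanitize(raw)
        if ev is None or ev["type"] != "auth_failure":
            continue
        limit, window = THRESHOLDS.get(ev["tenant"], DEFAULT_THRESHOLD)
        key = (ev["tenant"], ev["user"], ev["src"])
        q = windows[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if len(q) >= limit:
            alerts.append({"tenant": key[0], "user": key[1], "src": key[2], "count": len(q), "ts": ev["ts"]})
            q.clear()  # one alert per burst; do not re-alert on every further failure
    return alerts
```

Running `correlate(EVENTS)` yields one alert for tenant acme (three failures within 60 seconds), while beta's failures are spread across 800 seconds and stay below its threshold.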
5. Have a plan after IT threat detection
Choosing the right SIEM solution and employing SIEM logging best practices is only half the battle. It’s critical that MSPs have an incident response plan in place to act on the security vulnerabilities uncovered by SIEM. Make sure you have designated roles for every technician during a security event, especially those responsible for communicating with customers and other relevant parties. Also, have a plan in place for recovering any lost sensitive data.
For more information on SIEM read through our related blog articles.