SIEM Logging Best Practices

By SolarWinds MSP
2 March, 2020

As the cybersecurity threat landscape becomes increasingly sophisticated, managed services providers (MSPs) should take extra precautions to protect their customers’ networks. A security information and event management (SIEM) system is an excellent choice for MSPs because it helps mitigate cybersecurity threats from two different angles, all from a single interface. SIEM collects information from multiple data sources—network data, threat intelligence feeds, compliance regulations, firewalls, etc.—and uses that data to power capabilities designed to help IT admins respond to threat events in real time.

In contrast to single-purpose security controls like asset management or network intrusion detection, SIEM allows you to dig deeper into security vulnerabilities by unifying information from disparate systems and offering unparalleled visibility into events that occur in your system. SIEM is not a threat detection system in and of itself, but it enhances the security tools you already use by providing real-time insights to build upon. If you put high-quality log data into a SIEM tool, you’ll receive high-quality security insights about your network. These insights can help make your network security protocols stronger and more precise.

Unfortunately, many IT administrators treat SIEM implementation like a “set it and forget it” solution. To experience the full benefits of security information and event management, MSPs should adopt a set of best practices to optimize the solution, beginning with security logging.

What are SIEM logs? 

How does security logging fit into SIEM implementation best practices? If you break SIEM down to its core components, it’s a log management system. All the information a SIEM tool gathers comes in the form of logs, or records of events that occur within an organization’s IT infrastructure and network.

Examples of log sources a SIEM collects from include, but aren’t limited to:

  • Firewalls
  • Routers and switches
  • Wireless access points
  • Vulnerability reports
  • Partner information
  • Antivirus and antimalware 

However, since SIEM tools are large in scope and constantly collect log data from everywhere in your system, they can be complicated and unwieldy to implement. SIEM best practices help MSPs avoid common pain points down the line by helping them use SIEM as effectively as possible from the get-go.

SIEM logging best practices

1. Start slow

The most common mistake MSPs make regarding SIEM implementation is trying to do too much too soon. Before you even start searching for a SIEM solution, it’s best to define the scope of your SIEM deployment and think about what you want SIEM to do for you and your customers. 

Start by isolating objectives, taking stock of existing security protocols, and brainstorming how these protocols will fit in with your prospective SIEM implementation. You can also segment everything you want to monitor into groups and define how you want to monitor them—this can help ensure you have a bit of a game plan heading into logging. 

Once you’ve done your homework, don’t deploy a SIEM system across your customer's entire IT infrastructure just yet—do it piecemeal. Test out your SIEM solution on a small section of the system to see how well it works, demonstrate potential return on investment, and identify key security vulnerabilities that should be addressed right away. Easing into SIEM rather than jumping in will help ensure that logging works for you, not against you.

2. Think about compliance requirements 

SIEM logging can help your business demonstrate compliance with security regulations and audits, but only if you know what those standards are ahead of time. Before you commit to a SIEM system, create a list of the HIPAA, GDPR, HITECH, and any other IT regulations you have to comply with. Then use that list to compare required regulations to the solutions you’re considering. 

Not only will that narrow down your list of contenders, it will also force you to consider how much log data you need to retain. Knowing how much you must keep in order to remain compliant will also inform your logging and monitoring practices.

3. Adjust correlation rules

SIEM correlation optimizes SIEM implementation for MSPs by allowing them to configure SIEM to the unique needs of their clients. SIEM works by collecting data from multiple sources and then filtering, analyzing, and correlating that data to determine whether it warrants being flagged as a security alert. 

As such, it’s best to adjust correlation rules and set thresholds according to what makes sense for each specific customer you work with. Remember that SIEM is designed to uncover connections between events that would otherwise go unnoticed, so use that to your advantage. Start with the preconfigured correlation rules that come with your SIEM solution and work your way backwards, disabling and enabling parameters according to what you do and don’t want correlated.
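As an added illustration, not code from the post or from any SolarWinds product, here is a minimal version of the kind of correlation rule described above, with a failure threshold and time window tuned per customer; the RULES settings, the event field names and the sample events are all assumed and constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Per-customer rule settings (hypothetical names): this many failed logins inside
# the window, followed by a success from the same source, raises an alert.
RULES = {
    "default": {"threshold": 5, "window_min": 10},
    "acme":    {"threshold": 3, "window_min": 10},   # smaller tenant, tighter rule
}

# Constructed sample login events, one dict per log record (not from the post).
SAMPLE_EVENTS = [
    {"ts": "2020-03-02T09:00:00", "customer": "acme",   "src": "10.0.0.5", "user": "jdoe", "outcome": "failure"},
    {"ts": "2020-03-02T09:01:00", "customer": "acme",   "src": "10.0.0.5", "user": "jdoe", "outcome": "failure"},
    {"ts": "2020-03-02T09:02:00", "customer": "acme",   "src": "10.0.0.5", "user": "jdoe", "outcome": "failure"},
    {"ts": "2020-03-02T09:03:00", "customer": "acme",   "src": "10.0.0.5", "user": "jdoe", "outcome": "success"},
    {"ts": "2020-03-02T09:00:00", "customer": "globex", "src": "10.1.0.9", "user": "amy",  "outcome": "failure"},
    {"ts": "2020-03-02T09:01:00", "customer": "globex", "src": "10.1.0.9", "user": "amy",  "outcome": "failure"},
    {"ts": "2020-03-02T09:02:00", "customer": "globex", "src": "10.1.0.9", "user": "amy",  "outcome": "failure"},
    {"ts": "2020-03-02T09:03:00", "customer": "globex", "src": "10.1.0.9", "user": "amy",  "outcome": "success"},
]

def correlate_failed_then_success(events, rules=RULES):
    """Return alerts for sources that hit their customer's failure threshold inside
    the window and then logged in successfully. The same event pattern gets a
    different verdict per customer because the thresholds differ."""
    failures = defaultdict(deque)   # (customer, src) -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        cfg = rules.get(e["customer"], rules["default"])
        window = timedelta(minutes=cfg["window_min"])
        ts = datetime.fromisoformat(e["ts"])
        recent = failures[(e["customer"], e["src"])]
        while recent and ts - recent[0] > window:   # forget failures older than the window
            recent.popleft()
        if e["outcome"] == "failure":
            recent.append(ts)
        elif e["outcome"] == "success" and len(recent) >= cfg["threshold"]:
            alerts.append({"customer": e["customer"], "src": e["src"], "user": e["user"],
                           "failures": len(recent), "at": e["ts"]})
            recent.clear()   # one alert per burst, not one per every later success
    return alerts

if __name__ == "__main__":
    for alert in correlate_failed_then_success(SAMPLE_EVENTS):
        print(alert)
```

With these settings only the acme burst is flagged; raising acme to the default threshold of 5 silences it, which is the per-customer tuning the post recommends.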

4. Collect security log data efficiently 

Try to strike a happy medium between collecting enough data to get a comprehensive view of the network and not being overwhelmed by the sheer volume of information. SIEM isn’t a one-size-fits-all solution, but MSPs should always collect log data related to:

  • Authorization successes and failed attempts
  • Changes to user privileges
  • Application errors and performance issues
  • Opt-ins like terms and conditions
  • All actions done by users with administrative privileges

It’s best to exclude log data pertaining to:

  • Information that’s illegal to collect 
  • Banking information or credit card data
  • Encryption keys
  • Passwords
  • Personally identifiable information (PII)
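An added example, not from the post or from any SolarWinds product: a forwarding filter that keeps only the event kinds in the first list and drops or masks the data in the second list before anything reaches the SIEM. The event kinds, field names, regular expressions and sample events are assumed and constructed for the illustration.

```python
import re

# Event kinds the post says to always collect (hypothetical "kind" values).
COLLECT = {"auth_success", "auth_failure", "privilege_change",
           "app_error", "app_perf", "consent", "admin_action"}
# Field names whose values must never be forwarded to the SIEM.
DROP_FIELDS = {"password", "passwd", "secret", "private_key", "api_key",
               "card_number", "iban", "ssn"}
# Coarse heuristics for sensitive values hiding inside free text: card-number-like
# runs of 13-16 digits (optionally separated by spaces or dashes) and e-mail addresses.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def scrub(event):
    """Return a copy of `event` that is safe to forward, or None if its kind is
    not one the post says to collect."""
    if event.get("kind") not in COLLECT:
        return None
    out = {}
    for key, value in event.items():
        if key.lower() in DROP_FIELDS:
            continue            # keep the fact that a login happened, never the secret
        if isinstance(value, str):
            value = PAN_RE.sub("[PAN REDACTED]", value)
            value = EMAIL_RE.sub("[EMAIL REDACTED]", value)
        out[key] = value
    return out

def forward(events):
    """Apply scrub() to a batch and return only the events worth sending."""
    return [s for s in map(scrub, events) if s is not None]

# Constructed sample events, not from the post.
SAMPLE_EVENTS = [
    {"kind": "auth_failure", "user": "jdoe", "src": "10.0.0.5",
     "password": "hunter2", "msg": "bad password for jdoe"},
    {"kind": "debug", "msg": "cache hit ratio 0.93"},
    {"kind": "admin_action", "user": "admin",
     "msg": "updated billing card 4111 1111 1111 1111 for jane@example.com"},
    {"kind": "privilege_change", "user": "jdoe", "detail": "added to Domain Admins"},
]

if __name__ == "__main__":
    for e in forward(SAMPLE_EVENTS):
        print(e)
```

The debug record is dropped entirely, the failed login is kept without its password field, and the card number and e-mail address in the admin action are masked while the action itself is still recorded.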

5. Have a plan after IT threat detection

Choosing the right SIEM solution and employing SIEM logging best practices is only half the battle. It’s critical that MSPs have an incident response plan in place to act on the security vulnerabilities uncovered by SIEM. Make sure you have designated roles for every technician during a security event, especially those responsible for communicating with customers and other relevant parties. Also, have a plan in place for recovering any lost sensitive data.

For more information on SIEM, read through our related blog articles.

Additional reading

Partnering—The Way to Win with SIEM and SOC Without Breaking the Bank
Best Practices SIEM: Educational Series Part 1
SIEM Open Source Overview