After working in over 250 unique SIEM environments across many industries and platforms, I find myself discussing SIEM maturity with clients more and more. I couldn’t find a good example of such a maturity model, so I wanted to share this one to help in future discussions. SIEM platforms are highly complex, but there are 5 key maturity levels that help businesses stay secure.
- Logging
  - This may seem like an obvious first step, but many clients fail to collect key log sources that can mean the difference between catching an attacker and being completely blind to their activity. A good example is whether clients collect PowerShell logs from their Windows hosts. According to a recent SANS Summit, about 80% of breaches involved some form of Cobalt Strike. Hunting Cobalt Strike without PowerShell logging is a losing battle. If your business isn’t logging PowerShell, you should start as soon as possible.
- Rule-Based Alarming
  - All SIEMs have some form of rule-based alarming: basic rules that capture activity which could be malicious, such as a non-administrator running programs that are not on your approved-applications list. This is considered the bare minimum for cybersecurity. Some legacy SIEMs use statistical anomaly detection in rule creation, but those rules tend to be very limited in the time horizon they can cover and are very resource-intensive.
- Threat Feeds
  - Threat feeds help businesses monitor for known-bad hashes, IPs, URLs, domains, and email addresses. These feeds help protect organizations from the most recently confirmed malicious activity. It’s useful to have them integrated into your SIEM so that attackers reusing the same indicators of compromise in your environment are caught. Without properly curated threat feeds, organizations lose a lot of actionable threat intelligence that they would otherwise not have access to.
- Behavioral Alarming
  - Monitoring for changes in behavior across the organization over an extended time horizon helps security teams catch anomalous behavior that basic rules, or rules with a limited time window, would miss. This capability is provided by NextGen SIEM platforms and some Extended Detection and Response (XDR) solutions, and it is considered the new standard in SIEM monitoring.
- Threat Hunting
  - Having highly skilled analysts review SIEM logs for particular attack styles or odd behavior helps businesses develop new use cases that can turn into new alarm rules. It also verifies that SIEM logging is healthy and that current alarms are not missing activity through false negatives. A SIEM without active threat hunting leaves a lot of room for failure.
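The "Rule-Based Alarming" level above, as an added example that is not part of the original post: a minimal rule that fires when a non-administrator executes a binary that is not on the approved-applications list. The approved-application list, the administrator accounts and the process-creation events are all constructed for illustration; in a real SIEM the admin check would be a lookup against directory group membership.

```python
# Added example (not from the original post): a rule-based alarm for
# "non-administrator runs an unapproved program". All data below is constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List

# Constructed allowlist of approved executables, matched by file name only.
APPROVED_APPS = {"outlook.exe", "excel.exe", "chrome.exe", "teams.exe", "explorer.exe"}

# Constructed administrator accounts (DOMAIN\user). A real rule would resolve this
# from directory group membership rather than a hard-coded set.
ADMIN_USERS = {"corp\\jsmith-adm", "corp\\svc-sccm"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (e.g. Sysmon Event ID 1 or Security Event ID 4688)."""
    host: str
    user: str
    image: str  # full path of the executed binary


def image_name(image: str) -> str:
    """File name of a Windows path, lower-cased; PureWindowsPath parses backslashes on any OS."""
    return PureWindowsPath(image).name.lower()


def is_alarm(event: ProcessEvent) -> bool:
    """Rule: a non-administrator executed a binary that is not on the approved list."""
    if event.user.lower() in ADMIN_USERS:
        return False
    return image_name(event.image) not in APPROVED_APPS


def evaluate(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return only the events that fire the rule."""
    return [e for e in events if is_alarm(e)]


# Constructed sample events: one approved app, one unapproved binary from a temp
# directory, one unapproved binary run by a regular user, one run by an admin.
SAMPLE_EVENTS = [
    ProcessEvent("ws-101", "CORP\\alice", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ProcessEvent("ws-101", "CORP\\alice", r"C:\Users\alice\AppData\Local\Temp\setup_helper.exe"),
    ProcessEvent("ws-207", "CORP\\bob", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent("srv-01", "CORP\\jsmith-adm", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALARM host={hit.host} user={hit.user} image={hit.image}")
```

Two of the four constructed events fire. Note the weakness that makes this the "bare minimum": the allowlist keys on the file name alone, so a production rule would also key on the binary's hash or code-signing identity, and the rule needs tuning against the real application inventory before it is low-noise enough to page on.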
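The "Threat Feeds" level, as an added example that is not part of the original post: loading a curated feed of hashes, IPs, domains and URLs, normalizing the defanged notation feeds commonly use (`hxxp://`, `[.]`), and matching SIEM events against it so that a feed entry for a parent domain also catches its subdomains. The feed entries, indicator values and events are constructed (RFC 5737 test addresses, `.example` domains, a made-up hash); real indicators come from your intelligence provider.

```python
# Added example (not from the original post): threat-feed ingestion and matching.
# Feed entries and events are constructed; nothing here is a real indicator.
import re
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlsplit

IOC_TYPES = ("hash", "ip", "domain", "url")


def refang(value: str) -> str:
    """Normalize an indicator: lower-case, strip whitespace, undo common defanging."""
    v = value.strip().lower()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v)
    for defanged, plain in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        v = v.replace(defanged, plain)
    return v


def load_feed(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Parse 'type,value' lines (comments start with '#') into normalized indicator sets."""
    feed: Dict[str, Set[str]] = {t: set() for t in IOC_TYPES}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ioc_type, sep, raw = line.partition(",")
        ioc_type = ioc_type.strip().lower()
        if sep and ioc_type in feed and raw.strip():
            feed[ioc_type].add(refang(raw))
    return feed


def domain_candidates(host: str) -> List[str]:
    """'a.b.example' -> ['a.b.example', 'b.example']: every parent domain except the bare TLD,
    so a feed entry for a parent domain also matches its subdomains."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def match_event(feed: Dict[str, Set[str]], event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (ioc_type, indicator) pairs from the feed that this event touches."""
    hits: List[Tuple[str, str]] = []
    if "hash" in event and refang(event["hash"]) in feed["hash"]:
        hits.append(("hash", refang(event["hash"])))
    if "dst_ip" in event and refang(event["dst_ip"]) in feed["ip"]:
        hits.append(("ip", refang(event["dst_ip"])))
    hosts: List[str] = []
    if "domain" in event:
        hosts.append(refang(event["domain"]))
    if "url" in event:
        url = refang(event["url"])
        if url in feed["url"]:
            hits.append(("url", url))
        hostname = urlsplit(url).hostname  # the URL's host is also checked as a domain
        if hostname:
            hosts.append(hostname)
    for host in hosts:
        for cand in domain_candidates(host):
            if cand in feed["domain"]:
                hits.append(("domain", cand))
                break
    return hits


def match_events(feed: Dict[str, Set[str]], events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(event id, ioc_type, indicator) for every feed hit across all events."""
    return [(ev["id"], t, v) for ev in events for (t, v) in match_event(feed, ev)]


# Constructed feed in the defanged form feeds are often distributed in.
FEED_LINES = """
# constructed feed: type,value
hash,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
ip,192.0.2.77
domain,evil-updates[.]example
url,hxxp://evil-updates[.]example/update/patch.bin
""".strip().splitlines()
FEED = load_feed(FEED_LINES)

# Constructed events: hash in upper case, a subdomain of a listed domain, a listed
# URL, and one benign event that must not match.
SAMPLE_EVENTS = [
    {"id": "e1", "host": "ws-101", "hash": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"},
    {"id": "e2", "host": "ws-101", "dst_ip": "192.0.2.77"},
    {"id": "e3", "host": "ws-207", "domain": "cdn.evil-updates.example"},
    {"id": "e4", "host": "ws-207", "url": "http://evil-updates.example/update/patch.bin"},
    {"id": "e5", "host": "srv-01", "dst_ip": "192.0.2.10", "domain": "intranet.example"},
]

if __name__ == "__main__":
    for event_id, ioc_type, indicator in match_events(FEED, SAMPLE_EVENTS):
        print(f"FEED HIT event={event_id} type={ioc_type} indicator={indicator}")
```

The normalization step is where most home-grown feed integrations fail: a feed that ships `evil-updates[.]example` and a log that records `cdn.evil-updates.example` never match byte-for-byte, so the example refangs both sides and walks the parent domains. Curation still matters; a feed full of stale or over-broad entries turns this into an alert-fatigue generator rather than intelligence.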
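The "Behavioral Alarming" level, as an added example that is not part of the original post: each user's daily activity count (files accessed, hosts logged on to, or any similar measure) is compared with that user's own baseline over a 30-day window, and hosts never touched during the baseline are reported as new behavior. The baseline length, the thresholds, the daily counts and the host sets are all constructed; a NextGen SIEM would maintain the baselines itself.

```python
# Added example (not from the original post): long-horizon behavioral baselining.
# Thresholds and all per-user data are constructed for illustration.
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple

MIN_BASELINE_DAYS = 14      # refuse to judge a user with too little history
Z_THRESHOLD = 3.0           # standard deviations above the mean that count as anomalous
MIN_ABSOLUTE_INCREASE = 5   # guard so a tiny sigma does not turn 4 -> 6 into an alarm


def volume_anomaly(history: List[int], today: int) -> Tuple[bool, Optional[float]]:
    """Compare today's count with the user's baseline. Returns (alarm, z_score);
    z_score is None when the baseline is too short or has zero variance."""
    if len(history) < MIN_BASELINE_DAYS:
        return False, None
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        # Perfectly flat baseline: a z-score is undefined, fall back to the absolute guard.
        return today - mu >= MIN_ABSOLUTE_INCREASE, None
    z = (today - mu) / sigma
    return (z >= Z_THRESHOLD and today - mu >= MIN_ABSOLUTE_INCREASE), z


def new_hosts(baseline_hosts: Set[str], today_hosts: Set[str]) -> Set[str]:
    """Hosts this user touched today but never during the baseline window."""
    return today_hosts - baseline_hosts


def evaluate_user(user: str, profile: Dict) -> Dict:
    """Run both behavioral checks for one user and return a flat result record."""
    alarm, z = volume_anomaly(profile["history"], profile["today"])
    unseen = new_hosts(profile["baseline_hosts"], profile["today_hosts"])
    return {"user": user, "volume_alarm": alarm, "z": z, "new_hosts": sorted(unseen)}


def evaluate_all(users: Dict[str, Dict]) -> Dict[str, Dict]:
    return {user: evaluate_user(user, profile) for user, profile in users.items()}


# Constructed 30-day baselines: steady users, one sudden spike, one with too little history.
STEADY = [4] * 20 + [3] * 5 + [5] * 5   # mean 4.0, small but non-zero variance
SAMPLE_USERS = {
    "alice": {"history": STEADY, "today": 40,
              "baseline_hosts": {"ws-101", "fs-01"}, "today_hosts": {"ws-101", "fs-01", "fs-02", "db-03"}},
    "bob":   {"history": STEADY, "today": 5,
              "baseline_hosts": {"ws-207"}, "today_hosts": {"ws-207"}},
    "carol": {"history": [2] * 5, "today": 30,   # only 5 days of history: not judged yet
              "baseline_hosts": {"ws-310"}, "today_hosts": {"ws-310"}},
    "dave":  {"history": [4] * 30, "today": 10,  # flat baseline, absolute guard applies
              "baseline_hosts": {"ws-412"}, "today_hosts": {"ws-412"}},
}

if __name__ == "__main__":
    for user, result in evaluate_all(SAMPLE_USERS).items():
        print(user, "volume_alarm=%s z=%s new_hosts=%s" % (result["volume_alarm"], result["z"], result["new_hosts"]))
```

The two guards are what separate this from the "limited time horizon" statistical rules the post mentions: a minimum baseline length so a brand-new account is not scored against five days of noise, and an absolute-increase floor so a user with an almost perfectly flat baseline does not alarm on trivially small changes. The per-user baseline is the point of the extended horizon; a 24-hour rule with one global threshold cannot tell a backup operator's normal day from an analyst's abnormal one.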
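One added example serving two of the levels above, the "Logging" level (are the Windows hosts actually shipping PowerShell logs?) and the "Threat Hunting" level (verifying that SIEM logging is healthy). It is not part of the original post. It reports inventory hosts that have not sent a PowerShell Script Block Logging event (Event ID 4104 in the `Microsoft-Windows-PowerShell/Operational` channel) within the expected interval, and hosts that are logging but are missing from the inventory. The host inventory, the event records and the reference time are constructed.

```python
# Added example (not from the original post): a log-source coverage check for
# PowerShell Script Block Logging. Inventory, events and "now" are constructed.
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

PS_SCRIPT_BLOCK_EVENT_ID = 4104
PS_OPERATIONAL_CHANNEL = "Microsoft-Windows-PowerShell/Operational"


def last_seen_by_host(events: Iterable[Dict]) -> Dict[str, datetime]:
    """Most recent 4104 timestamp per host; events from other channels or IDs are ignored."""
    seen: Dict[str, datetime] = {}
    for ev in events:
        if ev["channel"] != PS_OPERATIONAL_CHANNEL or ev["event_id"] != PS_SCRIPT_BLOCK_EVENT_ID:
            continue
        ts = datetime.fromisoformat(ev["time"])
        host = ev["host"].lower()
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def coverage_report(inventory: Iterable[str], events: Iterable[Dict], now: datetime,
                    max_silence: timedelta = timedelta(hours=24)) -> Dict[str, List[str]]:
    """Split the inventory into covered and silent hosts, and list hosts that log
    but are absent from the inventory (a sign the inventory itself is stale)."""
    inv = {h.lower() for h in inventory}
    seen = last_seen_by_host(events)
    covered = sorted(h for h in inv if h in seen and now - seen[h] <= max_silence)
    silent = sorted(h for h in inv if h not in covered)
    unknown = sorted(h for h in seen if h not in inv)
    return {"covered": covered, "silent": silent, "unknown": unknown}


# Constructed reference time and asset inventory (case differences are deliberate).
NOW = datetime(2024, 6, 1, 12, 0, 0)
INVENTORY = ["WS-101", "ws-207", "srv-01", "srv-02"]

# Constructed events: one fresh 4104, one stale 4104, one event from the wrong
# channel, and one 4104 from a host nobody put in the inventory.
SAMPLE_EVENTS = [
    {"host": "WS-101", "channel": PS_OPERATIONAL_CHANNEL, "event_id": 4104, "time": "2024-06-01T09:15:00"},
    {"host": "ws-207", "channel": PS_OPERATIONAL_CHANNEL, "event_id": 4104, "time": "2024-05-20T08:00:00"},
    {"host": "srv-01", "channel": "Security", "event_id": 4688, "time": "2024-06-01T11:00:00"},
    {"host": "lab-99", "channel": PS_OPERATIONAL_CHANNEL, "event_id": 4104, "time": "2024-06-01T11:30:00"},
]

if __name__ == "__main__":
    report = coverage_report(INVENTORY, SAMPLE_EVENTS, NOW)
    print("covered:", report["covered"])
    print("silent (no recent 4104):", report["silent"])
    print("logging but not in inventory:", report["unknown"])
```

Script block logging has to be switched on before any of this produces data: the Group Policy setting is "Turn on PowerShell Script Block Logging" under Administrative Templates, Windows Components, Windows PowerShell. Once it is, the same check generalizes to any log source a hunt depends on (Sysmon, DNS, EDR telemetry) by swapping the channel and event ID, and running it on a schedule is the cheapest way to catch the silent-agent and stale-inventory failures that otherwise surface only during an incident.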
Cybersecurity teams that use all of the levels in the SIEM maturity hierarchy will provide the most effective defense for their organization. If you’d like assistance or guidance on how to implement these maturity levels across your SIEM, feel free to reach out to Black Tower Security for help.