When it SIEMS like you’re doing it all wrong…

To make life easier for folks, I figured that consolidating all the checklist items from my latest AusCERT 2024 talk would be a good idea – now you can have your own printable list!

For those who have no idea what I’m talking about, WATCH THIS SPACE – when the talk is uploaded, I’ll be sure to link it here!

So, feel free to print out and mark off the items you’ve done…and use it to get things working well!

Architecting & Configuring

  • Know your ‘Why’
  • Decide if on-prem or cloud-based
  • Pick the location your SIEM is going to reside in
  • Use a SIEM that is designed to BE a SIEM
  • Pick a SIEM that you know will integrate with your other tools
  • Understand storage considerations (Hot vs. Cold)

Ingestion

  • Don’t collect into your SIEM simply for the sake of collecting it
  • Use filters where possible to remove noise from your ingestion
  • Avoid sending operational/performance data
  • Don’t duplicate the data – either within the SIEM or elsewhere
  • Don’t duplicate SIEM functionality – use as few tools as possible
  • Don’t have data caps, unless they are ridiculously high
  • Don’t have heavy limitations on collections – filter, yes; limit, no.
  • Ingest data from your Dev/Test/Staging environments
  • Ingest data from your legacy systems
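As an added illustration of the noise-filtering and de-duplication points above (this is example code, not something from the original post or talk), the snippet below shows a small pre-ingestion stage: it drops operational/performance events before they reach the SIEM and discards exact duplicates that arrive from two forwarders. The event schema (`ts`, `host`, `source`, `msg`), the noise rules and the sample events are all constructed assumptions; a real pipeline would apply the same idea in the collector or forwarder configuration.

```python
import hashlib
import json

# Constructed sample events (assumed schema, not from the original post).
# The third event is a deliberate duplicate, as seen when two forwarders ship the same log.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "host": "web01", "source": "nginx", "msg": "GET /healthz 200"},
    {"ts": "2024-05-01T10:00:01Z", "host": "web01", "source": "nginx", "msg": "GET /login 200"},
    {"ts": "2024-05-01T10:00:01Z", "host": "web01", "source": "nginx", "msg": "GET /login 200"},
    {"ts": "2024-05-01T10:00:02Z", "host": "db01", "source": "perfmon", "msg": "cpu=12% mem=40%"},
    {"ts": "2024-05-01T10:00:03Z", "host": "dc01", "source": "windows-security", "msg": "4625 logon failure user=alice"},
    {"ts": "2024-05-01T10:00:04Z", "host": "dc01", "source": "windows-security", "msg": "4624 logon success user=bob"},
]

# Noise rules (assumed): whole sources that are performance data, plus
# message fragments that mark health-check/heartbeat chatter.
NOISE_SOURCES = {"perfmon", "metrics"}
NOISE_SUBSTRINGS = ("/healthz", "/ping", "heartbeat")


def is_noise(event):
    """True for operational/performance events that carry no security value."""
    if event["source"] in NOISE_SOURCES:
        return True
    return any(fragment in event["msg"] for fragment in NOISE_SUBSTRINGS)


def event_fingerprint(event):
    """Hash only the fields that define 'the same event', ignoring forwarder metadata."""
    canonical = json.dumps(
        {k: event[k] for k in ("ts", "host", "source", "msg")}, sort_keys=True
    )
    return hashlib.sha256(canonical.encode()).hexdigest()


def filter_and_dedupe(events):
    """Return (events that should reach the SIEM, counters explaining what was dropped)."""
    seen = set()  # in production, bound this to a time window so memory stays flat
    kept = []
    stats = {"input": 0, "dropped_noise": 0, "dropped_duplicate": 0, "kept": 0}
    for event in events:
        stats["input"] += 1
        if is_noise(event):
            stats["dropped_noise"] += 1
            continue
        fingerprint = event_fingerprint(event)
        if fingerprint in seen:
            stats["dropped_duplicate"] += 1
            continue
        seen.add(fingerprint)
        kept.append(event)
        stats["kept"] += 1
    return kept, stats


if __name__ == "__main__":
    kept_events, counters = filter_and_dedupe(SAMPLE_EVENTS)
    print(counters)
    for ev in kept_events:
        print(ev["host"], ev["source"], ev["msg"])
```

Keeping the drop counters is the useful part: they give you a number to put next to the "don't collect for the sake of collecting" item, and a sudden change in `dropped_duplicate` usually means someone added a second collection path without telling you.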

Automation

  • Use where it makes sense – you can’t automate everything!
  • Make sure you understand what you’re automating BEFORE automating
  • Understand the different types of automation available and their impact

Health & Monitoring

  • Regularly monitor the health of your SIEM system and all components related to it
  • Monitor and alert for potential insider threats within the SIEM itself
  • Monitor the cost of your SIEM – no one wants bill shock!
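The three health items above can all be driven from two things most SIEMs already expose: per-source ingestion statistics and the SIEM's own audit log. The code below is an added example (mine, not the author's or any vendor's) that checks a constructed per-source ledger for sources that have gone silent or whose volume has spiked well above baseline (the bill-shock case), and scans constructed SIEM audit entries for the kind of administrative action that should raise an insider-threat alert. The ledger and audit schemas, the thresholds and the sample data are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed per-source ingestion ledger (assumed schema). A real SIEM exposes
# the same numbers through its metadata index or management API.
SOURCE_STATUS = {
    "dc01/windows-security": {"last_seen": NOW - timedelta(minutes=2), "events_last_hour": 4200, "baseline_per_hour": 4000},
    "fw01/syslog": {"last_seen": NOW - timedelta(minutes=95), "events_last_hour": 0, "baseline_per_hour": 9000},
    "web01/nginx": {"last_seen": NOW - timedelta(minutes=1), "events_last_hour": 60000, "baseline_per_hour": 12000},
    "vpn01/syslog": {"last_seen": NOW - timedelta(minutes=10), "events_last_hour": 800, "baseline_per_hour": 900},
}

# Constructed SIEM audit-log entries (assumed schema) for the insider-threat check.
SIEM_AUDIT = [
    {"ts": NOW - timedelta(minutes=40), "user": "analyst1", "action": "search", "target": "index=auth"},
    {"ts": NOW - timedelta(minutes=30), "user": "admin2", "action": "rule_disabled", "target": "Brute force logon"},
    {"ts": NOW - timedelta(minutes=20), "user": "admin2", "action": "retention_changed", "target": "index=auth 90d->7d"},
]

SILENCE_THRESHOLD = timedelta(minutes=30)   # a source quiet this long is a collection failure
SPIKE_FACTOR = 3.0                          # volume above this multiple of baseline is a cost/noise alert
SENSITIVE_ACTIONS = {"rule_disabled", "retention_changed", "index_deleted", "user_role_changed"}


def check_sources(status, now=NOW):
    """Return (source, problem) findings for silent or spiking log sources."""
    findings = []
    for name, s in status.items():
        gap = now - s["last_seen"]
        if gap > SILENCE_THRESHOLD:
            findings.append((name, f"silent for {int(gap.total_seconds() // 60)} min"))
        elif s["baseline_per_hour"] and s["events_last_hour"] > SPIKE_FACTOR * s["baseline_per_hour"]:
            findings.append((name, f"volume spike: {s['events_last_hour']} vs baseline {s['baseline_per_hour']}"))
    return findings


def sensitive_admin_actions(audit):
    """Return (user, action, target) for audit entries that weaken detection or retention."""
    return [(e["user"], e["action"], e["target"]) for e in audit if e["action"] in SENSITIVE_ACTIONS]


if __name__ == "__main__":
    for source, problem in check_sources(SOURCE_STATUS):
        print(f"SOURCE  {source}: {problem}")
    for user, action, target in sensitive_admin_actions(SIEM_AUDIT):
        print(f"AUDIT   {user} performed {action} on {target}")
```

Silence and spike checks are deliberately separate findings: a silent firewall is a gap in visibility, while a web server suddenly emitting five times its baseline is usually a misconfiguration that will show up on the invoice first. The audit check is intentionally crude; the point is that the SIEM's own changes (rules disabled, retention shortened) are logged somewhere and should feed back into the SIEM as alerts rather than sit unread.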

People & Process

  • Have enough people to do the work – and if you don’t, make the best use of the folks you DO have
  • Don’t push your Operational Security work onto your Operations staff – you need a SOC
  • Aim to fit your SIEM into your existing SOC process
  • Create (and test) your incident response plans
  • Measure the efficiency of your SOC/SIEM
  • Give access where it’s needed – don’t gatekeep
  • Train your staff – upskill them in the solutions they’ll be using
  • Look after the wellbeing of your people – including yourself!
