As threats become more creative, our means of discovering them need to be more creative as well. Everyone who operates a large enterprise is struggling to implement a Security Information and Event Management system (SIEM). More generally, we are trying to create an environment that helps discover suspect events and minimize risk to the business. How do we create an environment where we can be both creative and effective? Having worked in this area for more than 10 years, here are some of the basic principles that I find to be effective.

1. Learn by doing

  • Prioritize the types of things that are most important to you.
  • Implement something that you think might work.
  • Tune the solution to balance false-positive with false-negative event detection.
  • Iterate by evaluating what worked and how even a good solution can be made better.

2. Adapt Rapidly to Threats

Flexibility and adaptability are important attributes of any security analysis platform. Network systems and operations are engineered with a focus on reliability. Engineer a security analysis environment that has some autonomy from the constraints of network reliability requirements. This lets the analysis platform's processes change as quickly as the threats do, while still respecting the reliability needs of the production network.

3. Think Behavior Analysis rather than Signatures

A SIEM platform should be thought of as a platform for performing analysis on the many contributing behaviors and activities that may be indicative of a security threat. Sophisticated threats such as APTs generally conduct a series of individually allowed events that together point to an undesired result. No one event will be the conclusive indicator; search for numerous indicators that are potential contributing elements. Techniques such as frequency analysis, volumetric analysis, diurnal patterns and baseline references should be the foundation of the analytical solution.
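As an added illustration of the baseline-and-diurnal approach (example code written for this post, not from any SIEM product), the block below learns an hour-of-day baseline from constructed per-hour login counts for one account, then scores new observations by how far they deviate from that hour's baseline. The thresholds, the 14-day window and the sample data are all assumptions chosen for the example.

```python
"""Hour-of-day (diurnal) baseline detection over constructed event counts."""
from collections import defaultdict
from statistics import mean, pstdev


def build_history(days=14):
    """Constructed sample: per-hour successful-login counts for one account.

    Working hours (08:00-18:00) are busy, nights are quiet. The jitter is
    deterministic so the example behaves the same on every run.
    """
    history = []  # list of (day, hour, count)
    for day in range(days):
        for hour in range(24):
            base = 40 if 8 <= hour <= 18 else 2
            jitter = (day * 7 + hour * 3) % 5
            history.append((day, hour, base + jitter))
    return history


def hourly_baseline(history):
    """Return {hour: (mean, population stdev)} of counts seen in that hour."""
    buckets = defaultdict(list)
    for _day, hour, count in history:
        buckets[hour].append(count)
    return {h: (mean(c), pstdev(c)) for h, c in buckets.items()}


def score(baseline, hour, count, min_stdev=1.0):
    """Deviation of one observation from its hour's baseline, in stdev units.

    min_stdev stops a perfectly flat baseline from turning any change
    into an infinite score.
    """
    mu, sigma = baseline[hour]
    return (count - mu) / max(sigma, min_stdev)


def flag_anomalies(baseline, observations, threshold=4.0):
    """Return (hour, count, score) for observations above the threshold."""
    flagged = []
    for hour, count in observations:
        s = score(baseline, hour, count)
        if s > threshold:
            flagged.append((hour, count, round(s, 1)))
    return flagged


if __name__ == "__main__":
    bl = hourly_baseline(build_history())
    # 45 logins at noon is routine; 30 logins at 03:00 is not.
    print(flag_anomalies(bl, [(12, 45), (3, 30)]))
```

Each flagged hour is one contributing indicator to be correlated with others, not a verdict on its own.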

4. Create structure but not boundaries

Establish an organizational structure, and the resources around it, for the security operations activity. Here is an example structure that organizes the work into tiers:

  • Actionable Events (Tier 1 – Responder)
  • Investigation (Tier 2 – Coordinators)
  • Non-actionable & RCA (Tier 3 – Investigators/Analysts)
  • Evolution & Revolution (Tier 4 – Research and Development)
  • Vendors & Community (Tier 5 – Tools Providers)

5. Engineer for the solution

  • Use best-in-class commercial tools, but don’t settle for stand-alone or non-scalable solutions
  • Partner with organizations that can overcome the constraints

6. Reduce noise

  • Prioritize on improvements where the most effort is spent
  • Aggregate related records
  • Suppress Repeats of Like Alerts
  • White-list acceptable behaviors, but don’t lose the information.
  • Perform staged processing; refrain from tiered alerting.

7. Compel Improvement

  • Capital investment vs expense
  • Reward successes
  • Reach outside
  • Research, Development & Analyst working groups

So what do you think? How many of these principles are you implementing? Are there others you feel should be included? We look forward to your ideas and thoughts on this important topic.