Modern SIEMs support many different business and technical use cases, including security, compliance, big data analytics, IT operations, and others. However, this does not mean that any SIEM solution will satisfy your unique business and technical needs. Not all SIEMs are built equally or optimally to support all use cases, so it’s important to begin your SIEM evaluation by defining your specific use cases or goals.
2. 2
03
04
07
10
14
17
20
21
22
23
26
27
Table of contents
This document is intended to include general information for individuals learning about security information and event management (SIEM). Use of names
of third party companies in the document are for informational purposes only and do not constitute any endorsement by AT&T Cybersecurity.
Executive summary
Step 1: Know your use cases first
Step 2: Identify all environments you’ll need to monitor
Step 3: SIEM alone does not equal threat detection
Step 4: Correlation rules are the engine of your SIEM
Step 5: Consider how to integrate threat intelligence
Step 6: Automate and orchestrate security operations
Summary
SIEM evaluation process stages
SIEM checklist: Questions for SIEM vendors
Go beyond SIEM capabilities
About AT&T Cybersecurity
3. 3
We’ve put together this evaluation guide to help you
find the best security information and event
management (SIEM) solution for your organization.
Whether your goals are to —
• detect threats
• achieve compliance
• fuel incident response
• or all of the above
— these 6 steps to SIEM success will help guide your
team through key considerations to prepare your SIEM
deployment and choose a solution that works for your
environment.
Executive summary
3
4. Know your use cases first
Step 1:
• Define the scope of your deployment
(which environments to monitor)
• Determine your priority data sources
(which assets to collect logs from)
Why are you considering SIEM in the first place?
Modern SIEMs support many different business and technical use cases, including security, compliance, big data
analytics, IT operations, and others. However, this does not mean that any SIEM solution will satisfy your unique
business and technical needs. Not all SIEMs are built equally or optimally to support all use cases, so it’s important to
begin your SIEM evaluation by defining your specific use cases or goals.
• Identify the high priority events and
alarms that you want to focus on
• Pinpoint your key success metrics
and milestones
Knowing your reasons for pursuing a SIEM deployment will help you:
4
5. For example, if your goal for deploying a SIEM solution
is to pass your next PCI DSS audit, then your scope
would be the environments in which credit cardholder
data is collected, processed, transmitted, or stored.
Your high priority data sources would include the
firewalls and other security controls that protect that
environment, as well as the server and application
logs that are involved with collecting and processing
credit cardholder data. Other data sources might be
interesting (e.g. from systems outside the scopr of the
PCI DSS audit) from an overall security standpoint, but
they aren’t essential and won’t help you achieve your
primary goal of PCI DSS compliance.
In this PCI DSS compliance example, you would likely
want to focus on the security events and alarms
that are in scopr of your PCI DSS environment. A key
success metric would include having the ability to
monitor these events over time and report on them as
needed in order to demonstrate to PCI assessors that
you’re continuously and fully monitoring your critical
enivronments.
Step 1
5
6. 6
• Who your privileged users are
(usernames)
• What constitutes privileged activity
(commands)
»» Logins = rlogins / ssh
»» User permission changes
(e.g. sudo or LDAP, etc.)
• Where you care to focus
(devices)
»» Critical servers, applications,
network devices, security devices, etc.
»» Endpoints? If so, whose?
If we take the business use case
privileged user monitoring example
even further, it requires knowing:
Step 1
Business use cases vs. technical use cases
Keep in mind there are key differences between
business use cases and technical use cases. A
business use case is often high level, strategic, and
provides rationale that can help you gain executive
approval and funding for your SIEM development. A
technical use case is often highly detailed and helps
you operationalize the SIEM in order to achieve your
business goals.
For example:
Business use case (few) - Monitor all privileged
user activity to satisfy PCI compliance requirements.
Technology use case (many) - Monitor and
set up an alert for all sudo events on Linux servers,
especially failed root logins, and prioritize those that
occur during specific time windows.
7. Identify all environments
you’ll need to monitor
Step 2:
7
What assets should you monitor?
Where do they reside?
After you’ve identified your key use cases for a SIEM, you’ll need to identify and monitor all the assets relevant for
achieving your business goals. This includes all network devices that process security-relevant information such as
routers, firewalls, web filters, domain controllers, application servers, databases, and other critical servers.
Your SIEM use cases may relate to passing your next compliance audit or protecting the company’s intellectual
property. So, you should consider all of the critical apps and data your business relies on to support customers and
keep business operations running. Which apps house data that might be the target of cyber criminals? Which apps
contain data that may impact your compliance status (e.g. credit cardholder data has implications for PCI DSS)?
8. Note: Apps like Office 365 and G Suite contain important
information about user activity and can often be “ground
zero” for phishing attacks and other threats. Find out from
your SIEM vendor if they can automate the collection and
analysis of log events from these enterprise SaaS apps.
Otherwise, you could miss the full picture on emerging risks.
• Physical IT infrastructure / networks
• Private clouds / virtualized IT (VMware®)
• Remote sites and retail outlets
• Public cloud accounts (AWS®, Azure)
• SaaS environments / cloud apps (Office 365,
G Suite™, and more)
When evaluating a SIEM, be sure
you consider how you will monitor
critical assets across all of your IT
environments:
Step 2
8
9. Step 2
9
Unify security monitoring across on-
premises and cloud environments
In the past, enterprises had most of their data housed
on systems in their own data center, with SIEM sensors
installed on each network to collect and consolidate all
of the event log data across the LAN or WAN. With the
evolution of cloud computing, those days are long gone.
The average global enterprise uses close to 1,000
cloud apps across all departments in their
organizations.
Chances are, the most important data for your
business is sitting on at least one or more cloud
environments. And so, as part of your overall effort
to monitor all threats against that data, and to
achieve and demonstrate compliant processes, you’ll
need to extend security monitoring to all of those
environments: from on-premises networks and data
centers to the cloud, whether IaaS / PaaS environments
like AWS® and Microsoft Azure®, or SaaS environments,
like G Suite and Office 365.
Find out from your SIEM vendor if they can collect,
consolidate, and analyze event log data for all of these
environments (IaaS, PaaS, and SaaS). Ask them how
they do it, and test them on this by including data from
all of your environments. If you’re ready to tackle the
key questions to ask during your SIEM evaluation, go
directly to our SIEM checklist: Questions for SIEM
vendors.
10. Complete security visibility requires a broad perspective-from a wide range of tools.
While a SIEM is great at collecting and correlating raw data, at the end of the day, you still need to tell the SIEM what
assets to monitor, what vulnerabilities those assets have, what type of traffic is coming in and out of your network,
and much more in order to detect and respond to a broad range of threats.
This means that your SIEM must play well with your other security controls in order to give you full visibility into
threats. What controls-at a minimum- are essential for feeding your SIEM?
SIEM alone does not
equal threat detection
Step 3:
10
11. Step 3
11
• Asset discovery and inventory – You need
to know which assets are impacted by a
particular threat, especially if those assets are
in scope of compliance
• Vulnerability assessment – Finding and
addressing vulnerabilities before they’re
exploited gives you enhanced protection
• Host-based intrusion detection (HIDS)
– Advance notice of suspicious activity on
servers increases your ability to stop threats
in their tracks
• Network-based intrustion detection (NIDS)
– advance notice of suspicious network activity
increases your ability to thwart attackers, and
may provide information about an attackers
techniques
• File integrity monitoring (FIM) – Malware
often targets critical system files, so monitoring
these is essential
Here are a few recommended security controls, and why they’re essential:
12. 12
Step 3
12
Where and how do you find these data
sources?
If you haven’t yet invested in these essential
security controls, you may find great value in SIEM
platforms that include built-in security assessment
and monitoring controls as a standard part of their
functionality. Multi-functional SIEM platforms produce
a number of key benefits:
Time to value
When you choose a SIEM solution that is already
integrated with other security controls, you
significantly reduce the time and effort required to
procure, deploy, integrate, and configure multiple point
security tools. Instead, you can deploy quickly and
realize a faster time to value. Security-focused SIEM
solutions often include pre-built correlation rules to
detect malware and more, so you can start detecting
threats sooner.
Cost Savings
A unified SIEM helps to generate upfront and ongoing
cost savings. Instead of having to deploy, monitor, and
maintain multiple point security and compliance tools,
a unified solution can provide a single pane of glass
for complete security monitoring and compliance
management. This approach enables resource-
constrained IT security teams to achieve a strong
security posture with fewer resources.
Accuracy and precision
Because detection is better coordinated among the
built-in security controls, alarms are more accurate
and correlation rules more finely tuned than they
would be for external or unkown data sources.
13. 13
Step 3
13
If you do already have some
of these core technologies in
place, then you’ll want to clearly
understand what it will take
(how much time, money, and
effort) to integrate them with
your SIEM and maintain that
integration as things change.
Be sure to ask your SIEM vendor
how they approach integration
with other tools, and how long
this part of the deployment is
expected to take.
14. Correlation rules find the signal in the noise.
The secret sauce in any SIEM is what is known as “event correlation,” which filters through raw event log data to find
activity that signals something bad is happening now or recently happened. Event correlation rules are based on an
understanding of how attacks unfold, so you’re notified whenever specific event data consistent with an attack show
up in your environment. Without correlation rules, your SIEM can’t deliver a single alarm.
Correlation rules are
the engine of your SIEM
Step 4:
14
• WHO the bad actors are
• WHAT events to focus on
• HOW to respond when threats are detected
In order to find threats and know what do about them, you’ll need to know:
• WHERE these threats are in your environment
• WHY these are the biggest threats
15. Who writes correlation rules?
Writing, testing, implementing, and updating event correlation rules is a full-time job, requiring years of expertise
and intelligence. Because security-relevant events and their characteristics are constantly changing (as is the threat
landscape), correlation rules must be constantly developed and refined to detect and respond to emerging threats
quickly and effectively. Be sure you have a clear understanding of how your SIEM vendor updates correlation rules, or
be sure your internal team is capable of taking this on.
Step 4
15
If you must write and update your own correlation rules, you’ll need to think through the
following for each threat you want to detect:
What would be some event types, and their sequences, that might indicate this scenario?
For example: Someone tries unsuccessfully to log onto the domain controller using the admin account,
and then there’s an unscheduled reboot of the same system.
• Include 1-2 of these in your SIEM test cases and POCs.
Which devices would be in scope for catching a scenario of this type?
• Make sure you add these devices as data sources first.
• Pro-tip: Remember the “pre-step” is to find them. That’s why automated asset discovery is a must-have
for SIEMs..
16. What is your incident response strategy for when these scenarios happen?
• Develop standard operation procedures (SOPs) and train staff. Make sure your SIEM supports built-
documentation for your SOPs.
• Do SIEM alerts include customized guidance, and click-through detail on assets, their owners, contact
info, etc.?
Step 4
16
Be wary of any SIEM vendor who cannot show you their event
correlation rules, or explain their methodology for identifying,
correlating, and categorizing events and event sequences. In fact,
their lack of transparency may be hiding the fact that they don’t
know what to look for, and are expecting your team to write, test,
and implement event correlation rules. And no one has time for that.
17. Threat intelligence provides valuable
context to SIEM.
As threats continue to evolve over time, your SIEM will
need to be updated to recognize these new threats.
Most IT security teams don’t have the time or resources
to research emerging threats on a daily basis, let alone
develop new rules to detect when they show up in your
environment. That’s where integrated threat intelligence
plays a huge role
What should “actionable” threat
intelligence include?
Unfortunately, there is a bit of confusion surrounding
how to define threat intelligence. Some vendors would
have you believe that raw indicators of compromise
(IoCs) (e.g. file hashes or IP addresses) constitute threat
intelligence.
These artifacts are singular pieces of evidence and lack
the full context needed to be considered actionable or
ready-to-use threat intelligence.
A good rule of thumb is: can I act now on this
information? If the answer is yes, you have actionable,
fully operationalized threat intelligence. Threat
intelligence should contain all of the characteristics of a
threat, as well as other analysis to help IT teams defend
themselves from that threat.
Threat intelligence should contain all of the
characteristics of a threat, as well as other analysis to
help IT teams defend themselves from that threat.
Consider how to integrate
threat intelligence
Step 5:
17
18. Step 5
18
For example, this includes:
• A summary of the threat
(e.g. impact, severity, etc.)
• Specific software targeted
(e.g. OS, apps, etc.)
• Actions or access needed to exploit the threat
(e.g. command line access)
• Types of network protocols exploited
(e.g. ICMP, SMB, etc.)
• Indicators of compromise (which may include: IP
addresses, URLs, domain names, file hashes and
other artifacts)
• Remediation recommendations (if available,
along with links to patches and other fixes)
19. Step 5
19
If your SIEM vendor lacks a dedicated security research team and doesn’t offer
natively integrated threat intelligence, ask them:
• How are new threats detected?
• Whose responsibility is it to keep the SIEM updated?
• How is integration with a threat intelligence provider accomplished?
• Will that add costs to my SIEM deployment?
20. You’ve detected an active threat.
What happens next?
Automation is essential for SIEM success in real-world
operational environments. If you can’t quickly act on the
alerts and insights you’re getting from your SIEM, then
despite your best efforts, having that information adds
little value.
Admittedly, the entire security monitoring process can’t
be automated. That said, there are still opportunities
for automation and security orchestration to accelerate
response and streamline the incident response process.
Your SIEM platform may be able to orchestrate security
“playbooks” on your security devices such as Cisco
Umbrella™, or Palo Alto Networks® Next-Generation
Firewall. These playbooks consist of things like having a
SIEM alert trigger an automated rulebase change for a
specific IP block on a Palo Alto firewall.
Ask your SIEM vendor if they can extend their platform
for consolidated threat detection and security
orchestration and automation. Find out which third-
party apps and IaaS environments they support.
Additionally, find out if their alerts provide expert
guidance on how to interpret the threat and how to
respond to it.
Remember, speed is an essential ingredient in terms of
containing the damage of a cyberattack and restoring
your assets and operations. And because users
access corporate data via all types of SaaS apps and
environments, you’ll need to make sure you can scale
and extend your SIEM platform to bring in all of these
rich data sources.
Automate and orchestrate
security operations
Step 6:
20
21. 21
Expect more from your SIEM. It should
go everywhere your data does.
• Key need: “I want to utilize the cloud, but I don’t
want to sacrifice my security visibility.”
• Key feature: Security monitoring for public clouds,
private clouds, cloud-based apps, etc.
It should tell you what to do now, and why:
• Key need: “Real-time alerts and alarms are great,
but if I don’t know what do with them, they just
become more noise.”
• Key feature: Receive alerts prioritized by threat
severity, automate and orchestrate security
defenses, receive expert guidance on actions to
take, as well as the latest intelligence on emerging
threats and how to mitigate them.
It shouldn’t require more work.
• Key need: “I need to pass an audit now, I can’t
afford a months-long deployment or complicated
manual integration projects.
• Key feature: Essential security capabilities that
are already built-in, along with out-of-the-box
compliance reports and extensible integrations
with dozens of security vendors to deliver security
automation and orchestration.
Process Makes Perfect.
In the next section, we’ll outline the key steps of your
SIEM evaluation process. After all, when you’re making
an investment decision that can affect your overall
security and compliance posture, it’s important to have
a well-documented and disciplined process and keep
all stakeholders informed on your progress.
Summary
22. 22
SIEM evaluation process stages
Phase 1: Initial review
Key activities: Determine
the set of vendors you’ll
review and evaluate, based
on the criteria we’ve included
in this guide along with your
business goals.
Pro-tip: Choose at least 2-3
vendors that you will spend
time “kicking the tires” during
a proof of concept (POC). Not
all vendors will qualify for an
investment of your team’s
time and attention during an
in-depth technical evaluation.
Phase 2: Try it in your
own environment
Key activities: Develop
key evaluation criteria, run
through test cases to see
to it that the SIEM works as
expected and addresses key
technical requirements and
satisfies business goals.
Pro-tip: Look for vendors
that offer a free trial so you
can actually go through the
deployment process before
purchase. Design test cases
that are as close to your
real-world priority needs as
possible. Find out how easy
it is to go from installation to
insight with the SIEM.
Phase 3: Final vendor
selection
Key activities: Gather and
analyze all results from
evaluation assessments and
team feedback to determine
the right SIEM vendor for
you. Also evaluate subjective
criteria such as rapport with
the vendor team, support
hours, and policy.
Pro-tip: Include all key
stakeholders in this process
and document key reasons
for selecting the chosen
vendor. This may come in
handy at renewal time.
23. 23
Questions for SIEM vendors
SIEM checklist:
What can I do if I don’t have all the external security technologies in place that can
feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, etc.)?
• Ask during the initial review phase: Any SIEM vendor who assumes you have these tools already
in place likely doesn’t have the breadth of functionality you’ll need for fast answers. Eliminate from
consideration; it’s not worth your time.
• Why is this important? It takes a lot of time, staff, and resources to purchase, install, and configure the
essential security controls to feed your SIEM. You can accelerate this with a SIEM platform that includes
these capabilities.
What is the anticipated mix of licensing costs to consulting and implementing fees?
• Ask during the initial review phase: Find out what the ratio is. If implementation costs 30-50% of the
overall cost of the investment, walk away. Fast.
• Why is this important? This question gets to the heart of how challenging the deployment process will
be. It will also expose if their claims of “out-of-the-box” functionality are truly solid.
24. How many staff members or outside consultants will I need for responding to SIEM
alerts and managing the system overall?
• Ask during the initial review phase: The answer to this could inform whether or not you’ll need to
outsource SIEM management to an MSSP, or explore some degree of MSSP support.
• Why is this important? If your team can’t realistically respond to alerts in a timely fashion, it may be time
to consider an MSSP to manage your SIEM platform.
How long will it take to go from software install to security insight?
• During the trial/proof of concept (POC) phase: Ask them, and then make them prove it. Document how
long it takes to install the software, detect data sources (is it automated?), pull and analyze log data from
at least three data sources, and start issuing alerts and running reports.
• Why is this important? Speed of detection is the number one success factor for preventing a data
breach.
How many staff members or outside consultants will I need for the integration work?
• During the trial / POC phase: Include at least 1-2 external data sources to pull data from. Document how
many people it takes for the work, and how long it takes (and multiply that by all the other sources you’ll
need).
• Why is this important? Fast integration with your entire ecosystem is a critical factor in providing for a
complete security picture.
24
25. Bottom line: After thorough evaluation, your final SIEM selection
decision will likely be based on a combination of objective and
subjective criteria such as perceived value, trust and credibility in
the vendor, as well as how easy it is to get started and manage
over time. Good luck and good threat hunting!
Do alerts and alarms provide step-by-step instructions for how to mitigate and
respond to investigations?
• During the trial/POC phase: Recreate an event that you would expect would trigger an alert, and
evaluate how much info is provided to fix the issue.
• Why is this important? Cryptic alerts that leave no indication of what to do slow down incident response
and increase risk.
25
26. 26
Features AlienVault USM Traditional SIEM
Management
Log management
Event management
Event correlation
Reporting
Security monitoring technologies
Asset discovery Built-in $$ (3rd-party product that requires integration)
Network IDS Built-in $$ (3rd-party product that requires integration)
Host IDS Built-in $$ (3rd-party product that requires integration)
File integrity monitoring Built-in $$ (3rd-party product that requires integration)
Cloud monitoring Built-in $$ (3rd-party product that requires integration)
Incident response Built-in $$ (3rd-party product that requires integration)
Endpoint detection and response Built-in $$ (3rd-party product that requires integration)
Vulnerability assessment Built-in $$ (3rd-party product that requires integration)
Additional capabilities
Continuous threat intelligence Built-in $$ (3rd-party product that requires integration)
Unified management console for security
monitoring technologies
Built-in $$ (3rd-party product that requires integration)
Go beyond SIEM capabilities
AlienVault® Unified Security Management® (USM) by AT&T Cybersecurity delivers powerful threat detection,
incident response, and compliance management in one unified platform. It combines all the essential security
capabilities needed for effective security monitoring across your cloud and on-premises environments, including
continuous threat intelligence updates.
This document is intended to include general information for individuals learning about security information and event management (SIEM). Use of names
of third party companies in the document are for informational purposes only and do not constitute any endorsement by AT&T Cybersecurity.