SIX STEPS TO SIEM SUCCESS

THE ESSENTIAL EVALUATOR’S GUIDE


www.alienvault.com
Executive Summary
Whether you are looking at SIEM for threat management or compliance,
we’ve put together the following evaluation guide to help you find the
best SIEM solution for your organization. Whether your goals are to:
• Detect Threats
• Achieve Compliance
• Fuel Incident Response
• or all of the above,
these six steps to SIEM success will guide your team through key
considerations to prepare for your SIEM deployment and choose a
solution that will work for your environment.
1: Know Your Use Cases First

WHY are you considering SIEM in the first place?


Modern SIEMs support many different business and technical use cases, including security, compliance,
big data analytics, IT operations, and others. However, this does not mean that any SIEM solution will satisfy
your unique business and technical needs. Not all SIEMs are built equally or optimally to support all use
cases, so it’s important to begin your SIEM evaluation by defining your specific use cases or goals.

Knowing your reasons for pursuing a SIEM deployment will help you to:

• Define the scope of your deployment (which environments to monitor)
• Determine your priority data sources (which assets to collect logs from)
• Identify the high priority events and alarms that you want to focus on
• Pinpoint your key success metrics and milestones
For example, if your goal for deploying a SIEM solution is to pass your next PCI DSS audit, then your scope
would be the environments in which credit cardholder data is collected, processed, transmitted, or stored.
Your high priority data sources would include the firewalls and other security controls that protect that
environment, as well as the server and application logs that are involved with collecting and processing
credit cardholder data. Other data sources might be interesting (e.g. from systems outside the scope of the
PCI DSS audit) from an overall security standpoint, but they aren’t essential and won’t help you achieve your
primary goal (PCI DSS compliance).

In this PCI DSS compliance example, you would likely want to focus on the security events and alarms that
are in scope of your PCI DSS environment. A key success metric would include having the ability to monitor
these events over time and report on them as needed in order to demonstrate to PCI assessors that you’re
continuously and fully monitoring your critical environments.
Business Use Cases vs. Technical Use Cases
Keep in mind that there are key differences between business use cases and technical use cases. A
business use case is often high level, strategic, and provides rationale that can help you to secure executive
approval and funding for your SIEM deployment. A technical use case is often highly detailed and helps you
to operationalize the SIEM in order to achieve your business goals.

For example:

• Business use case (few) - Monitor all privileged user activity to satisfy PCI compliance requirements
• Technical use case (many) - Monitor and set up an alert for all sudo events on Linux servers, especially
failed root logins, and prioritize those that occur during specific time windows
If we take the privileged user monitoring example even further, it requires knowing:

• Who your privileged users are (usernames)
• What constitutes privileged activity (commands)
  • Logins = rlogins / ssh
  • User permission changes (e.g. sudo or LDAP, etc.)
• Where you care to focus (devices)
  • Critical servers, applications, network devices, security devices, etc.
  • Endpoints? Whose?
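The technical use case above (alert on sudo events on Linux servers, flag failed root logins, and prioritize by time window) can be turned into a small detection that answers the who / what / where questions in the list. The following is an added example, not AlienVault code: the admin list, the permission-change command list, the 22:00-06:00 off-hours window and the syslog lines are all constructed assumptions, but the sudo and sshd message formats are the ones those programs actually write.

```python
"""Privileged-user monitoring over Linux auth logs (added example, not AlienVault code).

Every sudo event is an event of interest; a failed sudo to root, a sudo by an
account that is not on the privileged-user list, a permission-changing command,
and a failed root SSH login are high priority; anything inside the off-hours
window is bumped one level. All names, hosts, IPs and windows are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample auth log (syslog format); hosts, users and IPs are made up.
SAMPLE_LOG = """\
Jan 12 09:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 12 02:13:44 db01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 12 02:14:10 db01 sshd[2211]: Failed password for root from 10.0.0.5 port 51234 ssh2
Jan 12 14:40:31 web01 sshd[3002]: Accepted publickey for carol from 10.0.0.8 port 40022 ssh2
Jan 12 10:02:55 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG wheel bob
Jan 12 23:05:17 web01 sudo:     dave : TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/sbin/usermod -aG wheel dave
"""

PRIVILEGED_USERS = {"alice", "carol"}                      # assumption: the known admins (usernames)
PERMISSION_CHANGE_CMDS = {"usermod", "useradd", "userdel", "visudo", "passwd", "chage", "gpasswd"}
OFF_HOURS_START, OFF_HOURS_END = 22, 6                     # assumption: 22:00-06:00 local time
LEVELS = ["low", "medium", "high", "critical"]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+) : (?:(?P<fail>\d+) incorrect password attempts ; )?"
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SSH_FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


@dataclass
class Alert:
    host: str
    user: str
    reason: str
    priority: str
    line: str


def is_off_hours(ts: str) -> bool:
    """Syslog timestamps carry no year or zone; only the hour matters for the window."""
    hour = int(ts.split()[-1][:2])
    return hour >= OFF_HOURS_START or hour < OFF_HOURS_END


def bump(priority: str) -> str:
    """Raise a priority by one level, capped at the top level."""
    return LEVELS[min(LEVELS.index(priority) + 1, len(LEVELS) - 1)]


def analyze_line(line: str):
    """Return an Alert for a single log line, or None if it is not of interest."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.group("ts", "host", "prog", "msg")
    alert = None
    if prog == "sudo":
        s = SUDO_RE.match(msg)
        if not s:
            return None
        user, target, cmd = s.group("user", "target", "cmd")
        binary = cmd.split()[0].rsplit("/", 1)[-1]          # /usr/sbin/usermod -> usermod
        if s.group("fail"):
            alert = Alert(host, user, f"failed sudo to {target}", "high", line)
        elif user not in PRIVILEGED_USERS:
            alert = Alert(host, user, "sudo by account outside the privileged-user list", "high", line)
        elif binary in PERMISSION_CHANGE_CMDS:
            alert = Alert(host, user, f"user permission change via {binary}", "high", line)
        else:
            alert = Alert(host, user, f"sudo command as {target}", "medium", line)
    elif prog == "sshd":
        f = SSH_FAIL_RE.match(msg)
        if f and f.group("user") == "root":
            alert = Alert(host, "root", f"failed root SSH login from {f.group('src')}", "high", line)
    if alert and is_off_hours(ts):
        alert.priority = bump(alert.priority)
        alert.reason += " (off-hours)"
    return alert


def analyze(log_text: str):
    """Return the alerts for a whole log, highest priority first (stable within a level)."""
    alerts = [a for a in map(analyze_line, log_text.splitlines()) if a]
    return sorted(alerts, key=lambda a: LEVELS.index(a.priority), reverse=True)


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.priority:8}] {a.host:6} {a.user:8} {a.reason}")
```

Note what the sample exercises: the accepted-publickey line produces nothing (it is a login, but not by root and not a failure), the two 02:xx events and the 23:05 event are lifted to critical by the time window, and dave's usermod is flagged because dave is not on the privileged-user list before the command itself is even considered. In a real deployment the privileged-user list and the time window would come from the asset inventory and the business use case, not from constants.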
2. Identify ALL the Environments You’ll Need to Monitor
What assets do I need to monitor? Where do they reside?
After you’ve identified your key use cases for a SIEM, you’ll need to identify and monitor all the assets that
are relevant for achieving your business goals. This includes all network devices that process security-
relevant information such as routers, firewalls, web filters, domain controllers, application servers, databases,
and other critical servers.

Your SIEM use cases may relate to passing your next compliance audit or protecting the company’s
intellectual property. So, you should consider all of the critical apps and data your business relies on to
support customers and keep business operations running. Which apps house data that might be the target
of cyber criminals? Which apps contain data that may impact your compliance status (e.g. credit cardholder
data has implications for PCI DSS)?

When evaluating a SIEM, be sure you consider how you will monitor critical assets across all of your IT
environments:
• Physical IT infrastructure / networks
• Private clouds / virtualized IT (VMware)
• Remote sites and retail outlets
• Public cloud accounts (AWS, Azure)
• SaaS environments / cloud apps (Office 365, G Suite, and more)
Note: Apps like Office 365 and G Suite contain important information about user activity and can often be
“ground zero” for phishing attacks and other threats. Find out from your SIEM vendor if they can automate
the collection and analysis of log events from these enterprise SaaS apps. Otherwise, you could be missing
the full picture on emerging risks.
Unify security monitoring across on-premises and cloud environments
In the past, enterprises had most of their data housed on systems in their own data center, with SIEM
sensors installed on each network to collect and consolidate all of the event log data across the LAN or
WAN. With the evolution of cloud computing, those days are long gone.

Today, the average global enterprise uses close to 1,000 cloud apps* across all departments in their
organizations.

Chances are, the most important data for your business is sitting on at least one or more cloud
environments. And so, as part of your overall effort to monitor all threats against that data, and to
achieve and demonstrate compliant processes, you’ll need to extend security monitoring to all of
those environments - from on-premises networks and data centers to the cloud, whether IaaS / PaaS
environments like AWS and Microsoft Azure, or SaaS environments, like G Suite and Office 365.

Find out from your SIEM vendor if they can collect, consolidate, and analyze event log data for all of these
environments (IaaS, PaaS, and SaaS). Ask them how they do it, and test them on this by including data from
all of your environments. If you’re ready to tackle the key questions to ask during your SIEM evaluation,
see the SIEM Checklist: Questions for SIEM vendors section at the end of this guide.

*Source: http://chiefmartec.com/2017/06/average-enterprise-uses-91-marketing-cloud-services/
3. SIEM Alone Does Not Equal Threat Detection
Complete security visibility requires a broad perspective – from a wide range of tools.
While a SIEM is great at collecting and correlating raw data, at the end of the day, you still need to tell the
SIEM what assets to monitor, what vulnerabilities those assets have, what type of traffic is coming in and out
of your network, and much more in order to detect and respond to a broad range of threats.
This means that your SIEM must play well with your other security controls in order to give you full visibility
into threats. What controls – at a minimum – are essential for feeding your SIEM?

Here are a few recommended security controls (and why they’re essential):

• Asset Discovery and Inventory – you need to know which assets are impacted by a particular threat,
especially if those assets are in scope of compliance
• Vulnerability Assessment – finding and addressing vulnerabilities before they’re exploited gives you
enhanced protection
• Host-based Intrusion Detection (HIDS) – advance notice of suspicious activity on servers increases your
ability to stop threats in their tracks
• Network-based Intrusion Detection (NIDS) - advance notice of suspicious network activity increases
your ability to thwart attackers, and it offers more information about an attacker’s techniques
• File Integrity Monitoring (FIM) – malware often targets critical system files, so monitoring these is
essential
Where and how do I find these data sources?
If you haven’t yet invested in these essential security controls, you may find great value in SIEM platforms
that include built-in security assessment and monitoring controls as a standard part of their functionality.
Multi-functional SIEM platforms produce a number of key benefits:

TIME TO VALUE
When you choose a SIEM solution that is already integrated with other essential security controls, you
significantly reduce the time and effort required to procure, deploy, integrate, and configure multiple point
security tools. Instead, you can deploy quickly and realize a faster time to value. Security-focused SIEM
solutions often include pre-built correlation rules to detect malware and more, so you can start to detect
threats on Day One.

COST SAVINGS
A unified SIEM generates upfront and ongoing cost savings. Instead of having to deploy, monitor, and
maintain multiple point security and compliance tools, a unified solution can provide a single pane of
glass for complete security monitoring and compliance management. This approach enables resource-
constrained IT security teams to achieve a strong security posture with fewer resources.

ACCURACY / PRECISION
Because detection is better coordinated among the built-in security controls, alarms are more accurate and
correlation rules more finely tuned than they would be for external / unknown data sources.

If you do already have some of these core technologies in place, then you’ll want to clearly understand what
it will take (how much time, money and effort) to integrate them with your SIEM and maintain that integration
as things change. Be sure to ask your SIEM vendor how they approach integration with other tools, and how
long this part of the deployment is expected to take.
4. Correlation Rules are the Engine of Your SIEM
Correlation rules find the signal in the noise.
The secret sauce in any SIEM is what is known as “event correlation,” which filters through raw event log
data to find activity that signals something bad is happening now (or recently happened). Event correlation
rules are based on an understanding of how attacks unfold, so you’re notified whenever specific event data
consistent with an attack shows up in your environment. Without correlation rules, your SIEM can’t deliver a
single alarm.

Keep in mind that in order to find threats and know what to do about them, you’ll need to know:

WHO the bad actors are

WHAT events to focus on

HOW to respond when threats are detected

WHERE these threats are in your environment

WHY these are the biggest threats

Who writes correlation rules?


Writing, testing, implementing, and updating event correlation rules is a full-time job, requiring years of
expertise and intelligence. Because security-relevant events and their characteristics are constantly
changing (as is the threat landscape), correlation rules must be constantly developed and refined to detect
and respond to emerging threats quickly and effectively. Be sure you have a clear understanding of how
your SIEM vendor updates correlation rules, or be sure your internal team is capable of taking this on.
If you must write and update your own correlation rules, you’ll need to think through the following for each
threat you want to detect:

What would be some event types, and their sequences, that might indicate this scenario?
Example – Someone tries unsuccessfully to log onto the domain controller using the Admin account, and
then there’s an unscheduled reboot of the same system.
→ Include 1-2 of these in your SIEM test cases and POCs.
Which devices would be in scope for catching a scenario of this type?
→ Make sure you add these devices as data sources first.
→ Pro-tip: Remember… the “pre-step” is to find them - that’s why automated asset discovery is a must-have
for SIEMs.
What is our incident response strategy for when these scenarios happen?
→ Develop Standard Operating Procedures (SOPs) and train staff. Make sure your SIEM supports built-in
documentation for your SOPs.
→ Do SIEM alerts include customized guidance, and click-through detail on assets, their owners, contact
info, etc.?
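The three questions above (event sequence, in-scope devices, response guidance) map directly onto the parts of a correlation rule: an ordered set of event predicates, a same-host / time-window constraint, and the SOP text and asset-owner detail the alarm should carry. The block below is an added example, not AlienVault code, that implements the domain controller scenario as a generic sequence rule. It assumes the failed-logon signal is Windows event ID 4625 and the unexpected-shutdown signal is event ID 6008 (the standard Windows IDs for those events); the event records, the 30-minute window, the asset-owner table and the SOP text are constructed.

```python
"""Sequence correlation: failed admin logon on a domain controller followed by an
unscheduled reboot of the same host (added example, not AlienVault code).

The engine is generic: a rule is an ordered list of predicates that must all
match on the same host inside a time window. Event IDs 4625 (failed logon) and
6008 (unexpected shutdown) are the standard Windows IDs; everything else here
(events, window, owners, guidance text) is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    user: str = ""


@dataclass
class Rule:
    name: str
    steps: List[Callable[[Event], bool]]   # must match in this order on one host
    window: timedelta                       # the whole sequence must fit inside it
    guidance: str                           # SOP text delivered with the alarm


# Constructed asset inventory so the alarm carries owner and contact detail.
ASSET_OWNERS = {
    "dc01": ("Directory Services team", "ds-oncall@example.com"),
    "dc02": ("Directory Services team", "ds-oncall@example.com"),
}

FAILED_ADMIN_THEN_REBOOT = Rule(
    name="Failed admin logon followed by unscheduled reboot",
    steps=[
        lambda e: e.event_id == 4625 and e.user.lower() == "administrator",
        lambda e: e.event_id == 6008,
    ],
    window=timedelta(minutes=30),
    guidance="Confirm with the owner whether the reboot was planned; if not, "
             "isolate the host, preserve logon and shutdown events, and open an incident.",
)


def correlate(events, rule):
    """Stateful correlation: track each host's progress through rule.steps."""
    alarms = []
    state = {}   # host -> (next step index, timestamp of first match, matched events)
    for ev in sorted(events, key=lambda e: e.ts):
        idx, first_ts, matched = state.get(ev.host, (0, None, []))
        if first_ts is not None and ev.ts - first_ts > rule.window:
            idx, first_ts, matched = 0, None, []        # partial sequence expired
        if rule.steps[idx](ev):
            matched = matched + [ev]
            first_ts = first_ts or ev.ts
            idx += 1
            if idx == len(rule.steps):
                owner, contact = ASSET_OWNERS.get(ev.host, ("unknown", "unknown"))
                alarms.append({
                    "rule": rule.name,
                    "host": ev.host,
                    "events": matched,
                    "owner": owner,
                    "contact": contact,
                    "guidance": rule.guidance,
                })
                idx, first_ts, matched = 0, None, []    # fire once, then re-arm
        state[ev.host] = (idx, first_ts, matched)
    return alarms


def sample_events():
    """Constructed events; only the first pair should produce an alarm."""
    t = datetime(2018, 1, 12, 8, 0)
    return [
        Event(t, "dc01", 4625, "Administrator"),                     # step 1 on dc01
        Event(t + timedelta(minutes=12), "dc01", 6008),              # step 2 inside the window
        Event(t + timedelta(minutes=60), "dc02", 4625, "Administrator"),
        Event(t + timedelta(minutes=150), "dc02", 6008),             # 90 min later: window expired
        Event(t + timedelta(minutes=75), "web01", 6008),             # reboot with no failed logon
        Event(t + timedelta(minutes=180), "dc01", 4625, "jsmith"),   # not the admin account
    ]


def run_example():
    return correlate(sample_events(), FAILED_ADMIN_THEN_REBOOT)


if __name__ == "__main__":
    for alarm in run_example():
        print(alarm["rule"], "on", alarm["host"], "->", alarm["owner"], alarm["contact"])
        print("  ", alarm["guidance"])
```

The same engine takes any ordered sequence of predicates, so the one scenario from the text generalises to other multi-step rules without changing `correlate`. The sample deliberately includes the three ways a sequence should not fire: the second step arrives after the window has expired, the second step arrives with no first step on that host, and the first step involves a non-admin account.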
Be wary of any SIEM vendor who cannot show you their event correlation rules, or explain their
methodology for identifying, correlating and categorizing events and event sequences. In fact, their lack of
transparency may be hiding the fact that they don’t know what to look for, and are expecting your team to
write, test and implement event correlation rules. And no one has any time for that.
5. Consider How to Integrate Threat Intelligence.

Threat Intelligence provides valuable context to SIEM.


As threats continue to evolve over time, your SIEM will need to be updated to recognize these
new threats. Most IT security teams don’t have the time or resources to research emerging
threats on a daily basis, let alone develop new rules to detect when they show up in your
environment. That’s where integrated threat intelligence plays a huge role.

What should “actionable” Threat Intelligence include?


Unfortunately, there is a bit of confusion surrounding how to define threat intelligence. Some
vendors would have you believe that raw Indicators of Compromise (IoCs) (e.g. file hashes or
IP addresses) constitute threat intelligence. These artifacts are singular pieces of evidence and
lack the full context needed to be considered actionable or ready-to-use threat intelligence.
A good rule of thumb is: can I act now on this information? If the answer is yes, you have
actionable, fully operationalized threat intelligence. Threat intelligence should contain all of the
characteristics of a threat, as well as other analysis to help IT teams defend themselves from
that threat.
For example, this includes:

• A summary of the threat (e.g. impact, severity, etc.)
• Specific software targeted (e.g. OS, apps, etc.)
• Actions or access needed to exploit the threat (e.g. command line access)
• Types of network protocols exploited (e.g. ICMP, SMB, etc.)
• Indicators of Compromise (IoCs), which may include IP addresses, URLs, domain names,
file hashes (and other artifacts)
• Remediation recommendations (if available, along with links to patches and other fixes)
If your SIEM vendor lacks a dedicated security research team and doesn’t offer natively
integrated threat intelligence, ask them: How are new threats detected? Whose responsibility
is it to keep the SIEM updated? How is integration with a threat intelligence provider
accomplished? Will that add costs to my SIEM deployment?
6. Automate and Orchestrate Security Operations.
You’ve detected an active threat. What happens next?
Automation is essential for SIEM success in real-world operational environments. If you can’t quickly
act on the alerts and insights you’re getting from your SIEM, then having that information adds little
value (despite your best efforts).

Admittedly, the entire security monitoring process can’t be automated. That said, there are still
opportunities for automation and security orchestration to accelerate response and streamline the
incident response process. Specifically, your SIEM platform may be able to orchestrate security
“playbooks” on your security devices such as Carbon Black endpoint security, Cisco Umbrella or
Palo Alto Networks Next-Generation Firewall. These playbooks consist of things like having a SIEM
alert trigger an automated rulebase change for a specific IP block on a Palo Alto firewall.

Ask your SIEM vendor if they can extend their platform for consolidated threat detection and security
orchestration and automation. Find out which third-party apps and IaaS environments they support.
Additionally, find out if their alerts provide expert guidance on how to interpret the threat and how to
respond to it.

Remember, speed is an essential ingredient in terms of containing the damage of a cyberattack
and restoring your assets and operations. And because users are accessing corporate data via all
types of SaaS apps and environments, you’ll need to make sure you can scale and extend your SIEM
platform to bring in all of these rich data sources.
Summary
Expect more from your SIEM. It should go everywhere your data does.
• Key need: “I want to leverage the cloud, but I don’t want to sacrifice my security visibility.”
• Key feature: Security monitoring for public clouds, private clouds, cloud-based apps, etc.
It should tell you what to do now, and why.

• Key need: “Real-time alerts and alarms are great, but if I don’t know what to do with them, they just
become more noise.”
• Key feature: Receive alerts prioritized by threat severity, automate and orchestrate security defenses,
receive expert guidance on actions to take, as well as the latest intelligence on emerging threats and how
to mitigate them.
It shouldn’t require more work.

• Key need: “I need to pass an audit now, I can’t afford a months-long deployment or complicated manual
integration projects.”
• Key feature: Essential security capabilities that are already built-in, along with out-of-the-box compliance
reports and extensible integrations with dozens of security vendors to deliver security automation and
orchestration.
Process Makes Perfect.
In the next section, we’ll outline the key steps of your SIEM evaluation process. After all, when you’re making
an investment decision that can affect your overall security and compliance posture, it’s important to have a
well-documented and disciplined process and keep all stakeholders informed on your progress.
SIEM Evaluation Process Stages
Phase 1 - Initial Review
Key Activities - Determine the set of vendors you’ll review and evaluate, based on the criteria we’ve
included in this guide along with your business goals.

Pro-Tip - Try to choose at least two to three vendors that you will spend time “kicking the tires” with during a
Proof of Concept (POC). Not all vendors will qualify for an investment of your team’s time and attention
during an in-depth technical evaluation.

Phase 2 – Try it in your own environment


Key Activities - Develop key evaluation criteria, run through test cases to ensure that the SIEM works as
expected and addresses key technical requirements and satisfies business goals.

Pro-Tip – Look for vendors that offer a free trial so you can actually go through the deployment process
before purchase. Design test cases that are as close to your real-world priority needs as possible. Find out
how easy it is to go from installation to insight with the SIEM.

Phase 3 - Final Vendor Selection


Key Activities - Gather and analyze all results from evaluation assessments and team feedback to
determine the right SIEM vendor for you. Also evaluate subjective criteria such as rapport with the vendor
team as well as support hours and policy.

Pro-Tip - Include all key stakeholders in this process and document key reasons for selecting the chosen
vendor (because that may come in handy at renewal time).
SIEM Checklist:
Questions for SIEM vendors
What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g.
asset inventories, IDS, vulnerability scans, etc.)?
• Ask during the Initial Review phase. Any SIEM vendor who assumes you have these tools already
in place likely doesn’t have the breadth of functionality you’ll need for fast answers. Eliminate from
consideration, it’s not worth your time.
• Why is this important? It takes a lot of time, staff, and resources to purchase, install, and configure the
essential security controls to feed your SIEM. You can accelerate this with a SIEM platform that includes
these capabilities.
What is the anticipated mix of licensing costs to consulting and implementation fees?
• Ask during the Initial Review phase: Find out what the ratio is. If implementation costs 30-50% of the
overall cost of the investment, walk away. Fast.
• Why is this important? This question gets to the heart of how challenging the deployment process will be.
It will also expose if their claims of “out-of-the-box” functionality are truly solid.
How many staff members or outside consultants will I need for responding to SIEM alerts and managing
the system overall?
• Ask during the Initial Review phase: The answer to this could inform whether or not you’ll need to
outsource SIEM management to an MSSP, or explore some degree of MSSP support.
• Why is this important? If your team can’t realistically respond to alerts in a timely fashion, it may be time to
consider an MSSP to manage your SIEM platform.
How long will it take to go from software install to security insight?
• During the trial/POC phase: Ask them, and then make them prove it. Document how long it takes to install
the software, detect data sources (is it automated?), pull and analyze log data from at least three data
sources, and start issuing alerts and running reports.
• Why is this important? Speed of detection is the number one success factor for preventing a data breach.
How many staff members or outside consultants will I need for the integration work?
• During the trial / POC phase: Include at least one to two external data sources to pull data from.
Document how many people it takes for the work, and how long it takes (and multiply that by all the other
sources you’ll need.)
• Why is this important? Fast integration with your entire ecosystem is a critical factor for ensuring a
complete security picture.
Do alerts and alarms provide step-by-step instructions for how to mitigate the issue and respond to
investigations?
• During the trial/POC phase: Recreate an event that you would expect would trigger an alert, and evaluate
how much info is provided to fix the issue.
• Why is this important? Cryptic alerts that leave no indication of what to do slow down incident response
and increase risk.
Bottom Line: After thorough evaluation, your final SIEM selection decision will likely be based on a
combination of objective and subjective criteria such as perceived value, trust and credibility in the vendor,
as well as how easy it is to get started and manage over time. Good luck and good threat hunting!
Go Beyond SIEM with AlienVault Unified Security Management (USM)
Features                                     AlienVault USM   Traditional SIEM

Management:
  Log Management                             ✓                ✓
  Event Management                           ✓                ✓
  Event Correlation                          ✓                ✓
  Reporting                                  ✓                ✓

Security Monitoring Technologies:
  Asset Discovery                            Built-In         $$ (3rd-party product that requires integration)
  Network IDS                                Built-In         $$ (3rd-party product that requires integration)
  Host IDS                                   Built-In         $$ (3rd-party product that requires integration)
  File Integrity Monitoring                  Built-In         $$ (3rd-party product that requires integration)
  Cloud Monitoring                           Built-In         $$ (3rd-party product that requires integration)
  (AWS, Azure, Office 365, G Suite)
  Incident Response (AlienApps) with         Built-In         $$ (3rd-party product that requires integration)
  3rd-party security & operations tools
  Vulnerability Assessment                   Built-In         $$ (3rd-party product that requires integration)

Additional Capabilities:
  Continuous Threat Intelligence             Built-In         Not Available
  Unified Management Console for             Built-In         Not Available
  security monitoring technologies
AlienVault USM Anywhere
Your Foundation for SIEM Success

• Watch our 90-second overview video
• Play in our product sandbox
• Start detecting threats today with a free 30-day trial
• Compare USM to traditional SIEM
• Join the Open Threat Exchange
