Dominique Rene
Leveraging Automation and Expertise in SIEM Systems

The shortage of information security specialists cannot be resolved quickly through mass job advertisements or higher wages. Infosec systems require extensive knowledge and highly qualified experts, often needing long-term training.

For example, when implementing and operating a SIEM system, experts must connect the necessary sources of information security events and cover them with normalization and enrichment rules, create and tune threat detection rules, continuously monitor the quality of the data supplied for analysis, and respond to and investigate the incidents that are detected.

These tasks require extensive training in cybersecurity as well as a deep understanding of information systems and their data flows. Additionally, specialists often struggle to determine the necessary steps for responding to and investigating incidents. Addressing all these challenges can be difficult not only for beginners but also for experienced experts.

Focus on automation

In a personnel shortage, managing a SIEM system should be straightforward for operators, analysts, and users with minimal experience with the product.

To minimize the time between the start of illegitimate activity in the infrastructure and its detection by the SIEM, as well as the time from incident detection to confirmation and response, the system should handle most expert functions. This includes helping define monitoring objects, preparing normalization rules, tuning correlation rules, minimizing false positives, checking verdicts, and automating the entire event processing pipeline.

Top requirements when choosing a modern SIEM

  • A SIEM system should continuously analyze the protected perimeter, identify IT systems and their information flows, and provide recommendations for their control and protection. It should specify which data sources need to be monitored. An effective SIEM can automatically connect new event sources as they appear on the company’s network and prioritize their control based on their type.
  • A quick start and detection of information security incidents should be possible in any infrastructure, whether it involves familiar information systems or systems unknown to the vendor. The initial connection of new sources should not require the operator to know specialized languages for writing normalization rules.
  • One common problem in almost any organization is shadow IT: devices, computers, servers, services, or software used by employees that do not comply with security policies. A modern SIEM should continuously monitor these shadow segments by automating the collection of data from the network.
  • The threat landscape for various organizations and sectors is constantly evolving, with attackers continually developing new techniques and tactics. Therefore, the system should rely on the broadest possible expert base, including the vendor, the community, and the company's own information security specialists. It should also have a wide range of tools for consolidating this knowledge.
  • Additional validation of registered incidents should be conducted using third-party systems, such as external TI systems or third-party correlation engines. Providing a second opinion should become a mandatory practice.
  • The SIEM should offer recommendations for responding to identified incidents, as well as for investigating and processing them. These recommendations can be based on internal expertise or response rules generated by the community and integrated into the system.
  • A smart SIEM continuously adapts to changes in the information security landscape and enhances the accuracy of incident detection. For example, integrating telemetry data from workstations with XDR systems can improve the detection of dangerous security events. Therefore, having simple integration interfaces with third-party systems is essential for future SIEM systems.
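To make the event processing pipeline described above concrete (normalization of heterogeneous sources, enrichment against an asset inventory, a correlation rule, and flagging of shadow-IT hosts), here is an added Python example; it is not part of the original post and not any vendor's code. The log lines, the asset inventory, the 4624-style CSV row and the failure threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs): sshd syslog lines and one Windows-style CSV row.
RAW_EVENTS = [
    "2024-05-01T10:00:01 host=web01 sshd[101]: Failed password for admin from 10.0.0.7",
    "2024-05-01T10:00:03 host=web01 sshd[101]: Failed password for admin from 10.0.0.7",
    "2024-05-01T10:00:05 host=web01 sshd[101]: Failed password for admin from 10.0.0.7",
    "2024-05-01T10:00:09 host=web01 sshd[101]: Accepted password for admin from 10.0.0.7",
    "2024-05-01T10:01:00,lab-pc-77,4624,alice,10.0.0.9",
]
# Constructed asset inventory: hosts the SOC knows about; anything else is treated as shadow IT.
ASSET_INVENTORY = {"web01": "dmz-web", "dc01": "domain-controller"}

SSHD_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")

def normalize(raw):
    """Map two raw formats onto one schema: ts, host, user, src, outcome (or None if unparsable)."""
    m = SSHD_RE.match(raw)
    if m:
        d = m.groupdict()
        d["outcome"] = "failure" if d["outcome"] == "Failed" else "success"
        return d
    parts = raw.split(",")
    if len(parts) == 5 and parts[2] == "4624":   # constructed "logon success" CSV layout
        ts, host, _, user, src = parts
        return {"ts": ts, "host": host, "user": user, "src": src, "outcome": "success"}
    return None

def enrich(event):
    """Attach the asset role; hosts missing from the inventory are flagged as shadow IT."""
    event["asset_role"] = ASSET_INVENTORY.get(event["host"], "unknown")
    event["shadow_it"] = event["asset_role"] == "unknown"
    return event

def correlate(events, threshold=3):
    """Rule: >= threshold failures followed by a success for the same user/src -> alert."""
    alerts, failures = [], defaultdict(int)
    for e in events:
        key = (e["user"], e["src"])
        if e["outcome"] == "failure":
            failures[key] += 1
        elif failures[key] >= threshold:
            alerts.append({"rule": "bruteforce_success", "user": e["user"], "src": e["src"], "host": e["host"]})
            failures[key] = 0
        if e["shadow_it"]:
            alerts.append({"rule": "shadow_it_source", "host": e["host"]})
    return alerts

def run_pipeline(raw_lines=RAW_EVENTS):
    """Normalize, drop unparsable lines, enrich, then correlate; returns the alert list."""
    return correlate([enrich(e) for e in map(normalize, raw_lines) if e])
```

Unparsable lines are dropped silently here; a production pipeline would count them, since a rising drop rate is exactly the data-quality signal the text says operators must watch.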

In conclusion, automating SIEM systems is essential to address the shortage of information security specialists. By simplifying operations and enhancing efficiency, SIEM automation ensures effective threat detection and incident response, even with limited personnel expertise.
