CYE Insights

Too Many Trees in the Cyber Forest: Optimizing SIEM Systems and Monitoring Threats

September 27, 2023


With the ever-evolving cyber landscape, organizations must be sure to focus on enhancing their cybersecurity monitoring tools and incident response capabilities. Having said that, we often see organizations that invest time, effort, and money connecting many technologies to their security information and event management (SIEM) systems but fail to receive one consolidated and coherent view. Here are some of the SIEM mistakes that organizations make:

Too Much Noise in the Forest

Organizations frequently use out-of-the-box rules for alerts that are not relevant. For example, SIEM systems come with many predefined rules and alerts that are not necessary. It’s better to create customized alerts that are relevant to the organization’s particular systems. Also, keep in mind that the cyber forest is ever-changing, so make sure to have a designated function to add alerts and regularly review the current alerts.

Lack of Patrolling the Forest

There is often no correlation between the actual IT inventory and the one defined in the SIEM ages ago. SOC analysts only see what the field sends them, so they frequently cannot monitor assets they do not know exist. Having a single point of truth, such as a shared inventory, is critical.
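The reconciliation described above can be run as a recurring check rather than a one-off project. The following is an added example, not CYE's tooling: it compares a constructed inventory export (the "single point of truth") against a constructed summary of which hosts actually delivered events to the SIEM during the review window, and reports the three gaps an analyst cares about: inventoried assets that never report, assets whose feed has gone quiet, and log sources nobody has in the inventory. The CSV column names and the seven-day staleness window are assumptions.

```python
"""Reconcile an asset inventory with the log sources a SIEM actually receives.

Added example with constructed data; column names and thresholds are assumptions.
"""
from datetime import date, timedelta

# Constructed inventory export (the shared source of truth): hostname, owner, criticality
INVENTORY_CSV = """\
hostname,owner,criticality
db-prod-01,payments,high
web-prod-01,ecommerce,high
jump-01,it-ops,medium
hr-files-01,hr,high
lab-old-07,r&d,low
"""

# Constructed SIEM log-source summary: hostname and the date of its last event
SIEM_SOURCES_CSV = """\
hostname,last_event
db-prod-01,2023-09-26
web-prod-01,2023-09-26
jump-01,2023-09-01
unknown-vm-42,2023-09-25
"""

CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_csv(text):
    """Minimal CSV parser for the constructed exports (no quoting needed here)."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def reconcile(inventory_csv, sources_csv, today, stale_after_days=7):
    """Return the monitoring gaps between the inventory and the SIEM's log sources.

    unmonitored: in inventory, never seen by the SIEM (ordered by criticality)
    stale:       in inventory, but silent for longer than stale_after_days
    unknown:     sending logs, but absent from the inventory
    """
    inventory = {row["hostname"]: row for row in parse_csv(inventory_csv)}
    sources = {row["hostname"]: date.fromisoformat(row["last_event"])
               for row in parse_csv(sources_csv)}
    cutoff = today - timedelta(days=stale_after_days)

    unmonitored = sorted(
        (h for h in inventory if h not in sources),
        key=lambda h: (CRITICALITY_RANK[inventory[h]["criticality"]], h),
    )
    stale = sorted(h for h, last in sources.items()
                   if h in inventory and last < cutoff)
    unknown = sorted(h for h in sources if h not in inventory)
    return {"unmonitored": unmonitored, "stale": stale, "unknown": unknown}


if __name__ == "__main__":
    gaps = reconcile(INVENTORY_CSV, SIEM_SOURCES_CSV, today=date(2023, 9, 27))
    for kind, hosts in gaps.items():
        print(f"{kind}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket is the one most often skipped: a host that logs to the SIEM but is not in the inventory has no owner, no criticality and nobody to call when it alerts, so it should be fed back into the inventory rather than silently tolerated.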

Troubling Legitimate Forest Workers for Nothing

Alerts are often not fine-tuned enough, so they create many false positives. We do not want to exhaust resources monitoring legitimate actions while slowing down response times for the potentially risky ones. For instance, administrators sometimes use PsExec, PowerShell, or even port scanners, but administrators are familiar with the infrastructure and their tasks, so it should be quite easy to distinguish between reconnaissance and administration.

Forgetting Who Rules Outside the Forest

Organizations frequently do not expect the unexpected. They think of cyberattacks based on the controls they buy. Unfortunately, attackers do not use the same handbook defenders do, so identifying known attack signatures is fine, but it will only get you halfway there. A good hacker would attempt to look legitimate, so creating a baseline and monitoring anomalies is key.

Not Knowing the Trees that Need Extra Care

Organizations fail to map their sensitive assets and data well. Priority is key: If you don’t know where your crown jewels are, you cannot respond based on severity and risk.

Not Understanding the True Concerns of the Forest

Many organizations do not monitor based on actual intelligence gathering. One size doesn’t fit all in this case. Different threat actors exploit different vectors and have different methods, so understanding current threats to your business would be beneficial to your cyber risk monitoring strategy. Remember, you’re not the only forest around: Communicate with your peers, learn from their experience, and implement their battle-tested alerts.

Inability to Detect Footprints in the Forest

Organizations write rules for alerts they cannot simulate, so how do they know what they are really looking for? Don’t rely solely on EDRs; create and test custom alerts on your security controls based on what concerns you, so that what you feed your SIEM is tested detections rather than just raw data. Correlations are time-consuming and not always necessary.

With all that in mind, zooming out and examining the organizational cybersecurity monitoring strategy as a whole is often beneficial to all involved parties. We recommend that you do the following:

• Fine-tune alerts
• Refresh inventory
• Baseline normal activity
• Map and classify assets
• Gather intelligence
• Customize alerts
• Create alert simulations


By Shahar Z.

Shahar is a Security Architect at CYE with a methodological and risk-driven approach to cybersecurity. He has vast experience in several areas including purple teams, GRC, and professional services.