What are the best features of a security information and event management (SIEM) system?
This is a new type of article that we started with the help of AI, and experts are taking it forward by sharing their thoughts directly into each section.
— The LinkedIn Team
Security information and event management (SIEM) systems are powerful tools that help organizations monitor, analyze, and respond to security incidents. They collect and correlate data from various sources, such as firewalls, antivirus software, servers, and network devices, and provide a centralized dashboard for security operations. But what are the best features of a SIEM system that make it effective and efficient? Here are some of the key aspects to look for when choosing or evaluating a SIEM solution.
A SIEM system should be able to integrate data from multiple sources and formats, such as logs, alerts, events, and flows, and normalize them into a common schema so that a login failure from a Linux host and one from a cloud API can be compared field for field. This gives the system a comprehensive view of the network and its activity, and lets it detect anomalies, patterns, and trends. Data integration also enables the system to enrich the data with contextual information, such as user identities, geolocation, threat intelligence, and asset inventory, which helps prioritize and investigate incidents: the same failed login matters more when the source address is on a threat-intelligence list or the target is a critical asset.
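The normalize-then-enrich step described above, as an added example (this is illustrative code, not code from the article or any SIEM vendor). It parses three constructed records (an sshd syslog line, an invented JSON gateway event, and a CEF firewall event) into one schema, then enriches each with a constructed threat-intel list and asset inventory to derive a triage priority. Assumptions: the syslog line is RFC 3164 style with no year, so the collector supplies it; CEF extension values contain no spaces (real CEF escapes them), and the `rt` field is epoch milliseconds.

```python
"""Normalise logs from three formats into one schema and enrich them.

Added example, not code from the article. Sample records, the asset
inventory and the threat-intel list are all constructed.
"""
import json
import re
from datetime import datetime, timezone

SAMPLE_RECORDS = [  # constructed, one record per format
    "Mar  4 10:15:22 bastion01 sshd[2201]: Failed password for root from 203.0.113.9 port 51122 ssh2",
    '{"time":"2024-03-04T10:15:30Z","host":"api01","client_ip":"198.51.100.7","user":"alice","action":"login","result":"success"}',
    "CEF:0|ExampleVendor|NGFW|1.0|100|Connection blocked|5|rt=1709547335000 src=203.0.113.9 dst=10.0.0.5 act=block outcome=failure",
]
ASSET_INVENTORY = {"10.0.0.5": {"name": "payroll-db", "criticality": "high"}}  # constructed
THREAT_INTEL_IPS = {"203.0.113.9"}  # constructed blocklist

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_syslog_sshd(line, year=2024):
    """RFC 3164 timestamps carry no year, so the collector must supply it (assumption)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"], "src_ip": m["src"],
            "dst_ip": None, "user": m["user"], "action": "login",
            "outcome": "failure" if m["outcome"] == "Failed" else "success", "format": "syslog"}


def parse_json_event(line):
    d = json.loads(line)  # invented gateway layout: time/host/client_ip/user/action/result
    ts = datetime.fromisoformat(d["time"].replace("Z", "+00:00"))
    return {"ts": ts, "host": d["host"], "src_ip": d["client_ip"], "dst_ip": None,
            "user": d["user"], "action": d["action"], "outcome": d["result"], "format": "json"}


def parse_cef(line):
    # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        return None
    ext = dict(re.findall(r"(\w+)=(\S+)", parts[7]))  # assumes no spaces inside values
    ts = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc) if "rt" in ext else None
    return {"ts": ts, "host": None, "product": parts[2], "src_ip": ext.get("src"),
            "dst_ip": ext.get("dst"), "user": ext.get("suser"), "action": ext.get("act"),
            "outcome": ext.get("outcome"), "format": "cef", "severity": int(parts[6]), "name": parts[5]}


def normalize(line):
    """Route a raw record to the right parser; returns None for lines no parser understands."""
    if line.startswith("CEF:"):
        return parse_cef(line)
    if line.lstrip().startswith("{"):
        return parse_json_event(line)
    return parse_syslog_sshd(line)


def enrich(event):
    """Attach threat-intel and asset context, then derive a triage priority."""
    event = dict(event)
    event["threat_intel_hit"] = event["src_ip"] in THREAT_INTEL_IPS
    event["dst_asset"] = ASSET_INVENTORY.get(event["dst_ip"])
    criticality = (event["dst_asset"] or {}).get("criticality")
    if event["threat_intel_hit"] and criticality == "high":
        event["priority"] = "high"
    elif event["threat_intel_hit"] or event["outcome"] == "failure":
        event["priority"] = "medium"
    else:
        event["priority"] = "low"
    return event


def ingest(lines):
    """Normalise and enrich every line, dropping unparseable ones."""
    out = []
    for line in lines:
        ev = normalize(line)
        if ev is not None:
            out.append(enrich(ev))
    return out


if __name__ == "__main__":
    for ev in ingest(SAMPLE_RECORDS):
        print(ev["format"], ev["src_ip"], ev["outcome"], ev["priority"])
```

The point of the common schema is visible in the output: three records from unrelated products all expose `src_ip`, `outcome` and `priority`, which is what the correlation layer needs. In production the year for syslog lines comes from the collector's receipt time, and the parsers are per log source, which is why the comments below stress keeping a log source inventory and maintaining parsers as sources change.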
-
Vikram Jeet Singh
Cyber Security Professional | Consultant | Speaker
Not really features of a SIEM, but the overall SOC environment needs to move with the times and leverage the power of AI. We may need to develop or hone solutions which have less reliance on 'fixed use cases' and are able to leverage Gen-AI capabilities, with which threat hunting and detailed correlation can happen using simpler prompts.
-
Kiran Vangaveti
Cybersecurity Innovator and CEO @ BluSapphire Technologies
Agree with folks on this. SIEMs are fast becoming the data custodians of enterprise logs. In essence, security data lakes are the need of the hour. Reducing cost without any impact on SOC capabilities, better yet while increasing the SOC's analytical and investigative capabilities and reducing alert fatigue, is key. Enterprises are also tired of expensive redundant data lakes. Being able to dip into existing data lakes without duplication is top of mind for most CIOs we talk to.
-
Surain Silva
IT Governance, Risk & Controls (GRC) I Cyber Security | IT Audit Professional - CISA, ITIL, ISO 27701:2019 LI, MBA, Bsc (Hons), MCP, CSFPC, CIMA
Based on my experience, the following steps have helped our security teams overcome SIEM log integration related challenges:
- Establish a clear log source inventory, ensuring nothing is overlooked.
- Open communication with IT and security teams to resolve discrepancies in log formats and sources.
- Regularly review and update parsers and connectors to adapt to evolving log sources.
- Get SIEM vendor support and online communities for troubleshooting.
- Conduct thorough testing, involving all stakeholders, before making any significant changes to log sources or configurations.
A SIEM system should be able to analyze the data it collects and generate meaningful insights and alerts. This involves applying rules, filters, queries, and algorithms to the data, and using techniques such as correlation (linking related events across sources within a time window), aggregation, normalization, and machine learning. Data analysis helps the system identify and classify security events, such as attacks, breaches, vulnerabilities, and compliance violations, and provide actionable recommendations and guidance. The quality of the result depends as much on tuning (thresholds, allowlists, suppression of known-benign patterns) as on the rules themselves; an untuned rule set produces the alert fatigue several contributors describe below.
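A correlation rule of the kind described above, as an added example (illustrative code, not from the article or any SIEM product). It runs a sliding-window "N failed logins followed by a success from the same source" rule over constructed, already-normalised login events. The events are deliberately out of order to show that the rule sorts by event time rather than trusting arrival order, and they include two patterns that must not fire: a user who mistypes a password twice, and slow failures that never reach the threshold inside the window. The thresholds and window sizes are assumptions to be tuned per environment.

```python
"""Sliding-window correlation: brute force followed by a successful login.

Added example, not code from the article. All events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


LOGIN_EVENTS = [  # constructed; first block arrives out of order on purpose
    {"ts": _t("2024-03-04T10:00:09"), "src_ip": "203.0.113.9", "user": "alice", "outcome": "failure"},
    {"ts": _t("2024-03-04T10:00:00"), "src_ip": "203.0.113.9", "user": "root", "outcome": "failure"},
    {"ts": _t("2024-03-04T10:00:05"), "src_ip": "203.0.113.9", "user": "admin", "outcome": "failure"},
    {"ts": _t("2024-03-04T10:00:40"), "src_ip": "203.0.113.9", "user": "alice", "outcome": "success"},
    # Forgetful user: two failures then success. Must not alert.
    {"ts": _t("2024-03-04T10:01:00"), "src_ip": "198.51.100.7", "user": "bob", "outcome": "failure"},
    {"ts": _t("2024-03-04T10:01:03"), "src_ip": "198.51.100.7", "user": "bob", "outcome": "failure"},
    {"ts": _t("2024-03-04T10:01:10"), "src_ip": "198.51.100.7", "user": "bob", "outcome": "success"},
    # Three failures spread over eight minutes: never three inside the 60 s window. Must not alert.
    {"ts": _t("2024-03-04T10:05:00"), "src_ip": "192.0.2.33", "user": "carol", "outcome": "failure"},
    {"ts": _t("2024-03-04T10:09:00"), "src_ip": "192.0.2.33", "user": "carol", "outcome": "failure"},
    {"ts": _t("2024-03-04T10:13:00"), "src_ip": "192.0.2.33", "user": "carol", "outcome": "failure"},
    {"ts": _t("2024-03-04T10:13:30"), "src_ip": "192.0.2.33", "user": "carol", "outcome": "success"},
]


def bruteforce_then_success(events, threshold=3, fail_window=timedelta(seconds=60),
                            success_window=timedelta(minutes=5)):
    """Alert when >= threshold failures from one source fall inside fail_window
    and a success from that source follows within success_window."""
    failures = defaultdict(deque)   # src_ip -> recent failures, oldest first
    armed = {}                      # src_ip -> time the threshold was last crossed
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # never trust arrival order
        src = ev["src_ip"]
        q = failures[src]
        if ev["outcome"] == "failure":
            q.append(ev)
            while ev["ts"] - q[0]["ts"] > fail_window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                armed[src] = ev["ts"]
        elif ev["outcome"] == "success" and src in armed:
            if ev["ts"] - armed[src] <= success_window:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "severity": "high",
                    "src_ip": src,
                    "user": ev["user"],
                    "failed_attempts": len(q),
                    "targeted_users": sorted({e["user"] for e in q}),  # aggregation for the analyst
                    "first_seen": q[0]["ts"],
                    "ts": ev["ts"],
                })
            armed.pop(src)   # one alert per burst, not one per later success
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in bruteforce_then_success(LOGIN_EVENTS):
        print(a["src_ip"], a["user"], a["failed_attempts"], a["targeted_users"])
```

The alert carries the evidence (attempt count, targeted accounts, first and last timestamp) rather than just "rule fired", which is what makes it actionable downstream. The two negative cases are the tuning knobs in practice: raising `threshold` or shrinking `fail_window` trades missed slow attacks for fewer false positives, and that trade-off belongs in a documented use-case lifecycle rather than in an analyst's head.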
-
Rohith Shenoy V
Specialist - Information Security at LTI | Presales | Customer success | Professional Services | SIEM | UEBA | Securonix | Elasticsearch | Cortex XSOAR
Traditional SIEM is always a pain; it just acts like a data aggregator. The next-gen SIEM uses AI and ML, which reduces false positives and scales up to handle any amount of data. To explore the best features of SIEM you need to tune the following:
1. Ingest only security logs from network, application and endpoint devices
2. Ingest alert data from sources like anti-DDoS appliances, EDR and PAM solutions
3. Maximum parsing of data (to enhance search and build use cases)
4. Correlation rules (maximum rules) for better incident response/investigation
5. Develop a use case lifecycle management framework (moving alerts from sandbox to prod in 2-4 weeks)
6. Use user and entity behavior analytics to reduce alert fatigue
(edited) -
Steven SIM Kok Leong
✪ Head Group Cybersecurity (“CISO”) | OT-ISAC EC Chair | ISACA Information Security Advisory & Emerging Trends | Award-winning Tech Talent Builder, Cyber Security Leader, Influencer, Board ✪ CSO50, CSO30 ASEAN & HK #1 ….
The SIEM is only as effective as the log sources that are piped over. One of the important yet often missed log types is DNS server query records, which can reveal a lot, whether there are C2 call-backs or DGA attempts, etc. For successful data analysis, there are 3 important elements that must be maintained:
1) Correct logging configuration so that needed events are logged and correctly classified based on severity.
2) Accurate alert analysis and correlation to weed out false positives and reduce under-reporting of false negatives.
3) Correct play/run-book to escalate post-analysis to L2/3 for incident management in accordance with MTTD and MTTR requirements.
-
Rajiv Daniel
Traditional SIEM had issues with too many false positives. Alert fatigue was one of the biggest concerns for the SOC. But again, with the modern approach, true positives are also becoming a challenge. 2000 true positive alerts a day is not making anyone's life easier. So, true actionable alerts with intelligence are what is needed. Repeated tasks and steps must be carried out by workflows automatically.
A SIEM system should be able to visualize the data it analyzes and present it in a clear and intuitive way. This involves using dashboards, charts, graphs, maps, and tables to display the data, and allowing the user to customize and interact with them. Data visualization helps the system to communicate the status and trends of the security environment, and to facilitate the exploration and investigation of incidents.
-
Sarfaraz Kazi
Technology Risk Lead @ ANZ | Cybersecurity, Cloud GRC, Architecture
Usually what I have seen with organizations is a lack of the valuable insights that come from data visualization. There are so many charts and data points that add noise to what you are exactly trying to illustrate. I would use data visualization tools for:
- Pattern analysis and linking it to any threat indicator
- Focus on systems that handle sensitive information and create a visualization pattern that identifies vulnerabilities
- Ensure that the primary focus is always on creating a view that assimilates different data points/integrations based on the criticality and sensitivity of the asset
-
Stephen Lee
Group Chief Risk and Compliance Officer with a strategic focus and outlook. | Elevating FinTech success through expertise in risk management and regulatory compliance.
Data visualization is a pivotal feature in Security Information and Event Management (SIEM) systems, transforming complex security data into easily interpretable visual representations. It provides intuitive dashboards and graphical reports, enabling quick comprehension of security incidents. Visualization enhances situational awareness, facilitating prompt decision-making for cybersecurity professionals. By presenting data trends and anomalies graphically, SIEM ensures a more efficient analysis of threats. This feature not only simplifies the monitoring process but also aids in identifying patterns and correlations, contributing to a proactive cybersecurity strategy.
-
Dr Kiri Addison
Senior Manager - Product Management
Many security tools have prebuilt dashboards for visualising their log sources in SIEMs. These can save a lot of setup time and can usually be customised.
A SIEM system should be able to retain the data it collects and analyzes for a sufficient period of time, depending on the organization's needs and regulations. This involves using storage devices, databases, and archives to store the data, and applying policies, encryption, compression, and integrity protection to manage it. Data retention helps the system provide historical and forensic evidence, and support audits and compliance reports. Retained logs only serve as evidence if it can be shown they were not altered after collection, so archived batches should carry a tamper-evident digest or signature whose key is kept apart from the archive itself.
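Retention tiering and tamper-evident archiving as an added example (illustrative code, not from the article or any product). The policy lengths, the sample events and the HMAC key are all constructed; the 90-day / 1-year / multi-year split mirrors the online/offline/archive tiers contributors describe below. Batches destined for cold storage are compressed and sealed with an HMAC so that a forensic reader can detect modification; the key would live in a KMS or HSM in practice, not beside the archive.

```python
"""Tier retained events by age and seal archived batches tamper-evidently.

Added example, not code from the article. Policy, events and key are constructed.
"""
import gzip
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

RETENTION_POLICY = {  # constructed; tune to regulation and budget
    "hot": timedelta(days=90),        # fast storage, full search
    "warm": timedelta(days=365),      # cheap disk, slower search
    "archive": timedelta(days=7 * 365),  # sealed batches, retrieved on demand
}
ARCHIVE_KEY = b"constructed-demo-key; keep the real one in a KMS/HSM, never next to the archive"
NOW = datetime(2024, 3, 4, tzinfo=timezone.utc)


def days_ago(n, now=NOW):
    return now - timedelta(days=n)


SAMPLE_EVENTS = [  # constructed
    {"ts": days_ago(1), "src_ip": "203.0.113.9", "msg": "failed login"},
    {"ts": days_ago(120), "src_ip": "198.51.100.7", "msg": "vpn connect"},
    {"ts": days_ago(400), "src_ip": "192.0.2.33", "msg": "dns query"},
    {"ts": days_ago(3000), "src_ip": "192.0.2.34", "msg": "beyond policy"},
]


def tier_for(event_ts, now=NOW, policy=RETENTION_POLICY):
    """Map an event's age onto a storage tier; 'purge' means past the legal/contractual horizon."""
    age = now - event_ts
    if age <= policy["hot"]:
        return "hot"
    if age <= policy["warm"]:
        return "warm"
    if age <= policy["archive"]:
        return "archive"
    return "purge"


def plan_retention(events, now=NOW, policy=RETENTION_POLICY):
    plan = {"hot": [], "warm": [], "archive": [], "purge": []}
    for ev in events:
        plan[tier_for(ev["ts"], now, policy)].append(ev)
    return plan


def seal_batch(events, key=ARCHIVE_KEY):
    """Serialise to NDJSON, gzip, and return (blob, tag) with tag = HMAC-SHA256(key, blob)."""
    lines = [json.dumps({**ev, "ts": ev["ts"].isoformat()}, sort_keys=True) for ev in events]
    blob = gzip.compress("\n".join(lines).encode(), mtime=0)  # mtime=0 keeps the blob reproducible
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return blob, tag


def open_batch(blob, tag, key=ARCHIVE_KEY):
    """Verify the tag (constant-time compare) before trusting the contents; None means tampered or wrong key."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return [json.loads(line) for line in gzip.decompress(blob).decode().splitlines()]


if __name__ == "__main__":
    plan = plan_retention(SAMPLE_EVENTS)
    blob, tag = seal_batch(plan["archive"])
    print({tier: len(evs) for tier, evs in plan.items()}, len(blob), tag[:16])
```

The tag is stored with the batch metadata (and ideally logged to a write-once location) so that an auditor can re-verify years later. A plain SHA-256 beside the blob is not enough on its own, since whoever can rewrite the blob can rewrite the digest; the keyed MAC, or a signature, is what ties the evidence to a secret the archive store never holds.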
-
Malligarjunan Easwaran CISA, CISM, CC
Trusted Advisor - Information and Cybersecurity. Helping customers to secure their cyber landscape.
Of course data retention is a very critical capability of a SIEM solution, where the ONLINE log data (typically 90 days) needs to be retained on ultra-high-performing disk like SSD for quicker retrieval and reporting. The OFFLINE data retention (typically 9 months) must be stored and retained on low-cost storage disk like SATA or NL-SAS. This offline data must be searchable; at the same time the analyst must have patience for the retrieval of data. The final part is ARCHIVE data (from 1 year to 5 or 7 years, depending on the organisation's compliance requirements), which can be stored either on cheaper disk or archived out to tape. Typically threat hunters who need historic reporting will hop from online to offline to archive data.
-
Marcus Bispo
Security Managing Director | Complex Delivery
We're living the dream regarding data retention possibilities. In the past, GB (or TB) had an extremely high cost and also some limitations in data transfer capability. In a cloud-based world this is not a problem anymore. Bearing in mind that it could take 3 to 4 months to detect an attacker in an infrastructure, it's mandatory to think about AT LEAST a 6 month retention policy with all the security and availability considerations in place.
-
Mohit M.
Data retention in a SIEM is a digital archive, preserving historical context for security analysts. It acts as a digital detective tool, facilitating forensic analysis during security incidents. Compliance requirements are met through robust retention, serving as a built-in compliance officer. Long-term trend analysis becomes possible, offering insights for informed security decisions. The SIEM's learning capacity improves anomaly detection over time, akin to an experienced security guard distinguishing regular activities from threats. Post-incident reviews benefit from retained data, contributing to continuous improvement in security strategies.
A SIEM system should be able to respond to the data it analyzes and alerts on, and to automate or assist security operations. This involves using workflows, scripts, tickets, and notifications to coordinate the response actions, and integrating with other security tools, such as firewalls, antivirus software, EDR, and incident response or SOAR platforms, to execute them. Automated response helps the system mitigate and remediate security incidents, and improve the security posture and resilience of the organization. Because an automated block or isolation can take down a legitimate service, response playbooks need guardrails: never-block lists for business-critical addresses, a minimum severity for unattended actions, and an approval step for anything that touches a critical asset.
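A response playbook with those guardrails, as an added example (illustrative code, not from the article or any SOAR product). It takes an alert in the shape a correlation rule would emit and decides which actions execute unattended and which are queued for a human. The never-block ranges, severity threshold and alerts are constructed; `FakeFirewall` stands in for a real firewall or SOAR connector, and a dry-run flag lets the playbook be rehearsed without touching anything.

```python
"""Response playbook with guardrails. Added example; all inputs are constructed."""
import ipaddress
from dataclasses import dataclass

NEVER_BLOCK = [                                  # constructed guardrail list
    ipaddress.ip_network("10.0.0.0/8"),          # internal ranges
    ipaddress.ip_network("198.51.100.0/24"),     # partner VPN egress the business depends on
]
AUTO_BLOCK_MIN_SEVERITY = "high"                 # below this, a human approves the block
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Action:
    kind: str        # ticket | notify | block_ip | isolate_host
    target: str
    executed: bool   # False means queued for approval, or dry run
    reason: str


class FakeFirewall:
    """Stand-in connector; a real one would call the firewall's management API."""

    def __init__(self):
        self.blocked = set()

    def block(self, ip):
        self.blocked.add(ip)


def run_playbook(alert, firewall, dry_run=False):
    """Return the list of actions taken or queued for one alert."""
    actions = [Action("ticket", alert["rule"], True, "every alert is tracked, blocked or not")]
    src = ipaddress.ip_address(alert["src_ip"])
    protected = any(src in net for net in NEVER_BLOCK)
    severe = SEVERITY_RANK[alert["severity"]] >= SEVERITY_RANK[AUTO_BLOCK_MIN_SEVERITY]

    if protected:
        actions.append(Action("notify", alert["src_ip"], True,
                              "source is in the never-block list; escalate to an analyst instead"))
    elif severe and not dry_run:
        firewall.block(alert["src_ip"])
        actions.append(Action("block_ip", alert["src_ip"], True, "severity meets auto-block threshold"))
    elif severe:
        actions.append(Action("block_ip", alert["src_ip"], False, "dry run: would have blocked"))
    else:
        actions.append(Action("block_ip", alert["src_ip"], False,
                              "below auto-block severity; awaiting approval"))

    if alert.get("asset_criticality") == "high":
        actions.append(Action("isolate_host", alert["host"], False,
                              "isolating a critical asset always needs approval"))
    return actions


if __name__ == "__main__":
    fw = FakeFirewall()
    demo = {"rule": "bruteforce_then_success", "severity": "high",
            "src_ip": "203.0.113.9", "host": "bastion01"}
    for act in run_playbook(demo, fw):
        print(act.kind, act.target, "executed" if act.executed else "queued", "-", act.reason)
```

Every alert opens a ticket regardless of outcome, so nothing is silently blocked or silently dropped, and the `reason` on each action is what the post-incident review reads. The thresholds and the never-block list are exactly the items a customer and a service provider need to agree on before automation is switched on, since a wrong entry costs either an outage or a missed containment.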
-
Stephen Lee
Group Chief Risk and Compliance Officer with a strategic focus and outlook. | Elevating FinTech success through expertise in risk management and regulatory compliance.
Data response enables swift and effective actions in response to security incidents. This functionality allows automated or manual responses to identified threats, mitigating risks promptly. Through predefined response workflows, SIEM systems can execute actions like isolating compromised systems or blocking malicious activities. Automated responses enhance the speed of threat containment, reducing the impact of security breaches. By integrating response capabilities, SIEM ensures a proactive security posture, providing organizations with the tools to defend against evolving cyber threats and minimizing the potential damage caused by security incidents.
-
Asheesh Kumar
Associate Partner - EMEA, Threat Management | Security Strategy Advisor
One correction on the above: alerting is referred to as detection. Response refers to actions taken, such as blocking an IP or a machine on the network from an endpoint. You need SOAR capabilities to perform response, such as XSOAR, Resilient, Logic Apps, etc., as you need to design workflows for response. Now SIEMs are integrating these capabilities, such as XSIAM and Sentinel (which comes with Logic Apps). Response is critical, hence it should be designed carefully and should be agreed between customers and service providers, as the result can impact the business financially depending on what gets blocked by an action.
-
Sarfraz Jafri
IT Security Director at Advanced Call Center Technologies, LLC
Responding to analyzed data and automating security operations is pivotal in modern cybersecurity. It ensures that organizations can swiftly and efficiently address security incidents, reduce risks, and maintain a strong security posture in the face of evolving threats.
-
Ross Durrer
SIEMs have evolved significantly in the past 20 years. While there are still platforms on the market today that use basic correlation/alerting components, the best platforms to use incorporate risk models. If you can find a platform where your team can modify the risk model, that is even better. User behavior analytics is now becoming a common feature which makes initial triage a bit easier for IR teams. If I had one complaint across all SIEM platforms it would be on the query language. Every time you touch a new platform you have to learn a new query language. We have the common information model and SIGMA...why can't we have a common query language across all SIEMs?
-
Pradeep Jairamani
Cloud Engineer (DevSecOps) at LeasePlan Digital & Project Leader at OWASP
Always choose a SIEM solution which has separate data costing for non-alert-related logs or logs which are not frequently accessed, like VPC flow logs; this hugely reduces costs when the data volume becomes ginormous while scaling. E.g.: https://help.sumologic.com/docs/manage/partitions-data-tiers/data-tiers/
(edited) -
Rubaiyyaat Aakbar
CISSP | ASEAN CSO30 | Cybersecurity Mentor
False positive alerts can be a real problem. I would prefer a SIEM tool that uses AI to continuously learn to reduce false positives. Detecting APT and profile-based attacks, as opposed to traditional signature-based attacks, is also an important trait for a SIEM tool. Finally, fine-tuning a SIEM tool to be optimised for your organisation is a cumbersome job and may take a few months to maximize the benefits.