A practical and effective implementation of the technology (SIEM, UEBA, etc.) is the key. Many organizations have had a SIEM in place for years, yet it is not being used for effective monitoring. It is crucial to keep a few basic things in mind while implementing the technology:
1) Driver for SIEM Deployment: Organizations should have a clear understanding of what they expect from the deployment. Is it being deployed only to satisfy a compliance requirement, or is the expectation clear visibility into the network with no blind spots? The answer shapes every later decision on sizing, log sources and use cases.
2) Deployment Planning: Planning is essential for an effective implementation. It covers SIEM sizing, use-case identification, identification of critical assets and services, device logging levels, etc.
3) Information Gathering: Gather information about the network, devices, services, etc. before starting the actual deployment. Conducting sessions or interviews with the organization's teams (network, security, application, Windows, etc.) gives a holistic view of the current security posture. It also surfaces their pain points, which can then be addressed by mapping them to the right use cases, policies and rules.
4) Handover to SOC team: When the implementation team hands over to the operations team for continuous monitoring, a defined process must ensure that the operations team receives a complete handover with detailed documentation of what was deployed (log sources, logging levels, use cases, rules and known exceptions). It is vital for the SOC team to understand the customer environment both technically and culturally for effective monitoring.
5) Incident Management: The SOC team should be able to handle any security incident and report back to the relevant team for action. The SOC team must follow an incident management process that ensures each incident is verified (confirmed as a true positive or dismissed as a false positive), logged, assigned to an analyst tier (L1, L2, L3) according to its severity, tracked and closed.
6) Knowledge base and Problem management: Maintain a knowledge base (KB) and a problem management process so that recurring incidents are addressed at their root cause instead of being handled again and again.
7) Logging Level: While integrating devices, select the proper logging level on each log source so that the SIEM receives only the relevant and required logs. This reduces noise and minimizes unnecessary incidents; too many false positives consume analyst time and increase the overall cost of the SOC. The level must still capture what the agreed use cases and later forensic investigation need; filtering too aggressively recreates the blind spots the SIEM was meant to remove.
8) Identification of Use cases, Devices, Services: The respective teams can help the implementation team identify the right devices and services to integrate with the SIEM solution. They are also best placed to select the use cases, which must be mapped to the problems they actually face.
9) SLA: MSSPs sign SLAs with customers to ensure services are delivered effectively and on time. SLAs should be defined based on the criticality of the asset and the severity of the incident. A properly defined SLA ensures that incidents are responded to on time and gives the customer a yardstick for measuring the MSSP's performance.
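The process described in items 5 to 9, as an added example that is not part of the original article: a small Python triage pipeline over constructed sample alerts. It applies a per-source logging level, verifies alerts against a knowledge base of known false positives, derives a priority from asset criticality and rule severity, assigns an analyst tier and checks SLA breaches. All asset names, thresholds, rule names, tier mappings and SLA values are hypothetical and would come from the customer's own asset inventory and contract.

```python
"""Minimal SIEM/SOC triage pipeline over constructed alerts (added example).
Every table below is a hypothetical stand-in for real inventory and SLA data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical asset inventory: criticality 1 (low) .. 3 (crown jewel).
ASSET_CRITICALITY = {"dc01": 3, "web01": 2, "wks-042": 1}

# Hypothetical logging level per source type, as a syslog severity threshold
# (0 = emergency .. 7 = debug). Events numerically above it are not ingested.
LOGGING_LEVEL = {"firewall": 4, "windows": 5}

# Hypothetical rule severity 1 (low) .. 3 (high).
RULE_SEVERITY = {"port_scan": 1, "brute_force": 2,
                 "admin_login_offhours": 2, "malware_detected": 3}

# Hypothetical knowledge-base entry: the internal scanner hitting web01 is a
# known false positive and must not be raised as an incident again.
KNOWN_BENIGN = {("web01", "port_scan", "10.0.0.5")}

# Hypothetical SLA matrix (time to first response) and tier mapping.
SLA_RESPONSE = {"P1": timedelta(minutes=15), "P2": timedelta(hours=1),
                "P3": timedelta(hours=4), "P4": timedelta(hours=24)}
TIER = {"P1": "L3", "P2": "L2", "P3": "L1", "P4": "L1"}


@dataclass
class Alert:
    ts: datetime
    source_type: str
    syslog_severity: int
    asset: str
    rule: str
    actor: str


@dataclass
class Incident:
    alert: Alert
    priority: str
    tier: str
    due: datetime
    status: str = "open"
    responded_at: Optional[datetime] = None


def ingest(alerts):
    """Logging level: drop events noisier than the per-source threshold."""
    return [a for a in alerts
            if a.syslog_severity <= LOGGING_LEVEL.get(a.source_type, 7)]


def is_true_positive(alert):
    """Verification: anything matching the known-benign KB is a false positive."""
    return (alert.asset, alert.rule, alert.actor) not in KNOWN_BENIGN


def priority_for(alert):
    """Combine asset criticality and rule severity into a P1..P4 priority."""
    score = ASSET_CRITICALITY.get(alert.asset, 1) * RULE_SEVERITY[alert.rule]
    if score >= 6:
        return "P1"
    if score >= 3:
        return "P2"
    if score == 2:
        return "P3"
    return "P4"


def triage(alerts):
    """Ingest, verify, prioritise and assign; returns the logged incidents."""
    incidents = []
    for a in ingest(alerts):
        if not is_true_positive(a):
            continue  # verified false positive: never becomes an incident
        p = priority_for(a)
        incidents.append(Incident(alert=a, priority=p, tier=TIER[p],
                                  due=a.ts + SLA_RESPONSE[p]))
    return incidents


def respond(incident, at):
    incident.responded_at = at
    incident.status = "in_progress"


def close(incident):
    incident.status = "closed"


def sla_breaches(incidents, now):
    """Incidents whose first response came, or would now come, after the deadline."""
    return [i for i in incidents if (i.responded_at or now) > i.due]


T0 = datetime(2024, 1, 15, 2, 0)  # constructed timestamp
SAMPLE_ALERTS = [  # constructed sample input
    Alert(T0, "firewall", 6, "wks-042", "port_scan", "198.51.100.9"),   # info: filtered out
    Alert(T0, "firewall", 4, "web01", "port_scan", "10.0.0.5"),         # known scanner: FP
    Alert(T0, "windows", 2, "dc01", "malware_detected", "svc_backup"),  # 3 x 3 -> P1
    Alert(T0, "windows", 4, "wks-042", "brute_force", "203.0.113.7"),   # 1 x 2 -> P3
    Alert(T0, "windows", 3, "web01", "admin_login_offhours", "jdoe"),   # 2 x 2 -> P2
]


def demo():
    """Run the pipeline and report SLA breaches two hours after the alerts."""
    incidents = triage(SAMPLE_ALERTS)
    respond(incidents[0], T0 + timedelta(minutes=30))  # P1 answered late: breach
    respond(incidents[2], T0 + timedelta(minutes=20))  # P2 answered within 1h
    return incidents, sla_breaches(incidents, now=T0 + timedelta(hours=2))


if __name__ == "__main__":
    for inc in demo()[0]:
        print(inc.priority, inc.tier, inc.alert.asset, inc.alert.rule, inc.status)
    print("SLA breaches:", [i.alert.asset for i in demo()[1]])
```

The untouched P3 incident is not a breach yet because its four-hour clock has not run out; the same function flags it once `now` passes `due`, which is the measurement an MSSP performance review needs.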