SIEM Value: Five Operational Considerations

One of the most essential tools for large financial businesses to protect themselves from the growing threat of cyberattacks is a SIEM tool, such as Splunk. However, simply purchasing and implementing a SIEM is not enough. Once an organisation has implemented its SIEM, what do you ensure it keeps providing value?

In the Financial Services sector especially where compliance and security are absolute priorities; implementing a SIEM tool that’s effective and valuable to the business is vital. The biggest question for any CISO is; how do you ensure value and consistency, especially over time?

At Apto, we’ve worked with over 30 businesses across the wider financial landscape to identify and improve the value, scalability and dependability of SIEM. Here are five operational suggestions for getting more value from a SIEM tool.

1. Understand that maximising SIEM Value is a journey, not a destination.

Many organisations make the mistake of assuming that once they purchase and set up a SIEM with predefined use cases, the system will effortlessly detect threats in the background without much further input. In reality, maintaining and optimising a SIEM platform’s threat detection rules incurs significant investment in both time and energy. Neglecting this crucial aspect often results in the system gradually losing relevance over time and failing to deliver its full potential, especially 6/12 months from the initial setup. 

While the default rules provided by most SIEM platforms can offer a solid foundation, the reality is that you’ll need a dedicated expert to continually fine-tune and create customised threat detection content tailored to your business and keep that detection ruleset updated. Effective, valuable SIEM implementation is an ongoing journey that requires flexibility, adaptability and expert knowledge to be effective and provide a positive return on investment. 

2. Understand your ingest approach

Determining what data to feed into in a SIEM solution can spark debates and disagreements. There are two distinct approaches to consider. The first approach is to “log everything,” stemming from the belief that you should capture all data because you never know what you might need later. However, this approach can quickly become cost-prohibitive. The second approach is to log only the essential data. Unlike the first approach, this method involves thoughtful consideration of the organisation’s security and compliance objectives, risk tolerance, and desired alignment with industry frameworks. While this approach demands more upfront effort before engaging with the technology, it ultimately leads to a more effective and valuable SIEM solution once the chosen platform is implemented. Of course, both approaches have their merits, but it’s crucial to have an expert understanding of which path you’re pursuing and how it will shape your security maturity and posture going forward.

3. Decode the truth behind false positives

False positive notifications are a common occurrence when a SIEM tool mistakenly flags non-existent security threats, overwhelming the security operations centre (SOC) with unnecessary alerts and eroding trust in the tool itself. This issue can be particularly critical for financial sector SOCs, as it can open the door to severe security breaches.

To mitigate false positive notifications, we are often approached by customers seeking assistance in fine-tuning their SIEM. While this is a valid approach, it’s crucial to exercise caution. False positives should be evaluated against an overarching strategy and the business’s existing frameworks and controls. It’s not uncommon for perceived false positives to highlight genuine security or control risks. As a CISO, it is vital to develop a comprehensive strategy that encompasses all aspects of your security response and identifies the specific notifications you wish to receive, along with a clear understanding of why you need them before implementing a SIEM. 

4. Define good processes between the SOC and SIEM teams:

Establishing a robust and efficient process to facilitate knowledge transfer from the SOC to the SIEM is paramount. Far too often, information flow remains linear, with incidents being detected and addressed, while little thought is given to updating the content within the SIEM. Moreover, if the SOC team identifies gaps in the coverage provided by SIEM tools, it is crucial to relay this feedback to the SIEM engineering team for necessary updates and enhancements. Building upon this, it’s important to recognize that managing the SIEM requires a distinct skill set, and it should not be assumed that the SOC team can seamlessly take on this responsibility.

5. Harness data pipelining for cost-effective data management:

The security technology landscape is ever-expanding, with rapid advancements in XDR solutions, data storage, and analysis tools all having different requirements and solutions to the same compliance challenges. A SIEM tool is just one option of many, so understanding where flexibility is needed and why a specific tool is required is important. At Apto, one of the most prevalent concerns we encounter is the challenge of scaling and escalating expenses associated with the long-term use and support of a SIEM, especially when run in conjunction with other tools.

To address this, CISOs must have a clear understanding of the value of their organisation’s data and define the purpose of their SIEM concerning data utilisation. Enter data pipelining —a powerful technique that empowers customers to optimise their data usage. It allows for selective data ingestion into the SIEM, ensuring only relevant information is processed while offering alternative options for data retention, analytics, and machine learning. Data pipelining provides a significant advantage, allowing organisations to effectively manage SIEM costs by optimising data ingestion and computational resources. 

Bringing It All Together And Getting Maximum SIEM Value

To summarise, as all good CISO’s/InfoSec Teams know, a SIEM is an essential tool for any large financial business. However, to maximise its value, it is crucial to continuously manage it, understand how it aligns with your organisation’s security journey, understand what it is telling you in the context of your business objectives and know how to keep it up to date, especially in such an ever-changing landscape. 

A competent independent security consultant such as Apto Solutions can help with this by providing expert advice and guidance on selecting, implementing, and maintaining the right SIEM tool. With our dedicated strategic and technical guidance, businesses can ensure that their SIEM tool is effective and that they are protected from the growing threat of cyberattacks while ensuring good value over time and consistent, predictable performance.