The security landscape is riddled with sophisticated threats that are difficult to prioritize and manage – especially for global corporations that have remote offices and complex networks to secure all over the world. While many of these large enterprises have deployed costly solutions for so-called ‘defense-in-depth’, they still struggle to know which risks to address first. Today’s global enterprises are faced with two fundamental challenges: understanding and measuring their security posture in this environment, and effectively detecting and responding to evolving security threats.
A SIEM solution can be the key
As a first step for managing risk, organizations should consider a Security Information and Event Management (SIEM) solution as an effective tool for aligning IT operations and resources across a global operation. The value of SIEM technology’s real-time analysis of security alerts, security data logs and compliance reports is critical for understanding and assessing security posture, but the scale and complexity of a global SIEM deployment can be daunting. Therefore, enterprises need to remember a few core principles in order to build and operate SIEM solutions effectively:
- Adapt the SIEM to the organizational structure of the business.
- Create advocates and gain sponsorship within the internal team.
- Get a complete picture of your networked assets.
Step 1: Build a SIEM to fit your business.
Monitoring has to fit the organization as it actually is, and where it is heading. IT operations and information security may be spread across locations, business lines and other divisions, especially where corporate strategy favors acquisitions, and that limits how far operations can be centralized under a single umbrella. The security team therefore needs to decide how to organize itself around the interactions it will need with distributed IT teams, and around each country’s privacy rules: log data routinely contains personal data such as user names and client IP addresses, so shipping it to a central collector across borders is itself a data-protection decision, not just a network one. This matters both when data collection is first set up and throughout the incident management lifecycle, from identification through investigation, containment and eradication. A well-structured security team should also deliver measurable efficiencies by centralizing monitoring and incident response expertise while leaving local production teams free to focus on the applications and business areas they support.
Step 2: Communicate with stakeholders.
Again, depending on the business and security team’s organizational structure, a global SIEM may be required to serve multiple parties across the enterprise, which may often mean navigating conflicting missions and mandates. Effective stakeholder communications are crucial to overcoming this challenge, but are too often neglected or treated as an afterthought.
A key step in this case is to obtain the necessary sponsorship among the organization’s business units, IT production teams, and executive suite. Regular stakeholder communications must be an integral part of the strategy. The organization should appoint a primary sponsor for the program – usually someone from the office of the CIO – to push messages out to different parts of the organization and bring other sponsors on board. The primary sponsor must clearly communicate the goals, mission and the roadmap of the SIEM deployment and proactively share news and updates with stakeholders to ensure that all parties are unified and invested in a successful engagement.
Step 3: Understand your technical environment.
Organizations preparing to deploy SIEM globally often struggle to assemble a complete picture of their environment: network maps, ingress and egress points, and which services and data sets run on which systems. Frequently the organization operates multiple networks that are not fully integrated, not compatible, or not even interconnected, yet a complete inventory of IT assets across the global network is a critical success factor. Getting there effectively and at reasonable cost comes down to two considerations.
First, the monitoring program must be driven by use cases and designed with the desired outcome in mind. Start from what the analysts ultimately need to do, which data they need to make those decisions, and which risks they need to see, then work backward to decide what to collect. This keeps resources from being spent on technical work that never serves the business mandate, and it prevents the collection of terabytes of unneeded data that buries analysts rather than informing them. A practical check: every log source being onboarded should map to at least one named use case, and a source that maps to none is a cost with no detection value.
Second, the SIEM architecture and design need to be deliberate. An effective program is not a generic, one-size-fits-all system but a collection of tools that solve the organization’s specific problems given its environment and objectives. The design must account for people, process and technology in order to reach complete and accurate monitoring coverage while keeping scale and cost under control. For example, where the vendor supports it, running collectors and aggregation tiers as virtual machines can speed deployment and reduce the cost of collection across a heterogeneous, distributed network. Likewise, integrating even partial asset or network criticality data, wherever it exists in the enterprise, helps prioritize and contextualize the incidents escalated to an analyst; the gaps in that data are themselves useful, since an alert on a host nobody can account for deserves attention rather than a default low score.
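As an added illustration (not code from the original article or from any SIEM vendor), the following Python sketch puts both considerations together: collection is gated on the event types that the defined use cases actually need, and alerts are scored against a deliberately incomplete asset inventory, with unknown assets given a conservative default and flagged for follow-up. The use-case names, event types, host names, criticality scale and the severity-times-criticality formula are all constructed assumptions.

```python
"""Use-case-driven collection and asset-criticality enrichment for SIEM alerts.

Added illustration: inventory, event types, use-case names and scoring weights
are constructed assumptions, not any vendor's schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Use cases drive collection: each names the event types its detection needs.
# An event type that no use case needs is not forwarded to the SIEM at all.
USE_CASES: Dict[str, Set[str]] = {
    "brute_force_login": {"auth_failure", "auth_success"},
    "malware_beacon": {"proxy_deny", "dns_query"},
    "privilege_escalation": {"group_membership_change", "auth_success"},
}

# Partial asset inventory (constructed): only some hosts carry a rating, 1 low .. 5 high.
ASSET_INVENTORY: Dict[str, dict] = {
    "pay-db-01": {"criticality": 5, "unit": "Finance", "region": "EU"},
    "web-fe-07": {"criticality": 3, "unit": "E-commerce", "region": "US"},
    "kiosk-22": {"criticality": 1, "unit": "Retail", "region": "APAC"},
}
UNKNOWN_ASSET_CRITICALITY = 3  # conservative middle value for hosts missing from inventory

SEVERITY = {"low": 1, "medium": 2, "high": 3}  # raw severity assigned by the detection rule


@dataclass
class Escalation:
    host: str
    use_case: str
    severity: str
    criticality: int
    priority: int
    notes: List[str] = field(default_factory=list)


def collectable_event_types() -> Set[str]:
    """Union of event types that at least one use case consumes."""
    needed: Set[str] = set()
    for types in USE_CASES.values():
        needed |= types
    return needed


def select_for_collection(events: List[dict]) -> List[dict]:
    """Keep only events a defined use case can use; everything else is noise at SIEM prices."""
    needed = collectable_event_types()
    return [e for e in events if e["type"] in needed]


def prioritize(alert: dict) -> Escalation:
    """Combine rule severity with asset criticality, and record gaps in the inventory."""
    asset = ASSET_INVENTORY.get(alert["host"])
    notes: List[str] = []
    if asset is None:
        criticality = UNKNOWN_ASSET_CRITICALITY
        notes.append("asset not in inventory: criticality defaulted; confirm owner")
    else:
        criticality = asset["criticality"]
        notes.append(f"owner unit {asset['unit']} ({asset['region']})")
    priority = SEVERITY[alert["severity"]] * criticality
    return Escalation(alert["host"], alert["use_case"], alert["severity"],
                      criticality, priority, notes)


def triage_queue(alerts: List[dict]) -> List[Escalation]:
    """Analyst queue ordered by descending priority, then host name for stability."""
    return sorted((prioritize(a) for a in alerts), key=lambda e: (-e.priority, e.host))


# Constructed sample input: raw events offered by log sources, and alerts fired by rules.
RAW_EVENTS = [
    {"host": "pay-db-01", "type": "auth_failure"},
    {"host": "web-fe-07", "type": "dns_query"},
    {"host": "kiosk-22", "type": "disk_temperature"},     # no use case needs this
    {"host": "build-09", "type": "group_membership_change"},
    {"host": "web-fe-07", "type": "printer_status"},       # nor this
]

ALERTS = [
    {"host": "kiosk-22", "use_case": "brute_force_login", "severity": "high"},
    {"host": "pay-db-01", "use_case": "brute_force_login", "severity": "medium"},
    {"host": "build-09", "use_case": "privilege_escalation", "severity": "high"},
    {"host": "web-fe-07", "use_case": "malware_beacon", "severity": "low"},
]

if __name__ == "__main__":
    kept = select_for_collection(RAW_EVENTS)
    print(f"collected {len(kept)} of {len(RAW_EVENTS)} events")
    for esc in triage_queue(ALERTS):
        print(esc.priority, esc.host, esc.use_case, esc.severity, "|", "; ".join(esc.notes))
```

Two of the five raw events are dropped before they ever reach the SIEM, and in the queue the high-severity alert on the retail kiosk ranks below the medium-severity alert on the payment database, because criticality, not rule severity alone, decides what an analyst sees first. The host missing from the inventory is neither ignored nor silently treated as low value; it lands near the top with a note telling the analyst to establish ownership.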
Position your business for profitability and success
The efficiency and increased security provided by a well-executed global monitoring program offers tremendous value to organizations that follow these guiding principles. A successful global SIEM deployment depends on the ability to look beyond independent lines of business and recognize the benefits of an organized, unified security environment to the enterprise as a whole. Leaders across the organization must commit to a collaborative vision and work together, both internally and externally, to build support for the monitoring program’s mandate and mission. They must also assess the technical environment in order to build systems that can help analysts collect, manage and prioritize data for effective incident response.
Consolidating or better rationalizing security operations with a global SIEM can improve an organization’s understanding of its security posture and help it better respond to evolving threats, without increasing headcount, for more efficient global IT operations and a more secure business.