SIEMs are a popular topic at the moment. For the mid-sized businesses we primarily work with, a SIEM is a point of interest, an industry talking point or an eventual goal. Whilst a SIEM certainly can offer significant security benefits to an organisation, there are good reasons why we have not yet seen widespread adoption in this market.
Getting the foundation right – a little goes a long way
For the majority of businesses we work with, Cloud services are not properly utilised, or at least not in the way the vendors envisioned them. A simple example is Dynamic Groups, whose membership is derived from user and device attributes rather than maintained by hand. Dynamic Groups are criminally under-utilised and are often seen as problematic or unreliable. In practice the unreliability is usually the directory data, not the feature: a rule can only place people correctly if the attributes it keys on (department, location, account state) are populated consistently. In actuality, the solution represents a shift away from static allocation of resources and towards self-service. However, for an organisation to use the solution correctly, it first needs to understand what its people need and how they use the required technology. And this is hard work.
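As an added illustration of that point (example code written for this page, not a tool the author or Microsoft ships, and assuming the Dynamic Groups in question are Microsoft Entra ID's), the following Python evaluates a small subset of the Entra dynamic membership rule syntax against constructed directory records. It shows membership being computed from attributes rather than maintained by hand, and that the usual "the group dropped someone" complaint is an unpopulated attribute. The grammar subset, the case-insensitive string comparison and the user records are assumptions made for the example; check the current Microsoft documentation for each operator's exact semantics before relying on them.

```python
import re

# Tokens for the subset of the Entra ID membership-rule grammar this toy understands
# (assumption: real rules support more operators and device.* properties).
_TOKEN_RE = re.compile(
    r'\s*(?:(?P<lparen>\()|(?P<rparen>\))|(?P<str>"[^"]*")'
    r'|(?P<op>-(?:eq|ne|startsWith|contains)\b)'
    r'|(?P<kw>(?:and|or|not|true|false|null)\b)'
    r'|(?P<prop>user\.[A-Za-z0-9_]+))',
    re.IGNORECASE,
)


def tokenize(rule):
    """Split a rule into (kind, text) tokens; anything unrecognised is an error."""
    tokens, pos = [], 0
    while rule[pos:].strip():
        m = _TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {rule[pos:pos + 12]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


def _compare(actual, op, expected):
    """Apply one operator. Assumption: strings compare case-insensitively; a missing
    attribute is None and never satisfies -startsWith or -contains."""
    if isinstance(actual, str) and isinstance(expected, str):
        actual, expected = actual.lower(), expected.lower()
    if op == "-eq":
        return actual == expected
    if op == "-ne":
        return actual != expected
    if not (isinstance(actual, str) and isinstance(expected, str)):
        return False
    return actual.startswith(expected) if op == "-startswith" else expected in actual


class _Parser:
    """Recursive descent over: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | clause; clause := user.<prop> <op> <literal>."""

    def __init__(self, tokens, user):
        self.toks, self.i, self.user = tokens, 0, user

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None):
        k, t = self.peek()
        if k is None or (kind and k != kind):
            raise ValueError(f"expected {kind}, got {t!r}")
        self.i += 1
        return t

    def at_kw(self, word):
        k, t = self.peek()
        return k == "kw" and t.lower() == word

    def expr(self):
        val = self.term()
        while self.at_kw("or"):
            self.take()
            val = self.term() or val
        return val

    def term(self):
        val = self.factor()
        while self.at_kw("and"):
            self.take()
            val = self.factor() and val
        return val

    def factor(self):
        if self.at_kw("not"):
            self.take()
            return not self.factor()
        if self.peek()[0] == "lparen":
            self.take()
            val = self.expr()
            self.take("rparen")
            return val
        return self.clause()

    def clause(self):
        prop = self.take("prop")[len("user."):]
        op = self.take("op").lower()
        k, t = self.peek()
        if k == "str":
            literal = t[1:-1]
        elif k == "kw" and t.lower() in ("true", "false", "null"):
            literal = {"true": True, "false": False, "null": None}[t.lower()]
        else:
            raise ValueError(f"expected a literal after {op}, got {t!r}")
        self.take()
        return _compare(self.user.get(prop), op, literal)


def evaluate(rule, user):
    """True if the user record satisfies the rule."""
    parser = _Parser(tokenize(rule), user)
    result = parser.expr()
    if parser.i != len(parser.toks):
        raise ValueError(f"unparsed tokens: {parser.toks[parser.i:]}")
    return result


def members(rule, users):
    """The membership the rule produces from the directory data as it stands."""
    return sorted(u["userPrincipalName"] for u in users if evaluate(rule, u))


def unpopulated_attributes(rule, user):
    """Attributes the rule references that are missing on this user: the usual reason
    a dynamic group 'unexpectedly' excludes someone."""
    props = {t[len("user."):] for k, t in tokenize(rule) if k == "prop"}
    return sorted(p for p in props if user.get(p) is None)


# Constructed directory records for the example; not real users.
FINANCE_RULE = ('(user.department -eq "Finance") and (user.accountEnabled -eq true) '
                'and (user.usageLocation -ne null)')
USERS = [
    {"userPrincipalName": "ana@example.com", "department": "Finance", "accountEnabled": True, "usageLocation": "GB"},
    {"userPrincipalName": "ben@example.com", "department": "finance", "accountEnabled": True, "usageLocation": "GB"},
    {"userPrincipalName": "dee@example.com", "department": "Finance", "accountEnabled": True},  # usageLocation never set
    {"userPrincipalName": "eli@example.com", "department": "Sales", "accountEnabled": True, "usageLocation": "GB"},
]
```

Running `members(FINANCE_RULE, USERS)` returns ana and ben only; dee has the right department and an enabled account but was never given a usage location, and `unpopulated_attributes(FINANCE_RULE, USERS[2])` names that attribute. That hygiene check, run across the directory before a rule goes live, is what separates a dynamic group that "just works" from one that is perceived as unreliable.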
Similarly, in the instances where we do find ourselves delivering a SIEM, we first work with the customer to understand what their ideal Cloud security landscape looks like. Remove the idea of a perimeter and insert the idea of an identity, or more specifically a user persona. A user persona has a specific need: they work in a specific way, from specified locations, and require access to a defined set of tools. When the person accesses those resources in the prescribed manner, the experience is effortless and secure. This, in our experience, is where most mid-market businesses get the best return on their security spend.
When does a SIEM make sense?
Most businesses find SIEMs to be expensive, time-consuming and less valuable than deployments of cloud identity, edge security and device management.
Therefore, we primarily see SIEMs in two key scenarios:
- Making sense of the millions of signals that identity, device and edge controls emit
- Maintaining compliance, where retained and searchable logs are a requirement
Setting up a SIEM for success
SIEMs rely upon a stream of reliable information pouring out of your environment to provide meaningful analytics. This means your environment must be set up in a certain way before you can maximise the benefits. This includes:
- Configuring Single Sign-On and Conditional Access
- Setting up MDM
- Deploying edge security
- Deploying a CASB
- Deploying the relevant Defender products (identity, devices, servers)
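To make the "stream of reliable information" requirement concrete, here is an added Python example (written for this page, not from the original post or any vendor) that triages constructed sign-in records shaped like Entra ID sign-in logs, using the Microsoft Graph signIn field names conditionalAccessStatus, deviceDetail.isManaged, deviceDetail.isCompliant and riskLevelDuringSignIn. The records, the set of sensitive applications and the triage rules are assumptions. What it shows is that where Conditional Access and MDM are in place, a successful sign-in to a sensitive app from an unmanaged device is flagged cleanly, whereas the same event from a tenant without those controls carries no policy result and no device posture, so the only honest verdict is "blind". A SIEM fed from an unprepared tenant produces that verdict at scale.

```python
from collections import Counter

# Constructed sign-in records; field names follow the Microsoft Graph signIn resource,
# every value is invented for the example.
SIGNINS = [
    {"userPrincipalName": "ana@example.com", "appDisplayName": "Finance ERP",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0},
     "conditionalAccessStatus": "success",
     "deviceDetail": {"isManaged": True, "isCompliant": True},
     "riskLevelDuringSignIn": "none"},
    {"userPrincipalName": "ben@example.com", "appDisplayName": "Finance ERP",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0},
     "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"isManaged": False, "isCompliant": False},
     "riskLevelDuringSignIn": "medium"},
    {"userPrincipalName": "cy@example.com", "appDisplayName": "Finance ERP",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 50126},  # non-zero: sign-in failed
     "conditionalAccessStatus": "notApplied", "deviceDetail": {},
     "riskLevelDuringSignIn": "none"},
    # What a tenant without Conditional Access or MDM emits: a successful sign-in
    # with no policy result and no device posture to reason about.
    {"userPrincipalName": "dee@example.com", "appDisplayName": "Finance ERP",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 0},
     "conditionalAccessStatus": "notApplied", "deviceDetail": {},
     "riskLevelDuringSignIn": "none"},
]

SENSITIVE_APPS = {"Finance ERP"}  # assumption: the apps this business treats as sensitive


def triage(record):
    """Verdict for one sign-in: 'alert', 'clear', or 'blind' when the record lacks the
    device posture a decision needs."""
    if record.get("status", {}).get("errorCode", 0) != 0:
        return "clear"  # no session was granted; failed sign-ins are a separate detection
    device = record.get("deviceDetail") or {}
    managed, compliant = device.get("isManaged"), device.get("isCompliant")
    if managed is None or compliant is None:
        return "blind"  # MDM is not reporting for this device, so posture is unknown
    ca = record.get("conditionalAccessStatus")
    if record.get("appDisplayName") in SENSITIVE_APPS and (ca == "notApplied" or not compliant):
        return "alert"  # sensitive app reached with no CA policy applied, or from a non-compliant device
    if record.get("riskLevelDuringSignIn") in ("medium", "high"):
        return "alert"
    return "clear"


def summarize(records):
    """Count verdicts across a batch."""
    return dict(Counter(triage(r) for r in records))


def posture_coverage(records):
    """Fraction of successful sign-ins that carry device posture: how much of the
    tenant a posture-based SIEM rule can actually see."""
    successes = [r for r in records if r.get("status", {}).get("errorCode", 0) == 0]
    with_posture = [r for r in successes
                    if (r.get("deviceDetail") or {}).get("isManaged") is not None]
    return len(with_posture) / len(successes) if successes else 0.0


if __name__ == "__main__":
    for r in SIGNINS:
        print(r["userPrincipalName"], "->", triage(r))
    print("summary:", summarize(SIGNINS))
    print("posture coverage:", round(posture_coverage(SIGNINS), 2))
```

Across the four constructed records this yields one alert (ben), two clear (ana, and cy whose sign-in failed) and one blind (dee), with posture coverage of two in three successful sign-ins. The coverage figure is the practical check: run the equivalent over a real export of sign-in logs and it tells you, before any SIEM licence is bought, how much of the tenant the identity, MDM and Conditional Access foundation actually covers.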
Businesses should first direct their efforts towards adopting all relevant Cloud services and the methodologies and processes that underpin them. Relevant services are those you are already licensed for or can acquire with minimal cost and effort. This is your area of maximal return, and the foundation on which any future SIEM will rely.