Top 3 SIEM Optimizations – How to Get More From Your Existing Tech Stack

June 1, 2023
Written by Bradley Chambers

Bradley is an experienced IT professional with 15+ years in the industry. At Cribl, he focuses on building content that shows IT and security professionals how Cribl unlocks the value of all their observability data.

Categories: Learn

In today’s digital-first world, most security problems are actually data problems, and data volumes are outpacing organizations’ abilities to handle, process, and get value from it. You’ll have 250% more data in five years than you have today, but the chances of your budget increasing to match that are slim.

The challenges that come with managing the rise in enterprise data volume directly affect your ability to adequately address cybersecurity risks. Optimizing your SIEM and existing tech stack will better position your organization to handle the increasingly complex threats headed your way. These are the top three things you can do to get there.

Improve Data Quality With Normalization

Each source of security data tends to arrive in its own format — if you have a dozen sources feeding data into your SIEM, it wouldn’t be unusual for the same user to appear under a completely different field name in each one.

If this happens for each user — across multiple fields and events — the extra noise created quickly adds up. The vast sea of extra data makes creating security rules, correlation rules, alerts, and dashboards in your SIEM problematic, so you end up with gaps in visibility that make threats impossible to detect.

Events that don’t meet formatting requirements may be dropped by a SIEM altogether. The variations in data can also appear anomalous, causing the SIEM to send unnecessary alerts, also known as false positives. It’s easy to go from missing threats you can’t see to losing them in a list of alerts that will never see the light of day. Reducing false positives frees up analysts to triage actual security issues.

Add Context to the Data in Your SIEM

Although they come in multiple formats, usernames have all the context you need — but things like IP addresses are a different story. You can see a couple of IP addresses in this simple log entry from Cisco SA, but all we really know is that one is a private address, and the other one is public.

GeoIP information for these IPs is critical for investigations, but jumping between different tools to figure out a location for each log takes up valuable time. Looking it up after the fact is also risky: you could attach today’s GeoIP information to an IP address from a log that is a couple of years old. In the example above, the external IP address is from North Korea, but it might not be a North Korean IP address a year from now.
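The two points above, normalizing field names into one schema and enriching public IPs with GeoIP in the pipeline while recording when the lookup was made, as one added example (written here, not code from Cribl or the article). The source names, field maps, sample events and the tiny GeoIP table are all constructed for illustration; a real pipeline would read the field maps from configuration and query a GeoIP database.

```javascript
// Added example: normalize per-source field names, then enrich public IPs.
// Constructed sample events: each source names user, IP and time differently.
const RAW_EVENTS = [
  { source: "windows", TargetUserName: "Alice", IpAddress: "203.0.113.7", EventTime: "2023-05-30T10:00:00Z" },
  { source: "okta", actor_login: "alice", client_ip: "203.0.113.7", published: "2023-05-30T10:00:05Z" },
  { source: "firewall", user: "alice", src: "10.1.2.3", dst: "198.51.100.9", ts: "2023-05-30T10:00:09Z" },
];

// Per-source field map (constructed): raw field name -> common schema name.
const FIELD_MAPS = {
  windows: { TargetUserName: "user", IpAddress: "src_ip", EventTime: "ts" },
  okta: { actor_login: "user", client_ip: "src_ip", published: "ts" },
  firewall: { user: "user", src: "src_ip", dst: "dst_ip", ts: "ts" },
};

// Constructed GeoIP table (documentation address ranges, placeholder country codes).
const GEOIP = { "203.0.113.7": "XX", "198.51.100.9": "YY" };

// RFC 1918 and loopback addresses carry no meaningful GeoIP, so skip them.
function isPrivateIPv4(ip) {
  const o = ip.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => Number.isNaN(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168);
}

// Rename fields according to the source's map; unmapped fields pass through.
function normalize(event) {
  const map = FIELD_MAPS[event.source] || {};
  const out = { source: event.source };
  for (const [k, v] of Object.entries(event)) {
    if (k !== "source") out[map[k] || k] = v;
  }
  // Lower-case the user so "Alice" and "alice" correlate as one identity.
  if (typeof out.user === "string") out.user = out.user.toLowerCase();
  return out;
}

// Attach country for public IPs and stamp the lookup date, so an analyst
// reading the event years later knows the GeoIP reflects ingest time.
function enrich(event, lookupDate) {
  for (const f of ["src_ip", "dst_ip"]) {
    const ip = event[f];
    if (!ip || isPrivateIPv4(ip) || !GEOIP[ip]) continue;
    event[`${f}_country`] = GEOIP[ip];
    event[`${f}_geo_as_of`] = lookupDate;
  }
  return event;
}

function processEvents(events, lookupDate) {
  return events.map((e) => enrich(normalize({ ...e }), lookupDate));
}
```

After processing, every event exposes the same `user`, `src_ip` and `ts` fields, so one correlation rule covers all three sources.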

Strike the Right Balance Between Data Quantity and Quality

Data volume is an issue with most environments — chances are that you’re a part of the significant percentage of organizations that don’t even ingest all the data they need in their SIEM. If you don’t collect everything you need to because of infrastructure, network traffic, or license costs — or the desire to control the load on all the agents you need to get all the necessary information — you’ll likely have some significant security vulnerabilities.

In many cases, voluminous data sources like network flow logs are the most valuable from a security perspective. You should also collect DNS traffic and endpoint logs, but in a way that lets you afford to run all the services you need. The more unnecessary data you collect, the further you move from real-time alerting.

In our recent webinar, we discuss how Cribl Stream enables your existing set of tools to handle increases in data volume and improve your organization’s security posture. Data normalization, enrichment, and reduction are just the tip of the iceberg. Stream allows you to use data lakes to take advantage of deep analytics, reporting, and searching without causing resource contention with your SIEM. You can hold onto a much smaller, more intentional portion of data, dump the full-fidelity copies of data into object storage, and use the replay feature to put a session back through your SIEM if needed.
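The quantity-versus-quality trade-off and the replay idea from the last two sections, as an added example (written here, not Cribl Stream's own code): routine allowed flows are sampled and slimmed before they reach the SIEM, anything deny-related or on a sensitive port is kept in full, and every record goes untouched to an archive that can be replayed for a time window. The flow records, field names and port list are constructed assumptions.

```javascript
// Added example: reduce flow logs for the SIEM, keep full fidelity for archive.
// Constructed flow records: 100 routine HTTPS allows plus two events of interest.
const FLOWS = [];
for (let i = 0; i < 100; i++) {
  FLOWS.push({ ts: 1685527200 + i, src: "10.0.0.5", dst: "203.0.113.7", dport: 443,
               action: "ALLOW", bytes: 1200 + i, ifaceDesc: "eth0 uplink to core switch" });
}
FLOWS.push({ ts: 1685527300, src: "10.0.0.9", dst: "198.51.100.9", dport: 443,
             action: "DENY", bytes: 0, ifaceDesc: "eth0 uplink to core switch" });
FLOWS.push({ ts: 1685527301, src: "10.0.0.5", dst: "198.51.100.9", dport: 3389,
             action: "ALLOW", bytes: 5400, ifaceDesc: "eth0 uplink to core switch" });

// Ports (constructed list) whose flows are always forwarded in full.
const ALWAYS_KEEP_PORTS = new Set([22, 445, 3389]);

// A flow is high value if it was denied or touches a sensitive port.
function isHighValue(f) {
  return f.action !== "ALLOW" || ALWAYS_KEEP_PORTS.has(f.dport);
}

// Returns { siem, archive }: siem holds the reduced stream, archive every record.
function route(flows, keepEvery) {
  const siem = [];
  const archive = [];
  let routine = 0;
  for (const f of flows) {
    archive.push(f); // full-fidelity copy always lands in object storage
    if (isHighValue(f)) {
      siem.push({ ...f, sampled: false });
      continue;
    }
    routine++;
    if (routine % keepEvery === 0) {
      const { ifaceDesc, ...slim } = f; // drop the verbose descriptive field
      // sample_rate lets dashboards scale sampled counts back up.
      siem.push({ ...slim, sampled: true, sample_rate: keepEvery });
    }
  }
  return { siem, archive };
}

// Replay: pull archived records for an investigation's time window so they
// can be sent back through the SIEM on demand.
function replay(archive, fromTs, toTs) {
  return archive.filter((f) => f.ts >= fromTs && f.ts <= toTs);
}
```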

You probably have all of the right tools in place already — making sure that you’re feeding them the proper data will help ensure your organization is as secure as possible. Check out the presentation for more information, including a live demo of Cribl Stream and answers to some great questions, like why it’s better to do enrichment in the pipeline as opposed to your SIEM, and much more.
