The US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) published new guidelines this week for the procurement, implementation, and management of SIEM and SOAR platforms.
These technologies help organizations collect and analyze data from firewalls, endpoints, applications, and other sources to better detect and respond to cyberattacks. In practice, however, many organizations encounter major challenges during implementation and rollout. These include high costs and ongoing maintenance. According to the guidelines, these are not systems that you install once and can then forget about.
The use of these platforms is becoming increasingly important as organizations store and manage more and more valuable data. This includes personally identifiable information and health data. In addition, increasing infrastructure complexity creates blind spots. This makes it more difficult to detect threats. There are simply more endpoints, more applications, more external suppliers, and more home workers who could potentially be exploited.
Recommended practices
The guideline emphasizes that implementation is an intensive and ongoing process that requires a great deal of expertise. An important technical consideration is that the systems should only issue alerts in the event of actual security incidents. This is because rapid response is crucial. In addition, a SIEM system must function correctly before an organization can consider deploying a SOAR platform. This means that the SIEM must generate accurate alerts.
When estimating implementation costs, organizations must take hidden costs into account. These are often related to the amount of data entered into the system, as many suppliers base their prices on this. Training and ongoing support also entail costs.
Testing the performance of the systems is essential. In addition, organizations may have more control over the entire process when implementation takes place internally. In that case, the team operating the platforms has a better understanding of the network and business operations. If this is outsourced, gaps in visibility, overlapping work, and communication problems may arise.
The importance of baselines
The guidelines also contain specific recommendations for security professionals. An important step is to establish a baseline of normal network traffic and activity. This teaches the systems what is normal within the organization and enables them to better detect deviations. This includes analyzing installed tools, user behavior, network traffic, and communication between systems.
This also applies to logging activities and setting standards for applications. It is important that organizations carefully determine which components need to be addressed first, focusing on areas with the highest risk.
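As an added illustration of the baseline step described above (example code, not part of the CISA/ACSC guidance), the following Python sketch learns per-user norms from a constructed learning window of log events and then flags deviations on a later day: a destination or tool the user has never used, a user never seen before, and a daily event volume far above that user's usual level. The log fields, the three-sigma rule, and the minimum-spread floor are assumptions of this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-window events: (day, user, destination, tool).
# In a real deployment these would come from the SIEM's normalized log store.
BASELINE = [
    (1, "alice", "fileserver", "smb"), (1, "alice", "mail", "outlook"),
    (2, "alice", "fileserver", "smb"), (2, "alice", "mail", "outlook"),
    (3, "alice", "fileserver", "smb"),
    (1, "bob", "git", "ssh"), (2, "bob", "git", "ssh"), (3, "bob", "git", "ssh"),
]

# Constructed events for the day being monitored.
OBSERVED = [
    (4, "alice", "fileserver", "smb"), (4, "alice", "hr-db", "sqlclient"),
    (4, "bob", "git", "ssh"), (4, "bob", "git", "ssh"), (4, "bob", "git", "ssh"),
    (4, "bob", "git", "ssh"), (4, "bob", "git", "ssh"),
    (4, "mallory", "git", "ssh"),
]

def build_baseline(events):
    """Per user: known destinations, known tools, and daily volume statistics."""
    dests, tools = defaultdict(set), defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, user, dest, tool in events:
        dests[user].add(dest)
        tools[user].add(tool)
        daily[user][day] += 1
    profile = {}
    for user in dests:
        counts = list(daily[user].values())
        profile[user] = {"dests": dests[user], "tools": tools[user],
                         "mean": mean(counts), "sd": pstdev(counts)}
    return profile

def find_deviations(profile, events, day, k=3.0):
    """Return (user, reason) alerts for one day, without duplicates."""
    alerts, per_user = [], defaultdict(int)
    add = lambda a: alerts.append(a) if a not in alerts else None
    for d, user, dest, tool in events:
        if d != day:
            continue
        per_user[user] += 1
        p = profile.get(user)
        if p is None:
            add((user, "unknown user"))
            continue
        if dest not in p["dests"]:
            add((user, f"new destination {dest}"))
        if tool not in p["tools"]:
            add((user, f"new tool {tool}"))
    for user, n in per_user.items():
        p = profile.get(user)
        # Assumed floor of 1.0 on the spread so a perfectly regular user
        # is not alerted on by a single extra event.
        if p and n > p["mean"] + k * max(p["sd"], 1.0):
            add((user, f"volume {n} exceeds baseline {p['mean']:.1f}"))
    return alerts
```

Running `find_deviations(build_baseline(BASELINE), OBSERVED, 4)` yields alerts for alice's new destination and tool, the unknown user mallory, and bob's volume spike.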