Evaluator's Guide: 6 Steps To SIEM Success

Table of contents
03 Executive summary

04 Step 1: Know your use cases first

07 Step 2: Identify all environments you’ll need to monitor

10 Step 3: SIEM alone does not equal threat detection

14 Step 4: Correlation rules are the engine of your SIEM

17 Step 5: Consider how to integrate threat intelligence

20 Step 6: Automate and orchestrate security operations

21 Summary

22 SIEM evaluation process stages

23 SIEM checklist: Questions for SIEM vendors

26 Go beyond SIEM capabilities

27 About AT&T Cybersecurity

This document is intended to include general information for individuals learning about security information and event management (SIEM). Use of names
of third party companies in the document are for informational purposes only and do not constitute any endorsement by AT&T Cybersecurity.
Executive summary
We’ve put together this evaluation guide to help you find the best security information and event management (SIEM) solution for your organization. Whether your goals are to —

• detect threats

• achieve compliance

• fuel incident response

• or all of the above

— these 6 steps to SIEM success will help guide your team through key considerations to prepare your SIEM deployment and choose a solution that works for your environment.

Step 1:
Know your use cases first
Why are you considering SIEM in the first place?

Modern SIEMs support many different business and technical use cases, including security, compliance, big data
analytics, IT operations, and others. However, this does not mean that any SIEM solution will satisfy your unique
business and technical needs. Not all SIEMs are built equally or optimally to support all use cases, so it’s important to
begin your SIEM evaluation by defining your specific use cases or goals.

Knowing your reasons for pursuing a SIEM deployment will help you:

• Define the scope of your deployment (which environments to monitor)

• Determine your priority data sources (which assets to collect logs from)

• Identify the high priority events and alarms that you want to focus on

• Pinpoint your key success metrics and milestones

For example, if your goal for deploying a SIEM solution is to pass your next PCI DSS audit, then your scope would be the environments in which credit cardholder data is collected, processed, transmitted, or stored. Your high priority data sources would include the firewalls and other security controls that protect that environment, as well as the server and application logs that are involved with collecting and processing credit cardholder data. Other data sources might be interesting (e.g. from systems outside the scope of the PCI DSS audit) from an overall security standpoint, but they aren’t essential and won’t help you achieve your primary goal of PCI DSS compliance.

In this PCI DSS compliance example, you would likely want to focus on the security events and alarms that are in scope of your PCI DSS environment. A key success metric would include having the ability to monitor these events over time and report on them as needed in order to demonstrate to PCI assessors that you’re continuously and fully monitoring your critical environments.

Business use cases vs. technical use cases

Keep in mind there are key differences between business use cases and technical use cases. A business use case is often high level, strategic, and provides rationale that can help you gain executive approval and funding for your SIEM development. A technical use case is often highly detailed and helps you operationalize the SIEM in order to achieve your business goals.

For example:

Business use case (few) - Monitor all privileged user activity to satisfy PCI compliance requirements.

Technology use case (many) - Monitor and set up an alert for all sudo events on Linux servers, especially failed root logins, and prioritize those that occur during specific time windows.

If we take the business use case privileged user monitoring example even further, it requires knowing:

• Who your privileged users are (usernames)

• What constitutes privileged activity (commands)

»» Logins = rlogins / ssh

»» User permission changes (e.g. sudo or LDAP, etc.)

• Where you care to focus (devices)

»» Critical servers, applications, network devices, security devices, etc.

»» Endpoints? If so, whose?
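The technology use case above (alert on sudo events from Linux servers, failed root logins first, higher priority inside a chosen time window) written out as a concrete rule, added here as an example that is not part of the original guide. It assumes the standard sudo syslog line format, a log year of 2019 because syslog timestamps carry none, and an off-hours window of 22:00 to 06:00; the log lines are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

# Constructed auth.log-style sudo lines (sample data, not from any real host).
SAMPLE_LOG = """\
Mar 03 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 03 02:41:17 db02 sudo:    bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 03 14:05:33 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 03 23:58:09 db02 sudo:    dave : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/id
Mar 03 03:10:44 app01 sudo:    alice : TTY=pts/0 ; PWD=/opt/app ; USER=postgres ; COMMAND=/usr/bin/psql
"""

# sudo's syslog format: "user : [failure reason ;] TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>(?!TTY=)[^;]+) ; )?TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
LOG_YEAR = 2019                        # assumption: syslog lines carry no year
OFF_HOURS = (time(22, 0), time(6, 0))  # assumption: the "specific time window" to prioritize


@dataclass
class SudoAlert:
    when: datetime
    host: str
    user: str
    target: str
    failed: bool
    severity: str
    command: str


def in_window(t: time, start: time, end: time) -> bool:
    """True if t falls in [start, end); handles windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def classify(target: str, failed: bool, t: time) -> str:
    """Map the use case to severities: failed root escalation is high, off-hours makes it critical."""
    if failed and target == "root":
        return "critical" if in_window(t, *OFF_HOURS) else "high"
    if failed:
        return "medium"
    return "low" if target == "root" else "info"


def parse_sudo_line(line: str) -> Optional[SudoAlert]:
    m = SUDO_RE.match(line.strip())
    if not m:
        return None  # not a sudo event; other auth.log lines are ignored by this rule
    when = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    failed = m["reason"] is not None  # "3 incorrect password attempts", "user NOT in sudoers", ...
    return SudoAlert(when, m["host"], m["user"], m["target"], failed,
                     classify(m["target"], failed, when.time()), m["cmd"])


def triage(log_text: str) -> List[SudoAlert]:
    """Run every line through the rule and return alerts, worst severity first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
    alerts = [a for a in (parse_sudo_line(l) for l in log_text.splitlines()) if a]
    return sorted(alerts, key=lambda a: (order[a.severity], a.when))


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.severity:8} {a.when:%H:%M} {a.host:6} {a.user}->{a.target} "
              f"{'FAILED' if a.failed else 'ok'} {a.command}")
```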

Step 2:
Identify all environments
you’ll need to monitor
What assets should you monitor?
Where do they reside?

After you’ve identified your key use cases for a SIEM, you’ll need to identify and monitor all the assets relevant for
achieving your business goals. This includes all network devices that process security-relevant information such as
routers, firewalls, web filters, domain controllers, application servers, databases, and other critical servers.

Your SIEM use cases may relate to passing your next compliance audit or protecting the company’s intellectual
property. So, you should consider all of the critical apps and data your business relies on to support customers and
keep business operations running. Which apps house data that might be the target of cyber criminals? Which apps
contain data that may impact your compliance status (e.g. credit cardholder data has implications for PCI DSS)?


When evaluating a SIEM, be sure you consider how you will monitor critical assets across all of your IT environments:

• Physical IT infrastructure / networks

• Private clouds / virtualized IT (VMware®)

• Remote sites and retail outlets

• Public cloud accounts (AWS®, Azure)

• SaaS environments / cloud apps (Office 365, G Suite™, and more)

Note: Apps like Office 365 and G Suite contain important information about user activity and can often be “ground zero” for phishing attacks and other threats. Find out from your SIEM vendor if they can automate the collection and analysis of log events from these enterprise SaaS apps. Otherwise, you could miss the full picture on emerging risks.


Unify security monitoring across on-premises and cloud environments

In the past, enterprises had most of their data housed on systems in their own data center, with SIEM sensors installed on each network to collect and consolidate all of the event log data across the LAN or WAN. With the evolution of cloud computing, those days are long gone. The average global enterprise uses close to 1,000 cloud apps across all departments in their organizations.

Chances are, the most important data for your business is sitting on at least one or more cloud environments. And so, as part of your overall effort to monitor all threats against that data, and to achieve and demonstrate compliant processes, you’ll need to extend security monitoring to all of those environments: from on-premises networks and data centers to the cloud, whether IaaS / PaaS environments like AWS® and Microsoft Azure®, or SaaS environments, like G Suite and Office 365.

Find out from your SIEM vendor if they can collect, consolidate, and analyze event log data for all of these environments (IaaS, PaaS, and SaaS). Ask them how they do it, and test them on this by including data from all of your environments. If you’re ready to tackle the key questions to ask during your SIEM evaluation, go directly to our SIEM checklist: Questions for SIEM vendors.

Step 3:
SIEM alone does not
equal threat detection
Complete security visibility requires a broad perspective, drawn from a wide range of tools.

While a SIEM is great at collecting and correlating raw data, at the end of the day, you still need to tell the SIEM what
assets to monitor, what vulnerabilities those assets have, what type of traffic is coming in and out of your network,
and much more in order to detect and respond to a broad range of threats.

This means that your SIEM must play well with your other security controls in order to give you full visibility into
threats. What controls, at a minimum, are essential for feeding your SIEM?


Here are a few recommended security controls, and why they’re essential:

• Asset discovery and inventory – You need to know which assets are impacted by a particular threat, especially if those assets are in scope of compliance

• Vulnerability assessment – Finding and addressing vulnerabilities before they’re exploited gives you enhanced protection

• Host-based intrusion detection (HIDS) – Advance notice of suspicious activity on servers increases your ability to stop threats in their tracks

• Network-based intrusion detection (NIDS) – Advance notice of suspicious network activity increases your ability to thwart attackers, and may provide information about an attacker’s techniques

• File integrity monitoring (FIM) – Malware often targets critical system files, so monitoring these is essential


Where and how do you find these data sources?

If you haven’t yet invested in these essential security controls, you may find great value in SIEM platforms that include built-in security assessment and monitoring controls as a standard part of their functionality. Multi-functional SIEM platforms produce a number of key benefits:

Time to value

When you choose a SIEM solution that is already integrated with other security controls, you significantly reduce the time and effort required to procure, deploy, integrate, and configure multiple point security tools. Instead, you can deploy quickly and realize a faster time to value. Security-focused SIEM solutions often include pre-built correlation rules to detect malware and more, so you can start detecting threats sooner.

Cost savings

A unified SIEM helps to generate upfront and ongoing cost savings. Instead of having to deploy, monitor, and maintain multiple point security and compliance tools, a unified solution can provide a single pane of glass for complete security monitoring and compliance management. This approach enables resource-constrained IT security teams to achieve a strong security posture with fewer resources.

Accuracy and precision

Because detection is better coordinated among the built-in security controls, alarms are more accurate and correlation rules more finely tuned than they would be for external or unknown data sources.


If you do already have some of these core technologies in place, then you’ll want to clearly understand what it will take (how much time, money, and effort) to integrate them with your SIEM and maintain that integration as things change.

Be sure to ask your SIEM vendor how they approach integration with other tools, and how long this part of the deployment is expected to take.

Step 4:
Correlation rules are
the engine of your SIEM
Correlation rules find the signal in the noise.

The secret sauce in any SIEM is what is known as “event correlation,” which filters through raw event log data to find
activity that signals something bad is happening now or recently happened. Event correlation rules are based on an
understanding of how attacks unfold, so you’re notified whenever specific event data consistent with an attack show
up in your environment. Without correlation rules, your SIEM can’t deliver a single alarm.

In order to find threats and know what to do about them, you’ll need to know:

• WHO the bad actors are

• WHAT events to focus on

• WHERE these threats are in your environment

• WHY these are the biggest threats

• HOW to respond when threats are detected


Who writes correlation rules?

Writing, testing, implementing, and updating event correlation rules is a full-time job, requiring years of expertise
and intelligence. Because security-relevant events and their characteristics are constantly changing (as is the threat
landscape), correlation rules must be constantly developed and refined to detect and respond to emerging threats
quickly and effectively. Be sure you have a clear understanding of how your SIEM vendor updates correlation rules, or
be sure your internal team is capable of taking this on.

If you must write and update your own correlation rules, you’ll need to think through the
following for each threat you want to detect:

What would be some event types, and their sequences, that might indicate this scenario?

For example: Someone tries unsuccessfully to log onto the domain controller using the admin account,
and then there’s an unscheduled reboot of the same system.

• Include 1-2 of these in your SIEM test cases and POCs.

Which devices would be in scope for catching a scenario of this type?

• Make sure you add these devices as data sources first.

• Pro-tip: Remember the “pre-step” is to find them. That’s why automated asset discovery is a must-have
for SIEMs.


What is your incident response strategy for when these scenarios happen?

• Develop standard operating procedures (SOPs) and train staff. Make sure your SIEM supports built-in
documentation for your SOPs.

• Do SIEM alerts include customized guidance, and click-through detail on assets, their owners, contact
info, etc.?
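The scenario walked through above (a failed logon to the domain controller with the admin account, followed by an unscheduled reboot of the same system) as a small sequence-correlation rule, added here as an example and not part of the original guide. It assumes Windows event IDs 4625 (failed logon), 6008 (the previous shutdown was unexpected) and 1074 (a planned restart), a 30-minute lookback window, and the constructed host and account names in the sample events.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Windows event IDs the rule keys on (Security log 4625; System log 6008 and 1074).
FAILED_LOGON = 4625          # an account failed to log on
UNEXPECTED_SHUTDOWN = 6008   # "the previous system shutdown was unexpected" = unscheduled reboot
PLANNED_SHUTDOWN = 1074      # a process or user initiated a restart: scheduled, not part of this sequence

ADMIN_ACCOUNTS = {"administrator"}     # privileged accounts to watch (assumption)
DOMAIN_CONTROLLERS = {"dc01", "dc02"}  # in-scope devices, onboarded as data sources first (constructed)
LOOKBACK = timedelta(minutes=30)       # how long a failed admin logon stays "recent" (assumption)


@dataclass
class Alarm:
    host: str
    reboot_at: datetime
    failed_logons: List[dict]   # the evidence an analyst needs to start investigating


@dataclass
class SequenceCorrelator:
    """Keeps, per host, the recent failed admin logons and fires when an unscheduled reboot follows."""
    recent: Dict[str, Deque[dict]] = field(default_factory=lambda: defaultdict(deque))
    alarms: List[Alarm] = field(default_factory=list)

    def feed(self, ev: dict) -> None:
        host = ev["host"].lower()
        if host not in DOMAIN_CONTROLLERS:
            return  # out of scope for this rule
        if ev["event_id"] == FAILED_LOGON and ev.get("target_user", "").lower() in ADMIN_ACCOUNTS:
            self.recent[host].append(ev)
        elif ev["event_id"] == UNEXPECTED_SHUTDOWN:
            window = self.recent[host]
            while window and ev["time"] - window[0]["time"] > LOOKBACK:
                window.popleft()  # too old to belong to the same attack sequence
            if window:
                self.alarms.append(Alarm(host, ev["time"], list(window)))
                window.clear()    # each reboot is alarmed once
        # PLANNED_SHUTDOWN and any other event does not advance the sequence


def correlate(events: List[dict]) -> List[Alarm]:
    """Replay events in time order (a SIEM may receive them out of order) and return the alarms."""
    c = SequenceCorrelator()
    for ev in sorted(events, key=lambda e: e["time"]):
        c.feed(ev)
    return c.alarms


def _t(hhmm: str) -> datetime:
    return datetime(2019, 3, 3, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"time": _t("01:02"), "host": "DC01", "event_id": 4625, "target_user": "Administrator", "src_ip": "10.0.5.23"},
    {"time": _t("01:03"), "host": "DC01", "event_id": 4625, "target_user": "Administrator", "src_ip": "10.0.5.23"},
    {"time": _t("01:15"), "host": "DC01", "event_id": 6008},                        # unscheduled reboot -> alarm
    {"time": _t("02:00"), "host": "DC02", "event_id": 4625, "target_user": "Administrator", "src_ip": "10.0.7.9"},
    {"time": _t("02:05"), "host": "DC02", "event_id": 1074, "user": "svc-patch"},   # planned restart -> no alarm
    {"time": _t("03:00"), "host": "FS01", "event_id": 4625, "target_user": "Administrator", "src_ip": "10.0.7.9"},
    {"time": _t("03:04"), "host": "FS01", "event_id": 6008},                        # not a DC -> out of scope
    {"time": _t("05:00"), "host": "DC02", "event_id": 4625, "target_user": "jsmith", "src_ip": "10.0.2.2"},
    {"time": _t("05:10"), "host": "DC02", "event_id": 6008},                        # non-admin failure, admin failure expired -> no alarm
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a.host}: unscheduled reboot at {a.reboot_at:%H:%M} after "
              f"{len(a.failed_logons)} failed admin logon(s) from {a.failed_logons[0]['src_ip']}")
```

The negative cases in the sample (planned restart, out-of-scope host, non-admin failure, expired window) are what a SIEM test case or POC should exercise alongside the positive one.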

Be wary of any SIEM vendor who cannot show you their event
correlation rules, or explain their methodology for identifying,
correlating, and categorizing events and event sequences. In fact,
their lack of transparency may be hiding the fact that they don’t
know what to look for, and are expecting your team to write, test,
and implement event correlation rules. And no one has time for that.

Step 5:
Consider how to integrate
threat intelligence
Threat intelligence provides valuable context to SIEM.

As threats continue to evolve over time, your SIEM will need to be updated to recognize these new threats. Most IT security teams don’t have the time or resources to research emerging threats on a daily basis, let alone develop new rules to detect when they show up in your environment. That’s where integrated threat intelligence plays a huge role.

What should “actionable” threat intelligence include?

Unfortunately, there is a bit of confusion surrounding how to define threat intelligence. Some vendors would have you believe that raw indicators of compromise (IoCs) (e.g. file hashes or IP addresses) constitute threat intelligence. These artifacts are singular pieces of evidence and lack the full context needed to be considered actionable or ready-to-use threat intelligence.

A good rule of thumb is: can I act now on this information? If the answer is yes, you have actionable, fully operationalized threat intelligence. Threat intelligence should contain all of the characteristics of a threat, as well as other analysis to help IT teams defend themselves from that threat.


For example, this includes:

• A summary of the threat (e.g. impact, severity, etc.)

• Specific software targeted (e.g. OS, apps, etc.)

• Actions or access needed to exploit the threat (e.g. command line access)

• Types of network protocols exploited (e.g. ICMP, SMB, etc.)

• Indicators of compromise (which may include: IP addresses, URLs, domain names, file hashes and other artifacts)

• Remediation recommendations (if available, along with links to patches and other fixes)


If your SIEM vendor lacks a dedicated security research team and doesn’t offer
natively integrated threat intelligence, ask them:

• How are new threats detected?

• Whose responsibility is it to keep the SIEM updated?

• How is integration with a threat intelligence provider accomplished?

• Will that add costs to my SIEM deployment?

Step 6:
Automate and orchestrate
security operations
You’ve detected an active threat. What happens next?

Automation is essential for SIEM success in real-world operational environments. If you can’t quickly act on the alerts and insights you’re getting from your SIEM, then despite your best efforts, having that information adds little value.

Admittedly, the entire security monitoring process can’t be automated. That said, there are still opportunities for automation and security orchestration to accelerate response and streamline the incident response process. Your SIEM platform may be able to orchestrate security “playbooks” on your security devices such as Cisco Umbrella™, or Palo Alto Networks® Next-Generation Firewall. These playbooks consist of things like having a SIEM alert trigger an automated rulebase change for a specific IP block on a Palo Alto firewall.

Ask your SIEM vendor if they can extend their platform for consolidated threat detection and security orchestration and automation. Find out which third-party apps and IaaS environments they support. Additionally, find out if their alerts provide expert guidance on how to interpret the threat and how to respond to it.

Remember, speed is an essential ingredient in terms of containing the damage of a cyberattack and restoring your assets and operations. And because users access corporate data via all types of SaaS apps and environments, you’ll need to make sure you can scale and extend your SIEM platform to bring in all of these rich data sources.
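The “alert triggers an IP block” playbook above, with the guardrails an automated rulebase change needs before anyone lets it run unattended, added here as an example that is not part of the original guide or any vendor’s product. It assumes a severity threshold, a never-block list (internal ranges plus a constructed allowlist entry) and a 24-hour expiry on automatic blocks; the vendor-specific firewall API call is the one step left as a comment, since it differs per product.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Guardrails for an automated "block this source IP" playbook (assumptions; tune per environment).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
MIN_SEVERITY = "high"                  # lower-severity alarms are for humans, not for automation
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # internal ranges: an auto-block here is an outage
    "203.0.113.10/32",                                 # constructed allowlist entry (e.g. a partner VPN endpoint)
)]
BLOCK_TTL = timedelta(hours=24)        # auto-blocks expire, so a wrong decision heals itself


@dataclass
class Decision:
    action: str                        # "block", "escalate" or "ignore"
    ip: str
    reason: str
    expires: Optional[datetime] = None


@dataclass
class BlockPlaybook:
    """Turns SIEM alarms into firewall rulebase changes, or refuses to and says why."""
    active_blocks: Dict[str, datetime] = field(default_factory=dict)   # ip -> expiry

    def decide(self, alarm: dict, now: Optional[datetime] = None) -> Decision:
        now = now or datetime.now()
        ip_s = alarm["src_ip"]
        try:
            ip = ipaddress.ip_address(ip_s)
        except ValueError:
            return Decision("escalate", ip_s, "source address does not parse")
        if SEVERITY_RANK[alarm["severity"]] < SEVERITY_RANK[MIN_SEVERITY]:
            return Decision("ignore", ip_s, "below the automation threshold")
        if any(ip in net for net in NEVER_BLOCK):
            return Decision("escalate", ip_s, "internal or allowlisted address; needs a human decision")
        expiry = self.active_blocks.get(ip_s)
        if expiry is not None and expiry > now:
            return Decision("ignore", ip_s, "already blocked")   # idempotent under repeated alarms
        expiry = now + BLOCK_TTL
        self.active_blocks[ip_s] = expiry
        # The vendor-specific rulebase push (the firewall's own API) would be called here.
        return Decision("block", ip_s, f"{alarm['severity']} alarm: {alarm['name']}", expiry)


# Constructed alarms as a SIEM might emit them, in arrival order (not real data).
SAMPLE_ALARMS: List[Tuple[dict, datetime]] = [
    ({"name": "SSH brute force", "severity": "high", "src_ip": "203.0.113.50"}, datetime(2019, 3, 3, 4, 0)),
    ({"name": "SSH brute force", "severity": "critical", "src_ip": "203.0.113.50"}, datetime(2019, 3, 3, 4, 5)),
    ({"name": "Port scan", "severity": "critical", "src_ip": "10.0.5.23"}, datetime(2019, 3, 3, 4, 6)),
    ({"name": "Port scan", "severity": "critical", "src_ip": "203.0.113.10"}, datetime(2019, 3, 3, 4, 7)),
    ({"name": "Policy violation", "severity": "low", "src_ip": "198.51.100.7"}, datetime(2019, 3, 3, 4, 8)),
    ({"name": "SSH brute force", "severity": "high", "src_ip": "203.0.113.50"}, datetime(2019, 3, 4, 4, 1)),  # TTL passed
]


def run_playbook(alarms=SAMPLE_ALARMS) -> List[Tuple[str, str]]:
    """Return (action, ip) per alarm: one block, one refusal per guardrail, then a re-block after expiry."""
    pb = BlockPlaybook()
    return [(pb.decide(a, at).action, a["src_ip"]) for a, at in alarms]


if __name__ == "__main__":
    pb = BlockPlaybook()
    for alarm, at in SAMPLE_ALARMS:
        d = pb.decide(alarm, at)
        print(f"{at:%m-%d %H:%M} {d.action:8} {d.ip:15} {d.reason}")
```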

Summary
Expect more from your SIEM. It should go everywhere your data does.

• Key need: “I want to utilize the cloud, but I don’t want to sacrifice my security visibility.”

• Key feature: Security monitoring for public clouds, private clouds, cloud-based apps, etc.

It should tell you what to do now, and why:

• Key need: “Real-time alerts and alarms are great, but if I don’t know what to do with them, they just become more noise.”

• Key feature: Receive alerts prioritized by threat severity, automate and orchestrate security defenses, receive expert guidance on actions to take, as well as the latest intelligence on emerging threats and how to mitigate them.

It shouldn’t require more work.

• Key need: “I need to pass an audit now, I can’t afford a months-long deployment or complicated manual integration projects.”

• Key feature: Essential security capabilities that are already built-in, along with out-of-the-box compliance reports and extensible integrations with dozens of security vendors to deliver security automation and orchestration.

Process makes perfect.

In the next section, we’ll outline the key steps of your SIEM evaluation process. After all, when you’re making an investment decision that can affect your overall security and compliance posture, it’s important to have a well-documented and disciplined process and keep all stakeholders informed on your progress.

SIEM evaluation process stages

Phase 1: Initial review

Key activities: Determine the set of vendors you’ll review and evaluate, based on the criteria we’ve included in this guide along with your business goals.

Pro-tip: Choose at least 2-3 vendors that you will spend time “kicking the tires” during a proof of concept (POC). Not all vendors will qualify for an investment of your team’s time and attention during an in-depth technical evaluation.

Phase 2: Try it in your own environment

Key activities: Develop key evaluation criteria, run through test cases to see to it that the SIEM works as expected and addresses key technical requirements and satisfies business goals.

Pro-tip: Look for vendors that offer a free trial so you can actually go through the deployment process before purchase. Design test cases that are as close to your real-world priority needs as possible. Find out how easy it is to go from installation to insight with the SIEM.

Phase 3: Final vendor selection

Key activities: Gather and analyze all results from evaluation assessments and team feedback to determine the right SIEM vendor for you. Also evaluate subjective criteria such as rapport with the vendor team, support hours, and policy.

Pro-tip: Include all key stakeholders in this process and document key reasons for selecting the chosen vendor. This may come in handy at renewal time.

SIEM checklist:
Questions for SIEM vendors
What can I do if I don’t have all the external security technologies in place that can
feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, etc.)?

• Ask during the initial review phase: Any SIEM vendor who assumes you have these tools already
in place likely doesn’t have the breadth of functionality you’ll need for fast answers. Eliminate from
consideration; it’s not worth your time.

• Why is this important? It takes a lot of time, staff, and resources to purchase, install, and configure the
essential security controls to feed your SIEM. You can accelerate this with a SIEM platform that includes
these capabilities.

What is the anticipated mix of licensing costs to consulting and implementing fees?

• Ask during the initial review phase: Find out what the ratio is. If implementation costs 30-50% of the
overall cost of the investment, walk away. Fast.

• Why is this important? This question gets to the heart of how challenging the deployment process will
be. It will also expose if their claims of “out-of-the-box” functionality are truly solid.

How many staff members or outside consultants will I need for responding to SIEM
alerts and managing the system overall?

• Ask during the initial review phase: The answer to this could inform whether or not you’ll need to
outsource SIEM management to an MSSP, or explore some degree of MSSP support.

• Why is this important? If your team can’t realistically respond to alerts in a timely fashion, it may be time
to consider an MSSP to manage your SIEM platform.

How long will it take to go from software install to security insight?

• During the trial/proof of concept (POC) phase: Ask them, and then make them prove it. Document how
long it takes to install the software, detect data sources (is it automated?), pull and analyze log data from
at least three data sources, and start issuing alerts and running reports.

• Why is this important? Speed of detection is the number one success factor for preventing a data
breach.

How many staff members or outside consultants will I need for the integration work?

• During the trial / POC phase: Include at least 1-2 external data sources to pull data from. Document how
many people it takes for the work, and how long it takes (and multiply that by all the other sources you’ll
need).

• Why is this important? Fast integration with your entire ecosystem is a critical factor in providing for a
complete security picture.

Do alerts and alarms provide step-by-step instructions for how to mitigate and
respond to investigations?

• During the trial/POC phase: Recreate an event that you would expect would trigger an alert, and
evaluate how much info is provided to fix the issue.

• Why is this important? Cryptic alerts that leave no indication of what to do slow down incident response
and increase risk.

Bottom line: After thorough evaluation, your final SIEM selection decision will likely be based on a combination of objective and subjective criteria such as perceived value, trust and credibility in the vendor, as well as how easy it is to get started and manage over time. Good luck and good threat hunting!

Go beyond SIEM capabilities
AlienVault® Unified Security Management® (USM) by AT&T Cybersecurity delivers powerful threat detection,
incident response, and compliance management in one unified platform. It combines all the essential security
capabilities needed for effective security monitoring across your cloud and on-premises environments, including
continuous threat intelligence updates.

Features                                                          AlienVault USM   Traditional SIEM

Management
  Log management
  Event management
  Event correlation
  Reporting

Security monitoring technologies
  Asset discovery                                                 Built-in         $$ (3rd-party product that requires integration)
  Network IDS                                                     Built-in         $$ (3rd-party product that requires integration)
  Host IDS                                                        Built-in         $$ (3rd-party product that requires integration)
  File integrity monitoring                                       Built-in         $$ (3rd-party product that requires integration)
  Cloud monitoring                                                Built-in         $$ (3rd-party product that requires integration)
  Incident response                                               Built-in         $$ (3rd-party product that requires integration)
  Endpoint detection and response                                 Built-in         $$ (3rd-party product that requires integration)
  Vulnerability assessment                                        Built-in         $$ (3rd-party product that requires integration)

Additional capabilities
  Continuous threat intelligence                                  Built-in         $$ (3rd-party product that requires integration)
  Unified management console for security monitoring technologies Built-in         $$ (3rd-party product that requires integration)

About AT&T Cybersecurity
AT&T Cybersecurity’s edge-to-edge technologies provide phenomenal threat intelligence, collaborative defense, security without the seams, and solutions that fit your business. Our unique, collaborative approach integrates best-of-breed technologies with unrivaled network visibility and actionable threat intelligence from AT&T Alien Labs researchers, Security Operations Center analysts, and machine learning – helping to enable our customers around the globe to anticipate and act on threats to protect their business.



© 2019 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo and other marks are trademarks and service marks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. | 14413-051019
