How to Reduce SIEM Noise and Respond More Effectively to Security Events


In principle, security information and event management (SIEM) sounds like the solution to the challenge of detecting cyber threats. SIEM collects log files and other security data from across the enterprise and stores them in a central database. The system then correlates and analyzes the data to identify abnormal patterns that could suggest a vulnerability, threat, or active incident.

SIEM unifies data from disparate systems and single-purpose security solutions that can only recognize and understand certain data types. All security data can be analyzed and cross-referenced from a single interface, enabling human IT analysts to make better decisions. Alerts and reports are generated automatically so that the IT team can respond quickly to anomalous conditions.


Challenges of SIEM

Despite the benefits, SIEM is not without challenges. “Garbage in, garbage out” applies to SIEM, so significant time must be spent by IT specialists ensuring the right data is collected from each source before being aggregated, normalized, and correlated. If a SIEM platform is not properly tuned, the organization will not get the desired return on investment.

Worse, the IT team will be overwhelmed with false positives and innocuous events, creating “alert fatigue” and making it more difficult to spot an active breach. Various studies have found that more than 40 percent of alerts are false positives, and two-thirds are redundant. However, few organizations without IT specialists know their environment well enough to classify SIEM alerts.


Turn Down the Volume

SIEM tuning involves setting up the proper audit policies to collect the right data, and filtering the data before analysis. Without it, 80 percent of the data analyzed will be “noise.” For example, a port scan against a public-facing resource is an event of negligible importance. However, a port scan originating from an internal secure zone can indicate an active breach and should be investigated by the IT team.

By selectively configuring the audit policies, organizations can prevent systems from recording events that have limited relevance. This can be accomplished with a professional IT consultant. For example, the Audit Object Access policy in Windows can be noisy if everything is turned on. However, the Advanced settings allow administrators to select specific folders, subfolders and even files, and specific types of actions performed on those objects. By narrowing the policy settings, administrators can reduce noise, gain greater visibility, and even improve the server’s performance — all of which an IT network specialist can set up.



Firewalls can also be very noisy. Administrators should set the firewall logs to “informational” and not “debug” to avoid flooding the SIEM with irrelevant data. Individual vendors also have guides for tuning their products.

If it’s not possible to change the logging or auditing policy on a server or device, the SIEM itself can filter the data before it is stored. In some cases, the data can be archived to secondary storage before it is filtered, or the unused data routed to a secondary system. Correlation rules must also be tuned to make the SIEM work more intelligently, which an IT employee can help you do.
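The three ideas in this section and the port-scan example above (drop sub-informational chatter the source could not be told to stop sending, classify a port scan by the zone it comes from rather than by the event alone, and let a correlation rule raise several individually innocuous events as one actionable alert) fit in a small SIEM-side ingest stage. The following Python is an added example written for this article, not code from the original post or from DeSeMa; the log lines, the zone map, the severity ladder, and the correlation thresholds are all constructed for illustration and a real deployment would load them from its asset inventory and detection content.

```python
"""Added example: a minimal SIEM-side filter, dedupe and correlation stage.
All zones, thresholds and log lines below are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone map using RFC 5737 documentation ranges and a private range.
ZONES = {
    "public_dmz": [ip_network("203.0.113.0/24")],
    "internal_secure": [ip_network("10.10.0.0/16")],
}
# Syslog-style severity ladder; anything below MIN_SEVERITY is never stored.
SEVERITY_RANK = {"debug": 0, "informational": 1, "notice": 2,
                 "warning": 3, "error": 4, "critical": 5}
MIN_SEVERITY = "informational"
CORRELATION_WINDOW = 300      # seconds (assumed value)
CORRELATION_MIN_TYPES = 3     # distinct low-priority event types per source

# Constructed key=value log lines: firewall debug noise, an internet scan of a
# DMZ host (duplicated), an internal-zone scan, and a quiet internal host
# producing three different low-severity events within a few minutes.
SAMPLE_LOG = """\
ts=1000 sev=debug type=fw_deny src=198.51.100.7 dst=203.0.113.10
ts=1001 sev=informational type=portscan src=198.51.100.7 dst=203.0.113.10
ts=1002 sev=informational type=portscan src=198.51.100.7 dst=203.0.113.10
ts=1010 sev=notice type=portscan src=10.10.5.20 dst=10.10.8.2
ts=1100 sev=informational type=auth_fail src=10.10.7.9 dst=10.10.8.2
ts=1130 sev=informational type=auth_fail src=10.10.7.9 dst=10.10.8.2
ts=1160 sev=informational type=new_service src=10.10.7.9 dst=10.10.8.2
ts=1200 sev=informational type=outbound_smb src=10.10.7.9 dst=198.51.100.9
"""


def zone_of(ip):
    """Map an address to a named zone; unknown addresses are treated as external."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def parse_line(line):
    """Parse one constructed key=value line into a dict with an integer timestamp."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["ts"] = int(ev["ts"])
    return ev


def triage(ev):
    """Return the event tagged with a priority, or None if it should be dropped.

    Sub-informational events (firewall debug output) are discarded before
    storage. A port scan is judged by its source zone: from the internal secure
    zone it is escalated, while an external scan of a public-facing host is
    the negligible background noise the article describes."""
    if SEVERITY_RANK.get(ev["sev"], 0) < SEVERITY_RANK[MIN_SEVERITY]:
        return None
    if ev["type"] == "portscan":
        src_zone, dst_zone = zone_of(ev["src"]), zone_of(ev["dst"])
        if src_zone == "internal_secure":
            return dict(ev, priority="high", reason="port scan from internal secure zone")
        if src_zone == "unknown" and dst_zone == "public_dmz":
            return None
    return dict(ev, priority="low")


def dedupe(events):
    """Collapse repeats of the same (type, src, dst) into one event with a count."""
    merged = {}
    for ev in events:
        key = (ev["type"], ev["src"], ev["dst"])
        if key in merged:
            merged[key]["count"] += 1
            merged[key]["last_ts"] = ev["ts"]
        else:
            merged[key] = dict(ev, count=1, last_ts=ev["ts"])
    return list(merged.values())


def correlate(events):
    """Raise one high-priority alert per source that shows CORRELATION_MIN_TYPES
    distinct low-priority event types inside CORRELATION_WINDOW seconds."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["priority"] == "low":
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            window = [e for e in evs[:i + 1] if e["ts"] >= ev["ts"] - CORRELATION_WINDOW]
            types = sorted({e["type"] for e in window})
            if len(types) >= CORRELATION_MIN_TYPES:
                alerts.append({"src": src, "priority": "high",
                               "reason": "correlated: " + ", ".join(types),
                               "first_ts": window[0]["ts"], "last_ts": ev["ts"]})
                break
    return alerts


def process(log_text):
    """Run filter, dedupe and correlation; return what was kept, dropped and raised."""
    kept, dropped = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        tagged = triage(ev)
        (kept if tagged else dropped).append(tagged or ev)
    kept = dedupe(kept)
    return {"kept": kept, "dropped": dropped, "correlated": correlate(kept)}


if __name__ == "__main__":
    result = process(SAMPLE_LOG)
    print(len(result["dropped"]), "dropped,", len(result["kept"]), "kept after dedupe")
    for alert in result["correlated"]:
        print("ACTIONABLE", alert["src"], alert["reason"])
```

On the constructed input the stage drops the debug line and both copies of the external scan, keeps four events (the internal-zone scan already at high priority, and the two repeated authentication failures merged into one event with a count), and raises a single correlated alert for the internal host whose three separate low-severity events would each have been ignored on their own. The zone lookup is the piece that gives an alert context: the same `portscan` event type lands in the drop bucket or the high-priority bucket purely on where it originates, which is the distinction the article draws.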


How DeSeMa Can Help

Understanding how to fine-tune audit policies and filter data is a matter of reading product documentation. Knowing what data to capture requires an understanding of current threats and cyberattack chains, as well as specific risks to your environment. IT teams must stay on top of the latest threat intelligence and any new vulnerabilities across the attack surface.

DeSeMa specializes in mapping the data moving through your environment to classify alerts with proper context so that what you see is relevant and actionable. IT environments and the threat landscape are constantly changing, so a thorough review of your environment by one of our IT specialists can help ensure that the right systems and devices are being monitored and the right data collected.

We also specialize in tuning correlation rules so that multiple, otherwise innocuous alerts can be identified and raised as an actionable concern. Our IT consultants and specialists can help ensure that you've set the proper behavioral baselines and are monitoring the right behaviors so that anomalous events can be identified.


Get A Consultation

SIEM helps maximize the effectiveness of security controls and enables IT teams to become more proactive and efficient when responding to security threats. Without proper tuning, however, SIEM tends to generate a lot of noise and create alerts for events that aren’t serious. Let DeSeMa help you tune your SIEM to weed out irrelevant and duplicative alerts and provide the context needed to investigate actual threats. Call one of our IT specialists for a consultation today!
