How to identify when youâve lost control of your SIEM (and how to rein it back in)
– Dan Whalen
The first step to identifying when youâve lost control of your SIEM is to pay attention to your data sources. Your SIEM can only monitor as much as the sources it is ingesting. If youâve made changes to your environment or added new sources, you could easily start receiving more events than you can track, which can lead to significantly diminishing returns in your SIEMâs ability to detect threats. Next, take a close look at your rule base. Are the rules powered by your technology partner or written in-house. Outdated rule bases can fail to detect threats, waste time, and more importantly, create thousands of false positives. If youâre not sure whether your rule base is up to date, consider working with a partner that specializes in SIEM or even writing your own rules in-house. Similarly, examine your data retention policy and determine whether your SIEM cellar is configured to hold enough data to ensure accurate security investigations. Failing to do this can result in a system that is so far behind that compliance and other audits become virtually impossible. Finally, evaluate whether your system is connected to a larger security architecture. Without a holistic view of your data, itâs increasingly
Link: https://expel.com/blog/how-to-identify-when-youve-lost-control-of-your-siem/