
Part 2: Setting up the technical architecture of your SIEM – common obstacles and best practices to overcome them

Capgemini
2019-08-16

In short, your SIEM is worth nothing without a correctly installed hardware and software foundation.

However, when it comes to setting up the technical architecture of a SIEM, we have identified three recurring obstacles:

  1. Lack of quality in the Configuration Management Database (CMDB)
  2. Inappropriate testing before onboarding the productive servers
  3. Loose commitment and budget constraints

In this article, we share best practices for overcoming each of these issues during your SOC/SIEM project.

  1. A high-quality CMDB is the foundation for properly protecting your assets from attacks.

A high-quality CMDB is key to successfully onboarding your assets into the SIEM. In practice, however, the CMDB is often of lower quality than desired or required. In several projects we have seen the initially provided CMDB extract cover most IT assets, only for essential assets to surface later in the project that were never listed at all. Shared infrastructure components in particular are regularly missing from these databases.

Not having all assets on the agenda from the beginning can lead to serious project delays. These delays hit the implementation of use cases hardest, especially when deadlines agreed with governmental authorities must be met. Imagine not monitoring your firewalls in the SIEM simply because they are shared with other clients of your IT service provider and therefore never appeared in your CMDB: this is something you definitely want to avoid. Our experience suggests focusing on the following core topics:

  • Take your CMDB as the foundation of any efficient cybersecurity hygiene.
  • Keep in mind, however, that your IT infrastructure contains important assets beyond those listed, so thoroughly analyze every configuration item in your CMDB and explicitly ask your IT service provider about shared infrastructure components, such as firewalls serving multiple clients, which rarely appear in your own extract.

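
One practical way to surface these gaps early is to reconcile the CMDB extract against the log sources that are actually reporting to the SIEM, in both directions. The script below is an added example and not part of the original article or any Capgemini tooling; the CMDB extract, the SIEM source inventory, the host names and the `siem_scope` column are all constructed for illustration. It reports three lists: in-scope configuration items that have never sent an event (onboarding gap), hosts sending events that the CMDB does not know about (CMDB gap, typically shared infrastructure), and in-scope hosts whose last event is older than an allowed silence window (a source that was onboarded but has gone quiet).

```python
"""Reconcile a CMDB extract against the log sources reporting to the SIEM.

Added example, not from the original article. Both inputs are constructed
inline; in a real project you would export them from the CMDB and the SIEM.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed CMDB extract with hypothetical host names. The siem_scope column
# is an assumed field marking which configuration items should be monitored.
CMDB_CSV = """ci_name,ci_type,owner,siem_scope
srv-erp-01,server,client,yes
srv-web-01,server,client,yes
srv-db-02,server,client,yes
srv-dev-07,server,client,no
dc-01,domain_controller,client,yes
"""

# Constructed SIEM source inventory: each host that has ever delivered an
# event, with the UTC timestamp of its most recent event. Note that the
# shared firewall fw-shared-01 reports to the SIEM but is absent from the CMDB.
SIEM_CSV = """source_host,last_event_utc
srv-erp-01,2019-08-15T22:10:00
dc-01,2019-08-15T23:58:00
fw-shared-01,2019-08-15T23:59:00
srv-web-01,2019-08-01T03:00:00
"""

# Point in time the reconciliation is run (fixed so the example is reproducible).
AS_OF = datetime(2019, 8, 16, tzinfo=timezone.utc)


def load_cmdb(text):
    """Return {ci_name: row} for every configuration item in the extract."""
    return {row["ci_name"]: row for row in csv.DictReader(io.StringIO(text))}


def load_siem(text):
    """Return {source_host: last_event_datetime (UTC)} for every reporting host."""
    return {
        row["source_host"]: datetime.fromisoformat(row["last_event_utc"]).replace(tzinfo=timezone.utc)
        for row in csv.DictReader(io.StringIO(text))
    }


def reconcile(cmdb, siem, now, max_silence=timedelta(days=2)):
    """Compare CMDB scope with observed SIEM sources and return the three gap lists."""
    in_scope = {name for name, row in cmdb.items() if row["siem_scope"] == "yes"}
    reporting = set(siem)
    return {
        # Meant to be monitored according to the CMDB, but the SIEM has never seen an event.
        "not_onboarded": sorted(in_scope - reporting),
        # Delivering events, but unknown to the CMDB: candidates for the shared-infrastructure gap.
        "not_in_cmdb": sorted(reporting - set(cmdb)),
        # Onboarded and in scope, but silent for longer than max_silence.
        "silent": sorted(h for h in in_scope & reporting if now - siem[h] > max_silence),
    }


def report():
    """Run the reconciliation on the constructed data and return the gap lists."""
    return reconcile(load_cmdb(CMDB_CSV), load_siem(SIEM_CSV), AS_OF)


if __name__ == "__main__":
    for category, hosts in report().items():
        print(f"{category}: {', '.join(hosts) if hosts else '-'}")
```

Each of the three lists maps to a different owner in the project: `not_onboarded` goes to the onboarding work package, `not_in_cmdb` goes back to whoever maintains the CMDB (and to the IT service provider, if the host is shared infrastructure), and `silent` is an operational issue for the SOC provider. Running the check on every new CMDB extract, rather than only once at project start, is what catches the assets that appear as the project progresses.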
  2. Testing is the most obvious best practice in any IT project but is frequently neglected in SOC/SIEM projects.

Testing is a best practice that is easily neglected as the deadline approaches. However, only proper testing ensures that IT operations keep running smoothly with the new SIEM components, and the test records serve as evidence in IT audits. Furthermore, it can significantly increase the acceptance of the SIEM within your organization, which is a critical success factor for your project. From our experience, the following points matter most:

  • Thoroughly test the key components of your SIEM together with all parties: the IT service provider, the SOC provider and your internal IT units.
  • Comply with the internal testing standards of all parties.
  • Properly document the tests and share the test results with all parties involved in the testing.

  3. Budget constraints prevent you from setting up the relevant hardware properly and on time.

Budget is the ultimate killer of your SOC/SIEM project, especially given the number of parties involved. You must consider budget constraints from the very beginning of your project. Your SOC provider needs to be contractually obliged to provide end-to-end SOC services, including the set-up of the hardware components. However, you must also ensure that your IT service provider provides the resources required to install all relevant components and that their work package is budgeted from the beginning as well. Otherwise you will get bogged down in a stream of unbudgeted service requests. Finally, ensure that your internal resources in the relevant IT units have enough capacity to support the project, and get the buy-in of the heads of the affected departments: there is nothing more valuable than supportive internal resources that also have the time to contribute to the project.

All this is especially important in the context of rapidly changing IT architectures. With an increasing degree of server virtualization and concepts like Software-as-a-Service (SaaS), IT architecture components change more frequently. As a result, simply because the architecture keeps evolving, an ever smaller share of your overall IT architecture may remain connected to the SIEM. It is therefore essential to have the continuous onboarding of new IT architecture components contractually arranged and budgeted with all stakeholders. Ultimately, you must also anticipate how your SIEM will evolve in the future: should your entire IT architecture be monitored in the SIEM, or do you want to focus on core systems only (for instance to save licensing and operational costs)? It is highly recommended to cover these aspects in your contract negotiations as well.

By following these best practices, you set the baseline for a successful implementation of your SIEM's technical architecture.

Based on our diverse project experiences, Capgemini Invent has developed a tested framework for SIEM/SOC projects that helps our clients make their SIEM/SOC project a success.