SIEM tools can be a crucial part of securing your organization’s network. And a managed SIEM service can be an efficient and affordable way to utilize SIEM security.
But here’s an important question that you’ll want to ask your SIEM as a Service provider: do I have access to my data?
What Is SIEM Data?
We’ve talked about this in our post on managed SIEM services, but SIEM stands for Security Information and Event Management.
SIEM platforms consolidate logs from the collection points across your entire environment into one central location, where they can be monitored for anomalous behavior.
Of course, that means all of that data has to go somewhere.
Where Does Your SIEM Data Go?
Where does the data get collected? Well, that largely depends on whether you are using a cloud-based SIEM, or one that is installed on-prem.
If you’re using a managed SIEM service for a SIEM that’s installed on-prem, they’ll be consolidating your data locally, on the premises, and then sending reports to their location for monitoring and management.
In this case, it’s pretty obvious that you have access to your data, as it stays on-site. But what if your SIEM as a Service (SaaS) provider uses a cloud-based SIEM?
Well, that means they’re sending your data off-site, so it can be monitored.
Is Moving SIEM Data Off-Site Safe?
There are pros and cons to using a cloud-based managed SIEM service. One of the cons, and there is no doubt about it: transmitting data carries risk.
That being said, while some organizations feel safer keeping the SIEM software on-prem, there are many ways to transmit data to a cloud-based SIEM reliably and safely without exposing it.
“In flight” data can be vulnerable if the right precautions aren’t taken, but the risk is small if managed correctly.
If you use a managed SIEM service, know how often the SaaS provider updates their systems and integrations, and above all else make sure they have great encryption practices for your logs… whether they are in flight or at rest.
Do I Still Own My SIEM Data Once It’s Sent?
Your data is your data, whether you use an on-prem SIEM or one that is based on the cloud.
A SIEM provider doesn’t claim ownership of your data; they just want to monitor your logs and manage any threats that arise.
That being said, just because you own your data doesn’t always mean you’ll have access to it whenever you want.
What Data Access Do I Get With A Managed SIEM Service?
What data can you access? It depends entirely on your SaaS provider.
Some managed SIEM services don’t give you any access to your raw data. Event logs are consolidated for reporting, and you receive the reports once they are completed.
You may get limited, time-delayed access to your logs. The data is sent to the SaaS provider, they work up their reports, and then you’ll get access to your logs after the reports are delivered.
And then there are some SIEM providers who will give you real-time data access whenever you need it. The best will give you interactive dashboards so you can see your logs yourself whenever you want, allowing your in-house IT team to be as informed as your offsite cybersecurity provider.
Our two cents: you should have access to it all. And some SIEM as a Service providers will make sure that you get it. Make sure you properly vet your managed SIEM service provider and ask them what access you’ll get to your data… before you sign on the dotted line.
Why Do I Even Need To See My Data?
This is a pretty good question: if you’re hiring a managed SIEM service to monitor and manage all your raw data logs and present reports that are more easily understood, why would you need access to those logs anyway?
Well, there are a few reasons you may want to go back to the data:
To Check The Logs That Weren’t Reported
Managed SIEM services are great at monitoring for anomalous activity, proactively stopping the incursion before it compromises your system, and then reporting that activity back to you.
At least, they should be.
Here’s the truth: your SIEM provider can provide superior protection against threats… if they’re taking the time to understand your organization’s unique fingerprint. How you do business, who you do business with, and what activity patterns are normal for you.
A real business partner will take the time to uncover your business’ data fingerprint.
If they don’t take the time to meet with you regularly and really thoroughly understand what your logs should look like, they may miss odd behavior in the logs.
Some logs that aren’t being reported on may end up being malicious. And you don’t want that malicious activity to go completely undetected.
If you suspect that your SIEM provider may be missing some threats, you’ll want to at least have the ability to go back and double-check some logs yourself, to look for activity that exists outside your normal data patterns.
To Keep An Eye On Integration Delays
One of the possible weaknesses of a SIEM solution is its integrations.
The software that makes up your system, from your firewalls and servers to your CRM, is constantly updating, which means the way each piece integrates with your SIEM should be updating too.
The older your software, and the older your software integrations, the more at risk your data is.
If your SIEM provider isn’t giving you regular updates on how your integrations are being managed and updated, you may want to double-check the logs for those software platforms in question, to make sure nothing looks amiss.
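As an added example (not Bitlyft’s code or tooling), here is a small Python check that the raw-data access discussed in this section and the previous one makes possible: it reads a raw log export, flags sources that have gone quiet (a likely integration delay) and hours in which a source’s volume breaks from its own baseline (activity outside your normal pattern). The export format, the source names, the sample events and the thresholds are all assumptions made up for this example.

```python
import statistics
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample raw-log export, one event per line: "<timestamp> <source> <message>".
SAMPLE_EXPORT = """\
2024-05-01T09:05:00Z firewall-a ACCEPT tcp 10.0.0.5 -> 10.0.1.8:443
2024-05-01T09:10:00Z crm-app login ok user=alice
2024-05-01T09:20:00Z firewall-a ACCEPT tcp 10.0.0.6 -> 10.0.1.8:443
2024-05-01T10:15:00Z firewall-a DENY tcp 10.0.0.9 -> 10.0.1.8:22
2024-05-01T10:30:00Z crm-app login ok user=bob
2024-05-01T10:40:00Z firewall-a ACCEPT tcp 10.0.0.5 -> 10.0.1.8:443
2024-05-01T12:02:00Z firewall-a DENY tcp 198.51.100.7 -> 10.0.1.8:22
2024-05-01T12:03:00Z firewall-a DENY tcp 198.51.100.7 -> 10.0.1.8:22
2024-05-01T12:04:00Z firewall-a DENY tcp 198.51.100.7 -> 10.0.1.8:22
2024-05-01T12:05:00Z firewall-a DENY tcp 198.51.100.7 -> 10.0.1.8:22
2024-05-01T12:06:00Z firewall-a DENY tcp 198.51.100.7 -> 10.0.1.8:22
2024-05-01T12:07:00Z firewall-a DENY tcp 198.51.100.7 -> 10.0.1.8:22
"""
SAMPLE_NOW = datetime(2024, 5, 1, 13, 0, tzinfo=timezone.utc)  # pretend "now" for the sample

def parse_export(text):
    """Parse the export into (timestamp, source) pairs; the message text is not needed here."""
    events = []
    for line in text.splitlines():
        ts, source, _msg = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), source))
    return events

def silent_sources(events, now, max_gap):
    """Sources whose newest event is older than max_gap: a likely broken or lagging integration."""
    last_seen = {}
    for ts, source in events:
        last_seen[source] = max(ts, last_seen.get(source, ts))
    return {s: t for s, t in last_seen.items() if now - t > max_gap}

def volume_spikes(events, source, factor=3.0):
    """Hours in which a source logged at least factor x its own median hourly volume."""
    per_hour = Counter(ts.replace(minute=0, second=0) for ts, s in events if s == source)
    baseline = statistics.median(per_hour.values()) if per_hour else 0
    return sorted((hour, n) for hour, n in per_hour.items() if n >= factor * baseline)

def audit(text=SAMPLE_EXPORT, now=SAMPLE_NOW, max_gap=timedelta(hours=2)):
    """Run both checks over an export; returns (silent sources, per-source spike hours)."""
    events = parse_export(text)
    silent = silent_sources(events, now, max_gap)
    spikes = {src: volume_spikes(events, src) for src in {s for _, s in events}}
    return silent, spikes
```

On the sample, `audit()` reports crm-app as silent (nothing since 10:30 with a two-hour limit) and the 12:00 hour on firewall-a as a spike, the kind of finding you can only make yourself if you can reach the raw logs.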
To Proactively Tune Your Reporting
A report from a managed SIEM service is only as good as the data that makes up the report. If you can’t trust the report to be accurately sifting through the right information, looking for the right kind of activity… then it’s not worth the paper it’s printed on. (If you print out your reports, that is.)
It goes back to the idea of understanding your business’ fingerprint. If you can access your data, you can see what’s normal for you and what isn’t. You can analyze that against how you do business.
And it can help you understand how to keep an eye out for the right kind of activity to report.
Your managed SIEM service provider should be constantly working with you to proactively tune your reporting based on your current active data patterns. If they aren’t, it may be worth the time to put your eyeballs on your data logs to make sure nothing is amiss that you should be reporting on in the future.
A Managed SIEM Solution You Can Trust
At Bitlyft Cybersecurity, you always have access to your data. We provide customized dashboards that allow you to access all of your logs, in real time, for any reason.
We love transparency, and our most important priority is the security of your organization’s sensitive data, your employees’ sensitive data, and your clients’ sensitive data.
Bitlyft Cybersecurity will meet with your team regularly to make sure we stay on top of your organization’s unique data fingerprint and proactively seek out potential malicious activity. And we always stay on top of your integrations.
Request a demo today, and let us show you what we can do.