Cyber Security
Building a modern security operations centre

How to protect your organisation’s information
By Jason Legge, Head of Security Consulting, Huntsman Security

18 | Australian Cyber Security Magazine

Security Information and Event Management (SIEM) technologies are not new, but there remains plenty of misinformation and misunderstanding about how to use them. Critics dismiss them as little more than log collection and storage tools that, because of their management overhead, give little in the way of return on investment (ROI). What these critics fail to acknowledge is that, by rethinking how security operations centres (SOCs) operate, SIEM technologies deliver significant operational benefits and efficiencies.

Do you know what it takes to deploy a SIEM and upgrade your security to enable proactive threat hunting? By integrating a SIEM into the core of your SOC and re-engineering some of the processes, you can start to improve your cyber assurance and realise a highly favourable ROI.

Let’s start with staffing. You might already have a security team looking after firewalls, antivirus products and intrusion prevention systems. That’s a lot of “security systems” to monitor, and the addition of a SIEM may just add yet another thing to do. But what if you look at the SIEM from the perspective of a consolidation technology, one that merges information from all these systems into a single screen?

Instead of going straight to security operations, start talking to your network, server and desktop teams, and maybe even your database team, to see which aspects of security operations would sit more naturally with them. For example, adjusting the rule-set on a firewall is not unlike changing the configuration on a router or core switch. Your network team almost certainly knows all about firewall administration already; firewalls are simply another networking device. If you can move the operation and management of your firewalls to the networking team, you will have freed up time for your security operations team to focus on threat management and assurance.

A second example might be to consider reallocating responsibility for your antivirus technology to your server and desktop team. That team usually manages the configuration and software build of operating systems, along with software distribution and general systems administration, so adding