Don't Just Tune Your SIEM, Retune It

Don't Just Tune Your SIEM, Retune It
Your SIEM isn't a set-it-and-forget-it proposition. It's time for a spring cleaning.

Any system information and event management (SIEM) system will require a good deal of customization out of the box before the organization deploying it will see useful data. Once set up, though, the SIEM quickly becomes an invaluable tool in the engineer's toolbox for identifying risks, trends, malicious activity, and even simple misconfigurations. But how many organizations are treating the SIEM as a static solution and simply "setting and forgetting"?


The reality is that our environments are constantly evolving: data types, endpoints, subnets, compliance requirements, technology and business risk, and other variables we draw upon when we set up the SIEM initially are all dynamic. Of course, in larger organizations there are likely to be teams dedicated to maintaining the SIEM that remain aware of these changes and adjust as necessary. But in smaller organizations, we tend to get bogged down in day-to-day activities that prevent us from capturing all these changes. After all, the shortage of cybersecurity staff is well known and shows no signing of easing. Over time, alerts become stale and incomplete if these changes are neglected, eventually leading to the infamous alert fatigue.


If you find yourself in the latter category, consider treating your SIEM updates like a spring cleaning exercise this year — one or two long days dedicated to reviewing all your alerts, rules, variables, and other criteria in the SIEM to see what is still relevant and what's not, what's changed, and consider some of the following items:


Have any application updates for the SIEM been released but not applied? Hopefully not, but take this opportunity to confirm and patch your sy ..