Ben Harrison, Director SOC and Security Services at Cygilant and Jake McCabe, CISSP, Presales Director at LogPoint discuss why SIEM enrichment is essential to cybersecurity and how it improves your SOC.
A mountain of data doesn’t do businesses any good unless it is put to good use. This is why data enrichment is essential.
Enriching data adds essential context that helps businesses better understand their security posture. For example, log data can be cryptic because it’s not intended to be particularly helpful on its own. However, if a log references an IP address, it might be helpful to know more information about it. Does it have a fully qualified domain name? Is it a known good IP address or part of a botnet? These are the types of contextual clues businesses can use to secure their environment.
The SIEM enrichment process takes data from different sources and correlates it. A modern SIEM can enrich data at the point of ingestion, appending additional metadata to logs (which matters most for ephemeral data that cannot be looked up reliably later), and again at query time. If a correlation needs to be drawn between multiple data sources, you should also be able to do this dynamically.
A modern SIEM performs the simple, and sometimes complex, enrichment that is time-consuming for humans, and it automates the repetitive steps a SOC analyst would otherwise carry out by hand. To refer back to our earlier log data example, a SIEM lets SOC analysts see more information without having to dig for the domain that corresponds to an IP address or the full username behind a short login. This not only helps during an investigation; enriched data also lets SOCs run more complex and sophisticated analytics.
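The two enrichment points described above, illustrated as an added example (this is not code from the article, Cygilant or LogPoint): constructed sshd log lines are parsed and enriched at ingestion with reverse DNS, reputation and directory context, then correlated at query time against a second constructed source (DHCP leases) before a detection runs over the enriched events. The lookup tables, addresses (RFC 5737 documentation ranges), usernames and lease records are all invented.

```python
import re
from dataclasses import dataclass, field

# --- Constructed enrichment sources: stand-ins for reverse DNS, a threat
# --- intel feed, an allowlist and an identity directory. All values invented.
REVERSE_DNS = {
    "203.0.113.5": "vpn-gw01.corp.example",
    "198.51.100.77": "jumphost.corp.example",
}
KNOWN_GOOD = {"203.0.113.5", "198.51.100.77"}
THREAT_FEED = {"192.0.2.99": "botnet-c2"}          # constructed indicator
DIRECTORY = {"jdoe": "Jane Doe (Finance)", "svc-backup": "Backup service account"}

# Second data source used for query-time correlation: DHCP leases (constructed).
LEASES = [
    {"ip": "203.0.113.5", "hostname": "LAPTOP-JDOE",
     "start": "2024-03-01T07:00:00", "end": "2024-03-01T19:00:00"},
    {"ip": "192.0.2.99", "hostname": "UNKNOWN-DEVICE",
     "start": "2024-03-01T08:00:00", "end": "2024-03-01T09:00:00"},
]

# Constructed sshd log lines in a simplified syslog layout.
SAMPLE_LOGS = [
    "2024-03-01T08:15:00 host1 sshd[412]: Accepted password for jdoe from 203.0.113.5 port 51022",
    "2024-03-01T08:16:30 host1 sshd[418]: Failed password for root from 198.51.100.77 port 51100",
    "2024-03-01T08:20:05 host2 sshd[901]: Accepted password for svc-backup from 192.0.2.99 port 40001",
    "2024-03-01T08:21:00 host2 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",  # not an auth line
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


@dataclass
class Event:
    ts: str
    host: str
    result: str
    user: str
    ip: str
    enrichment: dict = field(default_factory=dict)


def parse(line):
    """Return an Event for an sshd auth line, or None for anything else."""
    m = LOG_RE.match(line)
    return Event(**m.groupdict()) if m else None


def enrich_at_ingest(event):
    """Ingestion-time enrichment: attach context that must be captured while
    the log is fresh, since reverse DNS, reputation and directory data drift."""
    event.enrichment["fqdn"] = REVERSE_DNS.get(event.ip)
    if event.ip in THREAT_FEED:
        event.enrichment["reputation"] = THREAT_FEED[event.ip]
    elif event.ip in KNOWN_GOOD:
        event.enrichment["reputation"] = "known-good"
    else:
        event.enrichment["reputation"] = "unknown"
    event.enrichment["user_full"] = DIRECTORY.get(event.user, "<not in directory>")
    return event


def ingest(lines):
    """Parse and enrich every line; lines that do not match are dropped."""
    return [enrich_at_ingest(e) for e in map(parse, lines) if e is not None]


def correlate_with_leases(events, leases):
    """Query-time correlation: join each event to the DHCP lease active at its
    timestamp. All timestamps share one ISO layout, so string order is time order."""
    for ev in events:
        ev.enrichment["dhcp_hostname"] = next(
            (lease["hostname"] for lease in leases
             if lease["ip"] == ev.ip and lease["start"] <= ev.ts <= lease["end"]),
            None,
        )
    return events


def suspicious_logins(events):
    """Detection over enriched events: successful logins from IPs not known good."""
    return [ev for ev in events
            if ev.result == "Accepted" and ev.enrichment["reputation"] != "known-good"]


if __name__ == "__main__":
    evs = correlate_with_leases(ingest(SAMPLE_LOGS), LEASES)
    for ev in suspicious_logins(evs):
        print(f"{ev.ts} {ev.user} ({ev.enrichment['user_full']}) from {ev.ip} "
              f"[{ev.enrichment['reputation']}, dhcp={ev.enrichment['dhcp_hostname']}]")
```

The split mirrors the article's point: `enrich_at_ingest` captures context that would be lost or stale if looked up later, while `correlate_with_leases` is a join that can be recomputed for any query against a separately retained source. The detection at the end only becomes a one-line filter because the reputation and identity context is already attached to each event.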
- Doing the Basics Well
- Demonstrable Customer Security Value
- Frameworks & MITRE ATT&CK
- Plan Your Use Cases
- Process, Process, Process
- Data is King