Deploying a SIEM requires strategic planning. Before committing to a deployment, an organization must decide how much risk it is willing to accept, what its security priorities are, and which use cases it will implement. From there, the security operations team must identify its inputs, the data the SIEM will gather, before rolling anything out. Otherwise the SIEM will not produce the output you actually want: high-fidelity alerts the team can act on.
While there is a wide range of security data your team could collect, the scope of what the SIEM ingests must map back to the use cases and security objectives the team has established. Ask two key questions:
- What data sources contain the information necessary to fill the use cases identified by your organization?
- Where do these data sources live? Are they in the cloud, on premises, or in a secured subnet?
The answers tell the security operations team which data sources it needs and how to move that data to the SIEM securely, which for a cloud-hosted platform means across the network boundary. Common data types a SIEM ingests include:
- Firewall/proxy logs
- Vulnerability data
- Data from other network security products
- Network appliance logs
- Endpoint security logs
- Threat intelligence feeds
- NetFlow data
- OS logs
In addition to identifying the right data sources, it is also important to understand how the data reaches a SIEM such as Devo Security Operations. A SIEM can pull data from the sources, or the sources can push data to the SIEM. Either way, the data must retain its confidentiality, integrity and availability (the CIA triad) on the way in; otherwise security operations cannot rely on it.
This is where Devo Relay plays an important role. Our customers need an efficient and secure way to forward data to the Devo Platform. Some also need to keep certain types of data from ever being transmitted to the Devo Platform, or need to mask sensitive fields before they leave the network. Relay lets end users forward all selected data sources, efficiently and securely, to the Devo Platform, while tagging, filtering, buffering, masking and compressing the data on the way. This reduces network bandwidth requirements, provides resilience against network infrastructure failures, and ensures the data arrives reliably.
Here’s how Devo Relay facilitates securing your data:
- Data confidentiality: Data is encrypted in transit between Devo Relay and the Devo Platform. Data sent to Devo Relay can also be encrypted where the data source supports it and the organization requires it. You can also require password authentication and manage Relay configuration with role-based access control. This protects the data from unintentional, unlawful or unauthorized access and significantly reduces your exposure. Masking sensitive fields at the relay also plays a critical role in compliance with regulations such as GDPR, which may require pseudonymizing or masking personal data before it is transferred.
- Data integrity: Once Devo Relay sends data to the Devo Platform, Devo preserves the accuracy, completeness and consistency of the transmitted data: it is encrypted in transit, written to storage in its raw format, and never modified afterward. Analysts and automated analysis therefore work from exactly the events the sources emitted (after any masking you chose to apply at the relay) and can generate accurate insights efficiently.
- Data availability: Devo Relay's buffering and high-availability support keep data flowing to the Devo Platform through unexpected network disruptions: events received while the link is down are held locally and delivered when connectivity returns, rather than being dropped. As with any store-and-forward buffer, capacity is finite, so size it for the longest outage you expect to ride out. Without full data availability, insights may be incomplete or inaccurate, and security risks can be overlooked.
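To make the relay-side operations above concrete (filtering, masking, tagging, compressing, and an integrity check on what is forwarded), here is a small store-and-forward pipeline written for this article. It is added example code, not Devo Relay and not Devo's own configuration or APIs. The sample log lines, the drop pattern, the regular expressions, the tag name and both keys are constructed placeholders for the illustration; a real deployment would take them from policy and a secrets store. Integrity is shown with a keyed HMAC over the exact bytes forwarded, so a record altered in transit fails verification at the receiving side; the page's own integrity guarantee comes from Devo's transport encryption and immutable raw storage, and this block only demonstrates the principle.

```python
"""Toy log relay: filter, mask, tag, authenticate and compress a batch of
log lines before forwarding. Illustrative code for this article; it is not
Devo Relay and does not use Devo APIs."""
import hashlib
import hmac
import json
import re
import zlib

# Constructed sample events (not real traffic).
SAMPLE_LOGS = [
    'Jan 10 12:00:01 fw01 conn=accept src=10.1.2.3 dst=203.0.113.7 dport=443',
    'Jan 10 12:00:02 app01 login user=alice@example.com src=10.1.2.3 result=ok',
    'Jan 10 12:00:03 lb01 GET /healthz 200 src=10.0.0.5',
    'Jan 10 12:00:04 app01 login user=alice@example.com src=198.51.100.9 result=fail',
    'Jan 10 12:00:05 pay01 charge card=4111111111111111 amount=42.00',
]

# Assumed policy for the example: drop load-balancer health checks,
# pseudonymise e-mail addresses, fully mask card numbers except the last 4.
DROP_PATTERNS = [re.compile(r'GET /healthz ')]
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')
CARD_RE = re.compile(r'\b\d{13,19}\b')
PSEUDONYM_KEY = b'example-pseudonym-key'   # placeholder, rotate in practice
INTEGRITY_KEY = b'example-shared-relay-key'  # placeholder shared with receiver


def should_forward(line: str) -> bool:
    """Filtering: anything matching a drop pattern never leaves the relay."""
    return not any(p.search(line) for p in DROP_PATTERNS)


def pseudonymise(value: str) -> str:
    """Keyed hash: the same identity always yields the same token, so
    correlation across events still works without the plaintext."""
    tok = hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()
    return 'user-' + tok[:16]


def mask(line: str) -> str:
    """Masking: card numbers first (so the hex pseudonym can never be
    mistaken for a digit run), then e-mail addresses."""
    line = CARD_RE.sub(lambda m: '*' * (len(m.group(0)) - 4) + m.group(0)[-4:], line)
    line = EMAIL_RE.sub(lambda m: pseudonymise(m.group(0)), line)
    return line


def digest(raw: str) -> str:
    """HMAC over the exact bytes forwarded; the receiver holds the same key."""
    return hmac.new(INTEGRITY_KEY, raw.encode(), hashlib.sha256).hexdigest()


def build_record(line: str, tag: str) -> dict:
    """Tagging plus the integrity tag, computed after masking."""
    masked = mask(line)
    return {'tag': tag, 'hmac': digest(masked), 'raw': masked}


def verify_record(rec: dict) -> bool:
    """Constant-time comparison so verification leaks nothing via timing."""
    return hmac.compare_digest(digest(rec['raw']), rec['hmac'])


def relay_batch(lines, tag: str = 'syslog.example') -> bytes:
    """Relay side: filter, mask, tag, then compress the whole batch."""
    records = [build_record(l, tag) for l in lines if should_forward(l)]
    return zlib.compress(json.dumps(records).encode())


def receive_batch(payload: bytes) -> list:
    """Receiving side: decompress and verify every record before storing.
    Raises ValueError on the first record whose bytes do not match."""
    records = json.loads(zlib.decompress(payload))
    for rec in records:
        if not verify_record(rec):
            raise ValueError('integrity check failed for a record tagged ' + rec['tag'])
    return records


if __name__ == '__main__':
    for rec in receive_batch(relay_batch(SAMPLE_LOGS)):
        print(rec['tag'], rec['raw'])
```

Two design points worth noting. Pseudonymising with a keyed hash rather than a plain hash keeps the analyst's ability to pivot on "the same user" across events while making the token useless without the key; a plain SHA-256 of an e-mail address is trivially reversible by brute force over a user list. And the integrity tag is computed over the masked bytes, because that is what the receiver stores; if it were computed before masking, nothing downstream could ever verify it.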
Keeping data secure and confidential is a prerequisite for using it to detect and respond to suspicious behavior through high-fidelity alerts. Built around the CIA triad, Devo Relay ensures all relevant data is transmitted securely to the Devo Platform while tolerating unexpected faults along the way, so your security analysts can trust their data to protect the organization from known and unknown risks.
Learn how to use Devo Relay to securely transmit data to the Devo Platform in this overview.