SIEM – the real truth


Which compliance and operational frameworks actually require me to run a SIEM? When you look at the fine print there is no direct requirement to have a SIEM installed, although the output of a SIEM solution does meet a number of the compliance controls.

So yes, in a regulated industry I need a SIEM, or more accurately, there are distinct benefits of running a SIEM tool!

What if I am not in a regulated industry: do I need a SIEM? Well, this is a decision I cannot make for you. There are a number of factors that one should consider: do you hold a lot of PII, do you process data on behalf of your clients, do you have valuable IP, in the event of a data breach how much reputational risk can your business afford, and on and on.

The advantages of running a SIEM tool are numerous, and I am not here to sell a SIEM tool. In fact, I’d like to discuss the subsequent challenges of operating a SIEM tool; this experience has been learned, in some cases, the hard way.

I run a number of Managed Security Services at CNS Group and one of the products in the portfolio is a ‘Detect and Respond’ service. This is a combination of people (security analysts providing real time review of alarms and events), process (how to analyse, prioritise, notify and remediate) and technology (the tools underpinning what the people do and how they do it).

What I can be 100% sure of is that there is no one piece of technology that can replace the human element of monitoring. Change in a technical environment is constant, and therefore the change in the monitoring tools will be so complex that it will be cost prohibitive to attempt it. Yes, AI and machine learning systems are maturing in the marketplace. Yes, they can be very effective. However, ask yourself one question – will your AI tool know the business criticality of a system to make the correct decision as to what should happen next? I didn’t think so.

So, in a few paragraphs: there is constant change in an IT environment, people are still fundamental as decision makers, and those people require robust processes and procedures to follow.

And yes, there is more!

Over time, and through deploying managed services into many environments, we have learnt an awful lot. Today, the surprises are minimal, and only because “we have been there and done that”. If your organisation is looking to implement a SIEM tool as part of a solution, then perhaps you should think about some of the following questions and be honest in your answers.

  • How much raw log data storage do you need?
  • Do you know your total EPS (events per second)?
  • What’s your storage retention period?
  • How do you back up?
  • Do you log ‘everything’ from ‘everything’?


  • What is a security event?
  • How long do you keep it?
  • How long do you keep security events for in a searchable format?
  • How do you know which event IDs relate to a security category or categories?


  • How do you manage normalising the many different log formats into a single format?
  • How do you manage the changes following replaced equipment and updates?
  • How do you know what data in the raw log to explicitly pull through to normalise the data?


  • What parameters should be used to trigger an alarm in your environment?
  • How do you distinguish between a false positive and an actual alarm?
  • How do you prioritise an alarm?
  • How do you remove false positive alarms without impacting event correlation?


  • Will alarms be reviewed in real-time?
  • Will this individual or individuals be responsible for other tasks alongside monitoring?
  • How do you search for historic IOCs?

The above is just a sample of the operational considerations for a SIEM solution to be effective in your organisation.

As I have mentioned, CNS Group operate a number of Managed Security Services, with a ‘Detect and Respond’ service being one of them. The operational questions above do not go away; they are transferred to us, and through our experience of managing SIEM solutions deployed within our clients’ environments we know what needs to be done, how it is done and, critically, which correctly skilled individuals are needed to solely perform those tasks.

If you do not have a dedicated cyber security team consisting of trained security analysts and cyber security engineers underpinned by a comprehensive Incident Management process, then perhaps ‘doing it in-house’ might not necessarily be the best option.

CNS Group Managed Security Services

CNS Group are specialists in identification and proactive protection through their Managed Security Services, and provide consultancy services to help organisations understand the ever-changing cyber security landscape.

If you would like to know more about how we can protect your business from the threats that exist out there, CLICK HERE and one of our experts will be in touch to discuss your concerns.

Author: Mike Carr, Head of Services at CNS Group

LinkedIn: If you would like to connect with Mike on LinkedIn, CLICK HERE
