PwC SIEM Health Check

21 October, 2019

Qualitative analysis of SIEM systems

The SIEM Health Check service consists of a comprehensive analysis of the current state of the implementation of the client’s SIEM solution. The service is vendor agnostic – it can be applied to any SIEM product. As part of the service, a set of dedicated checks is performed.

Checks are grouped into the following areas:

  • Architecture – assess whether the current architecture of the SIEM system reflects the vendor’s requirements and industry best practices, and check whether it meets the client’s needs and PwC recommendations.
  • Data Sources – assess the completeness and quality of the data sources currently connected to the SIEM and the procedures for tracking the status of those data sources.
  • Functional Configuration – assess the quality of the functional configuration of the SIEM.
  • License and current usage – assess the operational usefulness of the current state of the SIEM and the status of the license.

Service purpose and benefits

The purpose of the SIEM Health Check service is to provide knowledge about the quality of the existing SIEM implementation and to help understand which areas need improvement.

Specifically, the service covers the following aspects:

  • Identification of potential issues and bottlenecks related to the architecture, evaluation of their impact on the system and recommendations on how to resolve them.
  • Assessment of the current coverage of data sources, identification of potential issues related to it (for example improper data coverage, loss of log events, improper data filtering) and recommendations on how to resolve them.
  • Assessment of the functional configuration of the SIEM: evaluation of the quality of the currently implemented use cases (correlation rules and other detection mechanisms), reports, dashboards, alerts et cetera, and recommendations on how to resolve potential issues.
  • Assessment of the current usage of the SIEM system across the organization, in order to help understand how it is used by the SOC, the security department and other potential stakeholders.
  • Evaluation of current license usage and identification of whether SIEM costs correspond to the value that SIEM logs bring to SOC operations.

Engagement outcomes

As a result of the service, a comprehensive report is provided consisting of a summary of the performed checks, conclusions and recommendations.

The checks

Architecture

The goal of these checks is to assess the current architecture of the SIEM system. Specifically, the checks include the analysis of:

  1. Overall SIEM architecture.
  2. Design and the implementation of the core system components.
  3. Design and the implementation of the data collection layer components of the system.
  4. Performance of the SIEM system components.
  5. Design and the implementation of the backup process.
  6. Configuration of the communication between SIEM components.
  7. Availability of updates for SIEM components.
  8. Logs of the SIEM system components in order to identify any architecture-related issues.

Data sources

The goal of these checks is to assess the completeness and quality of the data sources currently connected to the SIEM. Specifically, the checks include:

  1. Evaluation of whether a Master Log Requirement (MLR) document is already defined and implemented.
  2. Evaluation of whether the list of the most valuable IT assets is already defined and maintained (so-called “Crown Jewel” assets, SOX, ICOFR and GDPR related assets).
  3. Analysis of audit logs configuration on data sources.
  4. Analysis of event filtering in terms of license usage.
  5. Analysis of the data source tracking process (for example, how quickly a source that stops sending events is noticed).
  6. Analysis of additional SIEM data feeds (for example blacklists with TOR IP addresses, threat intelligence feeds).
  7. Analysis of custom data source parsers and identification of log parsing issues.
  8. Review of logs of the SIEM system components in order to identify any data sources-related issues.
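The data source checks above (loss of log events, tracking of source status, event volume versus license usage) are the kind of thing a SOC can partly automate. The following is an added illustration, not PwC's tooling or part of the service: it takes per-source hourly event counts (constructed sample data), flags sources that have gone silent or dropped sharply, and reports each source's share of total volume. Source names, thresholds and the hourly window are assumptions.

```python
"""Added example, not part of the original page: a minimal data source
status check. Per-source hourly event counts are constructed sample data;
the thresholds SILENT_HOURS and DROP_RATIO are assumptions."""
from statistics import mean

# Constructed sample: events per hour over the last 6 hours, oldest first.
SAMPLE_COUNTS = {
    "fw-edge-01": [5200, 5100, 5300, 5000, 5250, 5150],
    "dc-ad-01":   [800, 790, 810, 0, 0, 0],            # went silent 3h ago
    "proxy-01":   [3000, 3100, 2900, 3050, 400, 420],  # sudden drop in volume
    "hr-app-db":  [40, 35, 42, 38, 41, 39],
}

SILENT_HOURS = 2   # assumption: two consecutive empty hours means "silent"
DROP_RATIO = 0.5   # assumption: last hour under 50% of baseline is "degraded"


def source_status(counts, silent_hours=SILENT_HOURS, drop_ratio=DROP_RATIO):
    """Classify one source as 'silent', 'degraded' or 'ok' from hourly counts."""
    tail = counts[-silent_hours:]
    if len(counts) >= silent_hours and all(c == 0 for c in tail):
        return "silent"
    # Baseline is the mean of all hours except the most recent one.
    baseline = mean(counts[:-1]) if len(counts) > 1 else counts[-1]
    if baseline > 0 and counts[-1] < drop_ratio * baseline:
        return "degraded"
    return "ok"


def volume_share(all_counts):
    """Share of total event volume per source over the whole window."""
    totals = {src: sum(c) for src, c in all_counts.items()}
    grand = sum(totals.values())
    return {src: t / grand for src, t in totals.items()}


def health_report(all_counts):
    """Map each source to (status, volume share rounded to 3 decimals)."""
    shares = volume_share(all_counts)
    return {src: (source_status(c), round(shares[src], 3))
            for src, c in all_counts.items()}


if __name__ == "__main__":
    for src, (status, share) in health_report(SAMPLE_COUNTS).items():
        print(f"{src:12s} {status:9s} volume share {share:.1%}")
```

A silent domain controller or a proxy whose volume collapsed is exactly the "loss of log events" finding the checks look for, and a single source carrying two thirds of the volume is where filtering decisions affect license cost.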

Functional configuration

The goal of these checks is to assess the quality of the functional configuration of the SIEM. Specifically, the checks include:

  1. Analysis of currently implemented use cases/correlation rules.
  2. Analysis of statistics for the currently implemented use cases.
  3. Evaluation of the quality and performance of currently implemented dashboards.
  4. Evaluation of the quality and performance of currently implemented reports.
  5. Evaluation of whether external threat intelligence feeds or other custom lists are already integrated in order to enrich the SIEM content.
  6. Evaluation of whether there is an integration with any of the customer’s third-party systems, for example a CMDB or ticketing systems.

License and current usage

The goal of these checks is to assess the operational usefulness of the current state of the SIEM and the license usage. Specifically, the checks include:

  1. Analysis of day-to-day usage of the SIEM solution.
  2. Evaluation of whether IT incidents are raised based on information generated by the SIEM solution.
  3. Analysis of the purchased SIEM license/subscription.