What every CISO should consider before a SIEM migration

<p>No SIEM strategy, platform or service is perfect. Enterprise needs and circumstances change, providers and offerings evolve, and new options arise. Sooner or later, many organizations must migrate from their existing SIEM, or SIEM provider, to a new one.</p>
<p>Once a <a href="https://www.techtarget.com/searchsecurity/tip/SIEM-implementation-steps-and-best-practices">new SIEM</a> has been chosen, the CISO should approach the implementation strategically, ensuring that important data, rules, playbooks and workflows remain available during and after the transition. A successful and responsible SIEM migration also minimizes the disruption caused by discovering, mid-migration, forgotten technical integrations and undocumented use cases.</p>
<section class="section main-article-chapter" data-menu-title="Don’t forget the data">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Don’t forget the data</h2>
<p>The lifeblood of a cybersecurity operation is data: data about entities in the environment, data about what those entities are and aren’t supposed to do, data about how those entities behave, data about the cybersecurity infrastructure itself and so on.</p>
<p>Before a SIEM migration, CISOs must lay careful plans to ensure necessary data from the old platform is preserved and usable by the new one. The following data is especially important:</p>
<ul class="default-list">
<li><b>Entity behavioral data</b>. A zero-trust environment depends on three kinds of data: <a href="https://www.techtarget.com/searchsecurity/tip/How-to-write-an-information-security-policy-plus-templates">policy data</a> that dictates which entities may talk to each other; identity data that establishes whether an entity is in fact who or what it claims to be; and behavioral data that shows how entities act in the environment and whether that activity deviates from their baseline. The SIEM does not maintain policy or identity data, but it <a href="https://www.techtarget.com/searchsecurity/tip/Top-SIEM-use-cases-in-the-enterprise">is integral to collecting behavioral data</a>. When switching tools or providers, the CISO must ensure the security team can preserve and transfer the behavioral baselines for every entity in the environment; a new platform that starts from an empty baseline cannot distinguish anomalous from normal activity until it has relearned those baselines.</li>
<li><b>Policy enforcement data</b>. Logs showing security policy enforcement are essential to incident investigations, <a href="https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan">incident response</a> and post-incident reporting. This data should be transferred to the new SIEM and remain available throughout the migration. At every step of the transition, the security team must also know which platform, old or new, is the authoritative source for it.</li>
<li><b>Compliance-related data</b>. Many organizations are required by law or regulation to retain cybersecurity-relevant log data. For example, power utilities and telecommunications providers must be able to show that they were, at any given point in time, compliant with the specific security requirements of their respective industries. Ensure continuity of compliance-related data collection across the cutover, and confirm that historical data from the old platform will remain available after migration, either by ingesting it into the new tool or by retaining it on an archival platform whose copies can be checked for completeness and integrity.</li>
</ul>
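<p>The three items above amount to one pre-cutover check: every record that left the old platform is accounted for in the new one or the archive, no evidence field was silently dropped by the schema mapping, and collection coverage per source has no gap. The following is an added example written for this page, not code from the article or from any SIEM vendor. The export records, the old-to-new field mapping and the set of "ingested" hashes are all constructed assumptions; a real migration would substitute the vendor's export format and schema.</p>

```python
"""Reconciliation check for a SIEM migration export (added example).

Maps records exported from the old platform onto the new platform's field
names, then reports what a cutover review needs: per-source counts and time
coverage, fields the mapping drops, and a content hash per original record so
the archived or re-ingested copy can be verified before the old SIEM is retired.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export from the old SIEM; not real telemetry.
OLD_EXPORT = [
    {"_time": "2024-05-01T10:00:00Z", "sourcetype": "firewall", "src": "10.0.0.5",
     "dest": "10.0.1.9", "action": "blocked", "rule": "deny-rdp"},
    {"_time": "2024-05-01T10:05:00Z", "sourcetype": "firewall", "src": "10.0.0.7",
     "dest": "10.0.1.9", "action": "allowed", "rule": "permit-web"},
    {"_time": "2024-05-01T09:58:00Z", "sourcetype": "auth", "user": "alice",
     "src": "10.0.0.5", "result": "failure"},
    {"_time": "2024-05-01T10:02:00Z", "sourcetype": "auth", "user": "alice",
     "src": "10.0.0.5", "result": "success", "mfa": "push"},
]

# Hypothetical old -> new field mapping; real platforms use their own schemas.
# "rule" and "mfa" are deliberately absent so the check has something to catch.
FIELD_MAP = {
    "_time": "timestamp", "sourcetype": "source", "src": "src_ip",
    "dest": "dst_ip", "action": "action", "user": "user", "result": "outcome",
}


def record_hash(rec: dict) -> str:
    """SHA-256 over the canonical JSON of the ORIGINAL record (pre-mapping)."""
    canon = json.dumps(rec, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def translate(rec: dict) -> tuple[dict, set]:
    """Map one record onto the new schema and return the fields that did not map."""
    new = {FIELD_MAP[k]: v for k, v in rec.items() if k in FIELD_MAP}
    dropped = {k for k in rec if k not in FIELD_MAP}
    return new, dropped


def reconcile(old_records: list) -> dict:
    """Build the cutover report: per-source count and time span, dropped fields, hashes."""
    per_source = defaultdict(list)
    dropped = defaultdict(set)
    hashes = {}
    for rec in old_records:
        new, lost = translate(rec)
        per_source[rec["sourcetype"]].append(new)
        dropped[rec["sourcetype"]] |= lost
        hashes[record_hash(rec)] = rec["sourcetype"]
    sources = {}
    for src, recs in per_source.items():
        times = sorted(datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
                       for r in recs)
        sources[src] = {"count": len(recs),
                        "first": times[0].isoformat(), "last": times[-1].isoformat()}
    return {"sources": sources, "dropped_fields": dict(dropped), "hashes": hashes}


def cutover_blockers(report: dict, ingested_hashes: set, required_fields: set) -> list:
    """Problems that must be cleared before the new platform becomes authoritative.

    ingested_hashes: hashes of original records the new platform or archive
    can produce on demand. required_fields: old-schema fields that investigations
    or compliance evidence cannot do without.
    """
    problems = []
    missing = set(report["hashes"]) - ingested_hashes
    if missing:
        problems.append(f"{len(missing)} record(s) absent from new platform/archive")
    for src, fields in report["dropped_fields"].items():
        lost = fields & required_fields
        if lost:
            problems.append(f"{src}: required evidence fields dropped by mapping: {sorted(lost)}")
    return problems


if __name__ == "__main__":
    report = reconcile(OLD_EXPORT)
    for src, stats in report["sources"].items():
        print(f"{src}: {stats['count']} records, {stats['first']} .. {stats['last']}")
    # Simulate the new platform having ingested everything except one record.
    ingested = set(list(report["hashes"])[:-1])
    for line in cutover_blockers(report, ingested, {"rule", "mfa"}):
        print("BLOCKER:", line)
```

<p>Hashing the original record rather than the mapped one is the point: the mapping is lossy by design, so the only way to prove later that the archive holds what the old SIEM held is a digest taken before any transformation. Run the same hashing over the archive or the new platform's raw store and feed the result in as <code>ingested_hashes</code>; an empty blocker list is the evidence that the old platform can stop being the authoritative source.</p>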
</section>
<section class="section main-article-chapter" data-menu-title="Take custom rules, playbooks and workflows with you">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Take custom rules, playbooks and workflows with you</h2>
<p>If data is the lifeblood of cybersecurity, <a href="https://www.techtarget.com/searchsecurity/tip/Use-the-CIA-triad-to-shape-security-automation-use-cases">automation is rapidly becoming its beating heart</a>. Some SIEM automation is obviously SIEM-specific. One example is instituting extra monitoring on a network entity that is acting unusually, whether at the request of another tool or a human operator, or triggered by the SIEM’s native <a href="https://www.techtarget.com/searchsecurity/tip/Top-10-UEBA-enterprise-use-cases">user and entity behavior analytics</a> functionality.</p>
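<p>Custom rules rarely survive a migration by copy and paste; they are rewritten in the new platform's query language, and the rewrite can change semantics without changing the rule's wording. The following is an added example written for this page, not code from the article or from any SIEM product. It keeps a rule in a vendor-neutral form, evaluates it with two hypothetical implementations that differ only in windowing (a sliding window versus fixed wall-clock buckets, a difference that does exist between query languages), and runs both against a constructed golden event set with known expected alerts. The rule, events and expected alerts are all assumptions.</p>

```python
"""Portability regression check for a custom detection rule (added example).

A rule that should fire when a source produces 5 or more failed logons within
10 minutes is evaluated by the original (sliding-window) logic and by a port
whose query language only offers fixed time buckets. A golden event set shows
the port silently misses, which is exactly what to catch before the old SIEM
is switched off.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Vendor-neutral rule definition (hypothetical format).
RULE = {
    "name": "brute-force-by-source",
    "match": {"sourcetype": "auth", "result": "failure"},
    "group_by": "src",
    "threshold": 5,
    "window_minutes": 10,
}

# Constructed golden events. The five failures from 10.0.0.5 span nine minutes
# but straddle the 10:00 boundary, so fixed 10-minute buckets never see five.
GOLDEN_EVENTS = [
    {"_time": "2024-05-01T09:55:00Z", "sourcetype": "auth", "src": "10.0.0.5", "result": "failure"},
    {"_time": "2024-05-01T09:58:00Z", "sourcetype": "auth", "src": "10.0.0.5", "result": "failure"},
    {"_time": "2024-05-01T10:01:00Z", "sourcetype": "auth", "src": "10.0.0.5", "result": "failure"},
    {"_time": "2024-05-01T10:03:00Z", "sourcetype": "auth", "src": "10.0.0.5", "result": "failure"},
    {"_time": "2024-05-01T10:04:00Z", "sourcetype": "auth", "src": "10.0.0.5", "result": "failure"},
    {"_time": "2024-05-01T10:04:30Z", "sourcetype": "auth", "src": "10.0.0.5", "result": "success"},
    {"_time": "2024-05-01T10:02:00Z", "sourcetype": "auth", "src": "10.0.0.9", "result": "failure"},
    {"_time": "2024-05-01T10:02:00Z", "sourcetype": "firewall", "src": "10.0.0.5", "result": "failure"},
]
EXPECTED_ALERTS = {"10.0.0.5"}   # the verdict the old SIEM produced on this set


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["_time"].replace("Z", "+00:00"))


def matching(rule: dict, events: list) -> list:
    """Events that satisfy every equality condition in rule['match']."""
    return [e for e in events if all(e.get(k) == v for k, v in rule["match"].items())]


def eval_sliding(rule: dict, events: list) -> set:
    """Original semantics: threshold reached within ANY span of window_minutes."""
    by_key = defaultdict(list)
    for e in matching(rule, events):
        by_key[e[rule["group_by"]]].append(_ts(e))
    window = timedelta(minutes=rule["window_minutes"])
    n = rule["threshold"]
    alerts = set()
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times) - n + 1):
            if times[i + n - 1] - times[i] <= window:
                alerts.add(key)
                break
    return alerts


def eval_fixed_bucket(rule: dict, events: list) -> set:
    """Ported semantics: count per fixed wall-clock bucket (09:50-10:00, 10:00-10:10, ...)."""
    counts = defaultdict(int)
    bucket_seconds = rule["window_minutes"] * 60
    for e in matching(rule, events):
        bucket = int(_ts(e).timestamp()) // bucket_seconds
        counts[(e[rule["group_by"]], bucket)] += 1
    return {key for (key, _), n in counts.items() if n >= rule["threshold"]}


def regression_check(rule: dict, events: list, expected: set, evaluator) -> dict:
    """Compare an evaluator's verdicts with the golden verdicts for one rule."""
    got = evaluator(rule, events)
    return {"missed": expected - got, "spurious": got - expected}


if __name__ == "__main__":
    for name, impl in (("old platform", eval_sliding), ("new platform", eval_fixed_bucket)):
        print(RULE["name"], name, regression_check(RULE, GOLDEN_EVENTS, EXPECTED_ALERTS, impl))
```

<p>The golden set, not the rule text, is the portable artifact: keep one per custom rule, with the alerts the old SIEM actually raised on it, and make a non-empty <code>missed</code> or <code>spurious</code> set a blocker for declaring that rule migrated. Rules that depend on UEBA baselines need the same treatment with a baseline snapshot included in the fixture, since their verdicts depend on learned state as well as on the events.</p>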
<blockquote class="main-article-pullquote">
<div class="main-article-pullquote-inner">
<figure>
If data is the lifeblood of cybersecurity, automation is rapidly becoming its beating heart.
</figure>
<figcaption>
<strong>John Burke</strong>, research analyst and CTO, Nemertes Research
</figcaption>
<i class="icon" data-icon="z"></i>
</div>
</blockquote>
<p>Less obvio


This article has been indexed from Search Security Resources and Information from TechTarget
