Tel Aviv Stock Exchange Chief Information Security Officer (CISO), Gil Shua, understands the importance of optimizing the signal-to-noise ratio in their security information and event management (SIEM) system. Shua’s goal is to minimize the amount of noise and prioritize actionable content in order to quickly identify and address potential security issues.
Having worked at the Tel Aviv Stock Exchange for over a decade, Shua has witnessed the constant struggle for data resources in order to maximize the capabilities of their SIEM. With most SIEM systems, there is often a lot of noise and false positives, which can lead to misconfigurations and unnecessary work for the security operations center (SOC) team. This not only decreases productivity but also hampers the effectiveness of the SIEM.
To address this issue, Shua and his team focus on writing rules for the SIEM to handle incoming data. However, the process of creating these rules can be time-consuming and complex. Before rules can be written, the SOC team must first understand the data structure, identify relevant fields, analyze exceptions, and perform quality assurance and testing. Depending on the complexity, this process can take anywhere from a few hours to several days.
Shua highlights the importance of having effective rules in place to protect against relevant attacks and ensuring that the SIEM receives the necessary information from reporting systems to trigger these rules. The recent implementation of CardinalOps’ platform has significantly reduced the time spent on writing rules at the Tel Aviv Stock Exchange. With the new technology, the focus has shifted to implementing and testing rules, rather than the lengthy process of rule creation.
Despite the effort and resources required to maintain a SIEM, Shua acknowledges that some attacks may still go unnoticed due to a lack of visibility or matching rules. He believes that future solutions should incorporate automation capabilities for autonomous rule creation and response. This would streamline the process and improve the effectiveness of SIEM systems.
In addition to optimizing rule creation, Shua emphasizes the need for SIEMs to become more efficient in handling and analyzing data from various sources. As organizations gather data in different formats, it is crucial to make adjustments and ensure proper change management. Failing to do so can result in missed security events and vulnerabilities.
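The following is an added example, not code from the article, from the Tel Aviv Stock Exchange or from CardinalOps. It walks through the rule-writing workflow described earlier (understand the data structure, pick the relevant fields, model the exceptions, then test) and the multi-format point made just above: two hypothetical log sources, one emitting JSON and one emitting key=value lines, are normalized into a common schema before one brute-force rule runs over them. All event lines, IP addresses, usernames, the allow-listed scanner and the threshold/window values are constructed for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Step 1, understand the data: two hypothetical sources with different layouts.
# Every line below is constructed for this example.
RAW_EVENTS = [
    # Burst of failures from one host (the case the rule should catch).
    '{"ts": "2024-03-01T09:00:01Z", "src": "10.0.5.7", "user": "alice", "result": "failure"}',
    '{"ts": "2024-03-01T09:00:03Z", "src": "10.0.5.7", "user": "alice", "result": "failure"}',
    'ts=2024-03-01T09:00:05Z src_ip=10.0.5.7 user=alice outcome=FAIL',
    'ts=2024-03-01T09:00:06Z src_ip=10.0.5.7 user=alice outcome=FAIL',
    '{"ts": "2024-03-01T09:00:08Z", "src": "10.0.5.7", "user": "alice", "result": "failure"}',
    'ts=2024-03-01T09:00:09Z src_ip=10.0.5.7 user=alice outcome=SUCCESS',
    # Authorized vulnerability scanner: constant failures that are pure noise.
    'ts=2024-03-01T09:01:00Z src_ip=10.0.9.9 user=svc-scan outcome=FAIL',
    'ts=2024-03-01T09:01:01Z src_ip=10.0.9.9 user=svc-scan outcome=FAIL',
    'ts=2024-03-01T09:01:02Z src_ip=10.0.9.9 user=svc-scan outcome=FAIL',
    'ts=2024-03-01T09:01:03Z src_ip=10.0.9.9 user=svc-scan outcome=FAIL',
    'ts=2024-03-01T09:01:04Z src_ip=10.0.9.9 user=svc-scan outcome=FAIL',
    'ts=2024-03-01T09:01:05Z src_ip=10.0.9.9 user=svc-scan outcome=FAIL',
    # A single typo by a user: below threshold, must not alert.
    '{"ts": "2024-03-01T09:02:00Z", "src": "10.0.7.3", "user": "bob", "result": "failure"}',
    # Five failures spread over 40 minutes: outside the window, must not alert.
    'ts=2024-03-01T09:10:00Z src_ip=10.0.8.8 user=carol outcome=FAIL',
    'ts=2024-03-01T09:20:00Z src_ip=10.0.8.8 user=carol outcome=FAIL',
    'ts=2024-03-01T09:30:00Z src_ip=10.0.8.8 user=carol outcome=FAIL',
    'ts=2024-03-01T09:40:00Z src_ip=10.0.8.8 user=carol outcome=FAIL',
    'ts=2024-03-01T09:50:00Z src_ip=10.0.8.8 user=carol outcome=FAIL',
    # A line in neither format, e.g. after an unannounced change on the source.
    'garbage line without recognizable fields',
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(raw):
    """Step 2, map either format onto the fields the rule needs.
    Returns None when the line matches neither schema, so parse failures
    become a countable signal that a source changed shape."""
    raw = raw.strip()
    if raw.startswith("{"):
        try:
            d = json.loads(raw)
            return {"ts": parse_ts(d["ts"]), "src_ip": d["src"],
                    "user": d["user"], "failed": d["result"] == "failure"}
        except (ValueError, KeyError):
            return None
    fields = dict(KV_RE.findall(raw))
    try:
        return {"ts": parse_ts(fields["ts"]), "src_ip": fields["src_ip"],
                "user": fields["user"], "failed": fields["outcome"] == "FAIL"}
    except (ValueError, KeyError):
        return None


# Step 3, model the known exceptions instead of letting them page the SOC.
ALLOWLIST = {"10.0.9.9": "authorized vulnerability scanner (hypothetical)"}
THRESHOLD = 5            # failures ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window


def run_rule(raw_events, allowlist=ALLOWLIST):
    """Fire one alert per burst of THRESHOLD failures from a source inside WINDOW.
    Returns (alerts, stats); stats expose parse failures and suppressions for QA."""
    stats = {"parsed": 0, "unparsed": 0, "suppressed": 0}
    events = []
    for raw in raw_events:
        ev = normalize(raw)
        if ev is None:
            stats["unparsed"] += 1
            continue
        stats["parsed"] += 1
        events.append(ev)
    recent_failures = defaultdict(list)  # src_ip -> timestamps inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["failed"]:
            continue
        if ev["src_ip"] in allowlist:
            stats["suppressed"] += 1
            continue
        recent = recent_failures[ev["src_ip"]]
        recent.append(ev["ts"])
        recent[:] = [t for t in recent if ev["ts"] - t <= WINDOW]
        if len(recent) >= THRESHOLD:
            alerts.append({"rule": "auth_bruteforce", "src_ip": ev["src_ip"],
                           "count": len(recent), "first": recent[0], "last": ev["ts"]})
            recent.clear()  # one alert per burst, not one per further failure
    return alerts, stats


def evaluate(alerts, expected_sources):
    """Step 4, QA: compare what fired against labelled ground truth."""
    fired = {a["src_ip"] for a in alerts}
    return {"true_positives": sorted(fired & expected_sources),
            "false_positives": sorted(fired - expected_sources),
            "missed": sorted(expected_sources - fired)}


if __name__ == "__main__":
    alerts, stats = run_rule(RAW_EVENTS)
    print(stats, evaluate(alerts, {"10.0.5.7"}))
    # Same data with the exception removed shows the scanner becoming a false positive.
    print(evaluate(run_rule(RAW_EVENTS, allowlist={})[0], {"10.0.5.7"}))
```

Running the test set twice, once with and once without the allow-list, makes the value of the exception analysis visible: the rule logic is identical, but the second run reports the scanner as a false positive. The `unparsed` counter is the change-management hook: a source that silently switches format stops matching either parser, and a rising unparsed count is the early warning that events are being dropped rather than evaluated.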
In conclusion, Gil Shua, CISO of the Tel Aviv Stock Exchange, recognizes the importance of maintaining an optimal signal-to-noise ratio in their SIEM system. By minimizing noise and focusing on actionable content, the SOC team can effectively address security issues. While the process of rule creation can be time-consuming, advancements in technology, such as CardinalOps’ platform, have helped streamline the process. Shua believes that future SIEM solutions should incorporate automation capabilities for improved efficiency. Additionally, organizations must adapt their SIEM systems to handle data in different formats and ensure proper change management to avoid missing critical security events.
