For the past two years, ORION has been working with community members on a proof of concept (PoC) for a shared Security Information and Event Management (SIEM) solution. Leveraging ORION’s in-house platform, the ORION Shared SIEM PoC offered a fully hosted multitenant SIEM to track security vulnerabilities specific to an organization’s infrastructure and controls.
Developing the ORION Shared SIEM PoC
With support from CANARIE and the participation of ORION community members, we installed and configured the SIEM appliance. The solution was tested across a wide variety of use-cases ranging from account theft and misuse to infected host scenarios. With the learnings gained from these tests, as well as the support and collaboration of three community security teams, ORION gained valuable insight toward the eventual development of a new service for the community. We were able to assess the capabilities and investments that would be required to fully develop and deliver such a service, together with the value and benefit for ORION constituents.
Helping the ORION Community
The ORION Shared SIEM PoC has helped ORION to detect and manage threats to the NREN by enabling real-time monitoring of all security incidents on the network, as well as producing correlated and triaged alerts to notify responsible security engineers in a timely manner.
The Shared SIEM PoC participants have benefitted through better insight into the event patterns and methods of response, ultimately allowing them to improve their cybersecurity controls and protect valuable time, resources, and assets from digital threats.
Working closely with ORION, we have been collaborating with members of the higher-education sector to help guide the direction of a revitalized service-offering that is tailored to suit the unique needs of the higher-education community. All of us have a SIEM identified in our cybersecurity assessments, but very few of us can afford or support the solutions currently available. We wanted to figure out what common solutions were possible with the aim to reduce support or solution costs, as well as improve our overall maturity and understanding of SIEM. The Proof of Concept (PoC) has enabled us to advance on these goals by detecting and addressing several vulnerabilities to Niagara College’s cybersecurity and by creating new insights into security-event and threat-detection challenges and solutions. As a result, the PoC has helped reform Niagara College’s medium and long-term plans to strengthen our community’s cybersecurity posture.
What we learned
The Shared SIEM PoC opened the door to better understand the potential use of a Shared SIEM on a broader scale, and the value, challenges, and costs associated with it. In addition to learning the benefits and real-world effectiveness of a Shared SIEM for threat detection and security management, ORION recognized three areas for concentrated attention and future development:
- Configuration: Fine-tuning the system to reduce false positives is complex and onerous, requiring the active participation of all assigned technical teams.
- Platform: The SIEM platform’s value comes from its potential SOC functions, which can triage, correlate, investigate and escalate events. The platform itself is not as valuable as the SOC functions managing it.
- Infrastructure: The vast amounts of data processing and storage infrastructure required by the platform mean that infrastructure costs and management must be properly regulated.
What’s next for Shared SIEM
The ORION Shared SIEM PoC has proven valuable. We will continue to learn, listen and collaborate with the community to establish new and needed services to strengthen the collective cybersecurity posture of Ontario’s research, education and innovation community.
For more information, please contact communitydev@orion.on.ca.