Does CMMC Require a SIEM?
If you're reading this, you're probably a DOD contractor preparing for CMMC. I'm guessing you have just about as many questions as the rest of us do about CMMC.
I've read through all of the CMMC capabilities and processes, and they don't specifically state that a SIEM (Security Information and Event Management) system is required. However, some of the requirements sound an awful lot like they're saying "SIEM" without saying "SIEM," if you know what I mean.
What is a SIEM?
If you're not already familiar with a SIEM, it's a system that you send your logs to (operating system logs, network device logs, firewall logs, etc.), and it analyzes them, sends out alerts, and allows you to create reports.
A SIEM is the only way to analyze system logs properly. Within CMMC, once we get to level three, log collection and analysis start to reveal themselves. For example, AU.3.048 says you should collect your audit logs into one or more central repositories. That sounds like a SIEM to me.
Then AU.3.051 talks about correlating audit log review, analysis, and reporting on audit logs collectively. The keyword there is "collectively" because without analyzing all the logs in a centralized manner, you will have a hard time correlating events from various systems. Again, it sounds like a SIEM to me!
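To make the difference between "collected" and "analyzed collectively" concrete, here is a small added example (my own illustration, not code from the post or from any SIEM product). It normalizes constructed sample lines from three sources (a Linux sshd log, a Windows logon event, and a firewall record) into one central event store, the way AU.3.048 asks, and then runs a correlation rule across that store, the way AU.3.051 asks: a source address that fails logins on two or more different hosts and then succeeds on any host within ten minutes. Looked at per host, each machine sees only one or two failed logins and nothing stands out; only the central view produces the alert. The log formats, host names, IP addresses, and the ten-minute window are all assumptions made for the example.

```python
"""Central log repository plus cross-source correlation (constructed example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): three sources, three formats.
SAMPLE_LOGS = [
    ("linux-auth", "2024-03-01T10:00:05 host1 sshd[101]: Failed password for admin from 203.0.113.7 port 5011 ssh2"),
    ("linux-auth", "2024-03-01T10:00:09 host1 sshd[101]: Failed password for admin from 203.0.113.7 port 5012 ssh2"),
    ("windows",    "2024-03-01T10:00:40 host2 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7"),
    ("firewall",   "2024-03-01T10:01:02 fw1 action=allow src=203.0.113.7 dst=10.0.0.12 dport=3389"),
    ("windows",    "2024-03-01T10:01:10 host3 EventID=4624 TargetUserName=admin IpAddress=203.0.113.7"),
    ("linux-auth", "2024-03-01T11:30:00 host1 sshd[202]: Failed password for bob from 198.51.100.9 port 6001 ssh2"),
]

# One regular expression per source format (assumed formats for this example).
LINUX_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
                      r"for (?P<user>\S+) from (?P<ip>\S+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
                    r"IpAddress=(?P<ip>\S+)")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<ip>\S+) dst=(?P<dst>\S+) "
                   r"dport=(?P<dport>\d+)")

# Windows logon event IDs mapped onto the common outcome vocabulary.
WIN_OUTCOMES = {"4624": "success", "4625": "failure"}


def parse_event(source, line):
    """Normalize one raw line into the repository's common schema, or None if unparseable."""
    if source == "linux-auth":
        m = LINUX_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "source": source,
                "user": m["user"], "src_ip": m["ip"],
                "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    if source == "windows":
        m = WIN_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "source": source,
                "user": m["user"], "src_ip": m["ip"],
                "outcome": WIN_OUTCOMES.get(m["eid"], "other")}
    if source == "firewall":
        m = FW_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "source": source,
                "user": None, "src_ip": m["ip"], "outcome": m["action"],
                "dst": m["dst"], "dport": int(m["dport"])}
    return None


def build_repository(raw_logs):
    """The 'central repository': every source normalized into one time-ordered list."""
    events = []
    for source, line in raw_logs:
        event = parse_event(source, line)
        if event is not None:
            events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def per_host_failure_counts(events):
    """What each host sees on its own: failed logins counted per host."""
    return Counter(e["host"] for e in events if e["outcome"] == "failure")


def correlate_logins(events, window=timedelta(minutes=10), min_hosts=2):
    """Collective rule: a source IP failing on >= min_hosts distinct hosts, then succeeding
    anywhere within `window`, raises one alert. Firewall events are kept in the repository
    for context but are not authentication outcomes, so the rule skips them."""
    alerts = []
    failures = defaultdict(list)  # src_ip -> [(timestamp, host), ...]
    for e in events:
        if e["source"] == "firewall":
            continue
        ip = e["src_ip"]
        if e["outcome"] == "failure":
            failures[ip].append((e["ts"], e["host"]))
        elif e["outcome"] == "success":
            recent_hosts = sorted({host for ts, host in failures[ip] if e["ts"] - ts <= window})
            if len(recent_hosts) >= min_hosts:
                alerts.append({"src_ip": ip, "user": e["user"], "failed_hosts": recent_hosts,
                               "success_host": e["host"], "ts": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    repo = build_repository(SAMPLE_LOGS)
    print("per-host view:", dict(per_host_failure_counts(repo)))
    for alert in correlate_logins(repo):
        print("ALERT:", alert)
```

Run it and the per-host view shows host1 with three failures (two from one address, one from another) and host2 with one, which on their own look like typos; the collective rule is what ties the failures on host1 and host2 to the later success on host3 from the same address. A real SIEM does the same normalization and correlation at scale, with the parsers, the window, and the alert output being the things you configure.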
At this point, I see smoke, and where there's smoke, there's fire. Which, in this case, means a SIEM solution. So the next question is, what are my options when it comes to a SIEM solution?
3 Options for SIEM Solutions for CMMC
You have three options when looking for SIEM solutions: purchase, subscribe or build. There are advantages and disadvantages to each option based on your budget and requirements.
Option 1: Purchase a Commercial SIEM Solution
Purchasing a commercial SIEM can be hit-and-miss, to be honest. I say this because you have to vet the product and make sure it will do everything you need. After all, once you invest capital into the product, you're stuck with it unless you don't mind wasting money.
You must purchase training and spend the time necessary to train on the product so your team can efficiently manage the platform. There will also be an annual support agreement to budget for. Be careful of the limitations of these products, such as limits on the amount of data they will process in a given time period. As your environment grows, you may need to consider the cost of upgrading the SIEM to support the additional data from new systems.
Pros of a Commercial SIEM:
There are lots of vendors to choose from
It's less costly than a SIEM service (most of the time)
Cons of a Commercial SIEM:
Your internal team must manage the system
You'll need to provide compute resources to host it on
Training can be expensive and extensive
Option 2: Subscribe to SIEM-as-a-Service
SIEM-as-a-service is the easiest to get up and running. Some benefits of this are that there are usually no up-front costs, and it is a month-to-month operational expenditure. Since this is a hosted service, you won't need to provide compute resources, so you're not looking at any hardware upgrades to support it.
Another nice thing is that the vendor team will manage the system and provide you with reports and alerts, which means you won't need the level of training with a commercial SIEM product. The downside is that these services are usually more expensive than a commercial SIEM solution, but that may not be true if you hire personnel to manage a commercial SIEM product.
The last thing to consider is that you're sending log data offsite, so you'll want to ensure you have adequate bandwidth. You'll also want to verify how the vendor is storing the data and that they are following security best practices since they are housing some of your sensitive data.
Pros of SIEM-as-a-Service
You don't need to provide computing resources
Your internal team doesn't manage the system
Cons of SIEM-as-a-Service
It's usually the most expensive option
Added risk by sending your log data off-site
Option 3: Deploy and Manage an Open Source SIEM
An open-source SIEM solution is going to be the most cost-effective SIEM solution. However, you must provide computing resources and people to manage the solution, just as you do with a commercial product. The key to going with open-source is oftentimes convincing executives that it's a sound decision.
To do this, you'll need to find an open-source project that's been around for a while and provides paid support services, preferably with some Service Level Agreement (SLA). With an open-source solution, you need to ensure adequate training is available. This means more than a few online videos from various users but honest-to-goodness training from the product makers.
This way, you are getting the training straight from the horse's mouth and not someone else’s opinion on how it works. Lastly, open-source projects are often more secure than closed-source commercial products because of the number of developers reviewing the code, and that's always a win!
Pros of Open Source SIEMs
The least costly of all the options
Open-source products tend to be more secure than commercial products simply because of the number of people looking at and reviewing the code.
Cons of Open Source SIEMs
Support may not be available other than community support
Deep dive training may not be available
How to Choose a SIEM
Now, you need to decide what works best for you. A little full disclosure here: I built a SIEM solution out of open-source projects, and it was used (actually still is used) to provide security services to many clients at a previous employer of mine. I'm a huge proponent of using open-source tools when they fit the situation.
Many of you reading this are probably on a tight budget for meeting CMMC requirements, and an open-source option is exactly what you need. The good news is that several open-source SIEM solutions are available that are proven to be reliable and effective. If I had to pick an open-source SIEM solution to deploy at an organization with limited IT support, I'd go with Security Onion.
Security Onion has been around since 2009 and has come a long way. They also offer affordable training so you can learn all the ins and outs of the system and its numerous tools since you'll have to manage it.
They also sell hardware with Security Onion pre-installed on it. If you'd like to go that route, they offer support. Yes, that's right, when you get into a bind and don't know what to do, you have someone to reach out to for help, and that, my friends, is a big deal!
Setting Up An Open Source SIEM
If you're interested in learning how to get up and running with Security Onion, I've got a video series at CBT Nuggets titled "Setting Up An Open Source SIEM." In it, I walk through installing Security Onion, deploying host agents, and creating custom reports. This series will get you up and running with Security Onion, so you can take it for a test drive and see if it fits your needs.
As we continue to prepare for CMMC's upcoming audits, you now have a little more insight into whether you'll need a SIEM solution and what options you have. Until next time, keep your defenses up and stay safe!