Does CMMC Require a SIEM?

If you're reading this, you're probably a DOD contractor preparing for CMMC. I'm guessing you have just about as many questions as the rest of us do about CMMC.

I've read through all of the CMMC capabilities and processes and they don’t specifically state that a SIEM (Security Information and Event Management) system is required. However, from the sounds of some of the requirements, it sounds an awful lot like they're saying "SIEM" without saying "SIEM," if you know what I mean.

What is a SIEM?

If you're not already familiar with a SIEM, it's a system that you send your logs to (operating system logs, network device logs, firewall logs, etc.), and it analyzes them, sends out alerts, and allows you to create reports.

A SIEM is the only way to analyze system logs properly. Within CMMC, once we get to level three, log collection and analysis start to reveal themselves. For example, AU.3.048 says you should collect your audit logs into one or more central repositories. That sounds like a SIEM to me.

Then AU3.051 talks about correlating audit log review, analysis, and report on audit logs collectively. The keyword there is "collectively" because without analyzing all the logs in a centralized manner, you will have a hard time correlating events from various systems. Again, it sounds like a SIEM to me!

At this point, I see smoke, and where there’s smoke, there's fire. Which, in this case, means an SIEM solution. So the next question is, what are my options when it comes to a SIEM solution?

3 Options for SIEM Solutions for CMMC

You have three options when looking for SIEM solutions: purchase, subscribe or build. There are advantages and disadvantages to each option based on your budget and requirements.

Option 1: Purchase a Commercial SIEM Solution

Purchasing a commercial SIEM can be hit-and-miss, to be honest. I say this because you have to vet the product and make sure it will do everything you need. After all, once you invest capital into the product, you're stuck with it unless you don't mind wasting money.

You must purchase training and spend the time necessary to train on the product, so your team can efficiently manage the platform. There will also be an annual support agreement to budget for and be careful of limitations of these products, such as limits on the amount of data they will process in a given time period. As your environment grows, you may need to consider the costs of upgrading the SIEM to support the additional data from new systems.

Pros of a Commercial SIEM:

• There are lots of vendors to choose from

• It's less costly than a SIEM service (most of the time)

Cons of a Commercial SIEM:

• Your internal team must manage the system

• You'll need to provide compute resources to host it on

• Training can be expensive and extensive

Option 2: Subscribe to SIEM-as-a-Service

SIEM-as-a-service is the easiest to get up and running. Some benefits of this are that there are usually no up-front costs, and it is a month-to-month operational expenditure. Since this is a hosted service, you won't need to provide compute resources, so you're not looking at any hardware upgrades to support it.

Another nice thing is that the vendor team will manage the system and provide you with reports and alerts, which means you won't need the level of training with a commercial SIEM product. The downside is that these services are usually more expensive than a commercial SIEM solution, but that may not be true if you hire personnel to manage a commercial SIEM product.

The last thing to consider is that you're sending log data offsite, so you'll want to ensure you have adequate bandwidth. You'll also want to verify how the vendor is storing the data and that they are following security best practices since they are housing some of your sensitive data.

Pros of SIEM-as-a-Service

• You don't need to provide computing resources

• Your internal team doesn't manage the system

Cons of SIEM-as-a-Service

• It's usually the most expensive option

• Added risk by sending your log data off-site

Option 3: Deploy and Manage an Open Source SIEM

An open-source SIEM solution is going to be the most cost-effective SIEM solution. However, you must provide computing resources and people to manage the solution, just as you do with a commercial product. The key to going with open-source is oftentimes convincing executives that it's a sound decision.

To do this, you'll need to find an open-source project that's been around for a while and provides paid support services, preferably with some Service Level Agreement (SLA). With an open-source solution, you need to ensure adequate training is available. This means more than a few online videos from various users but honest-to-goodness training from the product makers.

This way, you are getting the training straight from the horse's mouth and not someone else’s opinion on how it works. Lastly, open-source projects are often more secure than closed-source commercial products because of the number of developers reviewing the code, and that's always a win!

Pros of Open Source SIEMs

• The least costly of all the options

• Open-source products tend to be more secure than commercial products simply because of the number of people looking and reviewing the code.

Cons of Open Source SIEMs

• Support may not be available other than community support

• Deep dive training may not be available

How to Choose a SIEM

Now, you need to decide what works best for you. A little full disclosure here: I built a SIEM solution out of open-source projects, and it was used (actually still is used) to provide security services to many clients at a previous employer of mine. I'm a huge proponent of using open-source tools when they fit the situation.

Many of you reading this are probably on a tight budget for meeting CMMC requirements, and an open-source option is exactly what you need. The good news is that several open-source SIEM solutions are available that are proven to be reliable and effective. If I had to pick an open-source SIEM solution to deploy at an organization with limited IT support, I'd go with Security Onion.

Security Onion has been around since 2009 and has come a long way. They also offer affordable training so you can learn all the ins and outs of the system and its numerous tools since you'll have to manage it.

They also sell hardware with Security Onion pre-installed on it. If you'd like to go that route, they offer support. Yes, that's right, when you get into a bind and don't know what to do, you have someone to reach out to for help, and that, my friends, is a big deal!

Setting Up An Open Source SIEM

If you're interested in learning how to get up and running with Security Onion, I've got a video series at CBT Nuggets titled "Setting Up An Open Source SIEM." In it, I walk through installing Security Onion, deploying host agents, and creating custom reports. This series will get you up and running with Security Onion, so you can take it for a test drive and see if it fits your needs.

As we continue to prepare for CMMC's upcoming audits, you now have a little more insight into whether you'll need a SIEM solution and what options you have. Until next time, keep your defenses up and stay safe!