Does CMMC Require A SIEM?
If you're reading this, then you're probably a DOD contractor who's preparing for CMMC and I'm guessing you've got just about as many questions as the rest of us do regarding CMMC. I've read through all of the CMMC capabilities and processes and they don’t specifically state that a SIEM (Security Information and Event Management) system is required. However, from the sounds of some of the requirements, it sounds an awful lot like they're saying "SIEM" without saying "SIEM" if you know what I mean.
What is a SIEM?
If you're not already familiar with a SIEM, it's a system that you send your logs to (operating system logs, network device logs, firewall logs, etc) and it analyzes them, sends out alerts, and allows you to create reports. A SIEM is really the only way to properly analyze system logs. Within CMMC, once we get to level three we see that log collection and analysis start to reveal themselves. For example, AU.3.048 says you should collect your audit logs into one or more central repositories, sounds like a SIEM to me. Then AU3.051 talks about needing to correlate audit log review, analysis, and report on audit logs collectively. The keyword there is "collectively" because without analyzing all the logs in a centralized manner, you're going to have a hard time performing a correlation between events from various systems. Again, sounds like a SIEM to me!
At this point, I see smoke, and where there’s smoke, there's fire. Which in this case means, a SIEM solution. So the next question is, what are my options when it comes to a SIEM solution.
3 Options for SIEM Solutions for CMMC
You have three options when looking for SIEM solutions: purchase, subscribe or build. There are advantages and disadvantages to each option based on your budget and requirements.
Option 1: Purchase a Commercial SIEM Solution
Purchasing a commercial SIEM can be hit and miss, to be honest. I say this because you really have to vet the product and make sure it will do everything you need because once you make the capital investment into the product, you're stuck with it, unless you don't mind wasting money. You will need to purchase training and spend the time necessary to train on the product so that your team can efficiently manage the platform. There will also be an annual support agreement to budget for and be careful of limitations of these products, such as limits put on the amount of data they will process in a given time period. As your environment grows you may need to consider the costs to upgrade the SIEM to support the additional data from new systems.
Pros of a Commercial SIEM:
There are lots of vendors to choose from
It's less costly than a SIEM service (most of the time)
Cons of a Commercial SIEM:
Your internal team must manage the system
You'll need to provide compute resources to host it on
Training can be expensive and extensive
Option 2: Subscribe to SIEM-as-a-Service
SIEM-as-a-service is definitely the easiest to get up and running. Some benefits of this are that there are usually no up-front costs and it is a month-to-month operational expenditure. Since this is a hosted service you won't need to provide compute resources so you're not looking at any hardware upgrades to support it. Another nice thing is that the vendor team will manage the system and provide you with reports and alerts, which means you won't need the level of training that you would with a commercial SIEM product. The downside is that these services are usually more expensive than a commercial SIEM solution, but that may not be true if you have to hire personnel to manage a commercial SIEM product. The last thing to consider is that you're sending log data offsite so you'll want to ensure you have adequate bandwidth and you'll want to verify how the vendor is storing the data and that they are following security best practices since they are housing some of your sensitive data.
Pros of SIEM-as-a-Service
You don't need to provide compute resources
Your internal team doesn't manage the system
Cons of SIEM-as-a-Service
It's usually the most expensive option
Added risk by sending your log data off-site
Option 3: Deploy and Manage an Open Source SIEM
Going with an open-source SIEM solution is going to be the most cost-effective SIEM solution. However, you will need to provide compute resources and people to manage the solution, just as you do with a commercial product. The key to going with open-source is oftentimes convincing executives that it's a sound decision. To do this you'll need to find an open-source project that's been around for a while and that provides paid support services, preferably with some sort of a Service Level Agreement (SLA). With an open-source solution, you need to ensure adequate training is available. This means more than a few online videos from various users, but honest-to-goodness training from the makers of the product. This way you are getting the training straight from the horse's mouth and not someone else’s opinion on how it works. Lastly, open-source projects are often more secure than closed-source commercial products because of the number of developers reviewing the code, and that's always a win!
Pros of Open Source SIEMs
Least costly of all the options
Open-source products tend to be more secure than commercial products simply because of the number of people looking and reviewing the code
Cons of Open Source SIEMs
Support may not be available, other than community support
Deep dive training may not be available
How to Choose a SIEM
Now you need to decide what works best for you. A little full disclosure here, I built a SIEM solution out of open source projects and it was used (actually still is used) to provide security services to many clients at a previous employer of mine. That being said, I'm a huge proponent of using open source tools when they're the right fit for the situation.
Many of you reading this are probably on a tight budget for meeting CMMC requirements and an open-source option is exactly what you need. The good news is, there are several open-source SIEM solutions available that are proven to be reliable and effective. If I had to pick an open-source SIEM solution to deploy at an organization with limited IT support I'd go with Security Onion.
Security Onion has been around since 2009 and has come a long way. They also offer affordable training so you can learn all the in's and out's of the system and its numerous tools since you'll have to manage the system. They also sell hardware with Security Onion pre-installed on it if you'd like to go that route and they offer support. Yes, that's right, when you get into a bind and don't know what to do, you have someone to reach out to for help, and that my friends, is a big deal!
Setting Up An Open Source SIEM
If you're interested in learning how to get up and running with security onion I've got a video series at CBT Nuggets titled "Setting Up An Open Source SIEM" where I walk through installing Security Onion, deploying host agents, and creating custom reports. This series will get you up and running with Security Onion so you can take it for a test drive and see if it fits your needs.
As we continue to prepare for CMMC's upcoming audits, you now have a little more insight as to whether or not you'll need a SIEM solution and what options you have. Until next time, keep your defenses up and stay safe!