Once the new SIEM is selected, it's time to prepare for the migration. The first step is to inventory the data sources and determine the ingestion method the new SIEM will use for each one, which could be API, syslog, SNMP or another integration. The organization must confirm that every data source is supported by the new SIEM (including the parsers for its log formats) and that data ingestion is automated as far as possible, so that no source silently stops flowing after the cut-over.
Next, the organization should set up the new SIEM environment, including the hardware and software infrastructure. This should include data retention policies, data security, backup and recovery procedures, access controls, and other security measures.
Finally, all existing content should be reviewed for migration. Dashboards, reports and tuned rules should be assessed for whether they are still relevant to the organization's current risk profile and whether they actually produce the outcomes they were written for. Not all content needs to be migrated. In fact, in most cases only a fraction of the content needs to be moved, because threats change continuously and much of the accumulated content no longer earns its keep.
Migrating data
The main phase of the migration is data migration, which involves exporting data from the old SIEM, transforming it into the new SIEM's format, and importing it into the new system. For some organizations this phase is optional: the existing SIEM and its logs can be kept for historical purposes, or the logs already live in some form of data lake. For others it will be essential to migrate all of the data and then verify its quality, checking that record counts and key fields match on both sides. If a full export is prohibitively expensive, one option is to export only the alerts and incidents from the last 30 days, so that current work is preserved and open investigations can continue in the new system.
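As an added illustration (not code from the original article or from any SIEM vendor), the script below walks the export, transform, import and verify steps on a constructed JSON-lines export. The old and new field names, the severity scale and the sample records are all assumptions made up for the example; the points that carry over to a real migration are the unmapped-field bucket, the normalized timestamps, the 30-day alert filter, and the reconciliation check that fails if anything is lost or duplicated.

```python
"""Export -> transform -> verify for a SIEM migration (illustrative only)."""
import hashlib
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export from a hypothetical old SIEM: JSON lines with
# vendor-style field names. Nothing here comes from a real product.
OLD_EXPORT = """\
{"_time": "1712000000", "kind": "event", "sensor": "fw-edge-1", "src": "10.0.0.5", "dst": "10.0.0.9", "act": "login-failure", "sev": "3"}
{"_time": "1712000060", "kind": "event", "sensor": "fw-edge-1", "src": "10.0.0.5", "dst": "10.0.0.9", "act": "login-failure", "sev": "3"}
{"_time": "1712000120", "kind": "event", "sensor": "fw-edge-1", "src": "10.0.0.5", "dst": "10.0.0.9", "act": "login-success", "sev": "1"}
{"_time": "1712000200", "kind": "alert", "sensor": "correlation", "name": "Failed logins then success", "sev": "5", "status": "open"}
{"_time": "1700000000", "kind": "alert", "sensor": "correlation", "name": "Stale closed alert", "sev": "2", "status": "closed"}
"""

# Old-field -> new-field mapping for the hypothetical destination schema.
FIELD_MAP = {"sensor": "observer.name", "src": "source.ip", "dst": "destination.ip",
             "act": "event.action", "name": "rule.name", "status": "alert.status"}
SEVERITY_MAP = {"1": "low", "2": "low", "3": "medium", "4": "high", "5": "critical"}
REQUIRED = ("@timestamp", "event.kind", "observer.name")


def parse_export(text):
    """Parse a JSON-lines export; a malformed line is an error, not a silent skip."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
    return records


def _to_iso(epoch):
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat().replace("+00:00", "Z")


def _from_iso(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def transform(old):
    """Map one old record into the new schema. Unmapped fields are kept under
    'legacy' so nothing is dropped silently; timestamps become ISO 8601 UTC."""
    new = {"legacy": {}}
    for key, value in old.items():
        if key == "_time":
            new["@timestamp"] = _to_iso(value)
        elif key == "kind":
            new["event.kind"] = value
        elif key == "sev":
            new["event.severity"] = SEVERITY_MAP.get(value, "unknown")
        elif key in FIELD_MAP:
            new[FIELD_MAP[key]] = value
        else:
            new["legacy"][key] = value
    missing = [f for f in REQUIRED if f not in new]
    if missing:
        raise ValueError(f"record missing required fields {missing}: {old}")
    return new


def recent_alerts(new_records, now_iso, days=30):
    """The cheap option from the text: keep only alerts from the last N days."""
    cutoff = _from_iso(now_iso) - timedelta(days=days)
    return [r for r in new_records
            if r["event.kind"] == "alert" and _from_iso(r["@timestamp"]) >= cutoff]


def reconcile(old_records, new_records):
    """Verify nothing was lost or duplicated: per-(sensor, kind) counts and a
    digest over every record's identity must match on both sides."""
    old_counts = Counter(f'{r["sensor"]}/{r["kind"]}' for r in old_records)
    new_counts = Counter(f'{r["observer.name"]}/{r["event.kind"]}' for r in new_records)
    old_fps = sorted(f'{int(r["_time"])}|{r["kind"]}|{r["sensor"]}' for r in old_records)
    new_fps = sorted(f'{int(_from_iso(r["@timestamp"]).timestamp())}|{r["event.kind"]}|{r["observer.name"]}'
                     for r in new_records)
    old_digest = hashlib.sha256("\n".join(old_fps).encode()).hexdigest()
    new_digest = hashlib.sha256("\n".join(new_fps).encode()).hexdigest()
    return {"ok": old_counts == new_counts and old_digest == new_digest,
            "missing": dict(old_counts - new_counts), "extra": dict(new_counts - old_counts),
            "old_digest": old_digest, "new_digest": new_digest}


def migrate(text):
    """Full pipeline on an export string: returns (old, new, reconciliation report)."""
    old = parse_export(text)
    new = [transform(r) for r in old]
    return old, new, reconcile(old, new)


if __name__ == "__main__":
    old, new, report = migrate(OLD_EXPORT)
    print(json.dumps(report, indent=2))
    print(len(recent_alerts(new, "2024-04-05T00:00:00Z")), "alert(s) in the 30-day window")
```

The reconciliation digest is computed from fields that survive the transform unchanged (timestamp, kind, sensor) rather than from raw bytes, because the raw bytes legitimately change during transformation; what must not change is the set of records. Run the same check per data source on the real migration so a single broken parser shows up as a count mismatch for that source instead of being hidden in an aggregate total.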
Testing
After the data migration phase, it is essential to test the new system end to end rather than assume it works. Testing should cover the new system's performance, the automation of data collection, parsing, analysis and reporting, its configurability, and its scalability. It should include stress testing, load testing, failover testing, and any other tests relevant to the organization's needs, such as replaying known-bad log samples to confirm that the migrated detections still fire.
Go-live
Once testing is complete and everything is deemed to be working correctly, it's time to deploy the new SIEM in production. During this phase the organization should monitor the system's performance, confirm that alarms and alerts fire as expected, and verify that all data collection and analysis run fully automated. All playbooks should be exercised so that workflows are validated against the real-world scenarios the SOC will face rather than assumed to work.
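One way to turn "confirm that alerts fire" into a repeatable check is a replay harness: feed constructed attack and benign sequences through a migrated detection and assert on the number of alerts. The block below is an added example, not the article's code or any product's rule engine; the rule (five login failures from one source within five minutes, followed by a success) and the replay samples are assumptions made up for the illustration. It also covers the edge cases a port of a rule tends to get wrong: out-of-order delivery, a near miss under the threshold, and failures spread wider than the window.

```python
"""Replay-based validation of a migrated detection rule (illustrative only)."""
from collections import defaultdict, deque

# Constructed replay samples as (epoch seconds, source ip, action). Not real logs.
ATTACK_REPLAY = [(1712000000 + 20 * i, "10.0.0.5", "login-failure") for i in range(5)]
ATTACK_REPLAY.append((1712000100, "10.0.0.5", "login-success"))

BENIGN_REPLAY = [(1712000000, "10.0.0.7", "login-failure"),
                 (1712000010, "10.0.0.7", "login-success"),
                 (1712001000, "10.0.0.7", "login-failure")]

NEAR_MISS_REPLAY = [(1712000000 + 20 * i, "10.0.0.8", "login-failure") for i in range(4)]
NEAR_MISS_REPLAY.append((1712000100, "10.0.0.8", "login-success"))

# Five failures, but 120 s apart: they never fit inside a 300 s window.
SLOW_REPLAY = [(1712000000 + 120 * i, "10.0.0.9", "login-failure") for i in range(5)]
SLOW_REPLAY.append((1712000600, "10.0.0.9", "login-success"))


def brute_force_then_success(events, threshold=5, window=300):
    """Hypothetical correlation rule: at least `threshold` login failures from one
    source within `window` seconds, followed by a success from the same source.
    Events are sorted by time first so out-of-order delivery does not break it."""
    failures = defaultdict(deque)
    alerts = []
    for ts, src, action in sorted(events):
        q = failures[src]
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if action == "login-failure":
            q.append(ts)
        elif action == "login-success" and len(q) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "source.ip": src,
                           "@timestamp": ts, "failures": len(q)})
            q.clear()                     # one alert per burst, not one per success
    return alerts


# scenario -> (events, expected alert count)
SCENARIOS = {
    "attack": (ATTACK_REPLAY, 1),
    "attack_out_of_order": (list(reversed(ATTACK_REPLAY)), 1),
    "benign": (BENIGN_REPLAY, 0),
    "near_miss": (NEAR_MISS_REPLAY, 0),
    "slow_spread": (SLOW_REPLAY, 0),
}


def run_replay_tests(rule=brute_force_then_success, scenarios=SCENARIOS):
    """Run every scenario through the rule; returns {scenario: (passed, got, expected)}."""
    results = {}
    for name, (events, expected) in scenarios.items():
        got = len(rule(events))
        results[name] = (got == expected, got, expected)
    return results


def all_passed(results):
    return all(passed for passed, _, _ in results.values())


if __name__ == "__main__":
    results = run_replay_tests()
    for name, (passed, got, expected) in results.items():
        print(f"{'PASS' if passed else 'FAIL'} {name}: got {got}, expected {expected}")
    print("all passed" if all_passed(results) else "some scenarios failed")
```

The same harness can be pointed at the old SIEM's rule and the new one's: run both over the same replay set and compare the two result tables. A scenario that alerts on one side and not the other is exactly the kind of silent detection gap the go-live phase is meant to catch before the old system is switched off.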
Conclusion
Migrating from one SIEM to another is a complex and challenging undertaking, but if executed properly it can deliver significant benefits: an improved security posture, better performance, scalability and flexibility. It is essential to involve all stakeholders, assign roles and responsibilities, and plan and test the migration thoroughly so that the cut-over does not open a gap in the organization's detection coverage.