Getting the Most Out of SIEM

The CIO isn't convinced about the value of investing in a security incident and event management tool.

The CIO continues to question the value of our $250,000 investment in a security incident and event management (SIEM) tool. I want more money in the budget next year to expand SIEM deployment to other areas of the world, and he wants to know what he'll get for that money.

My usual response is that we can better detect malicious activity in the network thanks to the sophisticated correlation rules we can build. But that isn't enough for the CIO, so I've had to think outside of the box.

One idea came to me during a meeting with our enterprise audit and risk director, who mentioned that one of his responsibilities is to audit the financial system. That comment led me to create a rule that keeps track of who logs in to the financial system and what logs are generated when a financial transaction, such as cutting a check or processing a payment for electronic funds transfer, is executed. The rule states that anytime a check is cut to the person who is logged in, or to any existing employee, an alert should be triggered. Another new rule leads to alerts when certain people access the system an unusual number of times per day.

I also turned my attention to domain administrator accounts. Holders of those accounts can, for example, view our CIO's email, calendar and contacts, or look into anyone's file share, PC or Microsoft SharePoint document library. When I first arrived at this company, domain accounts were handed out like lollipops. For example, if you were assigned to the help desk, you automatically got one. You're a new IT manager? Here's a domain account for you. Welcome to the company! I have since put the kibosh on that practice and have implemented requirements for domain account creation, which include my approval. Those measures have helped to decrease domain accounts by 60%. But from time to time, accounts still get created without my approval. I therefore created a rule in our SIEM tool to capture the event ID and data generated when a domain account is created, and to trigger an alert. If I see that there's no approval, then I escalate.

I also saw an opportunity to use the SIEM tool in my efforts to better control resource placement in the DMZ, which refers to the part of our network that faces the Internet. As I've explained before, resources in the DMZ are in the crosshairs of hackers and other malicious types. Though I have been cracking down and rooting out resources that unnecessarily leave us vulnerable, it hasn't been easy to intercept every rogue machine that's placed into one of our many DMZs.

SIEM Eyes the DMZ

The fact that our CIO is highly concerned about the DMZ issue makes the use of SIEM in DMZ monitoring very attractive. So I wrote a rule to detect when a new IP address has been added to the DMZ networks by correlating data with our Nessus scans. If a resource is added without change control or architecture review, then I escalate.

My new rules have given me a more solid answer for the next time the CIO asks me about the return on investment that we're getting from the SIEM deployment. Besides the standard response that we've prevented sensitive data from leaving the company via command-and-control back channels, I can say that we prevented 10 unauthorized servers from being added to his DMZs and prevented four unnecessary users from being able to read his email.

There's no data from the financial system so far, but when there is, I think the CIO will leave me alone.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Join in the discussions about security!

Join the discussion
Be the first to comment on this article. Our Commenting Policies