- At issue: Hanging over a SIEM deployment is the knowledge that such projects fail fairly often.
- Action plan: Tune the tool very carefully, keeping in mind that there's only one analyst available to administer, configure, manage and monitor the SIEM tool once it's deployed.
Security Manager's Journal: Buried in SIEM configuration
The first rule in deploying a security incident and event management tool: Don't make assumptions.
Computerworld - I mentioned in my previous column that in my new job, I inherited a project to implement a security incident and event management (SIEM) tool. In response, several readers e-mailed to tell me about their experiences. Here's what I've learned in tackling this project over the past couple of weeks.
There are a few different ways to use SIEM. It can alert you to anomalous behavior and malicious code. By pulling in data from our antivirus scanning management console, our patch management reporting tools and our DNS, DHCP, switch and firewall logs, SIEM can quickly alert us, for example, that a particular unpatched system is infected and even identify which switch port it is connected to. SIEM can also be an investigative tool, providing additional information when an intrusion-detection tool logs an event. And a SIEM tool can be used for asset management, detecting the addition to the network of things like unauthorized virtual servers or the activation of unauthorized services such as FTP.
But with SIEM, you get out of the tool only as much as you put into it, and you have to spend a considerable amount of time figuring out what exactly you want this new contraption to do for you. The failed SIEM deployments that I've seen were victims of poor planning.
The first rule to acknowledge is that you just can't make assumptions. For example, we assumed that by pointing the logs of our domain controllers to the SIEM tool, we would be able to obtain logs related to employees' log-in and log-off data. That didn't happen, and we ended up scratching our heads. As it turns out, unless you've properly configured the audit policy setting on a domain controller, you're not going to see those logs. And Windows domain controllers offer 16 different options just for DNS logging.
The Cost Factor
Assumptions can also be costly. Many SIEM licenses are based on events per second. You may run into license limits and budget overruns later on if you find that you need to enable a bunch of logs that you had assumed you were already collecting. And, of course, you wouldn't have accounted for those newly enabled logs during rule configuration, which means you may need to revisit your rules. You can see how easy it is for a SIEM deployment to fail.
SIEM tools also require a lot of tuning. You have to build your rules with care, manage false positives and classify assets properly. We keep making some progress in these areas and then having to backtrack when we discover that we have made yet another assumption that needs correction. It's quite frustrating.
Take asset identification. We initially enabled the SIEM tool with default rules and discovered that we had about 35 DHCP servers, 60 DNS servers, hundreds of Web and FTP servers, and all sorts of devices claiming to be routers, mail servers and other types of equipment. It can be tough to get a handle on everything we have and what it's doing, especially with virtual machines seeming to spin up on an hourly basis and a plethora of third-party networks created as a result of partnerships, mergers and remote offices being connected to the corporate network.
To participate in further discussions about security, go to computerworld.com/blogs/security.
A critical factor in our deployment planning is that I have only one analyst to administer, configure, manage and monitor the SIEM tool. That lack of human resources will greatly influence how we finally tune it. I hope that as time goes by, I'll be able to justify additional analyst head count and significantly expand the scope of our SIEM setup.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.
More by Mathias Thurman
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
- Security Manager's Journal: Time to tweak the security policies
- Security Manager's Journal: Found: 30 unmanaged servers that shouldn't be
- Security Manager's Journal: The ins and outs of extending DLP
- Security Manager's Journal: Move to hosted email opens new vulnerabilities
- Security Manager's Journal: Two big goals for 2014 budget won't require a lot of money
- Security Manager's Journal: When data classifications meet the real world
- Security Manager's Journal: Learning to let go and offshore
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts