- At issue: Hanging over a SIEM deployment is the knowledge that such projects fail fairly often.
- Action plan: Tune the tool very carefully, keeping in mind that there's only one analyst available to administer, configure, manage and monitor the SIEM tool once it's deployed.
Security Manager's Journal: Buried in SIEM configuration
The first rule in deploying a security incident and event management tool: Don't make assumptions.
Computerworld - I mentioned in my previous column that in my new job, I inherited a project to implement a security incident and event management (SIEM) tool. In response, several readers e-mailed to tell me about their experiences. Here's what I've learned in tackling this project over the past couple of weeks.
There are a few different ways to use SIEM. It can alert you to anomalous behavior and malicious code. By pulling in data from our antivirus scanning management console, our patch management reporting tools and our DNS, DHCP, switch and firewall logs, SIEM can quickly alert us, for example, that a particular unpatched system is infected and even identify which switch port it is connected to. SIEM can also be an investigative tool, providing additional information when an intrusion-detection tool logs an event. And a SIEM tool can be used for asset management, detecting the addition to the network of things like unauthorized virtual servers or the activation of unauthorized services such as FTP.
But with SIEM, you get out of the tool only as much as you put into it, and you have to spend a considerable amount of time figuring out what exactly you want this new contraption to do for you. The failed SIEM deployments that I've seen were victims of poor planning.
The first rule to acknowledge is that you just can't make assumptions. For example, we assumed that by pointing the logs of our domain controllers to the SIEM tool, we would be able to obtain logs related to employees' log-in and log-off data. That didn't happen, and we ended up scratching our heads. As it turns out, unless you've properly configured the audit policy setting on a domain controller, you're not going to see those logs. And Windows domain controllers offer 16 different options just for DNS logging.
The Cost Factor
Assumptions can also be costly. Many SIEM licenses are based on events per second. You may run into license limits and budget overruns later on if you find that you need to enable a bunch of logs that you had assumed you were already collecting. And, of course, you wouldn't have accounted for those newly enabled logs during rule configuration, which means you may need to revisit your rules. You can see how easy it is for a SIEM deployment to fail.
SIEM tools also require a lot of tuning. You have to build your rules with care, manage false positives and classify assets properly. We keep making some progress in these areas and then having to backtrack when we discover that we have made yet another assumption that needs correction. It's quite frustrating.
Take asset identification. We initially enabled the SIEM tool with default rules and discovered that we had about 35 DHCP servers, 60 DNS servers, hundreds of Web and FTP servers, and all sorts of devices claiming to be routers, mail servers and other types of equipment. It can be tough to get a handle on everything we have and what it's doing, especially with virtual machines seeming to spin up on an hourly basis and a plethora of third-party networks created as a result of partnerships, mergers and remote offices being connected to the corporate network.
To participate in further discussions about security, go to computerworld.com/blogs/security.
A critical factor in our deployment planning is that I have only one analyst to administer, configure, manage and monitor the SIEM tool. That lack of human resources will greatly influence how we finally tune it. I hope that as time goes by, I'll be able to justify additional analyst head count and significantly expand the scope of our SIEM setup.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
More by Mathias Thurman
- Security Manager's Journal: Taking steps to better lock down the network
- Security Manager's Journal: Dealing with the heartburn of Heartbleed
- Security Manager's Journal: A deal that's too good to be true
- Security Manager's Journal: Virtual machines, real mess
- Security Manager's Journal: Stopping vendors from making us a Target
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
- Security Manager's Journal: Time to tweak the security policies
Read more about Security in Computerworld's Security Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!