Security Manager's Journal: Getting the most out of a new SIEM tool
The CIO isn't convinced about the value of investing in a security incident and event management tool.
The CIO continues to question the value of our $250,000 investment in a security incident and event management (SIEM) tool. I want more money in the budget next year to expand SIEM deployment to other areas of the world, and he wants to know what he'll get for that money.
My usual response is that we can better detect malicious activity in the network thanks to the sophisticated correlation rules we can build. But that isn't enough for the CIO, so I've had to think outside of the box.
One idea came to me during a meeting with our enterprise audit and risk director, who mentioned that one of his responsibilities is to audit the financial system. That comment led me to create a rule that keeps track of who logs in to the financial system and what logs are generated when a financial transaction, such as cutting a check or processing a payment for electronic funds transfer, is executed. The rule states that anytime a check is cut to the person who is logged in, or to any existing employee, an alert should be triggered. Another new rule leads to alerts when certain people access the system an unusual number of times per day.
I also turned my attention to domain administrator accounts. Holders of those accounts can, for example, view our CIO's email, calendar and contacts, or look into anyone's file share, PC or Microsoft SharePoint document library. When I first arrived at this company, domain accounts were handed out like lollipops. For example, if you were assigned to the help desk, you automatically got one. You're a new IT manager? Here's a domain account for you. Welcome to the company! I have since put the kibosh on that practice and have implemented requirements for domain account creation, which include my approval. Those measures have helped to decrease domain accounts by 60%. But from time to time, accounts still get created without my approval. I therefore created a rule in our SIEM tool to capture the event ID and data generated when a domain account is created, and to trigger an alert. If I see that there's no approval, then I escalate.
I also saw an opportunity to use the SIEM tool in my efforts to better control resource placement in the DMZ, which refers to the part of our network that faces the Internet. As I've explained before, resources in the DMZ are in the crosshairs of hackers and other malicious types. Though I have been cracking down and rooting out resources that unnecessarily leave us vulnerable, it hasn't been easy to intercept every rogue machine that's placed into one of our many DMZs.
SIEM Eyes the DMZ
The fact that our CIO is highly concerned about the DMZ issue makes the use of SIEM in DMZ monitoring very attractive. So I wrote a rule to detect when a new IP address has been added to the DMZ networks by correlating data with our Nessus scans. If a resource is added without change control or architecture review, then I escalate.
My new rules have given me a more solid answer for the next time the CIO asks me about the return on investment that we're getting from the SIEM deployment. Besides the standard response that we've prevented sensitive data from leaving the company via command-and-control back channels, I can say that we prevented 10 unauthorized servers from being added to his DMZs and prevented four unnecessary users from being able to read his email.
There's no data from the financial system so far, but when there is, I think the CIO will leave me alone.
Join in the discussions about security! computerworld.com/blogs/security
More by Mathias Thurman
- Security Manager's Journal: A ransomware flop, thanks to security awareness
- Security Manager's Journal: Taking steps to better lock down the network
- Security Manager's Journal: Dealing with the heartburn of Heartbleed
- Security Manager's Journal: A deal that's too good to be true
- Security Manager's Journal: Virtual machines, real mess
- Security Manager's Journal: Stopping vendors from making us a Target
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
Read more about Security in Computerworld's Security Topic Center.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!