Security Manager's Journal: Getting the most out of a new SIEM tool
The CIO isn't convinced about the value of investing in a security incident and event management tool.
The CIO continues to question the value of our $250,000 investment in a security incident and event management (SIEM) tool. I want more money in the budget next year to expand SIEM deployment to other areas of the world, and he wants to know what he'll get for that money.
My usual response is that we can better detect malicious activity in the network thanks to the sophisticated correlation rules we can build. But that isn't enough for the CIO, so I've had to think outside of the box.
One idea came to me during a meeting with our enterprise audit and risk director, who mentioned that one of his responsibilities is to audit the financial system. That comment led me to create a rule that keeps track of who logs in to the financial system and what logs are generated when a financial transaction, such as cutting a check or processing a payment for electronic funds transfer, is executed. The rule states that anytime a check is cut to the person who is logged in, or to any existing employee, an alert should be triggered. Another new rule leads to alerts when certain people access the system an unusual number of times per day.
I also turned my attention to domain administrator accounts. Holders of those accounts can, for example, view our CIO's email, calendar and contacts, or look into anyone's file share, PC or Microsoft SharePoint document library. When I first arrived at this company, domain accounts were handed out like lollipops. For example, if you were assigned to the help desk, you automatically got one. You're a new IT manager? Here's a domain account for you. Welcome to the company! I have since put the kibosh on that practice and have implemented requirements for domain account creation, which include my approval. Those measures have helped to decrease domain accounts by 60%. But from time to time, accounts still get created without my approval. I therefore created a rule in our SIEM tool to capture the event ID and data generated when a domain account is created, and to trigger an alert. If I see that there's no approval, then I escalate.
I also saw an opportunity to use the SIEM tool in my efforts to better control resource placement in the DMZ, which refers to the part of our network that faces the Internet. As I've explained before, resources in the DMZ are in the crosshairs of hackers and other malicious types. Though I have been cracking down and rooting out resources that unnecessarily leave us vulnerable, it hasn't been easy to intercept every rogue machine that's placed into one of our many DMZs.
SIEM Eyes the DMZ
The fact that our CIO is highly concerned about the DMZ issue makes the use of SIEM in DMZ monitoring very attractive. So I wrote a rule to detect when a new IP address has been added to the DMZ networks by correlating data with our Nessus scans. If a resource is added without change control or architecture review, then I escalate.
My new rules have given me a more solid answer for the next time the CIO asks me about the return on investment that we're getting from the SIEM deployment. Besides the standard response that we've prevented sensitive data from leaving the company via command-and-control back channels, I can say that we prevented 10 unauthorized servers from being added to his DMZs and prevented four unnecessary users from being able to read his email.
There's no data from the financial system so far, but when there is, I think the CIO will leave me alone.
Join in the discussions about security! computerworld.com/blogs/security
More by Mathias Thurman
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
- Security Manager's Journal: Time to tweak the security policies
- Security Manager's Journal: Found: 30 unmanaged servers that shouldn't be
- Security Manager's Journal: The ins and outs of extending DLP
- Security Manager's Journal: Move to hosted email opens new vulnerabilities
- Security Manager's Journal: Two big goals for 2014 budget won't require a lot of money
- Security Manager's Journal: When data classifications meet the real world
- Security Manager's Journal: Learning to let go and offshore
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts