Security Manager's Journal: Getting the most out of a new SIEM tool
The CIO isn't convinced about the value of investing in a security incident and event management tool.
The CIO continues to question the value of our $250,000 investment in a security incident and event management (SIEM) tool. I want more money in the budget next year to expand SIEM deployment to other areas of the world, and he wants to know what he'll get for that money.
My usual response is that we can better detect malicious activity in the network thanks to the sophisticated correlation rules we can build. But that isn't enough for the CIO, so I've had to think outside of the box.
One idea came to me during a meeting with our enterprise audit and risk director, who mentioned that one of his responsibilities is to audit the financial system. That comment led me to create a rule that keeps track of who logs in to the financial system and what logs are generated when a financial transaction, such as cutting a check or processing a payment for electronic funds transfer, is executed. The rule states that anytime a check is cut to the person who is logged in, or to any existing employee, an alert should be triggered. Another new rule leads to alerts when certain people access the system an unusual number of times per day.
I also turned my attention to domain administrator accounts. Holders of those accounts can, for example, view our CIO's email, calendar and contacts, or look into anyone's file share, PC or Microsoft SharePoint document library. When I first arrived at this company, domain accounts were handed out like lollipops. For example, if you were assigned to the help desk, you automatically got one. You're a new IT manager? Here's a domain account for you. Welcome to the company! I have since put the kibosh on that practice and have implemented requirements for domain account creation, which include my approval. Those measures have helped to decrease domain accounts by 60%. But from time to time, accounts still get created without my approval. I therefore created a rule in our SIEM tool to capture the event ID and data generated when a domain account is created, and to trigger an alert. If I see that there's no approval, then I escalate.
I also saw an opportunity to use the SIEM tool in my efforts to better control resource placement in the DMZ, which refers to the part of our network that faces the Internet. As I've explained before, resources in the DMZ are in the crosshairs of hackers and other malicious types. Though I have been cracking down and rooting out resources that unnecessarily leave us vulnerable, it hasn't been easy to intercept every rogue machine that's placed into one of our many DMZs.
SIEM Eyes the DMZ
The fact that our CIO is highly concerned about the DMZ issue makes the use of SIEM in DMZ monitoring very attractive. So I wrote a rule to detect when a new IP address has been added to the DMZ networks by correlating data with our Nessus scans. If a resource is added without change control or architecture review, then I escalate.
My new rules have given me a more solid answer for the next time the CIO asks me about the return on investment that we're getting from the SIEM deployment. Besides the standard response that we've prevented sensitive data from leaving the company via command-and-control back channels, I can say that we prevented 10 unauthorized servers from being added to his DMZs and prevented four unnecessary users from being able to read his email.
There's no data from the financial system so far, but when there is, I think the CIO will leave me alone.
Join in the discussions about security! computerworld.com/blogs/security
More by Mathias Thurman
- Security Manager's Journal: Stopping vendors from making us a Target
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
- Security Manager's Journal: Time to tweak the security policies
- Security Manager's Journal: Found: 30 unmanaged servers that shouldn't be
- Security Manager's Journal: The ins and outs of extending DLP
- Security Manager's Journal: Move to hosted email opens new vulnerabilities
- Security Manager's Journal: Two big goals for 2014 budget won't require a lot of money
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts