Ensuring your SIEM system is working optimally

IRCAR201401200

Date: 2014/01/28

SIEM solutions are complex products and usually need sustained effort before they perform well. By design they collect log and event data from many devices, correlate it in near real time and raise alerts on the events they discover.
SIEM is not without its challenges. Organisations are often frustrated by how little a SIEM delivers in its default configuration, yet never invest the time needed to obtain the value a SIEM can provide. Initial deployment is the easy part; reaching the point at which the SIEM delivers clear and substantial results takes time and hard work. The organisation must map the relationships between events and risks and create the required logs, rules and correlations.
Areas that can degrade SIEM performance:
  • Data collection: a balance must be found between collecting, storing and analysing data
  • Data volumes in some organisations are extremely high, and with limited resources data management becomes overwhelming
  • Continually changing user behaviour, e.g. social media, mobile devices and mobile computing
  • Growth in the number of devices and applications in the workplace
  • Management of the monitoring system itself
  • Increasing complexity of security threats
  • Inability to interpret the data
Steps towards achieving better performance
  1. Secure a SIEM team
Your monitoring is only as good as the team the organisation assigns to the SIEM. The team responsible for managing, monitoring and configuring the system and for extracting the required information from the logs must be knowledgeable.
  2. Establish an effective monitoring programme
  • Identify your exposure: have a good understanding of your vulnerabilities and areas of security weakness
  • Focus on the results or information you are trying to retrieve
  • Identify which systems or components to monitor, in order of priority. With such a list, assets in areas of high risk can be monitored first
  • Consider integrating the SIEM with applications
  • Identify early which applications do not generate log data that can be fed into the SIEM; knowing this up front saves a lot of trouble later
  • Identify which events the organisation should be alerted about and what information needs to be known about each asset
  • If you are not getting all the information you need, adjust the system: change logging levels or install additional systems that provide the missing data
  • Ensure you collect data for the range of groups that may benefit from the collected log data
  3. Configuring your SIEM
  • Choose the first asset on the list as the initial setup component; the initial configuration will be the most cumbersome. To configure the asset or group correctly you need a good understanding of the requirements, components and events of that particular group
  • Develop the policies and rules
  • Be prepared for false positives, and plan to tune rules to reduce them
  • Using a group with clear compliance requirements for the initial configuration makes the process a lot easier
  • Determine the events that indicate non-compliance or a breach of policy
  • Leave room to add new SIEM capabilities at a later stage if they become necessary
  4. Analysis
  • Analyse the systems associated with the asset
  • Systematically extract information from logs, event streams and systems to detect security threats, according to the events previously defined as non-compliant or as a breach of security
  • Referential data is as important as real-time data: asset lists, vulnerability scan results and threat intelligence. This data is essential for prioritising events and can save time during an investigation
  • Place emphasis on correlation capabilities, as they can link events that people would not normally associate
  • Once the SIEM has been implemented, periodically reassess the data that is being collected
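As an added example (not part of the original article), the following Python script shows the configuration and analysis steps above in miniature: a parser for sshd-style authentication lines, two correlation rules (a burst of failed logins, and a burst followed by a successful login from the same source), an allowlist that suppresses the false positive an authorised vulnerability scanner would otherwise cause on every scan, and enrichment of each alert with referential data (asset criticality, compliance scope and open vulnerability findings) to compute a priority. All host names, addresses, log lines and referential data are constructed for the example; a real SIEM would pull the referential data from the asset inventory and scanner rather than from literals.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Referential data, constructed for this example (not real hosts or findings).
ASSETS = {
    "srv-db01":  {"criticality": "high",   "compliance": "PCI"},
    "srv-web02": {"criticality": "medium", "compliance": None},
    "dev-box03": {"criticality": "low",    "compliance": None},
}
VULN_FINDINGS = {
    "srv-db01":  ["ssh-password-auth-enabled"],
    "srv-web02": [],
    "dev-box03": ["outdated-openssh"],
}
# Assumed address of the authorised vulnerability scanner: its scans produce
# bursts of failed logins that would otherwise be a guaranteed false positive.
ALLOWLISTED_SOURCES = {"10.0.9.9"}

CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
RULE_SEVERITY = {"failure-burst": 1, "brute-force-success": 3}

# Constructed sshd-style log lines (not real data), already in time order.
SAMPLE_LOGS = """\
2014-01-28T09:00:01 srv-db01 sshd: Failed password for root from 10.0.5.7 port 51001
2014-01-28T09:00:02 srv-web02 sshd: Failed password for alice from 10.0.5.8 port 40001
2014-01-28T09:00:03 srv-db01 sshd: Failed password for root from 10.0.5.7 port 51002
2014-01-28T09:00:04 srv-web02 sshd: Failed password for alice from 10.0.5.8 port 40002
2014-01-28T09:00:05 srv-web02 sshd: Accepted password for alice from 10.0.5.8 port 40003
2014-01-28T09:00:06 srv-db01 sshd: Failed password for root from 10.0.5.7 port 51003
2014-01-28T09:00:07 dev-box03 sshd: Failed password for root from 10.0.9.9 port 33001
2014-01-28T09:00:08 dev-box03 sshd: Failed password for admin from 10.0.9.9 port 33002
2014-01-28T09:00:09 dev-box03 sshd: Failed password for test from 10.0.9.9 port 33003
2014-01-28T09:00:10 srv-db01 sshd: Failed password for root from 10.0.5.7 port 51004
2014-01-28T09:00:11 dev-box03 sshd: Failed password for guest from 10.0.9.9 port 33004
2014-01-28T09:00:12 srv-db01 sshd: this line does not match the pattern
2014-01-28T09:00:15 srv-db01 sshd: Accepted password for root from 10.0.5.7 port 51005
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def enrich(alert):
    """Attach referential data and a priority score to a raw alert."""
    asset = ASSETS.get(alert["host"], {"criticality": "low", "compliance": None})
    findings = VULN_FINDINGS.get(alert["host"], [])
    alert.update(criticality=asset["criticality"],
                 compliance=asset["compliance"], findings=findings)
    alert["priority"] = (RULE_SEVERITY[alert["rule"]]
                         + CRITICALITY_WEIGHT[asset["criticality"]]
                         + (1 if asset["compliance"] else 0)
                         + len(findings))
    return alert


def correlate(lines, threshold=4, window=timedelta(seconds=120)):
    """Run both rules over log lines; return (alerts by priority, suppressed count)."""
    failures = defaultdict(deque)   # (host, src) -> timestamps of recent failures
    alerts, suppressed = [], 0

    def raise_alert(rule, ev):
        nonlocal suppressed
        if ev["src"] in ALLOWLISTED_SOURCES:   # known-benign source: suppress
            suppressed += 1
            return
        alerts.append(enrich({"rule": rule, "host": ev["host"], "src": ev["src"],
                              "user": ev["user"], "time": ev["ts"].isoformat()}))

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[(ev["host"], ev["src"])]
        while q and ev["ts"] - q[0] > window:   # slide the time window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:             # fire once, not on every extra failure
                raise_alert("failure-burst", ev)
        else:                                   # Accepted
            if len(q) >= threshold:
                raise_alert("brute-force-success", ev)
            q.clear()
    alerts.sort(key=lambda a: a["priority"], reverse=True)
    return alerts, suppressed


def run_sample():
    return correlate(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    found, dropped = run_sample()
    for a in found:
        print(a["priority"], a["rule"], a["host"], a["src"], a["findings"])
    print("suppressed:", dropped)
```

In the sample, the two legitimate typos from 10.0.5.8 never reach the threshold, the scanner burst on dev-box03 is suppressed, and the two alerts for srv-db01 sort by priority with the successful brute force first because the host is high-criticality, in PCI scope and carries an open finding.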
Conclusion
The decision to deploy a SIEM depends on a number of factors, including business requirements, the available support personnel, network architecture, maintenance windows and bandwidth. Getting the most out of SIEM technology requires considerable initial effort. A SIEM is only as valuable as the effort put into understanding and using it; without that configuration effort it is merely a log manager. With its ability to automate log monitoring, pattern recognition, alerting, forensics and correlation, SIEM technology is a path to a well-run and mature IT operation.
Created: 18 Mordad 1393 (9 August 2014)