"Lots of folks confuse bad management with destiny."
SIEM (SECURITY INFORMATION & EVENT MANAGEMENT) collects and analyzes events from as many sources as possible - DLP systems, IPS, routers, firewalls, user workstations, servers and so on. Practical examples of threats that can be identified reliably only by correlating such sources in a SIEM:
- APT attacks - relevant for companies holding valuable information. A SIEM is perhaps the only way to detect the beginning of such an attack: while reconnoitering the infrastructure, attackers generate traffic at different points of the network, and only a correlation engine that sees events from all of those points can tie the activity together
- Detection of anomalies in the network and on individual nodes whose analysis is out of reach for any single system
- Response to emergencies and to sudden changes in user behavior
The principle of "set up and forget" does not apply. Absolute protection does not exist, and the most unlikely risks can materialize, stop the business and cause huge financial losses. Any software or hardware may fail or be configured incorrectly - and let the threat through.
- Regulatory mandates require log management to maintain an audit trail of activity. SIEMs provide a mechanism to deploy a log collection infrastructure rapidly and easily. Alerting and correlation capabilities also satisfy routine log data review requirements, and SIEM reporting capabilities provide audit support
- A SIEM can pull data from disparate systems into a single pane of glass, allowing efficient cross-team collaboration in very large enterprises
- By correlating process activity and network connections reported by host machines, a SIEM can detect attacks without ever inspecting packets or payloads - which matters when the traffic itself is encrypted
- SIEMs store and protect historical logs, and provide tools to quickly navigate and correlate the data, which allows rapid and thorough forensic investigations; whether the evidence is admissible in court also depends on the log integrity and chain-of-custody controls around the SIEM, not on the product alone
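The two cases above - reconnaissance spread across several sensors (the APT bullet) and host process activity tied to a following network connection (the host bullet) - come down to correlation rules over normalized events. The script below is an added example, not code from the original page or from any SIEM product; the "<sensor> <timestamp> <TYPE> k=v ..." log shape, the sensor names, addresses, time windows, thresholds and process lists are all constructed assumptions chosen to show the two rules firing.

```python
"""Toy multi-source correlation engine (added example, constructed data).

Rule "recon":       one external source touches many distinct internal
                    (dst, port) targets, seen by more than one sensor,
                    inside a sliding time window.
Rule "host_beacon": a script host spawned by an Office process is followed,
                    within a short window, by an outbound connection from the
                    same host. No packet or payload is inspected.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RECON_WINDOW = timedelta(minutes=5)      # assumed thresholds, tune per environment
RECON_MIN_TARGETS = 5
RECON_MIN_SENSORS = 2
BEACON_WINDOW = timedelta(seconds=60)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed sample lines in one normalized shape; a real SIEM would first
# map each vendor's native format into something like this.
SAMPLE_LOGS = [
    "fw-dmz 2024-03-01T10:00:01Z DENY src=203.0.113.7 dst=10.0.1.10 dport=22",
    "fw-dmz 2024-03-01T10:00:02Z DENY src=203.0.113.7 dst=10.0.1.11 dport=22",
    "fw-core 2024-03-01T10:00:40Z DENY src=203.0.113.7 dst=10.0.2.5 dport=445",
    "fw-core 2024-03-01T10:00:41Z DENY src=203.0.113.7 dst=10.0.2.6 dport=445",
    "fw-branch 2024-03-01T10:01:30Z DENY src=203.0.113.7 dst=10.0.9.2 dport=3389",
    "fw-dmz 2024-03-01T10:02:00Z ALLOW src=198.51.100.20 dst=10.0.1.10 dport=443",
    "edr 2024-03-01T10:05:00Z PROCESS_CREATE host=ws-17 user=alice parent=WINWORD.EXE image=powershell.exe",
    "edr 2024-03-01T10:05:12Z NET_CONNECT host=ws-17 dst=198.51.100.9 dport=443",
    "edr 2024-03-01T10:30:00Z PROCESS_CREATE host=ws-22 user=bob parent=explorer.exe image=cmd.exe",
    "edr 2024-03-01T10:30:05Z NET_CONNECT host=ws-22 dst=10.0.1.10 dport=445",
]


def parse(line):
    """Split one normalized line into a flat event dict with a UTC datetime."""
    sensor, ts, kind, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"sensor": sensor, "ts": when, "type": kind, **fields}


def detect_recon(events):
    """Per source IP, slide a time window and count distinct targets/sensors."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] in ("DENY", "ALLOW"):
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > RECON_WINDOW:
                start += 1                      # drop events older than the window
            window = evs[start:end + 1]
            targets = {(w["dst"], w["dport"]) for w in window}
            sensors = {w["sensor"] for w in window}
            if len(targets) >= RECON_MIN_TARGETS and len(sensors) >= RECON_MIN_SENSORS:
                alerts.append({"rule": "recon", "src": src,
                               "targets": len(targets), "sensors": sorted(sensors)})
                break                           # one alert per source in this toy
    return alerts


def detect_host_beacon(events):
    """Office -> script host process creation followed by an outbound connect."""
    procs = [e for e in events if e["type"] == "PROCESS_CREATE"]
    conns = [e for e in events if e["type"] == "NET_CONNECT"]
    alerts = []
    for p in procs:
        if p["parent"].lower() not in OFFICE_PARENTS or p["image"].lower() not in SCRIPT_HOSTS:
            continue
        for c in conns:
            if c["host"] == p["host"] and timedelta(0) <= c["ts"] - p["ts"] <= BEACON_WINDOW:
                alerts.append({"rule": "host_beacon", "host": p["host"], "user": p["user"],
                               "image": p["image"], "dst": c["dst"]})
                break
    return alerts


def run(lines):
    """Parse all lines once, then run every rule over the shared event list."""
    events = [parse(line) for line in lines]
    return detect_recon(events) + detect_host_beacon(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

Note that neither rule would fire from a single source: each firewall alone sees only one or two probes, and the EDR process event by itself is a common false positive until it is joined with the connection that follows it. That join across sources is the point of the SIEM.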
Tasks of SIEM:
- Analysis of events and generation of alerts on network traffic anomalies, unexpected user actions, unidentified devices, etc.
- Creation of reports, including ones customized for your needs: for example, a daily incident report, a weekly top-10 violators report, a device performance report, etc. Reports are configured flexibly according to their recipients
- Monitoring of events from devices, servers and mission-critical systems, with appropriate notifications
- Retention of all events for gathering evidence, analyzing attack vectors, etc.
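As an added example of the first two tasks (alerting on unexpected user actions and sudden changes in behavior, and the top violators report), the script below learns a per-user baseline from past logons and flags deviations in new ones. It is not code from the original page or from any vendor; the logon records, the hour-of-day and source-host baseline, the adjacent-hour tolerance and the failure thresholds are all constructed assumptions.

```python
"""Baseline-and-deviation rule for user logons plus a top-violators report
(added example, constructed data).

Baseline: per user, the source hosts and hours of day seen in successful
logons during a learning period. Deviations flagged on new successes:
  - logon from a host never seen for that user
  - logon at an hour not within +-1 of any baseline hour
  - success preceded by a burst of failures (possible password guessing)
  - user with no baseline at all (new or never-seen account)
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample records: (user, iso timestamp, source host, outcome)
BASELINE_RECORDS = [
    ("alice", "2024-02-19T08:55:00Z", "ws-17", "success"),
    ("alice", "2024-02-20T09:05:00Z", "ws-17", "success"),
    ("alice", "2024-02-21T09:10:00Z", "ws-17", "success"),
    ("alice", "2024-02-22T08:50:00Z", "ws-17", "success"),
    ("bob", "2024-02-19T10:00:00Z", "ws-22", "success"),
    ("bob", "2024-02-20T18:30:00Z", "ws-22", "success"),
    ("bob", "2024-02-21T11:00:00Z", "lap-03", "success"),
]
RECENT_RECORDS = [
    ("alice", "2024-03-01T09:00:00Z", "ws-17", "success"),      # normal
    ("alice", "2024-03-01T23:40:00Z", "srv-jump", "success"),   # new host, odd hour
    ("bob", "2024-03-01T10:01:00Z", "ws-22", "failure"),
    ("bob", "2024-03-01T10:01:05Z", "ws-22", "failure"),
    ("bob", "2024-03-01T10:01:09Z", "ws-22", "failure"),
    ("bob", "2024-03-01T10:01:12Z", "ws-22", "failure"),
    ("bob", "2024-03-01T10:01:20Z", "ws-22", "success"),        # guessing, then success
    ("carol", "2024-03-01T12:00:00Z", "ws-40", "success"),      # no baseline at all
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(records):
    """Learn hosts and hours per user from successful logons only."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, t, host, outcome in records:
        if outcome == "success":
            base[user]["hosts"].add(host)
            base[user]["hours"].add(ts(t).hour)
    return dict(base)


def _adjacent(hour, hours):
    """Tolerate one hour either side of a known hour (assumed tolerance)."""
    return any((hour - h) % 24 in (1, 23) for h in hours)


def evaluate(records, baseline, fail_threshold=3, fail_window_s=60):
    """Return (user, rule, detail) tuples for every deviation found."""
    alerts = []
    failures = defaultdict(list)                 # user -> recent failure times
    for user, t, host, outcome in sorted(records, key=lambda r: ts(r[1])):
        when = ts(t)
        if outcome == "failure":
            failures[user].append(when)
            continue
        recent = [f for f in failures[user] if (when - f).total_seconds() <= fail_window_s]
        failures[user] = []
        if len(recent) >= fail_threshold:
            alerts.append((user, "success_after_failures",
                           f"{len(recent)} failures within {fail_window_s}s"))
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, "no_baseline", f"first logon seen, from {host}"))
            continue
        if host not in profile["hosts"]:
            alerts.append((user, "new_source_host", host))
        if when.hour not in profile["hours"] and not _adjacent(when.hour, profile["hours"]):
            alerts.append((user, "unusual_hour", f"{when.hour:02d}:00 UTC"))
    return alerts


def top_violators(alerts, n=10):
    """The 'weekly top-N violators' report: alert count per user, descending."""
    return Counter(user for user, _, _ in alerts).most_common(n)


if __name__ == "__main__":
    found = evaluate(RECENT_RECORDS, build_baseline(BASELINE_RECORDS))
    for a in found:
        print(a)
    print("top violators:", top_violators(found))
```

In practice the baseline would be rebuilt on a rolling window and the thresholds tuned per population (shift workers, service accounts), otherwise the top-violators report fills up with people who simply changed desks.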
DESIGN & INTEGRATION STEPS
The SIEM implementation should follow a phased approach, working systematically through the stages required for solution deployment. The typical SIEM implementation phases are:
REQUIREMENTS GATHERING & ASSESSMENT
Perform a detailed assessment of the company's environment, with the goal of inventorying the existing architecture and identifying the basic SIEM requirements:
- Understand the current enterprise security architecture and its critical components
- Understand the current tools and procedures used to assess risk and to confirm regulatory compliance
- Identify the business objectives to be met by the development and implementation of a SIEM
- Capture a clear network topology with an inventory of all devices, so that no log source is missed
- Initiate vendor selection with RFP process
SOLUTION DESIGN
Produce a detailed technical SIEM deployment design based on all gathered requirements:
- Convert business requirements to conceptual scenarios
- Create technical use cases
- Create logical and physical SIEM architecture designs
- Create SIEM integration project plan
IMPLEMENTATION
Implement an enterprise-wide SIEM in both development and production environments, so that it will:
- provide real-time, centralized monitoring and correlation over the entire network security infrastructure
- provide notification of, and response to, harmful security events
- share information security event data with all relevant business units
- preserve security event data for forensic purposes
This phase involves the following tasks:
- Configure and install the development environment
- Implement technical use cases
- Implement the interface component
- Test system configuration
- Document system configuration
- Roll-out to production
- Training & knowledge transfer
POST DEPLOYMENT ACTIVITIES
- Ensure ongoing support for the solution
- Put effective 24x7 monitoring of the solution in place
- Prepare for change management with an eye on evolving threats: new log sources, new use cases and tuning of existing rules
CHOOSING A VENDOR
This question cannot be answered in advance. The integrator typically examines the client's infrastructure and needs, and establishes the budget the client is willing to spend.
After that the vendors make their offers and the integrator proposes the most suitable one to the customer. An integrator is needed here because compatibility between different vendors' products is limited.
REMEMBER: It is sometimes believed that if you have a SIEM, there is no need to install DLP, IDS, vulnerability scanners, etc. This is not the case. A SIEM can spot anomalies in the stream of events, but it cannot perform the specialized analysis those tools do (content inspection, signature matching, vulnerability detection). Strictly speaking, a SIEM is useless without other security systems: its main advantage - collection, storage and analysis of logs - drops to zero without the sources of those logs.