Wednesday, February 25, 2015

Introduction to Security Event and Log Management

Starting with this article, I will share my experiences and insights on Security Event Management and Log Monitoring. I hope you will find some useful information in them.

To start with: perhaps the most important thing to know at the start of a SIEM project is how to set expectations correctly. Because substantial sums of money and effort go into these projects, the expectations of several units of your company (not only IT, by the way) may be very high.

So, at the kick-off it is important that you know, and make sure that others understand:
  • that a SIEM solution is not a big box into which different parts of IT throw all their logs until the day they happen to need them. The word “Security” in SIEM must be underlined. Because of the volumes involved, SIEM systems are often regarded as Big Data systems, but so far they are only “Big Data like”, and perhaps they should stay that way. Peer teams in IT should take the time to decide which categories or types of events they actually need to keep: those that reveal an anomaly in their own systems, and those that become meaningful only when correlated with other pieces of information.
  • that sizing is one of the critical steps for a SIEM project’s success. Exact sizing is of course impossible, but the events-per-second (EPS) figures should be estimated to within about 20%. After that comes the decision on the retention period. Most admins would enjoy seeing which website the colleague in the next cubicle visited a year ago, but for effective forensic analysis a retention period of 3 to 6 months is a reasonable target. Underestimating the storage you need may cost you your critical log data, overwritten at the very moment you need it most. Not to forget, these numbers also drive the financials, software licences and appliance sizes, and sometimes even the solution architecture changes according to the number of logs to be processed.
  • that SIEM projects can be huge and should not be swallowed in one bite; your company may choke doing so. A wise approach is to start with the security and network security systems, including but not limited to firewalls, UTMs, IPSs, VPN gateways, access control systems (RADIUS, TACACS+), web application firewalls, DoS protection devices, NACs, load balancers, wireless controllers and endpoint security systems. These should be followed by the infrastructure components, namely the operating systems and middleware of your critical systems. In the last step you will finally be ready to integrate your applications, which is obviously the most laborious and time-consuming part, as several teams will have to come together and discuss.
  • that you should document your project very well. SIEM systems are like puzzles with thousands of pieces, and almost every company cooks that soup to its own taste. The way you collect, reduce and correlate logs differs widely from one company to the next. Without proper documentation you may have serious problems with roll-outs, troubleshooting, and handing the system over to somebody else or to an outsourcer.
  • that even though everybody is into it and the technology is very promising, it is still a reactive solution. It will help your company discover important breaches, learn from important misconfigurations and mistakes, and improve your incident response skills and practices, but that is all. Everything still depends on your agile, well-documented and respected incident response procedures… unless you deploy SIEM as a compliance box or to show off to your C-level executives.
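The sizing point above is the one that bites hardest in practice, so here is the back-of-the-envelope check I run before a storage budget is signed off. This is an added example, not code from the original article or from any SIEM vendor. The log source inventory, per-source EPS, average event sizes, peak factors, the 4:1 compression ratio and the 25% index headroom are all constructed assumptions; the 20% EPS error band is the estimation accuracy the article asks for. The check sizes at the pessimistic end of that band and reports how many days a given disk budget actually buys, so you see before go-live whether your 3-to-6-month forensic window will be overwritten.

```python
"""Storage sizing check for a SIEM roll-out.

Added example, not code from the original article or from any SIEM product.
Every number below (per-source EPS, event sizes, peak factors, compression
ratio, index headroom) is a constructed assumption; replace it with
measurements from your own log sources.
"""
from dataclasses import dataclass
from typing import Iterable

SECONDS_PER_DAY = 86_400
GIB = 2 ** 30


@dataclass(frozen=True)
class LogSource:
    name: str
    eps: float                # estimated average events per second
    avg_event_bytes: int      # average size of one raw event
    peak_factor: float = 1.0  # sustained peak EPS divided by average EPS


def daily_raw_bytes(sources: Iterable[LogSource], eps_error: float = 0.20) -> float:
    """Raw bytes ingested per day, sized at the pessimistic end of the EPS band.

    eps_error is the estimation error you expect to stay within (the article
    asks for about 20%); the worst case is every source running that much hotter.
    """
    total = 0.0
    for src in sources:
        worst_eps = src.eps * (1.0 + eps_error) * src.peak_factor
        total += worst_eps * src.avg_event_bytes * SECONDS_PER_DAY
    return total


def storage_needed_gib(sources, retention_days, compression_ratio=4.0,
                       index_headroom=0.25, eps_error=0.20) -> float:
    """Disk (GiB) needed to hold retention_days of data without overwriting.

    compression_ratio: raw bytes per stored byte (4.0 means 4:1, an assumption).
    index_headroom: extra fraction for indexes and metadata on top of event data.
    """
    stored = daily_raw_bytes(sources, eps_error) * retention_days / compression_ratio
    return stored * (1.0 + index_headroom) / GIB


def retention_days_for(sources, disk_gib, compression_ratio=4.0,
                       index_headroom=0.25, eps_error=0.20) -> float:
    """Days of retention a given disk budget actually buys."""
    usable = disk_gib * GIB / (1.0 + index_headroom)
    per_day = daily_raw_bytes(sources, eps_error) / compression_ratio
    return usable / per_day


def check_retention(sources, disk_gib, target_days=90, **kwargs) -> dict:
    """Flag the failure mode the article warns about: the oldest logs being
    overwritten before the forensic window (3 to 6 months) is reached."""
    days = retention_days_for(sources, disk_gib, **kwargs)
    return {
        "achievable_days": days,
        "target_days": target_days,
        "meets_target": days >= target_days,
        "shortfall_days": max(0.0, target_days - days),
    }


# Constructed sample inventory for a first phase (security and network security boxes).
SAMPLE_SOURCES = [
    LogSource("perimeter-firewall", eps=1500, avg_event_bytes=300, peak_factor=1.5),
    LogSource("ips", eps=200, avg_event_bytes=600, peak_factor=2.0),
    LogSource("vpn-concentrator", eps=50, avg_event_bytes=250),
    LogSource("domain-controllers", eps=400, avg_event_bytes=900, peak_factor=1.2),
]

if __name__ == "__main__":
    print(f"Raw ingest/day (worst case): {daily_raw_bytes(SAMPLE_SOURCES) / 1e9:.1f} GB")
    print(f"Disk for 90 days:  {storage_needed_gib(SAMPLE_SOURCES, 90):.0f} GiB")
    print(f"Disk for 180 days: {storage_needed_gib(SAMPLE_SOURCES, 180):.0f} GiB")
    report = check_retention(SAMPLE_SOURCES, disk_gib=2000)
    print(f"2000 GiB buys {report['achievable_days']:.0f} days; "
          f"meets 90-day target: {report['meets_target']}")
```

With the constructed inventory, a 2000 GiB budget buys under 50 days, well short of the 90-day floor, so the budget (or the event filtering per source) has to change before the first firewall is pointed at the collector. Run the same check again after each onboarding phase, since the infrastructure and application sources added later usually dwarf the first-phase security boxes.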
After taking these important facts into consideration, you are ready to start choosing your SIEM product. I will cover SIEM product selection criteria in my next article, before diving into more detail on implementation.