You may spend a lot of effort building up a SIEM and Log Management infrastructure composed of source systems, connectors, loggers, rule creation and correlation engines and management systems, and then see very little valuable output, if you do not pay attention to the first thing you should actually do: define a proper auditing policy.
A recent and very successful approach to building Log Management and SIEM capabilities actually consists of an inverse installation process. Some security service providers come and collaborate with your teams to apply defined risk scenarios to your infrastructure, to see whether your infrastructure components generate the log messages that should alert you that something unusual and odd is going on. It is at this very step that your SIEM team learns which types of events they should be collecting among a big pile of others, which in many cases make up most of your log storage without actually providing any value.
Such an approach may create huge differences in output and may trigger changes in your infrastructure. I know companies which changed some of their components just because they did not provide the essential log information that would allow security alerts to be generated.
A very important thing to keep in mind when deploying SIEM solutions is the involvement of all infrastructure and application teams. No matter how qualified the IT security people responsible for the SIEM deployment are, they do not master the operating systems as well as Windows, Linux and UNIX administrators do, especially considering the different OS versions that can be in place. In my experience, I know that 3 generations of Windows Server coexist in the majority of companies, without counting R2 versions. The same goes for databases and applications. A SIEM project will probably fail or underperform if the IT teams do not collaborate with the SIEM project team and stay isolated in their silos.
Another way of dealing with this issue would be to create a security team composed of security masters in each domain. The first difficulty with that approach is bringing together such talent, which is very costly; the second challenge is keeping them in the company and providing continuity, because such people are in high demand. This option seems applicable only in very large organizations such as multinationals, especially in the finance sector, where there really is something at stake: money, and also reputation.
There is of course a lot more to say about other aspects of SIEM and Log Management projects. But perhaps the most important things to know about them are to set expectations correctly (benefits, aim: “Security? Compliance? Both?”, scope, schedule and budget), to be patient, to provide continuous support and to monitor the output closely. The technology in this market is evolving rapidly and still has much more to offer in the years to come.