None of these steps is meant to be carried out all in the same day--or even in the same month. Based on years of experience with SIEM installations, Bradford Nelson, a security professional at a large federal agency, suggests three stages for SIEM deployment.
"Keep the bar low at the beginning," Nelson says. Gather just the baseline information you need to establish what "normal" statistics and readings look like in order to find anomalies going forward. If you try to do everything at once--threat and anomaly detection, threat analysis, and response--you're going to fail, he says.
Start with a compliance-focused checklist, emphasizing the SIEM tool's security information management elements, primarily collecting logs for audit purposes. Nelson recommends spending about six months in this stage of deployment. Any more and you don't get enough payback from tools for the time you invest; any less and you risk a disaster.
Next is a growth stage during which you begin to use the security event management aspect of SIEM, utilizing real-time monitoring. Companies that evolve to the final, mature stage are those that can integrate SIEM analysis into their IT operations processes so that security becomes part of the overall IT framework. In this stage, you are taking advantage of external security data feeds, using on-board processes to log activity from new users and systems as they're added, analyzing business behavior, and utilizing business context to make security decisions. Companies that have mastered the art of system data correlation and analysis are able to extend the benefits outside the security group. The data can offer clues for infrastructure improvement and simplifying IT operations and business processes.
Moving through these SIEM stages requires starting with basic log groups and standardizing the analysis processes for them, SenSage's Gottlieb says. Then broaden the scope for more log subsets, using what you've learned from previous process development.
Companies and other organizations are definitely collecting more logs these days, but they have a long way to go when it comes to actually analyzing the data those logs provide in order to head off fraud and external attacks. Six years ago the biggest log management concern among security professionals was simply to collect logs from enough sources, according to the SANS Institute. That's now a concern for only about 10% of companies.
These days the difficulties lie in aggregating, analyzing, and searching log data. Companies that start building the right rule sets within their SIEM tools and tuning these tools according to their risk tolerance will find that they're able to block the bad guys before they do real damage to the infrastructure. It may not be just like the movies, but in real life that's as close to a happy ending as we get.
Sidebar: Where To Start With Logging
Log management and event correlation can be daunting for the uninitiated. Here are tips from log management expert Bill Roth, chief marketing officer at LogLogic, a security management vendor.
>> Begin With Basic Feeds: Prioritize the collection and analysis of Windows logs, syslogs, and Web server logs, and you'll have 90% of what you need, Roth says.
>> Look For The Abnormal: Spend time in the beginning watching stats from networking and firewall devices, to benchmark what's normal so you can spot aberrations later.
>> Watch For Privilege Changes: Attackers try to escalate their privileges to carry out attacks. Watch for this in key locations. One command in particular to be alert for, Roth says, is sudo, or "substitute user do," in Unix and Linux systems.
>> Check Error Messages: Watch for 404 messages in your Web server, distributed denial-of-service attacks, and too many attempts at access made by hackers gaining infrastructure information. --Ericka Chickowski