Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec

The key to security information and event management.

InfoSecurity Europe : 11 December, 2007  (Technical Article)
Paul Bushen of Siemens Enterprise Communications makes sense of managing security events by offering the 12 key steps to be taken.
The analogy drawn by the Internet RFC 3164 - "The BSD Syslog Protocol" :-
Is still relevant in today's market of Security Information and Event Management (SIEM) systems. Making the correct choices for your organisation, will ensure security messages will not be a "bad odour".

There are twelve key choices to be made:.

1. Tactical or strategic Drivers for a SIEM project are one of:.

* Tactical - there are too many messages which makes finding relevant facts almost impossible.
* Strategic - legal and regulatory requirements demand evidence of a properly managed information security architecture.

2. Who are the Stakeholders Co-operation with the many stakeholders, including system and network owners, will help get "buy-in" and avoid political problems.
Smoothing the waves with stakeholders early-on improves the likelihood of project success.

3. Real-time monitoring or forensics - Is real-time monitoring required or will central collection of messages for future reference be sufficient?
Who is going to monitor and respond to alerts? When will monitoring be performed? What resources will be required?.

4. Out-source or in-house - The requirements and policies of your enterprise will determine whether to choose out-sourcing SIEM which has immediate benefits such as quick start-up, or whether to provide SIEM in-house.

5. Self-developed or COTS - Historically COTS SIEM products were not available, and so many enterprises have attempted their own SIEM implementations.
A new implementation is more likely to use a COTS product; to avoid the delays involved with development. Replacing a bespoke system with a COTS product can be more involved than starting again.

6. Where to get the skills - Contractors can be an appropriate choice, especially early in a project when a fast injection of skills is most beneficial.
Existing staff can be given SIEM training, but ensure their knowledge is kept relevant and up-to-date. Early in the project, identify whether new staff will be required and use the initial installation to review which skills they will need and ensure suitable candidates are interviewed.

7. Which messages to collect and store - For a small environment it may be viable to collect every single event - but for how long? Focus on why events are to be collected and this will indicate which events to collect. SIEM is not "set and forget", it is part of an Information Security Management System, requirements change and so do the set of events to be collected.

8. Which systems to monitor - A justified order of priority for which systems to monitor, ensures early achievement of maximum benefit . Even a partially monitored environment can be beneficial, and as the system proves itself, other systems can be included.

Prioritise systems by their impact to the business. Include the likelihood of vulnerabilities being exploited. Perform a risk analysis of systems with relevant stakeholders - even those whose systems will not be included immediately.
Include quick-win systems that are easily included with minimal cost. These can demonstrate possible benefits - to get people thinking of even better ways to use SIEM.

9. Agent or agent-less - Most SIEM solutions offer the choice of agent-based or agent-less collection. Installing an agent may not be possible because:.

* The system owner refuses.
* The performance impact may be too great.
* The monitored system platform may not be supported by the agent.

However if an agent can be installed, the benefits are:.

* Authentication and encryption of the source system messages.
* Compression of messages in transit.
* Messages can be retransmitted instead of being dropped.
* Filtering of messages.
* Scheduled transmissions.

10. Normalisation versus speed - Normalisation may not be needed if only simple collection is required. However, real-time alerting, complex reporting and correlation will need normalisation, as almost every system has its own log format.

Normalisation will require extra processing by the agent and/or server which can reduce the number of events that can be processed per second.
Normalisation software and configuration may be specific to each product and even each version of a product, leading to difficulties getting support for required products.

11. Appliance or software - An appliance can be put to work almost immediately. But how it will fit into the enterprise:.

* Is on-site swap-out available?
* How will the configuration be copied from the existing to a replacement appliance?
* Will the backup of configuration and log messages fit in with the existing enterprise backup regime?
* Is the underlying operating system compliant to corporate policy?
* How will software updates (including security patches) be applied?

A software solution may be easier to integrate with the enterprise but:.

* Who is responsible when there is a fault?
* What hardware can be used?
* What operating system can be used?
* What database can be used?

12. Active or passive - Passive SIEM solutions can collect log messages, perform correlations, send alerts and display reports.

The ability to run custom commands enables the SIEM solution to perform an active role, such as:.

* Blocking a client connection.
* Reconfiguring a firewall policy.
* Reconfiguring routes and Access Control Lists on a router.
* Increasing and decreasing the amount of logging.

A project can start with alerting, requiring human detective skills before any response is made, this can then lead to the SIEM suggesting recommended courses of action with a human operator making an informed selection, before moving to a fully automated response with retrospective human involvement.

This article has looked at twelve key choices of the many that a SIEM project will involve. Making the right choices for SIEM in your enterprise will ensure you come out smelling of roses.

Siemens Enterprise Communications Limited is exhibiting at Infosecurity Europe 2008, Europe's number one dedicated Information security event. Now in its 13th year, the show continues to provide an unrivalled education programme, new products & services, over 300 exhibitors and 11,700 visitors from every segment of the industry. Held on the 22nd - 24th April 2008 in the Grand Hall, Olympia, this is a must attend event for all professionals involved in Information Security.
Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo