Can you name a few based on the Solutions you have used?
- Organisation of the company
- Leadership commitment
- Enough money to get the full system
- The right choice
- Quality teaching
- Enough time to start a production plant
- The commitment of the owners of the systems involved
- Lots and lots of work from developers
An integrated solution that can help prevent, detect, prioritise, investigate in depth and remediate incidents.
From my point of view, these are the top must-haves for any SIEM:
1. log correlation that actually works :)
2. detection of anomalies in network traffic
3. good prioritization of alerts (automatic rejection of irrelevant alerts -> good baselining capabilities are a prerequisite for this)
4. good and easy event drill-down capabilities (by easy I mean simply clicking, not writing a new regex or query :) )
Well, from a solution perspective one can have as many ... I wanted to draw attention to business scope and requirements, and then see which product fits in and what one wants from a SIEM. Must-haves depend on what an org wants, but a baseline looks like this:
1. Which devices will you collect events from? The complete IT infrastructure
2. Which events will you collect? Types of events such as access, auth, activity
3. How long will you keep the logs? Retention time based on the regulation the org is bound by
4. Where will you store the logs? Storage such as arrays, depending on the volume
5. What type of reports and dashboards to get
6. Risk profiling and threat intelligence scorecard, RAG-type detailing, charting
7. Live event activity and APTs (so-called zero-days) hit with forensic capabilities to deep-dive
→ What are the must-haves for a SIEM solution? I think, to Vikas's point, it is important to determine the size and scope of the device; however, the question was based on must-haves, so if I were to answer the question it would be the following:
• Monitor S,J,N flows of the network (network anomaly detection)
• High speed data-correlation from multiple devices and sources (data-correlation)
• Provide suggestions or point to the root cause (Intelligent)
• Provide historical analysis to determine fluctuations and differences in traffic patterns (baselining)
• Real-time charting with reporting features that can be exported to other graphical solutions (reporting)
• Provide threat analysis tools and threat detection using centralized global analysis (threats are sent to a central processing center where they are analyzed for future updates if it is considered a zero-day attack) (future-proofing the solution and threat analysis)
• Interfaces with the existing equipment, where the SIEM acts as a brain to thwart attacks: it works directly with IPS, NAC, HIDS, NIDS and AV, where the threats are sent to a correlation engine and the engine ranks the severity of the threat to perform an action of some sort on a device (e.g. the session is sent to a honeypot instead of production) (NAC communication).
→ A few that I have used?
• Enterasys Netsight Atlas (now Extreme Networks)
• IBM QRadar
• McAfee Nitro
• Security Onion (Opensource)
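The cross-source correlation, baselining and alert prioritisation that the two answers above ask for, shown as an added Python example that is not part of this thread and not code from any of the products named. It assumes a constructed log line format, a hypothetical per-host history table (BASELINE_HISTORY) and a hypothetical asset criticality table (ASSET_WEIGHT); the sample events are constructed, not captured.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample events (not real logs): "<ISO ts> <source> <host> <client-ip> <event>"
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 firewall web01 203.0.113.5 DENY",
    "2024-05-01T10:00:05 nids web01 203.0.113.5 PORTSCAN",
    "2024-05-01T10:00:09 auth web01 203.0.113.5 LOGIN_FAIL",
    "2024-05-01T10:00:12 auth web01 203.0.113.5 LOGIN_FAIL",
    "2024-05-01T10:00:40 auth web01 203.0.113.5 LOGIN_OK",
    "2024-05-01T10:01:00 firewall db01 198.51.100.7 DENY",
    "2024-05-01T10:02:00 auth hr-laptop 192.0.2.9 LOGIN_FAIL",
]

# Hypothetical per-minute event counts per host from "normal" past minutes (constructed);
# a real SIEM would learn this from its own history.
BASELINE_HISTORY = {
    "web01": [1, 2, 1, 1, 2, 1],
    "db01": [1, 1, 1, 1, 1, 1],
    "hr-laptop": [0, 1, 0, 1, 0, 1],
}

# Hypothetical asset criticality: higher means the host matters more.
ASSET_WEIGHT = {"db01": 3, "web01": 2, "hr-laptop": 1}

WINDOW = timedelta(minutes=2)


def parse(line):
    """Normalise one constructed log line into a dict with a real timestamp."""
    ts, src, host, ip, ev = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "host": host, "ip": ip, "ev": ev}


def correlate(events, window=WINDOW):
    """Cross-source correlation: one alert per client IP whose events inside `window`
    come from at least two distinct sources and show a LOGIN_FAIL followed by LOGIN_OK."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        start = evs[0]["ts"]
        chain = [e for e in evs if e["ts"] - start <= window]
        types = [e["ev"] for e in chain]
        sources = sorted({e["src"] for e in chain})
        if (len(sources) >= 2 and "LOGIN_FAIL" in types and "LOGIN_OK" in types
                and types.index("LOGIN_OK") > types.index("LOGIN_FAIL")):
            alerts.append({"ip": ip, "host": chain[0]["host"],
                           "sources": sources, "events": len(chain)})
    return alerts


def zscore(host, current_count, history=BASELINE_HISTORY):
    """Baselining: standard deviations the current per-minute count sits above history."""
    hist = history[host]
    mu, sigma = mean(hist), pstdev(hist)
    return (current_count - mu) / sigma if sigma > 0 else float(current_count - mu)


def events_per_minute(events):
    """Count events per (host, minute) bucket."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["host"], e["ts"].replace(second=0, microsecond=0))] += 1
    return counts


def prioritise(events):
    """Rank correlated alerts by asset weight x number of sources x baseline deviation."""
    alerts = correlate(events)
    per_min = events_per_minute(events)
    for a in alerts:
        host = a["host"]
        peak = max(c for (h, _), c in per_min.items() if h == host)
        a["zscore"] = zscore(host, peak)
        a["score"] = ASSET_WEIGHT.get(host, 1) * len(a["sources"]) * max(1.0, a["zscore"])
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def run(lines=SAMPLE_LOGS):
    return prioritise([parse(line) for line in lines])


if __name__ == "__main__":
    for a in run():
        print(f"{a['score']:.1f} {a['ip']} -> {a['host']} via {a['sources']} z={a['zscore']:.1f}")
```

On the constructed data only the 203.0.113.5 chain is raised: the single firewall deny against db01 and the lone failed login on hr-laptop never reach two sources, which is the "automatic rejection of irrelevant" behaviour asked for above, and the score grows with how far web01's minute departs from its baseline and how critical the asset is.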
IT infra assessment (HML), EPS log estimation (sizing), compliance triggers, security intelligence and real-time risk profiling
Before the start of a SIEM, it is very important to set a scope. The scope is the driver behind the SIEM and can be related to compliance, security and operations. It can be a combination of all three and should encompass the entire company. It's highly important to know the driver behind the SIEM. Also, there should be a strategic voice across the company for infosec as a whole. The SIEM market is still growing, and most SIEM projects fail because companies do not know what they need a SIEM for. A SIEM is a component of security planning and roadmap. It's important to have in mind: What happened? When did the event happen? Why did it happen? Can we stop it?
RSA enVision, Lancope and Splunk