Monday, March 31, 2008

Last week I attended the Boston SecureWorld Expo (http://www.secureworldexpo.com/).  I found it to be a worthwhile event with some good sessions and a chance to meet up with some of my colleagues of the IT Security Profession. 

One of the sessions I attended was a panel discussion with various IPS and NAC vendors such as Tipping Point, ForeScout and TopLayer.  At the beginning, it was fairly embarrassing as each of the vendors introduced themselves, each one espousing why their product was better.  After the initial boasts, the questions got down to the nitty gritty of the subject area of where an enterprise should leverage IPS and/or NAC.

All of this discussion got my mind going, and a question formulated itself in my mind.


Created by: Paul Davis
Category: Paul's Blog • (3) Comments


Tuesday, March 25, 2008

SIEM Best Practices:  Basic Correlation and Default Content

As awesome as correlation can be (and it can be phenomenal), correlation can’t overcome a lack of context.  Correlation rules work best and most efficiently if you can provide them with some basic boundary conditions.  The more focus and context you provide, the more specific the results will be and the more automated your responses can be (in a word – efficiency). 


Created by: Rocky
Category: Rocky's Blog • (0) Comments


Monday, March 24, 2008

SIEM Best Practices:  Before you buy.

Knowledge of your Enterprise:  This is the single most important factor in a successful SIEM deployment.  IMHO, you simply cannot have a successfully deployed SIEM product without significant knowledge of your environment.  Here is some of my rationale on this subject.  As awesome as correlation can be (and it can be phenomenal), correlation can’t overcome a lack of context.  Correlation rules work best and most efficiently if you can provide them with boundary conditions.  The more focus and context you provide, the more specific the results will be and the more automated your responses can be (in a word – efficiency). 


Created by: Rocky
(4) Comments


SIEM Best Practices:  Very Basic SIEM Implementation Success Criteria
For purposes of this blog entry, I’m defining a very basic successful SIEM implementation as the SIEM product working in a meaningful manner for you, and not the other way around.  Here are some basic measurements of a successful SIEM implementation:

Meaningful Data into and out of the system.
Enhanced Analysis Processes
IT Security Workflow Enablement
Enterprise Risk Management Measurements.
Understanding that this SIEM is simply one of your tools!


Created by: Rocky
(0) Comments


Tuesday, March 18, 2008

Before starting Decurity I spent a significant amount of time in the professional services arena of one of these SIEM vendors.  I also spent time in several SOC and MSSP environments (and still do).  You can check out my full professional background on LinkedIn for more details. 

I’ll do my best to focus on more than one SIEM product, but let’s be honest, it will probably happen that I overwhelmingly focus on one vendor’s implementation.  One SIEM vendor has an overwhelming market share in large organizations, and many of the lessons learned will apply no matter what SIEM you choose.  If you have expertise in other products and feel I misrepresented or undervalued their functionality, and you feel the need to provide additional context – please do!  I love to learn.  I’m serious: I want you to share your expertise.


Created by: Rocky
Category: Rocky's Blog • (0) Comments


Monday, March 17, 2008

Decurity welcomes you to our little corner of the blogosphere. 


Created by: Rocky
Category: Rocky's Blog • (0) Comments

