Thursday, July 31, 2008
Like many things in the IT world, many executives are led to believe that just implementing a SIEM will be a reason for great rejoicing as all their security problems go away. Unfortunately, this is not the case.

Thursday, July 17, 2008
In Paul’s previous post, “Is the Next Generation of Security Monitoring Around the Corner?”, he highlighted that “poor implementation” is one of the core issues with SEM implementation. With my IDS Analysis background, I approach projects from the perspective of, “How can I augment my analysis with more valuable information (aka: make my life easier ☺)?” The purpose of this article is to provide some practical advice on some of the event source requirements while implementing a SIM from an analytical perspective. I understand that this approach is not always possible, given the available team/resources/budget, but some of the lessons learnt and recommendations can still be applied.

Sunday, July 13, 2008
This post is a follow-up to my previous posts related to SIEM Best Practices: “SIEM: Before you buy”, “SIEM: basic correlation and default content” and “SIEM: Basic Success Criteria”. It is my hope that this information provides you with valuable insight into the best possible approaches for Log Management, Security Information, and Event Management and Security Operations for your organization.

Wednesday, July 02, 2008
ArcSight recently announced a new product, called IdentityView, which links a user’s identity and role to his or her IT activity. This is an important move and reflects a growing trend in Security Event Correlation systems that, I think, will move the security-monitoring model into the next phase of evolution. The SIM vendors out there are starting to move up the ISO stack.