Wednesday, May 13, 2009

Sara Peters at Information Week recently posted an article titled “SIEM Case Study: Israeli e-government ISP”. In this article, Assaf Keren, information security manager at the Israeli e-government ISP Project (called “Tehila”), calls our attention to some very important details to consider when implementing a SIEM.  Keren’s advice is that a successful SIEM implementation requires:

1. Detailed planning,
2. Fastidious attention to detail,
3. Superb communication between concerned parties,
4. Attentive oversight of vendor activity.

Another Key Point from Mr. Keren - don’t outsource this “theory phase.”

Note:  I agree with Mr. Keren that the SIEM requirements have to be driven from within your organization.  However, I believe that expert external entities can and should help drive discussions and help extract and refine requirements from your team. Obviously, the expert external entity MUST NOT be from a Vendor or reseller of any SIEM Products.

Looking back over hundreds of SIEM deployments, and seeing so many consistent decisions (or indecisions) that adversely affected the success of the SIEM, I felt compelled to add a bit more context to augment the lessons Mr. Keren shared.

Overview:
1. It takes a village, building planners, city inspectors, etc.:  Probably the most important takeaway from this post is that you should take the necessary time to fully comprehend and vet your requirements, decide on your service delivery model, gain consensus on that approach and have realistic expectations along the way.  SIEM failures are more often the fault of poor planning, moving tactically while ignoring the strategic nature of the project, or simply misaligned expectations than of a pure technology failure.

2. Know what you are going to do with the Output before you make it Input:  It is tough to make sense of (and therefore derive any value from) billions of events by adding even more events into the mix to be evaluated.  Defining your Collection, Analysis, Escalation, Remediation and workflow efforts before you start (and refining them along the way) means that you’ll have a better idea what to do with the information you’re presented, and a much higher chance of success both in end-user usage of the system and in aligning that usage of the SIEM with the needs of your organization’s security or compliance program.

3. Purchase the “right” technology, but do it incrementally:  Quite candidly, some SIEM products should be avoided at all costs; however, it should be noted that most of them can at least be used to help you meet some very basic requirements.  Consider your business and technical requirements over a 24-month period, but only purchase what is necessary to deliver the next 6 months of work you expect to get accomplished.  The system needs to be flexible enough to support all of those upcoming needs, but there is no need to spend money today to support tasks you won’t even consider touching for over 12 months.

A successful SIEM tool supporting your organization’s Security and/or Compliance needs really boils down to some very simple concepts:

Define Success
Have a strategic vision about how you want your Security Operation and/or Compliance Program to run and use that to help define requirements for how the SIEM (and Log Management) tools will provide input or drive workflow related to that Program.  Involve all the stakeholders early and keep them engaged along the way!

• If your rationale for buying a SIEM is PCI Compliance, STOP.

• If your rationale for investing in SIEM is to provide “x”, “y” and “z” data sets to business units “a” and “b” and to initiate workflow for your SOC; and you understand the event sources and business logic necessary to compile the data sets for each customer; and you fully understand how they intend to use that information, then you are much closer to being ready to work with a SIEM.

Related Resources:
SIEM: Basic Implementation Success Criteria
SIEM: Before you Buy

Plan Accordingly
SIEM is not an overnight project, and yes, even appliance-based SIEMs require significant attention to work to their maximum potential for your organization.

• Gather requirements from all “stakeholders”: Compliance, Legal, IT, Business Units, Security, Executive, everyone that will help you get information into the SIEM or receive information from the SIEM (or from your service offering that leverages the SIEM).

• Define Event Sources based on end-user needs:  Security, IT Operations and Compliance teams all have distinct needs and therefore may require different event source information.  At a minimum they may require different “views” of a similar information set available in the SIEM or Log Management Tool.  Ensure you have the proper information sets, logging at the right levels, and that the information is available in a logical and meaningful manner.

• End-User Requirements are the most valuable.  The more your team understands how your “customers” value the data and service offering, the more you can benefit from the functionality of the SIEM.

• Analytical and Workflow Requirements.  Security Analysts need to be able to quickly identify, analyze, prioritize and escalate the data with context in order for the SIEM to meet its most basic functions.  This functionality is not as common as you would think across different SIEMs.  Be sure that the SIEM integrates with your workflow systems in an acceptable fashion.

Related Resources:
SIEM: Best Practices in Collection

Vendor Selection
Now that you have your requirements documented and prioritized, compare them against SIEM: Evaluation Criteria and refine them even further…

• Either partner with an expert that can tell you exactly why certain vendors cannot meet your needs (today/tomorrow) and compare those answers in an honest discussion with the vendor, or invest in a Pilot in an effort to prove out ALL of your requirements (not just the top three).
• Make sure you have data either directly from production event sources or from a reasonably similar source.  If you use a combined Log Management and SIEM architecture, make sure you can configure outbound events in a format the SIEM can comprehend for more than just Syslog events.  If the SIEM can natively handle ODBC but your architecture requires Log Management to be the Collection Tier and forward events to the SIEM, how does the LM reformat those events and how does the SIEM handle that data?

• Customer Referrals are nice, but be careful.  I’ve seen this scenario too many times: the victim asks a SIEM reference client about a key area of concern, say scalability, and the reference client dutifully answers with a resounding “Yes, the $VENDOR scales to meet my global organization’s amazing needs.”  In all the excitement it was overlooked that it takes 100+ systems to get there and, oh yeah, by the way, none of those SIEM systems can cross-correlate information.  As your requirements are defined, build out testing plans if the requirement is that critical, and test it prior to purchasing.

• Maximize your dollar.  Ensure the vendor is prepared to partner with you for the long haul; you both have a vested interest in the success of the program, so make sure they are going to be there for you.
• Find out the vendor’s fiscal period and plan your purchase accordingly.  Fiscal Quarter end and Fiscal Year end are great times to make deals (especially enterprise deals) with vendors.
• Purchase what you need, not what you want.  If you don’t have a documented requirement that you can reasonably achieve in the next 6 months, don’t buy it yet.  Conversely, don’t skimp on things you absolutely do need.  If you have a requirement to store 8 billion events a day over a 10-year period and you expect to do that with local storage, or even DAS or NAS, stop and rethink things a bit.


Focused Effort:
Ensure that you have dedicated enough time and energy to the success of your SIEM effort.  If you are a large enterprise this is at least 2 FTEs or an Expert Partner.

Seriously: Requirements Gathering, Vendor Selection, Pilot, Implementation, Initial Operating Capability, Operational Refinements, Final Operating Capability (Formal Service Delivery), On-going Enhancements, Patches, Upgrades, Lab Testing, Additional Content Tuning, Expansion and the related Coordination, Planning, Execution, Oversight and Measurement are enough to keep an entire team busy.  Doing all of that within the framework of your overall Strategic Security Program, and not just tactically solving issues as they pop up on a daily basis, is the key to success with SIEM and ultimately with your entire security and/or compliance program.

Having the wrong team, or not listening to the right team, is about the same as not having resources at all.  Spend the time to ensure your SIEM team is baked into your Security/Compliance Program(s) so they can help you plan for today and tomorrow and save a lot of headaches in new hardware, storage or even total SIEM replacement.  If you’re not ready to dedicate the right Resources/Partners then you may be better off waiting, and introducing SIEM into your organization when the requirements, proposed solution and funding are more in line.

Lifecycle Planning
This goes way beyond simple O&M tasks.  SIEM is part of your overall Security Program and as such needs to stay in step with that Program.  Your SIEM Team (or Partner) needs to be involved along the way to help ensure compatibility and/or flexibility as you evolve.  Service Delivery, Technology, Business and Compliance requirement changes and/or reprioritizations can all have a significant impact on the success or failure of the overall program.  The tighter the team is with the thought process around those upcoming changes, the more likely your SIEM Program will meet your needs.


Created by: Rocky
Categories: Rocky's Blog, SIEM/SEM


Monday, May 11, 2009
Steps to Success with ArcSight ESM 4.5 Use-Cases

Recently, ArcSight announced ArcSight ESM 4.5. ArcSight ESM 4.5 introduces a new feature called Use-Cases. This functionality goes a long way to help ArcSight users better understand the relevance of ArcSight Content packages as Use-Cases. This is functionality I've been a proponent of since about 2003. It is a walk-through of all the necessary steps to make a Use-Case for your environment, as well as a mechanism to explain existing Use-Cases. The bundling of Network Modeling and Use-Cases into a wizard is a large step forward for ArcSight in the effort to make SIEM easier for users.

This post describes ArcSight’s new Use-Case and Network Modeling functionality and also quickly describes how Decurity is providing ArcSight use-case content through our Decurity D3 Service, which will leverage this ESM 4.5 functionality quite extensively. Don’t worry, the content is ArcSight ESM focused, not a sales pitch.

This post is organized in the following manner:
1. Pre-requisites: Network Modeling, Use-Case Installation, Decurity D3 View
2. Use-Case Wizard Walk Through
3. Best Practices: Lab Environment Testing

Use-Case Prerequisites: Network Modeling
Use-Cases require you to configure/specify the systems to which the content provided in the Use-Case will apply, for example defining which hosts hold PCI data and therefore fall into “PCI” monitoring Use-Cases.
As part of ESM 4.5, ArcSight has improved a previous “professional services” tool called “asset import” and integrated it as a default ESM tool.

To launch this tool you log into the ArcSight ESM Console and select Tools > Network Model.

This will launch a GUI to walk you through importing Zones, Assets, Asset-Ranges.

Note: You will need to have your CSV files created ahead of time. The format of the file and the available customizations are defined further in the ArcSight Documentation.
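As an added illustration (not ArcSight's tool, and not its import file format), the following Python sketches what the network model does for a use case once it is imported: zones, asset ranges and assets carrying categories decide which hosts fall into a “PCI” use case, and private hosts that sit in no zone are reported as a modeling gap. The one-file CSV layout and the sample events are constructed for this example.

```python
import csv
import io
import ipaddress

# Constructed network model in one CSV (kind = zone | range | asset). The column layout is
# an assumption for this example; ArcSight's own import file formats are in its documentation.
MODEL_CSV = """kind,name,start,end,categories
zone,Corp-Users,10.20.0.0,10.20.255.255,
zone,Cardholder-DMZ,10.30.1.0,10.30.1.255,
range,PCI-Payment-Segment,10.30.1.0,10.30.1.63,PCI;Production
range,Corp-Workstations,10.20.0.0,10.20.255.255,Workstation
asset,pos-db01,10.30.1.10,10.30.1.10,PCI;Database
asset,jump01,10.30.1.200,10.30.1.200,Production
"""

# Constructed sample events (src/dst only) showing how the model decides use-case scope
SAMPLE_EVENTS = [
    {"src": "203.0.113.7", "dst": "10.30.1.10"},  # external -> PCI database: in scope
    {"src": "10.20.5.8", "dst": "10.30.1.200"},   # workstation -> DMZ host not tagged PCI: out
    {"src": "10.20.5.8", "dst": "10.99.0.5"},     # destination in no zone: model gap
]

def addr(text):
    return int(ipaddress.IPv4Address(text))

class NetworkModel:
    def __init__(self, csv_text):
        # each entry: (kind, name, first address, last address, category set)
        self.entries = [(r["kind"], r["name"], addr(r["start"]), addr(r["end"]),
                         {c for c in r["categories"].split(";") if c})
                        for r in csv.DictReader(io.StringIO(csv_text))]

    def _containing(self, ip, kind):
        n = addr(ip)
        return [e for e in self.entries if e[0] == kind and e[2] <= n <= e[3]]

    def zone_for(self, ip):
        return next((e[1] for e in self._containing(ip, "zone")), None)

    def categories_for(self, ip):
        # union of the host's own categories and those of every asset range containing it
        hits = self._containing(ip, "asset") + self._containing(ip, "range")
        return set().union(*(e[4] for e in hits))

def scope_events(model, events, category):
    """Return (events touching a host tagged with category, events with an unmodeled private host).
    The second list signals a model gap: use-case content stays silent for hosts in no zone."""
    matched, unmodeled = [], []
    for ev in events:
        ips = (ev["src"], ev["dst"])
        if any(category in model.categories_for(ip) for ip in ips):
            matched.append(ev)
        elif any(ipaddress.IPv4Address(ip).is_private and model.zone_for(ip) is None for ip in ips):
            unmodeled.append(ev)
    return matched, unmodeled
```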

Use-Case Prerequisites: Install Use-Case Bundle
ArcSight provides several example Use-Case Packages (.arb) on the console system for you to test and gain a better understanding.
These default use-case packages are available in the ARCSIGHT_HOME/current/jumpstart directory.


The following Use-Case Packages are available by default:
• ArcSight-JumpStart-for-PCI.1.0.5787.arb
• ArcSight-JumpStart-for-Perimeter-Monitoring.1.0.5788.arb
• ArcSight-JumpStart-for-SOX.1.0.5789.arb
• ArcSight-JumpStart-for-User-Monitoring.1.0.5790.arb


Note: Installation of Use-Cases should be done by “Administrator” user(s) only.
The installation of these use-case packages is exactly the same as for any other “Package”: navigate to Packages, click Import, select the package (.arb) file you wish to load/import and follow the prompts.
The system will then verify and import the resources into your manager. The use-case packages will also load a GUI walk-through.



Use-Case Prerequisites: Decurity D3 Content Subscription
If you are a Decurity D3 Customer you may also download new/updated content from our Decurity support portal.

Decurity D3 Workspace: (screenshot)

Decurity D3 Content Download: (screenshot)

Decurity's Content is organized by Event Source(s), Problem Set and Solution (Use Case). It is easy to search, identify and download appropriate content. Content is provided by Decurity on a periodic basis, or On-Demand per Decurity D3 customer requests.

Use Case Wizard Overview: Introduction Panel
The Introduction panel describes the purpose of the use case.

Use Case Wizard Overview: Prerequisites Panel
The Prerequisites panel describes required actions or information needed before continuing with the Use Case wizard.
NOTE: Your network should be “modeled” before using the Use Case wizard to configure the use case.
Please carefully review ArcSight Documentation and Help functions in this wizard to better understand file formats for Zones, Assets and Asset Ranges.
There are some additional configuration options in the Wizard once the data is available. The documentation does a great job of explaining these features.

Use Case Wizard Overview: Confirm Event Sources Panel
The Confirm Event Sources panel lists the relevant event sources that send events to ESM via a SmartConnector for the specified use case. ArcSight SmartConnectors collect log data from existing event sources and generate events that are sent to ArcSight Logger or ESM.

Action: As appropriate for your environment, confirm the event sources that are configured with an ArcSight SmartConnector and supplying events to the ArcSight ESM for this use case.
Note: The Confirm Event Sources panel in this wizard is informational only.

IMPORTANT NOTE: The resources in the use case are driven by these events and without the event sources, the use case does not generate output.


Use Case Wizard Overview: Configuration Panels
The configuration depends on the ArcSight use-case you are setting up.
In the configuration phase you are asked to enter the values that apply to your environment. The values you provide are used to populate the settings in the resources that make up the use case.

The Use Case wizard displays the following types of configuration panels:
• Categorize Assets and Zones
• Active Lists
• Notification configuration: expiration time, notification rate
• Report periodicity configuration (Daily, Weekly, Monthly, Quarterly, Yearly)

Use Case Wizard Overview: Summary of Settings
After clicking Next, the settings are applied to applicable Data Monitors and Rules for the use-case.

It’s Alive:
The configuration of the use case is complete. If the event sources for this use case are configured with an ArcSight SmartConnector and are sending events to ArcSight ESM the output should be obvious:
• Content in the use case such as rules, data monitors, and queries start processing events
• If the conditions in the use case are met, data is provided to the output resources of the use case such as reports, active channels, dashboards, and cases.

Best Practices: Testing it - Lab Environment
If you do not have production event sources or similar event sources in your lab environment you can at least duplicate the event data by copying off some of the production data and bringing it into the lab environment. ArcSight provides some tools to assist with this effort.

Step 1: Create Replay Files
Log in to the ArcSight ESM manager and run 'arcsight replayfilegen' from the manager/bin directory. You will then be prompted to log in as Administrator or similar user, select the time range you wish to export, any filtering options, obfuscation options and an output replay file name.
Note: The replay file size is dependent on your timeframe and applicable filters but in general is usually several GB in size.

Step 2: ArcSight “Test” SmartConnector
You can install/configure a “Test” ArcSight SmartConnector to read, process and forward events from the file created in Step 1; that file is your replay (.events) file.
Note: For easiest usage copy the replay (.events) file into the “current” directory of the ArcSight SmartConnector.

From the ArcSight Connector Home/bin directory, launch “arcsight agents”. This opens a GUI that lets you select your replay file and begins streaming those “production-like” events, at the rate you specify, into your Lab ArcSight ESM Manager.

Review, measure and tune the content to your environment and needs. Remember to look at CPU and memory utilization as well as things like “Rules Partial Matches” and, of course, the actual number of correlation triggers. Every environment is different and will require some tuning to make it work at the most optimal level for your needs. If you need help, just reach out; we’re here for you!
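As an added example (not ArcSight's replayfilegen or SmartConnector code), this Python shows the two properties the lab replay in Steps 1 and 2 depends on: obfuscation that is consistent, so one real host or user always becomes the same fake one and correlation rules still trigger on the replayed data, and rate-controlled delivery at a chosen EPS. The sample events, the field patterns and the key are constructed for the example.

```python
import hashlib
import hmac
import re
import time

# Constructed "production" events; not an ArcSight replay file (the .events format is not reproduced)
SAMPLE_EVENTS = [
    "May 11 10:01:02 fw01 kernel: DROP src=203.0.113.7 dst=10.20.1.15 dpt=445",
    "May 11 10:01:03 fw01 kernel: DROP src=203.0.113.7 dst=10.20.1.16 dpt=445",
    "May 11 10:01:05 vpn01 sshd: Failed password for user=jsmith from 203.0.113.7",
    "May 11 10:01:09 vpn01 sshd: Accepted password for user=jsmith from 198.51.100.4",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\buser=(\w+)")

def pseudonymize_ip(ip, key):
    """Map a real IPv4 address to a stable fake address inside 10.0.0.0/8.
    A keyed HMAC rather than a random value: the same real address always becomes the
    same pseudonym, so rules such as 'N failures from one host' still fire in the lab."""
    digest = hmac.new(key, ip.encode(), hashlib.sha256).digest()
    return "10.%d.%d.%d" % (digest[0], digest[1], digest[2])

def pseudonymize_user(name, key):
    """Replace a user name with a stable opaque token (same name -> same token)."""
    return "u" + hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:8]

def obfuscate(line, key):
    """Rewrite every IP address and user= field in one event line."""
    line = IP_RE.sub(lambda m: pseudonymize_ip(m.group(0), key), line)
    return USER_RE.sub(lambda m: "user=" + pseudonymize_user(m.group(1), key), line)

def replay(lines, eps, send, clock=time.monotonic, sleep=time.sleep):
    """Hand lines to send() at a fixed events-per-second rate; returns the number sent.
    Each send time is computed from the start, not by sleeping a fixed gap after every
    event, so a slow send() does not make the achieved rate drift below eps."""
    interval = 1.0 / eps
    start = clock()
    sent = 0
    for line in lines:
        delay = start + sent * interval - clock()
        if delay > 0:
            sleep(delay)
        send(line)
        sent += 1
    return sent

if __name__ == "__main__":
    key = b"lab-only-key"  # constructed; generate one per export and do not ship it to the lab
    replay((obfuscate(e, key) for e in SAMPLE_EVENTS), eps=2.0, send=print)
```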