SIEM/SEM and Event Sources
I have had the pleasure of working on several SIEM/SEM implementations over the years. One of the main issues I face is that most of the analysts who will be monitoring the system on a day-to-day basis come from a different BU or IT group within the company.
This doesn’t mean they cannot be successful, but interpreting the data that comes out of the SIEM/SEM in place is definitely a big task. In my experience most places take a phased approach when deploying such a massive beast, but the phases are usually based on “what event sources are easier to import” rather than “what event sources can complement each other”. This, IMHO, is the first step in not overwhelming the end users (the analysts).
It is when you attempt to analyze and investigate events that you truly notice which event sources you are missing. I have IDS alerts for outbound HTTP attacks, but I don’t have proxy logs to correlate them with. By importing that other event source into your infrastructure you gain much more visibility, since proxy logs can tie IP to user, user to request, and so on. The ultimate goal is to minimize analysis time per event.

We can take this a step further and minimize event counts through the right selection of event sources coupled together. An example would be coupling end-point (asset) information with an IDS alert. Priority/Impact/Relevance will be affected, since correlating the two event sources would show an “SSH brute force attack” against target A while the asset information for target A shows port 22 as not open. If you trust your imported data, there is (in essence) no need to investigate further.
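The two correlations described above (IDS alert plus asset inventory to drop relevance, IDS alert plus proxy logs to tie an IP to a user and their requests), as an added example that is not part of the original post. The records, addresses, time window and the low/medium/high scoring are constructed assumptions, not any particular SIEM's schema.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical); addresses are documentation ranges.
ASSETS = {  # asset inventory: host -> open TCP ports
    "10.0.0.5": {80, 443},   # "target A": no SSH listener at all
    "10.0.0.9": {22, 443},
}
PROXY_LOGS = [  # (timestamp, client_ip, user, url)
    (datetime(2024, 1, 1, 10, 0, 5), "10.0.0.42", "jdoe", "http://198.51.100.3/cgi-bin/x.cgi"),
    (datetime(2024, 1, 1, 9, 0, 0), "10.0.0.42", "jdoe", "http://example.com/"),
]
IDS_ALERTS = [
    {"time": datetime(2024, 1, 1, 10, 0, 0), "sig": "SSH brute force attack",
     "src": "203.0.113.7", "dst": "10.0.0.5", "dst_port": 22},
    {"time": datetime(2024, 1, 1, 10, 0, 0), "sig": "Outbound HTTP attack",
     "src": "10.0.0.42", "dst": "198.51.100.3", "dst_port": 80},
]

def enrich(alert, assets=ASSETS, proxy_logs=PROXY_LOGS, window=timedelta(minutes=2)):
    """Attach asset and proxy context to one IDS alert and assign a priority."""
    result = dict(alert, priority="medium", reasons=[], user=None, requests=[])
    # Asset correlation: a port the inventory says is closed cannot be brute-forced,
    # so the alert's relevance drops (trusting the imported inventory).
    ports = assets.get(alert["dst"])
    if ports is not None and alert["dst_port"] not in ports:
        result["priority"] = "low"
        result["reasons"].append(
            f"inventory shows port {alert['dst_port']} closed on {alert['dst']}")
    # Proxy correlation: tie the source IP to a user and to the requests actually
    # made around the alert time, which is the context an analyst otherwise digs for.
    for ts, client, user, url in proxy_logs:
        if client == alert["src"] and abs(ts - alert["time"]) <= window:
            result["user"] = user
            result["requests"].append(url)
    if result["requests"]:
        result["priority"] = "high"
        result["reasons"].append(f"proxy ties {alert['src']} to user {result['user']}")
    return result

def triage(alerts=IDS_ALERTS):
    """Return enriched alerts ordered high -> low so analysts see real ones first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((enrich(a) for a in alerts), key=lambda r: order[r["priority"]])

if __name__ == "__main__":
    for r in triage():
        print(r["priority"], r["sig"], r["user"], r["reasons"])
```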