Saturday, May 31, 2008
I have had the pleasure of working on several SIEM/SEM implementations throughout the year(s). One of the main issues I face is that a big majority of the analysts who will be monitoring the system on a day-to-day basis come from a different BU or IT group within the company. This doesn’t mean they cannot be successful, but it is definitely a big task to interpret the data that is received from the SIEM/SEM in place. From my experience, most places take the phased approach when deploying such a massive beast, but the phases are usually based on “what event sources are easier to import” vs. “what event sources can complement each other”. This, IMHO, is the first step in not overwhelming the end-user (the analysts). It is when you attempt to do analysis and investigate events that you truly notice which event sources you are missing: I have IDS alerts for outbound HTTP attacks, but I don’t have proxy logs to correlate them with. By having that other event source imported into your infrastructure, you gain much more visibility, as proxy logs can tie IP to user, user to request, etc… The ultimate goal is to minimize analysis time per event. We can take this a step further and minimize event counts through the right selection of event sources when they are coupled together. An example would be having end-point (asset) information coupled with an IDS alert. Priority/Impact/Relevance will be affected, since correlating the two event sources together would show an “SSH brute force attack” against target A while the asset information for target A shows port 22 as not open. If you trust your imported data, there would (in essence) be no need to investigate further.
I agree with the phased approach towards a deployment of this magnitude. Once you have your Phase 1 event sources chosen, sit down with your analysts and figure out what other sources can complement the ones currently chosen. Will you need FW logs, proxy logs, or Windows Event logs during analysis? Just because you can throw tons of data into the SIEM/SEM system doesn’t mean it will add value. Increasing the number of reporting devices ultimately increases daily event counts, which makes the analyst’s job that much harder (you are tuning your reporting devices, right?). There are more steps you can take than just choosing the right event sources to minimize what the analysts see, for example a comprehensive network model. Knowing what particular business function a segment serves will complement the tuning of your monitoring devices. Is DMZ A only Windows servers? Then there is no need to have Unix signatures enabled on the IDS devices watching it, etc… I hope this approach can help someone who is tasked with deploying a SIEM/SEM infrastructure for day-to-day monitoring tasks. Next time we will touch base on automation and more correlation.
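To make the two ideas above concrete (asset data lowering the relevance of an IDS alert against a closed port, proxy logs tying an outbound HTTP alert to a user, and a network model deciding which signature families a segment’s sensor needs), here is a small enrichment routine. It is an added example written for this post, not code from any SIEM product; the asset inventory, IDS alerts and proxy log lines are all constructed, and the field layout and relevance labels are my own assumptions.

```python
"""Enrich IDS alerts with asset inventory and proxy logs to cut analyst work.

Added example, not part of the original post. All data below is constructed.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed asset inventory: what the network model says about each host.
ASSETS = {
    "10.1.1.10": {"os": "windows", "open_ports": {80, 443}, "segment": "DMZ-A"},
    "10.1.1.11": {"os": "linux", "open_ports": {22, 443}, "segment": "DMZ-B"},
    "10.2.0.55": {"os": "windows", "open_ports": {445, 3389}, "segment": "USER-LAN"},
}

# Constructed IDS alerts; 'dir' is the direction the sensor reported.
IDS_ALERTS = [
    {"ts": "2008-05-31 10:00:05", "sig": "SSH brute force attempt",
     "src": "203.0.113.5", "dst": "10.1.1.10", "dport": 22, "dir": "inbound"},
    {"ts": "2008-05-31 10:01:10", "sig": "SSH brute force attempt",
     "src": "203.0.113.5", "dst": "10.1.1.11", "dport": 22, "dir": "inbound"},
    {"ts": "2008-05-31 10:05:30", "sig": "HTTP exploit kit request",
     "src": "10.2.0.55", "dst": "198.51.100.7", "dport": 80, "dir": "outbound"},
]

# Constructed proxy log: "<date> <time> <client_ip> <user> <method> <url> <status>".
PROXY_LOG = """\
2008-05-31 10:05:28 10.2.0.55 jdoe GET http://198.51.100.7/path/landing.php 200
2008-05-31 10:05:29 10.2.0.55 jdoe GET http://198.51.100.7/path/payload.bin 200
2008-05-31 10:20:00 10.2.0.60 asmith GET http://example.com/ 200
"""


def parse_proxy_log(text):
    """Turn raw proxy lines into dicts with a real datetime for correlation."""
    events = []
    for line in text.strip().splitlines():
        date, clock, client, user, method, url, status = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {clock}", TS_FMT),
            "client": client, "user": user, "method": method,
            "url": url, "status": int(status),
        })
    return events


def enrich_alert(alert, assets, proxy_events, window=timedelta(seconds=60)):
    """Attach asset and proxy context to one alert and derive a relevance rating."""
    out = dict(alert)
    out.update({"relevance": "unknown", "reason": "", "user": None, "urls": []})
    ts = datetime.strptime(alert["ts"], TS_FMT)

    if alert["dir"] == "inbound":
        # Inbound: does the asset inventory say the targeted port is even open?
        asset = assets.get(alert["dst"])
        if asset is None:
            out["reason"] = "target not in asset inventory; needs a manual look"
        elif alert["dport"] not in asset["open_ports"]:
            out["relevance"] = "low"
            out["reason"] = f"port {alert['dport']} not open on {alert['dst']} per asset inventory"
        else:
            out["relevance"] = "high"
            out["reason"] = f"port {alert['dport']} is open on {alert['dst']} ({asset['os']})"
    else:
        # Outbound: tie the internal source IP to a user and URLs via the proxy.
        hits = [e for e in proxy_events
                if e["client"] == alert["src"] and abs(e["ts"] - ts) <= window]
        if hits:
            out["relevance"] = "high"
            out["user"] = hits[0]["user"]
            out["urls"] = [e["url"] for e in hits]
            out["reason"] = f"proxy ties {alert['src']} to user {out['user']}"
        else:
            out["relevance"] = "medium"
            out["reason"] = "no proxy record for source within window; proxy feed missing?"
    return out


def enrich_alerts(alerts, assets, proxy_events):
    return [enrich_alert(a, assets, proxy_events) for a in alerts]


# Signature families worth enabling for a given OS (assumed naming, not a vendor's).
FAMILIES_BY_OS = {"windows": {"windows", "generic"}, "linux": {"unix", "generic"}}


def tune_signatures(assets):
    """Return the signature families each segment's sensor actually needs."""
    enabled = {}
    for host in assets.values():
        enabled.setdefault(host["segment"], set()).update(FAMILIES_BY_OS[host["os"]])
    return enabled


if __name__ == "__main__":
    for a in enrich_alerts(IDS_ALERTS, ASSETS, parse_proxy_log(PROXY_LOG)):
        print(f"[{a['relevance']:>7}] {a['sig']} {a['src']}->{a['dst']}:{a['dport']}  {a['reason']}")
    for seg, fams in sorted(tune_signatures(ASSETS).items()):
        print(f"{seg}: enable {sorted(fams)}")
```

Running it shows the first SSH alert dropping to “low” because the inventory says port 22 is closed on that host, the second staying “high” because it is open, and the outbound HTTP alert picking up the user and the two URLs the proxy saw two seconds earlier. The segment tuning output shows DMZ-A getting only Windows and generic families, which is the “no Unix signatures on a Windows-only DMZ” point from the post. The whole thing only holds up if the asset data is trusted and kept current, which is why the inventory miss is flagged for a manual look rather than silently rated.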