Before staring Decurity I spent a significant amount of time in the professional services arena of one of these SIEM vendors.  I also spent time in Several SOC and MSSP environments (and still do).  You can check out my full professional background on Linkedin for more details. 

I’ll do my best to focus on more than one SIEM product, but let’s be honest it will probably happen that I overwhelmingly focus on one vendor’s implementation.  One SIEM vendor has an overwhelming market share in large organizations and many of the lessons learned will apply no matter what SIEM you choose.  If you have expertise in other products and feel I misrepresented or undervalued their functionality and you feel the need to provide additional context – please do!  I love to learn. I’m serious I want you to share your expertise.

Positive Statements:
Through my experiences I’ve come to gain considerable perspective on nearly all SIEM and Log Management vendors. I have a lot of respect for the developers and hard working people at each of these companies so I will not “bash” products in this forum. I will do my best to show you how you can gain the most from the features and functionality through “best practices” for the products in your environment.

Perspective:
Most of the perspective I’ll present in the Best practices Series is from a Corporate/Government Enterprise Security Operations Center (or even MSSP) point of view.  Much of it will apply to anyone, but certain aspects of my recommendations may only apply to those situations where integrated Detection, Response, Prevention, Reporting and planning functions exist.  I’ll try and specifically call out when alternate activities may be more appropriate for smaller organizations.

Rationale:
I’ve been very quiet for a long time, (well at least online, those of you that have heard me speak or interacted with me know I’m not exactly quiet when it comes to this subject).

Recently I’ve been convinced it is time to share my perspectives.  If they help others, great, if they make people mad (I’ll apologize ahead of time), but it will be me – only censored by the remaining balance of patience I have at the point I write the post J

Certainly this blog series will benefits – I get to release some emotion, maintain a knowledge base for my future reference, maybe get one or two of you to consider my SIEM or SOC services, but in the end what is most important to me with this series is to remove some of the clouds and complexity around SIEM, set realistic expectations, share knowledge and expand the overall usability of these products.
Upcoming Blog Posts:
In this “best practices” series I intend on presenting information around the following subjects:

Default Content:  Based on a recent blog post over at my favorite blog (TaoSecurity) I am moving this posting up on my priority list.    In this “default content post I’ll try to provide context to the discussion about “disabling all the default content” that ships with the product.

Log management versus SIEM:  everyone else has comments (Anton, Raffy, etc) Now it’s my turn to add some context as to why I think these products exist and where I think they are headed.  And added in there – let’s talk about the new vendor buzzword “Platform”.

Event Sources:  What information should I send to SIEM, what is best used in Log Management, How to make the two work together, nicely.  Let’s talk about the value of information from Firewall versus Web Proxy, DNS Server, Email Server, etc.  Positives and Negatives about Vulnerability management integration.  And much more.  (this may be split up into several posts by technology depending on your input).

Reporting:  If I see another top 10 report presented to management, I will throw up.  Let’s discuss the reports that work.  Reports should drive action, or summarize information in a meaningful way.
        Metrics:  This is a evolving area that I’m learning.  I have some ideas here on measurements that I’ll present.
        Workflow:  Event Handling, Incident Handling and Escalation using your SIEM product.

Compliance/Governance:  A necessary evil, an in some cases the only thing keeping Security funded at reasonable levels.  How can we best use our SIEM technologies to provide the necessary support to Auditors and still maintain an overall enterprise security view?

User Contributed:  I’ll comment on your suggestions/topics in my forum based on comments, emails or questions we receive.

Lastly my apologies:
If I misspell a word or present my thoughts in a manner inconsistent with your supreme mastery of the English Language, I’m sorry.  I am certainly not a professional author nor an editor.  I write as though I was speaking one on one to you about a subject I’m passionate about so at times I run on, at times I will misspell words (especially if I type if from my iPhone).