Beruflich Dokumente
Kultur Dokumente
Knowing your reasons for pursuing a SIEM deployment will help you to:
In this PCI DSS compliance example, you would likely want to focus on the security events and alarms that
are in scope of your PCI DSS environment. A key success metric would include having the ability to monitor
these events over time and report on them as needed in order to demonstrate to PCI assessors that you’re
continuously and fully monitoring your critical environments.
1: Know Your Use Cases First
Business Use Cases vs. Technical Use Cases
Keep in mind that there are key differences between business use cases and technical use cases. A
business use case is often high level, strategic, and provides rationale that can help you to secure executive
approval and funding for your SIEM deployment. A technical use case is often highly detailed and helps you
to operationalize the SIEM in order to achieve your business goals.
For example:
• Business use case (few) - Monitor all privileged user activity to satisfy PCI compliance requirements
• Technology use case (many) - Monitor and set up an alert for all sudo events on Linux servers, especially
failed root logins, and prioritize those that occur during specific time windows
If we take the privileged user monitoring example even further, it requires knowing:
Your SIEM use cases may relate to passing your next compliance audit or protecting the company’s
intellectual property. So, you should consider all of the critical apps and data your business relies on to
support customers and keep business operations running. Which apps house data that might be the target
of cyber criminals? Which apps contain data that may impact your compliance status (e.g. credit cardholder
data has implications for PCI DSS)?
When evaluating a SIEM, be sure you consider how you will monitor critical assets across all of your IT
environments:
• Physical IT infrastructure / networks
• Private clouds / virtualized IT (VMware)
• Remote sites and retail outlets
• Public cloud accounts (AWS, Azure)
• SaaS environments / cloud apps (Office 365, G Suite, and more)
Note: Apps like Office 365 and G Suite contain important information about user activity and can often be
“ground zero” for phishing attacks and other threats. Find out from your SIEM vendor if they can automate
the collection and analysis of log events from these enterprise SaaS apps. Otherwise, you could be missing
the full picture on emerging risks.
2. Identify ALL the Environments
You’ll Need to Monitor
Unify security monitoring across on-premises and cloud environments
In the past, enterprises had most of their data housed on systems in their own data center, with SIEM
sensors installed on each network to collect and consolidate all of the event log data across the LAN or
WAN. With the evolution of cloud computing, those days are long gone.
Today, the average global enterprise uses close to 1,000 cloud apps* across all departments in their
organizations.
Chances are, the most important data for your business is sitting on at least one or more cloud
environments. And so, as part of your overall effort to monitor all threats against that data, and to
achieve and demonstrate compliant processes, you’ll need to extend security monitoring to all of
those environments - from on-premises networks and data centers to the cloud, whether IaaS / PaaS
environments like AWS and Microsoft Azure, or SaaS environments, like G Suite and Office 365.
Find out from your SIEM vendor if they can collect, consolidate, and analyze event log data for all of these
environments (IaaS, PaaS, and SaaS). Ask them how they do it, and test them on this by including data from
all of your environments. If you’re ready to tackle the key questions to ask during your SIEM evaluation,
jump here to go directly to our SIEM Checklist: Questions for SIEM vendors.
*Source: http://chiefmartec.com/2017/06/average-enterprise-uses-91-marketing-cloud-services/
3. SIEM Alone Does Not Equal
Threat Detection
Complete security visibility requires a broad perspective – from a wide range of tools.
While a SIEM is great at collecting and correlating raw data, at the end of the day, you still need to tell the
SIEM what assets to monitor, what vulnerabilities those assets have, what type of traffic is coming in and out
of your network, and much more in order to detect and respond to a broad range of threats.
This means that your SIEM must play well with your other security controls in order to give you full visibility
into threats. What controls – at a minimum – are essential for feeding your SIEM?
Here are a few recommended security controls (and why they’re essential):
• Asset Discovery and Inventory – you need to know which assets are impacted by a particular threat,
especially if those assets are in scope of compliance
• Vulnerability Assessment – finding and addressing vulnerabilities before they’re exploited gives you
enhanced protection
• Host-based Intrusion Detection (HIDS) – advanced notice of suspicious activity on servers increases your
ability to stop threats in their tracks
• Network-based Intrusion Detection (NIDS) - advanced notice of suspicious network activity increases
your ability to thwart attackers, and it offers more information about an attacker’s techniques
• File Integrity Monitoring (FIM) – malware often targets critical system files, so monitoring these is
essential
3. SIEM Alone Does Not Equal
Threat Detection
Where and how do I find these data sources?
If you haven’t yet invested in these essential security controls, you may find great value in SIEM platforms
that include built-in security assessment and monitoring controls as a standard part of their functionality.
Multi-functional SIEM platforms produce a number of key benefits:
TIME TO VALUE
When you choose a SIEM solution that is already integrated with other essential security controls, you
significantly reduce the time and effort required to procure, deploy, integrate, and configure multiple point
security tools. Instead, you can deploy quickly and realize a faster time to value. Security-focused SIEM
solutions often include pre-built correlation rules to detect malware and more, so you can start to detect
threats on Day One.
COST SAVINGS
A unified SIEM generates upfront and ongoing cost savings. Instead of having to deploy, monitor, and
maintain multiple point security and compliance tools, a unified solution can provide a single pane of
glass for complete security monitoring and compliance management. This approach enables resource-
constrained IT security teams to achieve a strong security posture with fewer resources.
ACCURACY / PRECISION
Because detection is better coordinated among the built-in security controls, alarms are more accurate and
correlation rules more finely tuned than they would be for external / unknown data sources.
If you do already have some of these core technologies in place, then you’ll want to clearly understand what
it will take (how much time, money and effort) to integrate them with your SIEM and maintain that integration
as things change. Be sure to ask your SIEM vendor how they approach integration with other tools, and how
long this part of the deployment is expected to take.
4. Correlation Rules are the Engine
of Your SIEM
Correlation rules find the signal in the noise.
The secret sauce in any SIEM is what is known as “event correlation,” which filters through raw event log
data to find activity that signals something bad is happening now (or recently happened). Event correlation
rules are based on an understanding of how attacks unfold, so you’re notified whenever specific event data
consistent with an attack show up in your environment. Without correlation rules, your SIEM can’t deliver a
single alarm.
Keep in mind that in order to find threats and know what to do about them, you’ll need to know:
If you must write and update your own correlation rules, you’ll need to think through the following for each
threat you want to detect:
What would be some event types, and their sequences that might indicate this scenario?
Example – Someone tries unsuccessfully to log onto the domain controller using the Admin account, and
then there’s an unscheduled reboot of the same system.
→→ Include 1-2 of these in your SIEM test cases and POCs.
Which devices would be in scope for catching a scenario of this type?
→→ Make sure you add these devices as data sources first.
→→ Pro-tip: Remember… the “pre-step” is to find them - that’s why automated asset discovery is a must-have
for SIEMs.
What is our incident response strategy for when these scenarios happen?
→→ Develop Standard Operation Procedures (SOPs) and train staff. Make sure your SIEM supports built-in
documentation for your SOPs.
→→ Do SIEM alerts include customized guidance, and click-through detail on assets, their owners, contact
info, etc.?
Be wary of any SIEM vendor who cannot show you their event correlation rules, or explain their
methodology for identifying, correlating and categorizing events and event sequences. In fact, their lack of
transparency may be hiding the fact that they don’t know what to look for, and are expecting your team to
write, test and implement event correlation rules. And no one has any time for that.
5. Consider How to Integrate
Threat Intelligence.
Threat intelligence should contain all of the characteristics of a threat, as well as other analysis
to help IT teams defend themselves from that threat.
Admittedly, the entire security monitoring process can’t be automated. That said, there are still
opportunities for automation and security orchestration to accelerate response and streamline the
incident response process. Specifically, your SIEM platform may be able to orchestrate security
“playbooks” on your security devices such as Carbon Black endpoint security, Cisco Umbrella or
Palo Alto Network Next-Generation Firewall. These playbooks consist of things like having a SIEM
alert trigger an automated rulebase change for a specific IP block on a Palo Alto firewall.
Ask your SIEM vendor if they can extend their platform for consolidated threat detection and security
orchestration and automation. Find out which third-party apps and IaaS environments they support.
Additionally, find out if their alerts provide expert guidance on how to interpret the threat and how to
respond to it.
• Key need: “Real-time alerts and alarms are great, but if I don’t know what to do with them, they just
become more noise.”
• Key feature: Receive alerts prioritized by threat severity, automate and orchestrate security defenses,
receive expert guidance on actions to take, as well as the latest intelligence on emerging threats and how
to mitigate them.
It shouldn’t require more work.
• Key need: “I need to pass an audit now, I can’t afford a months-long deployment or complicated manual
integration projects.”
• Key feature: Essential security capabilities that are already built-in, along with out-of-the-box compliance
reports and extensible integrations with dozens of security vendors to deliver security automation and
orchestration.
Process Makes Perfect.
In the next section, we’ll outline the key steps of your SIEM evaluation process. After all, when you’re making
an investment decision that can affect your overall security and compliance posture, it’s important to have a
well-documented and disciplined process and keep all stakeholders informed on your progress.
Summary
SIEM Evaluation Process Stages
Phase 1 - Initial Review
Key Activities - Determine the set of vendors you’ll review and evaluate, based on the criteria we’ve
included in this guide along with your business goals.
Pro-Tip - Try to choose at least two to three vendors that you will spend time “kicking the tires” during a
Proof of Concept (POC). Not all vendors will qualify for an investment of your team’s time and attention
during an in-depth technical evaluation.
Pro-Tip – Look for vendors that offer a free trial so you can actually go through the deployment process
before purchase. Design test cases that are as close to your real-world priority needs as possible. Find out
how easy it is to go from installation to insight with the SIEM.
Pro-Tip - Include all key stakeholders in this process and document key reasons for selecting the chosen
vendor (because that may come in handy at renewal time).
SIEM Checklist:
Questions for SIEM vendors
What can I do if I don’t have all of the external security technologies in place that can feed the SIEM (e.g.
asset inventories, IDS, vulnerability scans, etc.)?
• Ask during the Initial Review phase. Any SIEM vendor who assumes you have these tools already
in place likely doesn’t have the breadth of functionality you’ll need for fast answers. Eliminate from
consideration, it’s not worth your time.
• Why is this important? It takes a lot of time, staff, and resources to purchase, install, and configure the
essential security controls to feed your SIEM. You can accelerate this with a SIEM platform that includes
these capabilities.
What is the anticipated mix of licensing costs to consulting and implementation fees?
• Ask during the Initial Review phase: Find out what the ratio is. If implementation costs 30-50% of the
overall cost of the investment, walk away. Fast.
• Why is this important? This question gets to the heart of how challenging the deployment process will be.
It will also expose if their claims of “out-of-the-box” functionality are truly solid.
How many staff members or outside consultants will I need for responding to SIEM alerts and managing
the system overall?
• Ask during the Initial Review phase: The answer to this could inform whether or not you’ll need to
outsource SIEM management to an MSSP, or explore some degree of MSSP support.
• Why is this important? If your team can’t realistically respond to alerts in a timely fashion, it may be time to
consider an MSSP to manage your SIEM platform.
SIEM Checklist:
Questions for SIEM vendors
How long will it take to go from software install to security insight?
• During the trial/POC phase: Ask them, and then make them prove it. Document how long it takes to install
the software, detect data sources (is it automated?), pull and analyze log data from at least three data
sources, and start issuing alerts and running reports.
• Why is this important? Speed of detection is the number one success factor for preventing a data breach.
How many staff members or outside consultants will I need for the integration work?
• During the trial / POC phase: Include at least one to two external data sources to pull data from.
Document how many people it takes for the work, and how long it takes (and multiply that by all the other
sources you’ll need.)
• Why is this important? Fast integration with your entire ecosystem is a critical factor for ensuring a
complete security picture.
Do alerts and alarms provide step-by-step instructions for how to mitigate and respond to
investigations?
• During the trial/POC phase: Recreate an event that you would expect would trigger an alert, and evaluate
how much info is provided to fix the issue.
• Why is this important? Cryptic alerts that leave no indication of what to do slow down incident response
and increase risk.
Bottom Line: After thorough evaluation, your final SIEM selection decision will likely be based on a
combination of objective and subjective criteria such as perceived value, trust and credibility in the vendor,
as well as how easy it is to get started and manage over time. Good luck and good threat hunting!
Go Beyond SIEM with AlienVault Unified Security Management (USM)
Features: AlienVault USM Traditional SIEM
Management
Log Management ✓ ✓
Event Management ✓ ✓
Event Correlation ✓ ✓
Reporting ✓ ✓
Security Monitoring Technologies:
$$
Asset Discovery Built-In
(3rd-party product that requires integration)
$$
Network IDS Built-In
(3rd-party product that requires integration)
$$
Host IDS Built-In
(3rd-party product that requires integration)
$$
File Integrity Monitoring Built-In
(3rd-party product that requires integration)
Cloud Monitoring $$
Built-In
(AWS, Azure, Office 365, G Suite) (3rd-party product that requires integration)
$$
Vulnerability Assessment Built-In
(3rd-party product that requires integration)
Additional Capabilities:
www.alienvault.com