Security Basics mailing list archives

Re: Making /planing a successful SIEM/Log Management project


From: aditya mukadam <aditya.mukadam () gmail com>
Date: Fri, 21 Aug 2009 08:04:28 +0530

Hello,

Last year I had chalked out a few parameters while answering a question
on LinkedIn. Hope this helps.

1) What are the devices you want to integrate with SEM?
Most of the SIEM vendors have agents (event collectors) for most of the
devices in the market. However, a few devices might still not be supported
by a specific SIEM vendor. So while selecting a SIEM solution, prepare a
list of devices (platforms/vendors) you want to integrate with SIEM and
run that list through the supported list.


2) Integration with your existing ticketing/alerting tool
If you have an existing ticketing/incident alerting tool, you would
want to check if the SIEM solution can be integrated with it. SIEM
solutions have their own ticketing module. If you are planning to use
that then ignore this point.


3) Alerts/MIBs
This point is different than the above. SIEM comprises devices
sending their logs to agents/collectors. Different vendor products have
different agents. If you have a range of products, you may land up with
more than 50 agents (depending on your design and network). Agents
would send this information to a central device and other devices for
correlation etc. The point is all these components need to be
monitored. Many times it is difficult to get alerted if some component
failed. This can cause serious issues. So while selecting a SIEM solution
make sure that you understand each component and its available
alerting mechanism.

4) Tweaking
You would need to configure the network devices to send the required
logs to the agents/collectors. So the right level of logging should be
configured on the devices, otherwise you would witness serious issues with
your network bandwidth and performance. After implementation, you
would need to invest a lot of resources to fine tune the SIEM
solution. This would need you to define the type of alerting needed,
which will help you decide the type of logging to be performed on the
end devices.

5) Ease of implementation w.r.t. existing network
You may find one SIEM solution to be good; however, make sure that it
can be integrated with ease into your existing network. Many
times after buying a SIEM solution it is realised that there has to be a
major network change to accommodate the SIEM.

6) Type of report
I would rate this as one of the most important selection parameters because
at the end of the day you would want to get the required report. Check
the types of reports available and compare them with what you are looking
for. Check if you can customize the reports the way you need them to be.

7) Virtual Instance
If this solution is for an MSSP then check if you can run a virtual
instance of the SIEM solution and have the right kind of isolation between
two customers.

8) Redundancy/HA
Check if the SIEM solution can be configured for redundancy or HA. This is
important if the SIEM solution is sold with a high SLA.

9) Number of devices?
SIEM solutions have specific licenses for the number of devices. Make sure
you have the right license which can scale well for future
requirements. Also make sure that your SIEM solution can support the
number of devices (nodes).

10) Support
You need to find the right people to support this solution after
implementation. SIEM solutions are not easy to support. It would need a
specialized team to handle it. Also, compare the efficiency of the
SIEM vendor's TAC support during your time zone. Many times the main
team is in a different country, which can cause long delays to
troubleshoot issues.

Thanks,
Aditya
CISSP,CEH,JNCIA_UAC,JNCIA-SSL, JNSA-Advanced Security, CQS-PIX,CQS-VPN

On Thu, Aug 20, 2009 at 10:48 PM, Chris Brenton
<cbrenton () chrisbrenton org> wrote:

On Thu, 2009-08-20 at 14:29 +0300, pent 5971 wrote:
Hi,
I would like to ask for your experience in SIEM/log management
projects. For you,
what are the steps/roadmap for successful SIEM, log management projects?

I wrote up a vendor neutral piece designed to walk folks through the
process. You can find it here:

http://www.chrisbrenton.org/2009/08/setting-up-a-security-information-management-system-sim-%E2%80%93-part-1/



HTH,
C
---
www.chrisbrenton.org
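Point 3 above (every collector and correlation component must itself be monitored, and a failed one often goes unnoticed) is the kind of gap a small "silent source" check closes. The following is an added example, not code from the original post or from any SIEM product: it parses constructed key=value log lines, records the newest event per collector, and flags collectors that have gone quiet beyond a threshold or never reported at all against an assumed inventory (EXPECTED_COLLECTORS, collector names and timestamps are all made up).

```python
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like key=value form); hosts, collector
# names and timestamps are made up for this example.
SAMPLE_LINES = [
    "2009-08-20T22:00:05Z collector=agent-fw01 host=fw01 msg=deny tcp",
    "2009-08-20T22:10:41Z collector=agent-fw01 host=fw01 msg=permit tcp",
    "2009-08-20T21:05:00Z collector=agent-ids02 host=ids02 msg=alert sid=1",
    "2009-08-20T22:11:03Z collector=agent-dc01 host=dc01 msg=logon ok",
]

# Collectors the SIEM design expects to report (assumed inventory);
# agent-proxy03 is deliberately absent from the sample so it shows up as dead.
EXPECTED_COLLECTORS = {"agent-fw01", "agent-ids02", "agent-dc01", "agent-proxy03"}

def parse_line(line):
    """Return (collector, timestamp) from one key=value log line."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return fields["collector"], datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")

def last_seen(lines):
    """Newest event timestamp per collector."""
    seen = {}
    for line in lines:
        collector, ts = parse_line(line)
        if collector not in seen or ts > seen[collector]:
            seen[collector] = ts
    return seen

def silent_collectors(lines, expected, now, max_silence):
    """Collectors that never reported (value None) or whose newest event is
    older than max_silence (value = whole seconds of silence)."""
    seen = last_seen(lines)
    silent = {}
    for collector in sorted(expected):
        if collector not in seen:
            silent[collector] = None
        elif now - seen[collector] > max_silence:
            silent[collector] = int((now - seen[collector]).total_seconds())
    return silent

def run_sample():
    """Evaluate the sample as of 2009-08-20 22:15 UTC with a 30-minute threshold."""
    now = datetime(2009, 8, 20, 22, 15, 0)
    return silent_collectors(SAMPLE_LINES, EXPECTED_COLLECTORS, now, timedelta(minutes=30))

if __name__ == "__main__":
    for collector, gap in run_sample().items():
        print(collector, "never reported" if gap is None else f"silent for {gap}s")
```

In practice the threshold should be per source (a firewall that logs every few seconds tolerates a much shorter window than a quiet domain controller), and the check should run from a host that is not itself behind the collectors being watched.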


