Security Basics mailing list archives
Re: Making /planing a successful SIEM/Log Management project
From: aditya mukadam <aditya.mukadam () gmail com>
Date: Fri, 21 Aug 2009 08:04:28 +0530
Hello,

Last year I had chalked out a few parameters while answering a question on LinkedIn. Hope this helps.

1) What are the devices you want to integrate with SIEM?
Most of the SIEM vendors have agents (event collectors) for most of the devices in the market. However, a few devices might still not be supported by a specific SIEM vendor. So while selecting a SIEM solution, prepare a list of devices (platform/vendors) you want to integrate with the SIEM and run that list through the supported list.

2) Integration with your existing ticketing/alerting tool
If you have an existing ticketing/incident alerting tool, you would want to check if the SIEM solution can be integrated with it. SIEM solutions have their own ticketing module; if you are planning to use that then ignore this point.

3) Alerts/MIBs
This point is different than the above. A SIEM comprises devices sending their logs to agents/collectors. Different vendor products have different agents. If you have a range of products, you may land up with more than 50 agents (depending on your design and network). Agents would send this information to a central device and other devices for correlation etc. The point is all these components need to be monitored. Many times it is difficult to get alerted if some component failed. This can cause serious issues. So while selecting a SIEM solution make sure that you understand each component and its available alerting mechanism.

4) Tweaking
You would need to configure the network devices to send the required logs to the agents/collectors. So the right level of logging should be configured on the devices, otherwise you would witness serious issues with your network bandwidth and performance. After implementation, you would need to invest a lot of resources to fine tune the SIEM solution. This would need you to define the type of alerting needed, which will help you decide the type of logging to be performed on the end devices.

5) Ease of implementation w.r.t. existing network
You may find one SIEM solution to be good; however, make sure that this can be integrated with ease into your existing network. Many times after buying a SIEM solution it is realised that there has to be a major network change to accommodate the SIEM.

6) Type of report
I would rate this as one of the important selection parameters because at the end of the day you would want to get the required report. Check the type of reports available and compare it with what you are looking for. Check if you can customize the reports the way you need them to be.

7) Virtual instance
If this solution is for an MSSP then check if you can run virtual instances of the SIEM solution and have the right kind of isolation between two customers.

8) Redundancy/HA
Check if the SIEM solution can be configured for redundancy or HA. This is important if the SIEM solution is sold with a high SLA.

9) Number of devices
SIEM solutions have specific licenses for the number of devices. Make sure you have the right license which can scale well for future requirements. Also make sure that your SIEM solution can support the number of devices (nodes).

10) Support
You need to find the right people to support this solution after implementation. SIEM solutions are not easy to support. It would need a specialized team to handle it. Also, compare the efficiency of the SIEM vendor's TAC support during your time zone. Many times the main team is in a different country, which can cause long delays to troubleshoot issues.

Thanks,
Aditya
CISSP, CEH, JNCIA-UAC, JNCIA-SSL, JNSA-Advanced Security, CQS-PIX, CQS-VPN

On Thu, Aug 20, 2009 at 10:48 PM, Chris Brenton <cbrenton () chrisbrenton org> wrote:
> On Thu, 2009-08-20 at 14:29 +0300, pent 5971 wrote:
> > Hi, I would like to ask for your experience in SIEM/log management projects. For you, what are the steps/roadmap for successful SIEM, log management projects?
>
> I wrote up a vendor neutral piece designed to walk folks through the process. You can find it here:
> http://www.chrisbrenton.org/2009/08/setting-up-a-security-information-management-system-sim-%E2%80%93-part-1/
>
> HTH,
> C
> ---
> www.chrisbrenton.org
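Points 3 and 4 of Aditya's list concern two things a SIEM team rarely gets alerted on by default: a collector that has quietly stopped forwarding, and a source whose logging level is turned up so high that it floods the pipeline. As an added illustration, not part of the original post or of any vendor's product, here is a small Python check that runs over a sample of incoming events and reports inventoried collectors that never reported, collectors silent longer than a threshold, and collectors whose peak per-minute rate exceeds a ceiling. The collector names, the "timestamp collector message" line format and both thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line: "<ISO timestamp> <collector> <message>".
# Collector names are hypothetical; a real deployment would use its own inventory.
SAMPLE_LINES = """\
2009-08-21T08:00:01 agent-fw-01 Accepted connection 10.0.0.5 -> 10.0.1.7:443
2009-08-21T08:00:05 agent-fw-01 Denied connection 10.0.0.9 -> 10.0.1.7:22
2009-08-21T07:20:10 agent-ids-02 Signature update completed
2009-08-21T08:01:12 agent-ad-03 Logon success user=alice
2009-08-21T08:01:13 agent-ad-03 Logon success user=bob
2009-08-21T08:01:13 agent-ad-03 Logon success user=carol
2009-08-21T08:01:14 agent-ad-03 Logon success user=dave
2009-08-21T08:01:14 agent-ad-03 Logon success user=erin
2009-08-21T08:01:15 agent-ad-03 Logon success user=frank
this line is malformed and must be skipped
""".splitlines()

# Hypothetical inventory of collectors the SIEM is supposed to hear from.
EXPECTED_SOURCES = ["agent-fw-01", "agent-ids-02", "agent-ad-03", "agent-db-04"]


def parse_line(line):
    """Split one line into (timestamp, collector, message); None if malformed."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def check_sources(lines, expected, now, silence=timedelta(minutes=30), max_per_minute=5):
    """Return {'never_seen': [...], 'silent': {src: minutes}, 'noisy': {src: peak}}.

    never_seen: inventoried collectors with no events at all (point 3).
    silent:     collectors whose last event is older than `silence` (point 3).
    noisy:      collectors whose busiest minute exceeds `max_per_minute` (point 4).
    """
    last_seen = {}
    per_minute = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed input is ignored, not allowed to break the check
        ts, src, _ = parsed
        if src not in last_seen or ts > last_seen[src]:
            last_seen[src] = ts
        per_minute[src][ts.replace(second=0)] += 1

    never_seen = sorted(s for s in expected if s not in last_seen)

    silent = {}
    for src in expected:
        if src in last_seen:
            gap = now - last_seen[src]
            if gap > silence:
                silent[src] = int(gap.total_seconds() // 60)

    noisy = {}
    for src, buckets in per_minute.items():
        peak = max(buckets.values())
        if peak > max_per_minute:
            noisy[src] = peak

    return {"never_seen": never_seen, "silent": silent, "noisy": noisy}


def run_sample(now_iso="2009-08-21T08:05:00"):
    """Run the check over the constructed sample at a fixed reference time."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%S")
    return check_sources(SAMPLE_LINES, EXPECTED_SOURCES, now)


if __name__ == "__main__":
    for category, finding in run_sample().items():
        print(f"{category}: {finding}")
```

In practice the silence threshold should be set per collector (a firewall log that is quiet for five minutes is already suspicious; an IDS that only logs signature updates may legitimately be quiet for hours), and the rate ceiling is the number to revisit while tuning logging levels on the end devices.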
Current thread:
- Making /planing a successful SIEM/Log Management project pent 5971 (Aug 20)
- RE: Making /planing a successful SIEM/Log Management project Frye, Dan (Aug 20)
- Re: Making /planing a successful SIEM/Log Management project Chris Brenton (Aug 20)
- Re: Making /planing a successful SIEM/Log Management project aditya mukadam (Aug 21)