IDS mailing list archives

WP: Tactics for avoiding failure in large SEM implementations


From: nick.hutton () 360is com
Date: 26 Feb 2007 17:29:59 -0000

Over the last 18 months I've been called upon several times to "put right" security projects that have gone awry in the 
SEM/SIEM area. Generally the security department has several IDS/IPS systems feeding into a large Security Event 
Correlation and Management system in an attempt to "make some sense of the damn IDS" and change some of those console 
screens from "always on red".

I've gathered together all the lessons learned in the process of rescuing these projects, and present them in a short 
paper. I/we don't sell SEM/SIEM products, so you will find the text pretty balanced; I've found shortcomings with every 
one of the 5-or-so vendors in this area. If it saves even 1 more failed project or wasted purchase then it will have 
been worth it. For those of you already part-way through an implementation of such a project, there's still some hope in 
there for you :-)

http://www.360is.com/downloads/360is-prep-sem.pdf


Nick
