SIEM Selling

SIEM (security information and event management) technology provides real-time monitoring and historical reporting of security events from networks, systems, and applications. While compliance drives initial SIEM funding, organizations should also use SIEM to improve security operations, threat management, and incident response capabilities. Log management has also become an important requirement for SIEM solutions due to PCI DSS requirements and its usefulness for breach investigation and forensics. An optimal SIEM solution supports real-time collection and analysis of log data as well as long-term storage and reporting while being easy to deploy and maintain.

Uploaded by Morgan

What is SIEM?

Security information and event management (SIEM) technology provides real-time monitoring and
historical reporting of security events from networks, systems and applications.

SIEM deployments are often funded to address regulatory compliance reporting requirements, but
organizations should also use SIEM to improve security operations, threat management and incident
response capabilities.

Compliance, Log Management, Security and Fraud Detection


Although compliance drives SIEM project funding, most organizations also want to improve external
and internal threat-monitoring capabilities. As a consequence, there are requirements for user activity
and resource access monitoring for host systems, and real-time event management for network security.
Adoption of SIEM technology by a broad set of companies has fostered demand for products that
provide predefined compliance reporting and security monitoring functions, and ease of deployment
and support. The primary driver of the North American SIEM market continues to be regulatory
compliance. More than 80% of SIEM deployment projects are funded to close a compliance gap.
European and Asia/Pacific SIEM deployments have been focused primarily on external threat
monitoring, but compliance is becoming a strong driver in these regions as well.

Log management functions have become a more important customer requirement because of the
following factors:
• Payment Card Industry Data Security Standards (PCI DSS) requirement for log management
• The usefulness of detailed and historical log data analysis for breach investigation and general
forensics
• The ability to employ log management in front of a SEM-focused deployment to enable more-
selective forwarding of events to correlation engines (thereby, reducing the load on the event
manager and improving its scalability)
Application layer monitoring for fraud detection or internal threat management continues to evolve as a
use case for SIEM technology. SIEM technology is being deployed alongside fraud detection and
application monitoring point solutions to broaden their scope. These projects have been undertaken by
large companies in industry vertical markets, such as financial services and telecommunications, as an
internally justified security measure. A number of SIEM vendors are beginning to position their
technologies as "platforms" that can provide security, operations and application analytics.

An optimal SIEM solution will:

• Support the real-time collection and analysis of log data from host systems, security devices and
network devices
• Support long-term storage and reporting
• Not require extensive customization
• Be easy to deploy and maintain

In practice, ease of deployment, ease of support and log management functions are weighted more
heavily by buyers than advanced event management functions or the ability to heavily customize a SIEM
deployment.

SIEM sizing requirements

There are many SIEM / log management solutions on the market today, but to date I have tended to see
vendors size SIEM solutions in one of two distinct ways:
1. Sized on the number of log sources (servers, network devices, workstations etc.). Vendors include
Assuria Log Manager (ALM) and SolarWinds Event Manager.
2. Sized on Events Per Second (EPS). Vendors include LogRhythm, LogLogic, NetIQ Sentinel, ArcSight,
RSA enVision, Q1 Labs and netForensics.
These sizing methods are most closely tied to the specification of the appliances in hardware-based
models, whereas software-based or virtual-appliance SIEM vendors tend to integrate with existing SQL
instances or use PostgreSQL as a free database store with the required capacity.

An example EPS calculation is shown below, whereas sizing on log sources can be as simple as counting
the number of devices and applications that you want to collect logs and events from.

Events Per Second (EPS), as it is commonly referred to in the world of network security, is a measure of
how fast a network generates events from its security devices (firewalls, intrusion detection systems
(IDS), servers, routers, etc.), and/or how fast a SEM product can correlate events from those devices.

Typical worst-case EPS per device type (rule-of-thumb upper bounds; replace them with measured figures
from your own devices where you have them):

Device type        EPS (upper bound)
Firewall           < 500
IDS/IPS            < 500
Network switch     < 50
Network server     < 10
Network router     < 1

Example EPS
If an organisation had two firewalls, two network switches, one router and four servers, sizing on the
upper bounds gives:

Firewalls 2 x 500 = 1000 EPS, Switches 2 x 50 = 100 EPS, Router 1 x 1 = 1 EPS, Servers 4 x 10 = 40 EPS
Total = 1141 EPS

Each vendor will measure EPS differently (for example, whether they license on a sustained average or on
peak bursts), so it is worth getting an understanding of their measures before doing the calculations.
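The EPS calculation above, carried through to ingest and storage figures, as an added example (this is not code from the original document or from any of the vendors named). The per-device EPS bounds are the upper bounds quoted in the text; the average event size, peak factor, compression ratio and retention period are assumptions chosen for illustration and should be replaced with measured values from your own log sources.

```python
"""Added SIEM sizing calculator (example code, not from the original document).

Turns a device inventory into the sustained EPS figure used in the text, then
into the storage a given retention period needs. Event size, peak factor,
compression ratio and retention are illustrative assumptions, not vendor data.
"""
from dataclasses import dataclass

# Per-device EPS upper bounds as listed in the text (worst-case sizing figures).
EPS_BOUNDS = {
    "firewall": 500,
    "ids_ips": 500,
    "switch": 50,
    "server": 10,
    "router": 1,
}

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class SizingEstimate:
    sustained_eps: int        # sum of per-device upper bounds
    peak_eps: float           # what the collector must absorb in a burst
    events_per_day: int
    raw_bytes_per_day: int    # before compression, for network/ingest planning
    stored_bytes: int         # on-disk estimate for the whole retention period


def estimate_eps(inventory: dict) -> int:
    """Sum the EPS upper bound for every device in the inventory.

    `inventory` maps a device type from EPS_BOUNDS to a count. An unknown device
    type raises rather than being silently skipped, so a typo in the inventory
    cannot undersize the deployment.
    """
    unknown = set(inventory) - set(EPS_BOUNDS)
    if unknown:
        raise ValueError(f"no EPS bound for device type(s): {sorted(unknown)}")
    if any(count < 0 for count in inventory.values()):
        raise ValueError("device counts must be non-negative")
    return sum(EPS_BOUNDS[dev] * count for dev, count in inventory.items())


def size_deployment(inventory: dict, *, avg_event_bytes: int = 300,
                    peak_factor: float = 3.0, retention_days: int = 90,
                    compression_ratio: float = 5.0) -> SizingEstimate:
    """Derive ingest and storage figures from an inventory.

    Assumed defaults (illustrative, not vendor figures): 300-byte average raw
    event, bursts of 3x the sustained rate, 5:1 compression at rest, 90 days
    retention.
    """
    sustained = estimate_eps(inventory)
    events_per_day = sustained * SECONDS_PER_DAY
    raw_per_day = events_per_day * avg_event_bytes
    stored = int(raw_per_day * retention_days / compression_ratio)
    return SizingEstimate(
        sustained_eps=sustained,
        peak_eps=sustained * peak_factor,
        events_per_day=events_per_day,
        raw_bytes_per_day=raw_per_day,
        stored_bytes=stored,
    )


def human_bytes(n: int) -> str:
    """Render a byte count in decimal units (KB = 1000 B), as vendors quote them."""
    value = float(n)
    for unit in ("B", "KB", "MB", "GB", "TB"):
        if value < 1000:
            break
        value /= 1000
    else:
        unit = "PB"
    return f"{value:.1f} {unit}"


if __name__ == "__main__":
    # The worked example from the text: two firewalls, two switches, one router, four servers.
    example = {"firewall": 2, "switch": 2, "router": 1, "server": 4}
    est = size_deployment(example)
    print(f"sustained EPS: {est.sustained_eps} (the text's figure is 1141)")
    print(f"peak EPS to provision for: {est.peak_eps:.0f}")
    print(f"events per day: {est.events_per_day:,}")
    print(f"raw ingest per day: {human_bytes(est.raw_bytes_per_day)}")
    print(f"storage for 90 days at 5:1 compression: {human_bytes(est.stored_bytes)}")
```

Two design points: the peak figure matters more than the sustained one when choosing a collector, because an appliance licensed at its sustained EPS will drop or queue events during a scan or an outage storm; and the storage figure is what the retention discussion later on the page feeds into, so rerun it for each candidate retention period before committing to appliance disk sizes.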
What to monitor on a SIEM solution
Knowing what to monitor on a SIEM solution is key, as a huge amount of data can be generated by
servers, appliances and applications, and in order to pick out the key interesting events you need to
filter out the less interesting information that is captured.

Some people refer to the huge amounts of less interesting information as 'noise', and there can be huge
amounts of it when selecting policies that collect everything.

A more pragmatic approach is to start by collecting the key interesting events and then to grow the
amount of information collected to match your own capability to act on the results.

Interesting events to monitor

Interesting events obviously change with each customer, but I've created a list of typical categories
whose Success and Failure results could be interesting to review. The first nine are the Windows audit
policy categories; audit both Success and Failure for each of them.
• Audit account logon events
• Audit account management
• Audit directory service access
• Audit logon events
• Audit policy change
• Audit privilege use
• Audit process tracking
• Audit system events
• Audit object access
• Audit firewall traffic
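What "start with the key events and filter the noise" looks like in practice, as an added example that is not part of the original document: a Windows Security event feed is reduced to the audit categories listed above, then two correlation rules run over what remains. The category names are the Windows audit-policy categories from the list and the Event ID mapping is the standard Security log numbering for those categories (common IDs only, not exhaustive); the sample events, the noise list and the thresholds are constructed for this example and are not real log data or any vendor's defaults.

```python
"""Added example (not code from the original document): noise filtering and
two correlation rules over a constructed Windows Security event feed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Audit-policy category -> Security log Event IDs commonly raised under it.
CATEGORY_EVENT_IDS = {
    "account logon": {4768, 4769, 4771, 4776},  # Kerberos / NTLM credential validation
    "account management": {4720, 4722, 4724, 4726, 4728, 4732, 4740},
    "directory service access": {4662},
    "logon": {4624, 4625, 4634, 4648},
    "policy change": {4719, 4739},
    "privilege use": {4672, 4673},
    "process tracking": {4688, 4689},
    "system": {4608, 4616, 4697},
    "object access": {4656, 4663},
}
EVENT_ID_TO_CATEGORY = {eid: cat for cat, ids in CATEGORY_EVENT_IDS.items() for eid in ids}

# High-volume IDs that rarely change an investigation on their own ('noise').
# Constructed default for this example: logoff and process exit.
DEFAULT_NOISE = {4634, 4689}

# Constructed sample feed: (timestamp, Event ID, account). Not real data.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", 4624, "alice"),
    ("2024-05-01T09:00:01", 4672, "alice"),
    ("2024-05-01T09:00:05", 4688, "alice"),
    ("2024-05-01T09:00:06", 4689, "alice"),
    ("2024-05-01T09:01:00", 4634, "alice"),
    ("2024-05-01T09:05:00", 4625, "svc_backup"),
    ("2024-05-01T09:05:02", 4625, "svc_backup"),
    ("2024-05-01T09:05:04", 4625, "svc_backup"),
    ("2024-05-01T09:05:06", 4625, "svc_backup"),
    ("2024-05-01T09:05:08", 4625, "svc_backup"),
    ("2024-05-01T09:06:00", 4720, "tmpadmin"),
    ("2024-05-01T09:06:30", 4732, "tmpadmin"),
    ("2024-05-01T12:00:00", 4625, "bob"),
    ("2024-05-01T13:00:00", 4719, "SYSTEM"),
]


def load_events(rows):
    """Parse the raw tuples into dicts with a datetime timestamp."""
    return [{"ts": datetime.fromisoformat(ts), "event_id": eid, "account": acct}
            for ts, eid, acct in rows]


def category_of(event_id):
    """Audit category an Event ID belongs to, or None if it is unmapped."""
    return EVENT_ID_TO_CATEGORY.get(event_id)


def filter_interesting(events, enabled=None, drop_ids=DEFAULT_NOISE):
    """Keep events in an enabled category, minus explicit noise IDs.

    `enabled` defaults to every category; narrow it to start small and widen it
    as your capacity to act on the results grows."""
    enabled = set(CATEGORY_EVENT_IDS) if enabled is None else set(enabled)
    return [e for e in events
            if e["event_id"] not in drop_ids and category_of(e["event_id"]) in enabled]


def detect_bruteforce(events, threshold=5, window_minutes=5):
    """Alert when one account accumulates >= threshold failed logons (4625)
    inside any sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["account"]].append(e["ts"])
    alerts = []
    for account, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"rule": "bruteforce", "account": account, "failures": best})
    return alerts


def detect_create_then_elevate(events, window_minutes=10):
    """Alert when an account is created (4720) and then added to a security
    group (4732) within window_minutes. Real 4732 events name the member by SID,
    so production logic would resolve that first; this sample uses the name."""
    window = timedelta(minutes=window_minutes)
    created = {e["account"]: e["ts"] for e in events if e["event_id"] == 4720}
    alerts = []
    for e in events:
        if e["event_id"] == 4732 and e["account"] in created:
            delta = e["ts"] - created[e["account"]]
            if timedelta(0) <= delta <= window:
                alerts.append({"rule": "create_then_elevate", "account": e["account"],
                               "seconds_after_create": int(delta.total_seconds())})
    return alerts


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    kept = filter_interesting(events)
    print(f"{len(events)} events in, {len(kept)} kept after noise filtering")
    for alert in detect_bruteforce(kept) + detect_create_then_elevate(kept):
        print("ALERT", alert)
```

Run as-is it keeps 12 of the 14 constructed events and raises two alerts: five failed logons against svc_backup inside eight seconds, and tmpadmin being added to a group thirty seconds after creation. The point of the second rule is the one the page makes about correlation engines: neither 4720 nor 4732 is alarming alone, and only a collector that keeps both categories can join them.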

SIEM data retention policy

SIEM solutions are going to gather a lot of data over time, so it's important to think about data
retention up front, as it plays an important role in sizing the solution and in understanding how logs
could be archived and brought back for investigation in the future if required.

You can start to understand why appliance-based solutions have such a strict requirements-gathering
exercise when you consider the sheer volume of data they can gather: they need to allow sufficient
space for growth unless they can offload data to some other archive or disaster recovery format.

IT security compliance can set the retention period in some cases, and so can legal requirements for
some industry sectors. PCI DSS, for example, requires at least a year of audit log history with the most
recent three months immediately available for analysis. So many different business areas have
stipulations on data retention that it's worth doing some investigation on this before starting any SIEM
sizing, though I would like to think that most data owners would be aware of their own requirements
from the start.
