The time that security was “just something extra” for a company is long gone. Now that attacks and their associated losses are common occurrences, the need for security is one of the top priorities for organisations of all sizes. Getting ‘good’ security could easily eat up vast sums of money without making a big impact to your safety, so understanding which tools you need is an important concern. The key part of any mature security solution should be Security Information and Event Management, known to the industry as a SIEM solution. It can provide all the relevant information about the systems, from simple event logs (who logged in and when) up to system processes and activity tracking.
Identification and separation
How easy is it for a company to choose the right tool, and so get the right results, without spending a year’s budget? The answer here is not fixed, as different businesses have different priorities. There are however a few steps that will help identify an organisation’s best bet. As a first step, identifying assets of critical importance is essential (the scope). Depending on the environment in question, it could can be a single system, a whole 0/24 subnet of systems or even everything on a company’s network. Getting the right scope is paramount, as it’s how you can save a lot of time and resources. Identification of the parameters of the system is the next step. It might sound easier to say, “Monitor Everything”, instead of selecting only the important services. Though this might seem like a good idea, with such vast amounts of data it could quickly spiral out of control – especially in the case of a breach. Where do you start? You have a huge amount of information, mostly irrelevant, and you are looking for a single event that can show what happened. In cases like this, it can take much longer to discover the crucial when, where and why.
Indexing and visualisation
After you have identified what you need and what you don’t, it is time to separate them. It’s easy to say that all logs from Machine X go there and everything from Machine Y go here. This, however, is not the right way. A proper SIEM solution can provide indexing options that will help you manage the logs easier. Indexing based on the type of the log is the best option, as you can refer to what you are looking for. For example, are you looking for DNS logs, exchange, logs from snort, etc? Indexing done! You have identified what you need, what you want, and how to store it. The best way to proceed is to have an easy-to-read visual interface. There is no need for long lines of messages describing the event and holding all the information that someone might need. In fact, if everything is on a single line it will be more difficult to apply filters for better visualisation. What is it good for if everything is there but in order to read and extract the information you want you have to go line by line? It is much preferable to separate the logs based on the distinct information that are part of it (IP, username, application ID, etc.)
Function and form
Other than having something “shiny”, you must take into account what you can do to have everything available for everyone and have it easy to read at any given time. Different logs provide different information and, as I mentioned before, this is something that can’t be decided without knowing your organisation’s assets. A good dashboard must provide all the information needed for understanding. Graphs and tables always go down well, but are they showing you the right information? A good SIEM dashboard should include the most important information from all the monitored systems, as well as a live feed.
Last up on our list are redundancy and scalability. These should be taken into consideration no matter the size and the state of an organisation. It might be only one system now, but in 5 months’ time, it might be 42. Be mindful of any upcoming changes to the requirements, such as compliance with a standard (e.g. PCI DSS). So as you can see, one size does not fit all. Information, budget, size, standards, scalability, redundancy must all be considered before the final decision on purchasing any SIEM solution is made. Without such thought you’ll be wasting money and, crucially, potentially undermining the effectiveness of your whole security operation.