This ensures your people and processes are ready to move to Step 2.
Step 2: simplify
Attempting to integrate SIEM with complex or contrived infrastructure will add time-consuming work and extra cost at each stage of the project.
So look for any opportunities to simplify your networks. Topologies may have changed significantly since your original deployment of firewalls, IDS, and other security products. Users may have relocated physically or migrated to new methods of accessing their applications and data. It may be possible to retire some of your security systems and consolidate networks and security policies associated because their functionality has now been added to other products.
To help with this, review the placement of security infrastructure in the light of the threats and vulnerabilities you catalogued in Step 1. Remove, redeploy, or reconfigure security products that serve little or no purpose in their current position. Take the opportunity to retire legacy access methods, and reduce the number of routes into your network. Again based on your work in stage 1, consider grouping high-value assets together in a high-security “green zone”.
One of the most powerful tools for adding simplicity to Default Deny – allowing users and applications to perform only specified tasks across networks and servers, and denying anything else. This means more elegant configuration, fewer events, and greater overall security. Server consolidation brings further management and cost benefits. Remember: keeping it simple maximises SIEM benefits.
Step 3: tune
In SIEM terms, tuning applies mainly to just one system: Network Intrusion Detection/Prevention, which generates more alerts than any other product. In essence, it means weeding out false positives. The strongest reason for tuning an IDS is this: if they have to report every event, the IDS may not keep up with the traffic and information will be lost.
The cost of your SIEM system is broadly proportional to the number of events per second it must handle and potentially store. And as we’ve gone a long way in Steps 1 and 2 toward streamlining infrastructure, tuning the IDS sensors in order to reduce the most obvious noise going into the SIEM can dramatically reduce the flow of spurious alerts.
One of the easiest IDS tuning activities takes advantage of the fact that you can logically group servers by OS, and so can tell the sensors to selectively ignore Windows attacks directed at UNIX machines and vice versa. This logical grouping does not necessarily mean moving systems and cables. Using a combination of intelligent port mirroring and tuned IDS you can opt to show a given sensor “just the UNIX traffic” and so obviate the need for running Windows signatures and their false alerts on that sensor or interface.
Another option is to screen alerts on Web servers, by qualifying signatures such as Python, PHP, Perl, .net and so on, in or out of the alert signature list.
Step 4: deploy
To ensure success, ensure the SIEM project is aligned with your business strategy, and consider what value the SIEM is supposed to deliver.
Also remember to deploy the solution in stages, with definable goals concluding each stage. One of the common reasons for failure is that the project tries to achieve too much, too fast – so proceed with care.