Step 3: tune
In SIEM terms, tuning applies mainly to just one system: Network Intrusion Detection/Prevention, which generates more alerts than any other product. In essence, it means weeding out false positives. The strongest reason for tuning an IDS is this: if they have to report every event, the IDS may not keep up with the traffic and information will be lost.
The cost of your SIEM system is broadly proportional to the number of events per second it must handle and potentially store. And as we’ve gone a long way in Steps 1 and 2 toward streamlining infrastructure, tuning the IDS sensors in order to reduce the most obvious noise going into the SIEM can dramatically reduce the flow of spurious alerts.
One of the easiest IDS tuning activities takes advantage of the fact that you can logically group servers by OS, and so can tell the sensors to selectively ignore Windows attacks directed at UNIX machines and vice versa. This logical grouping does not necessarily mean moving systems and cables. Using a combination of intelligent port mirroring and tuned IDS you can opt to show a given sensor “just the UNIX traffic” and so obviate the need for running Windows signatures and their false alerts on that sensor or interface.
Another option is to screen alerts on Web servers, by qualifying signatures such as Python, PHP, Perl, .net and so on, in or out of the alert signature list.
Step 4: deploy
To ensure success, ensure the SIEM project is aligned with your business strategy, and consider what value the SIEM is supposed to deliver.
Also remember to deploy the solution in stages, with definable goals concluding each stage. One of the common reasons for failure is that the project tries to achieve too much, too fast – so proceed with care.
SIEM should help you to free up the small, specialist security team from doing day-to-day investigations and device support work. It should enable you to meet compliance requirements for reporting, without large amounts of custom coding and scripting. And critically, it should cut the chances of a breach passing unnoticed, and shorten the clean-up period, reducing overall exposure to risk.
Remember, the ultimate SIEM goal is to help your existing teams to do more, be more reactive with their current resources and to enhance security. Now that’s well worth a little extra preparation.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.