Security Information and Event Management (SIEM) Implementation

Posted on by Ben Rothke

With so many different types of log and audit data to deal with, Security Information and Event Management (SIEM) attempts to bring order to them by aggregating, correlating and normalizing the log and audit data. The end result is a single screen that presents all of the disparate data as a common element. While great in theory, the devil is in the details, and there are plenty of details in deploying a SIEM on corporate networks.

Security Information and Event Management Implementation provides a solid introduction, overview and analysis of what a SIEM (also known as SIM, SEM, SEIM and others) is, and what needs to go into it for an effective deployment and operation. 

As a technology, SIEM provides real-time monitoring and historical reporting of information security events from networks, servers, systems, applications and more. Many firms have deployed SIEM as a method to address regulatory compliance reporting requirements, in addition to using it as a mechanism with which to build a robust information security operation, integrating the SIEM into their security management and incident response areas.

With that, the good news is that the SIEM market is now at a mature state, with numerous vendors competing against each other. Combined with the level of SIEM adoption, it’s ready for prime time. But ensuring it works in prime time is heavily dependent upon the requirements definitions and planning.

The book's 15 chapters are organized in three parts: Introduction to SIEM: Threat Intelligence for IT Systems; IT Threat Intelligence Using SIEM Systems; and SIEM Tools. Part 3 (chapters 8-15) provides the bulk of the reading.

Part 1 provides a high-level overview of the topic and covers information security fundamentals. Chapter 2 details the various threats that the SIEM will be used to defend against, while chapter 3 gets into regulatory compliance, which is a key driver for many SIEM rollouts.

Part 2 details four SIEM vendors. The products the authors selected to showcase are: OSSIM, ArcSight ESM, Cisco Mars and Ounce Labs QRadar. While it is debatable if OSSIM is a SIEM, I am not sure why the authors did not include the netForensics product. This is especially true since the nFX SIM One software is one of the better tools which works on large deployments in which customization is needed.

A mistake many firms make when considering a SIEM is spending too much time selecting a specific SIEM vendor and not enough time defining their specific security requirements for the SIEM product. The book does a good job of communicating the importance of effective requirements definition. An important notion around requirements definition is that it must not involve just IT and security groups alone. Other groups including audit, regulatory, legal, administration, applications and more must be involved.

The book provides examples of real-world advice.  A good point made in chapter 11 is the need to realize that a SIEM takes time to develop and is an out of the box solution.  The authors note that one should not expect full inventory activity and actionable information immediately.  It often may take a few weeks for that information to be normalized into data that is actionable. 

Part 3 goes into the various products. Chapter 12, while about QRadar, lists 10 highly detailed questions that must be answered regardless of what SIEM vendor will be used. These 10 questions (for a formal SIEM definition, there are a good 30 or more that can be asked) require a firm to truly understand their infrastructure and environment before they deploy a SIEM. The authors note that these questions are meant to facilitate a firm doing their homework around the SIEM. Detailed answers to these questions should not be underestimated, as failure to answer them in advance can lead to a SIEM deployment that will ultimately fail.

For many readers, the screen print of a QRadar system settings console on page 278 may be enough to scare them away from a SIEM. This screen, of which there are many in QRadar, lists over 50 settings that must be configured in order to effectively use the software. While many of the default settings can be used, firms should know exactly what their settings should be if they want to get the most out of a SIEM solution.

In many books, the appendix is often public information which is simply added as filler to increase the page count. Here, the appendix, The Ways and Means of the Security Analyst, is superb. It details the human element of the SIEM, the security analyst, which is often what will make or break the SIEM. The analyst is the one who will use the SIEM and attempt to make sense of it. A SIEM deployment without good analysts is ultimately useless.

It should be noted that even though the book has the term implementation in the title, it is not really a full implementation reference. It should be viewed as a comprehensive introduction to SIEM. The reason is that when one digs into the deeper layers of a SIEM deployment, there are significant complexities that must be dealt with. Anyone who attempts to deploy SIEM based on this guide alone will likely be disappointed. This is not a fault of the book; rather, it is a reality of the complexity of a SIEM, and the number of pages it would require to be written.

While the book does have implementation guidelines around the installation and configuration of 4 SIEM products, the real challenge in a SIEM is the post-installation configuration issues, and not simply the installation. Perhaps the authors will take this as a challenge to create a second volume of this book detailing those issues.

With that, the book does provide an excellent overview of the topic and will be of value to those readers looking for answers around SIEM. Those looking for a solid introduction to the world of SIEM should definitely get a copy. Don’t think about a SIEM without it.

Ben Rothke

Senior Information Security Manager, Tapad
