SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security

Transcription

1 SIEM Optimization 101 ReliaQuest E-Book Fully Integrated and Optimized IT Security

2 Introduction SIEM solutions are effective security measures that mitigate security breaches and increase the awareness and visibility into an organization s security infrastructure when operating at an efficient and optimal level. As a result of underutilization and installation of basic out-of-the-box installations, companies fall short of reaching the solution s full potential. SIEM Optimization addresses challenges with custom integration, configuration, and ongoing maintenance for organizations without the dedicated resources. This E-Book provides insights to SIEM Optimization best practices to resolving performance bottlenecks that many companies encounter and highlights strategic steps security teams can implement to respond faster to security incidents and requests.

3 Four Effective SIEM Optimization Steps To Enhancing Your Performance Step 1: Conduct A SIEM Health Check In recent studies, 44% of organizations reported that managing the general complexity of SIEM products is their number one challenge. The first struggle is the initial deployment where many companies install the solution with basic out-of-the-box configurations having the intentions to expand usage and functionality at a later date. But these intentions are overshadowed by the daily responsibilities of the IT Security team which limits the ability to optimize the solution over time. This section covers four effective steps you can apply to help you better utilize its capabilities, enhance its performance, and get the most return on your investment. Step 1: Conduct A SIEM Health Check Analyze and develop a detailed assessment of the current performance of your SIEM: Queries, Rules, Reports, and Other System components (operating system updates, patches, etc.) SIEM back-up and recovery process Implementation mapped to current business needs

4 Four Effective SIEM Optimization Steps Step 2: Integration Services Step 2: Integration Services Based on the Health Check results, analyze and ensure: All devices are pointing to the SIEM Cross-correlation capabilities are utilized properly to ensure intelligence development. All relevant data types are being sent (flowdata, syslog, WMI, etc.) Incoming data is parsed correctly PRIORITIZATION It s important for organizations to maintain an inventory of all their nodes. Grouping nodes into a structure physical location, network location, or risk level can assist in prioritization and can lead to faster reaction time when conducting an investigation.

5 Four Effective SIEM Optimization Steps Step 3: Content Development Organizations need to consider building content for multiple levels of technical knowledge. For instance, Managers are typically looking for high level abstracted data versus Engineers are looking for content with very detailed information. Designing formal processes for developing SIEM content to meet business requirements and for emergency content development to satisfy industry conditions (i.e. CSIRT) can allay future complex maintenance efforts. Step 3: Content Development Develop a platform to bridge the gap from your current state to a sustainable infrastructure: Build custom connectors Create queries, reports, and alerts Modify filter/rules to eliminate false positives

6 Four Effective SIEM Optimization Steps Step 4: Education and Training Step 4: Education and Training Develop training to educate your security team and other employees on proper procedures and processes. Creating a security education program builds organization-wide awareness of your company s overall security goal and the necessary steps to achieve and maintain it. Create a lessons learned feedback loop to allow processes that involve the SIEM to be improved based on the incident handling process to grow ongoing training efforts.

7 Top 10 Reports Every Security Analyst Should Review Daily Top 10 Reports Every Security Analyst Should Review Daily There are literally hundreds of metrics and measurements that can indicate a potential information security incident. However, there are eleven absolutely critical reports that can most quickly help security analysts determine whether systems have been breached, users are behaving consistently with security policy, and data has been compromised. The 10 critical reports that every security analyst should review daily include: Alerts Triggered Failed Events Events by Hour and Type Account Activity The ability to alert appropriate personnel when abnormalities are detected is a key difference between log management tools, and a true SIEM platform. Knowing which alerts were triggered across the enterprise is a critical piece of information required to prioritize security analysis. Events and transactions can fail for a variety of reasons: performance or capacity issues, access control violations, and others. Knowing which events in your environment failed including the category, such as failed logons, as well as the critical level such as warning or information is vital information to tracking down the root cause of security related issues. It s important for your team to identify constants for thresholds to conduct further comparisons overtime. Reviewing events by hour and type is necessary to identify any anomalies or possible vulnerabilities. This report gives analysts visibility and insights into the type of data that is being collected, abnormalities within your data. An example would be a random surge in traffic outside of what your team considers a normal range. Creating or modifying accounts is one of the most common attack vectors used by both malware and directed attackers. Understanding when new accounts are created or existing account privileges or attributes are modified is key to understanding potential attacks.

8 Top 10 Reports Every Security Analyst Should Review Daily Continued Vulnerabilities Discovered Attacks by Source and Destination Information on known vulnerabilities across the enterprise, collected from major vulnerability scanning tools, is one of the most critical pieces of information a SIEM can provide. Correlating vulnerabilities with other activity is one of the most effective ways to combat external threats. Security technology such as intrusion detection and prevention (IDS/IPS) provide a SIEM with vital data regarding known attack patterns from outside the network. VPN Activity Network Traffic Analysis (from Netflow data) Activity by User Database Activity Virtual private networks (VPNs) and other remote access technologies are a prime target for exploitation by attackers, since by their very nature they allow trusted connectivity from outside the network. Not all information security threats can be detected with logs or other event-based information. Analyzing and reporting on network traffic patterns, such as traffic on abnormal ports, protocols and networks, is critical to determining whether threats from outside the network have been realized. Not all threats originate from the outside. Tracking activity associated with suspicious or highprivileged users provides security analysts with important information about potential rogue insiders. In most organizations, structured data in Oracle and Microsoft SQL Server relational databases represent the vast majority of business knowledge, and monitoring both access and activity from their logs provides valuable security intelligence. Are You Getting the Most Out of Your SIEM?

9 10 Quick SIEM Vital Signs to Measure for a Check Up: How Healthy Is Your SIEM? #1. Review appliance CPU, memory, and disk performance. #4: Review Network and Asset Models to ensure events are being prioritized correctly. #2: Make sure all assets are reporting and remove old decommissioned assets. #5: Analyze overall architecture and failover capabilities of the system. #3: Make sure the data you are importing is relevant and not just taking up space. #6: Evaluate all data and configuration backups. #7: Assess Use Cases to ensure you are getting visibility into all areas of the network and applications. #8: Evaluate and optimizes Rules, Channels, Filters, and other content to ensure reports and queries are running as fast as possible. #9: Examine all connector logs to ensure everything is reporting that you think should be and are not throwing errors. #10: Review storage groups and rules to ensure the logs are being stored according to compliance rules.

10 Performance Bottlenecks to Avoid 3 Performance Bottlenecks to Avoid to maintain the efficiency and optimal performance of your SIEM. 1. Overloading individual collectors with too many reporting devices and hosts. Having too many reporting devices and hosts can have a direct impact on processing performance and collection reliability. 2. Queries, Filters, and other content that is not optimized correctly Queries, Filters and other content that have not been customized to fit the organization s environment and can restrict the ability of finding and identifying the information you re looking for. Not fitting your current criteria can create white noise or lack of visibility. 3. Incorrect architecture and configuration of SIEM components This gap can lead to performance issues, scalability issues, and collection failures.

11 ReliaQuest SIEM Optimization Professional Services ReliaQuest s SIEM Optimization services assess and analyze the operating level of your SIEM and develop the content to reach optimal level for business functions. We customize your SIEM platform at any deployment level to eliminate the false positives and provide intelligent and actionable information. RQ SIEM Optimization services are custom-built and scalable based on your organization s priorities, industry benchmarks, and compliance drivers. ReliaQuest engineers work alongside your security team throughout the full cycle of the assessment and development processes allowing for your team to develop more in-depth knowledge of the ongoing monitoring and any ongoing needs. We Optimize the following SIEMs: ArcSight Qradar Splunk AlienVault Tripwire TrustWave LogRhythm LogLogic NitroView RSA Envision SolarWinds LEM Tenable LCE McAfee ESM SecureVue RQuality Assurance RQ Labs is continuously comparing, testing, and evaluating SIEM technologies in the market against the latest security threats and compliance drivers. Our inhouse development team supports our Engineers remote and onsite. Certified Information Security Professionals All ReliaQuest Engineers possess industry certifications: CISSP, CISM, CISA, CEH, etc. For more information visit our SIEM Services & Solutions Page A simple 15-minute conversation will allow team to understand your current environment and possible next steps.