What your SIEM vendor will not tell you

Transcription

1 WHITEPAPER What your SIEM vendor will not tell you Understand the nitty-gritties behind an SIEM implementation and get prepared to ask the right questions and be ready with most important pre-requisites for an effective implementation. By Hariharan Madhavan GAVS Security Operations Centre

2 Contents Introduction 3 Pre-implementation readiness 3 Questions to ask your SIEM vendor 4 Conclusion 4 2

3 Introduction So you did a HIPAA/PCI GAP assessment and your consultant told you about the need to comply with centralized logging and monitoring requirement (HIPAA (a)(1), (a)(5), (a)(6), (b), PCI Requirement 10[1]) and suggested an SIEM deployment. Now, these questions fire up: which product, what price, who can monitor, how to set this up, what devices to include, what is important to include, determining events per second, retention timeframe, hardware sizing, and more. While there are sufficient resources online to help you answer these questions, there is an extent of internal readiness required before you should even kick-start an SIEM implementation. This paper is set to throw light on what those important components are and why you should be ready. Pre-implementation readiness Readiness Ensure that time is synced across all your log-generating devices with precision. If you plan to have collectors across different time zones, ensure that the SIEM product has provision to normalize time before it is stored in its log database. Ensure that you have basic level of hardening done across devices. Consider running malware scans on all systems which have produced huge number of antivirus event logs and network botnet hits. These systems are the noisiest ones. If a system cannot be treated in the first place, consider reimaging it completely. If you feel user awareness is lacking, consider providing targeted training to users with high levels of out-of-ordinary usage (you get the idea). Enforce your acceptable usage policy if you feel there is no result even after the training. Consider compatibility with existing log analytics systems. Know your applicable SIEM use cases. Use cases are the typical types of offences you intend to catch with your SIEM. Reason Investigating incidents is very tedious if time is not consistent and correlation is not possible due to sequence of event missing. Normalizing time to HQ time is necessary for the above reason. Generally devices with less hardening produce more noise in the network than devices that are well hardened. These systems create a lot of noise, resulting in huge increase in the log events created. The lesser the EPS, the better would be the performance of the SIEM. The root cause can be a highly-infected system or a very careless user. Users with very little awareness are the weakest link in the human chain. Even the best SIEM cannot protect you if your users lack basic information security awareness. Most analytics systems that currently ingest logs and produce insight cannot coexist with SIEM. You need to decide whether it is okay to do away or determine the ability to obtain similar analytics report from SIEM. If you are not setting up custom use cases, you will only be using your SIEM to store logs and its functionality will be limited to that of an IPS based on its built-in signatures. 3

4 Questions to ask your SIEM vendor Licensing: Most SIEM vendors size the hardware and the license based on events per second and retention required. It is important to size the requirement not only based on today s volume but also by projecting a reasonable growth for the next two years. While it is good to size it really high from an operational perspective, it will make you pay more at the same time, you use your common sense as well, since vendors will always push for a higher EPS (Earnings Per Share) calculation. Supported log formats and products: Ensure that all your critical devices such as firewall, antivirus, VPN Gateway, IPS, load balancer, web application firewall (WAF), and anti-spam that monitor your security perimeter is covered and their log formats are fully supported by the SIEM product. When in doubt, ask for a pilot or demo. Retention of logs is very important. Ensure that you are both able to retain logs online for a reasonable period such as 90 days, and store it beyond as per your organization s retention policy. You need to export logs out of the box for this purpose. Ensure that this is allowed and you are able to export in a non-proprietary format (just in case). Do your homework: Compare similar products in the price range and understand what is included and what is not in detail, ask your managed services partner such as GAVS when in doubt. Management and monitoring: SIEM is a niche space and your internal IT may not be equipped for handling both the optimization and specialized monitoring skills. Either plan to get your internal team to be trained or get in touch with a managed service provider like GAVS to help you get a smooth experience right from product selection to implementation, tuning, and 24/7 monitoring from our security operations centre. Conclusion With the current trends involving security breach disclosures from big banners, it has become evident that security investments are not fully effective in countermeasures against powerful threat actors. Choosing the right products and the right partners is a sine qua non to stay in business. Feel free to reach out to us with respect to any of your existing or proposed plan to implement security analytics solutions, and we will do our best to assist you as a trusted partner in information security. References: PCI DSS Standard V 3.1 retrieved 29th August 2015 from PCI Security Standards Council, HIPAA Administrative safeguards retrieved on 2nd September 2015 from the U.S. Department of Health and Human Services, HIPAA Technical safeguards retrieved on 2nd September 2015 from the U.S. Department of Health and Human Services, GAVS Technologies. All rights reserved. 4

5 Author Profile Hari is an ethical hacker, CISA (Certified Information Systems Auditor) and CISM (Certified Information Systems Manager). He has around 9+ years of experience in defensive and offensive security background in Banking and IT. He is currently being consulted by GAVS clients to improve their security governance and compliance. 5

6 About GAVS GAVS Technologies (GAVS) is a global IT services & solutions provider for customers across multiple industry take advantage of futuristic technologies like Cloud, IoT, Managed Infrastructure Services, and Security services. GAVS has been recognized as an emerging player in the Healthcare Provider IT outsourcing sector by Everest Group, and as a prominent India-based Remote Infrastructure Management player by Gartner. USA GAVS Technologies N.A., Inc W 120th Avenue, Suite 110, Tel: Fax: GAVS Technologies N.A., Inc 116 Village Blvd, Suite 200, Princeton. New Jersey 08540, USA. Tel: /7 Fax: UK GAVS Technologies (Europe) Ltd Hillswood Drive, Hillswood Business Park, Chertsey KT16 ORS, United Kingdom Tel: + 44 (0) INDIA GAVS Technologies Pvt. Ltd. No.11, Old Mahabalipuram Road, Sholinganallur, Chennai, India Tel: Middle East GAVS Technologies LLC Knowledge Oasis, Muscat, Rusayl, Sultanate of Oman Tel: GAVS Technologies Thuraiya Tower 1 Dubai Internet City Dubai, UAE Tel: [email protected] 2015 GAVS Technologies. All rights reserved.