SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security




Introduction

A SIEM that is integrated and tuned properly mitigates security breaches and gives an organization awareness of, and visibility into, its security infrastructure. Most deployments fall short of that potential: the product is installed with its basic out-of-the-box configuration and then left underutilized. SIEM Optimization addresses the custom integration, configuration, and ongoing maintenance that organizations without dedicated resources struggle to perform. This E-Book describes SIEM Optimization best practices for resolving the performance bottlenecks many companies encounter, and highlights the steps security teams can take to respond faster to security incidents and requests.

Four Effective SIEM Optimization Steps To Enhancing Your Performance

In recent studies, 44% of organizations reported that managing the general complexity of SIEM products is their number one challenge. The first struggle is the initial deployment: many companies install the solution with its basic out-of-the-box configuration, intending to expand usage and functionality later. Those intentions are then overshadowed by the daily responsibilities of the IT Security team, which limits the ability to optimize the solution over time. This section covers four steps you can apply to better utilize the SIEM's capabilities, enhance its performance, and get the most return on your investment.

Step 1: Conduct A SIEM Health Check

Analyze and develop a detailed assessment of the current performance of your SIEM:
- Queries, rules, reports, and other system components (operating system updates, patches, etc.)
- SIEM backup and recovery process
- Implementation mapped to current business needs

Step 2: Integration Services

Based on the Health Check results, analyze and ensure that:
- All devices are pointing to the SIEM
- Cross-correlation capabilities are utilized properly, so that events from different sources are combined into intelligence rather than reviewed in isolation
- All relevant data types are being sent (flow data, syslog, WMI, etc.)
- Incoming data is parsed correctly

Prioritization: it is important for organizations to maintain an inventory of all their nodes. Grouping nodes into a structure (physical location, network location, or risk level) assists in prioritization and leads to faster reaction time when conducting an investigation.

Step 3: Content Development

Organizations need to build content for multiple levels of technical knowledge: managers typically look for high-level, abstracted data, whereas engineers look for content with very detailed information. Designing a formal process for developing SIEM content to meet business requirements, and a separate process for emergency content development driven by incident response (CSIRT) needs, reduces complex maintenance efforts later.

Develop a platform to bridge the gap from your current state to a sustainable infrastructure:
- Build custom connectors
- Create queries, reports, and alerts
- Modify filters and rules to eliminate false positives

Step 4: Education and Training

Develop training to educate your security team and other employees on proper procedures and processes. A security education program builds organization-wide awareness of your company's overall security goal and the steps needed to achieve and maintain it. Create a lessons-learned feedback loop so that processes involving the SIEM are improved from the incident handling process and feed ongoing training efforts.

Top 10 Reports Every Security Analyst Should Review Daily

There are literally hundreds of metrics and measurements that can indicate a potential information security incident. However, ten critical reports can most quickly help security analysts determine whether systems have been breached, whether users are behaving consistently with security policy, and whether data has been compromised.

1. Alerts Triggered. The ability to alert appropriate personnel when abnormalities are detected is a key difference between log management tools and a true SIEM platform. Knowing which alerts were triggered across the enterprise is critical information for prioritizing security analysis.

2. Failed Events. Events and transactions can fail for a variety of reasons: performance or capacity issues, access control violations, and others. Knowing which events in your environment failed, including the category (such as failed logons) and the criticality level (such as warning or information), is vital to tracking down the root cause of security-related issues. Your team should fix constant thresholds so that results can be compared over time.

3. Events by Hour and Type. Reviewing events by hour and type is necessary to identify anomalies or possible vulnerabilities. This report gives analysts visibility into the type of data being collected and into abnormalities within it, for example a sudden surge in traffic outside what your team considers the normal range.

4. Account Activity. Creating or modifying accounts is one of the most common attack vectors used by both malware and directed attackers. Knowing when new accounts are created, or when existing account privileges or attributes are modified, is key to understanding potential attacks.

5. Vulnerabilities Discovered. Information on known vulnerabilities across the enterprise, collected from the major vulnerability scanning tools, is one of the most critical pieces of information a SIEM can provide. Correlating vulnerabilities with other activity is one of the most effective ways to combat external threats.

6. Attacks by Source and Destination. Security technologies such as intrusion detection and prevention systems (IDS/IPS) provide the SIEM with vital data on known attack patterns from outside the network.

7. VPN Activity. Virtual private networks (VPNs) and other remote access technologies are a prime target for attackers, since by their very nature they allow trusted connectivity from outside the network.

8. Network Traffic Analysis (from NetFlow data). Not all information security threats can be detected with logs or other event-based information. Analyzing and reporting on network traffic patterns, such as traffic on abnormal ports, protocols, and networks, is critical to determining whether threats from outside the network have been realized.

9. Activity by User. Not all threats originate from the outside. Tracking activity associated with suspicious or high-privileged users gives security analysts important information about potential rogue insiders.

10. Database Activity. In most organizations, structured data in Oracle and Microsoft SQL Server relational databases represents the vast majority of business knowledge; monitoring both access and activity from their logs provides valuable security intelligence.

Are You Getting the Most Out of Your SIEM?
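To make the Alerts Triggered, Failed Events, Events by Hour and Type, Account Activity and Activity by User reports concrete, and to show what the Step 3 advice on tuning out false positives looks like in rule logic, here is an added Python example. It is not code from the e-book or from any SIEM product. It runs over a small constructed batch of normalised events; the field names, the per-hour baselines, the five-failure threshold and the scanner-account allowlist are assumptions chosen for the illustration.

```python
"""Added example: daily-report checks over constructed, SIEM-normalised events."""
from collections import Counter, defaultdict
from datetime import datetime


def _ev(ts, src, cat, outcome, sev, user="", actor=""):
    """One normalised event record (field names are this example's own)."""
    return {"ts": ts, "src": src, "cat": cat, "outcome": outcome,
            "sev": sev, "user": user, "actor": actor}


# Constructed sample data, not real logs. The shapes mimic what a SIEM holds
# after parsing Windows Security events (failed logon, account created, member
# added to a group) and a firewall syslog feed.
SAMPLE_EVENTS = (
    # a vulnerability scanner's service account failing logons every night
    [_ev(f"2016-03-01T02:0{i}:00", "dc01", "logon", "failure", "warning",
         user="svc_scanner") for i in range(6)]
    # a real brute-force burst against jsmith in the same hour
    + [_ev(f"2016-03-01T02:3{i}:00", "dc01", "logon", "failure", "warning",
           user="jsmith") for i in range(6)]
    # later jsmith logs in, creates an account and adds it to a group
    + [_ev("2016-03-01T09:05:44", "dc01", "logon", "success", "information",
           user="jsmith"),
       _ev("2016-03-01T09:06:10", "dc01", "account_created", "success",
           "information", user="tmp_admin", actor="jsmith"),
       _ev("2016-03-01T09:06:31", "dc01", "group_member_added", "success",
           "information", user="tmp_admin", actor="jsmith"),
       _ev("2016-03-01T09:07:02", "db01", "db_query", "failure", "error",
           user="tmp_admin")]
    # firewall denies: a surge at 03:00, a normal trickle at 10:00
    + [_ev(f"2016-03-01T03:{i:02d}:00", "fw01", "fw_deny", "failure",
           "information") for i in range(15)]
    + [_ev(f"2016-03-01T10:{i * 10:02d}:00", "fw01", "fw_deny", "failure",
           "information") for i in range(4)]
)


def failed_events_report(events):
    """Failed Events: failures counted by (category, criticality level)."""
    return Counter((e["cat"], e["sev"]) for e in events
                   if e["outcome"] == "failure")


def failed_logon_alerts(events, threshold=5, allowlist=frozenset()):
    """Alerts Triggered: users at or above `threshold` failed logons.
    `allowlist` is the Step 3 false-positive tuning: accounts known to fail
    legitimately (here a scanner) are dropped from the alert but still show
    up in the Failed Events report, so the noise is hidden, not lost."""
    counts = Counter(e["user"] for e in events
                     if e["cat"] == "logon" and e["outcome"] == "failure")
    return {u: n for u, n in counts.items()
            if n >= threshold and u not in allowlist}


def events_by_hour_and_type(events):
    """Events by Hour and Type: hour -> category -> count."""
    table = defaultdict(Counter)
    for e in events:
        hour = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S").hour
        table[hour][e["cat"]] += 1
    return table


def hourly_surges(events, baseline_per_hour, factor=3.0):
    """Cells exceeding `factor` times the constant per-hour baseline the team
    agreed on; categories without a baseline are not judged."""
    surges = []
    for hour, cats in events_by_hour_and_type(events).items():
        for cat, n in cats.items():
            base = baseline_per_hour.get(cat, 0)
            if base and n > factor * base:
                surges.append((hour, cat, n))
    return sorted(surges)


def account_activity(events):
    """Account Activity: creations and group changes as (ts, actor, action, target)."""
    return [(e["ts"], e["actor"], e["cat"], e["user"]) for e in events
            if e["cat"] in ("account_created", "group_member_added")]


def activity_by_user(events, user):
    """Activity by User: everything one suspicious or privileged user did."""
    return sorted((e["ts"], e["src"], e["cat"], e["outcome"])
                  for e in events if e["user"] == user)


if __name__ == "__main__":
    baseline = {"logon": 3, "fw_deny": 4}   # assumed per-hour constants
    print("alerts:", failed_logon_alerts(SAMPLE_EVENTS, 5, {"svc_scanner"}))
    print("failed:", failed_events_report(SAMPLE_EVENTS))
    print("surges:", hourly_surges(SAMPLE_EVENTS, baseline))
    print("accounts:", account_activity(SAMPLE_EVENTS))
    print("tmp_admin:", activity_by_user(SAMPLE_EVENTS, "tmp_admin"))
```

Run as a script it prints each report. The point of the allowlist is that the scanner account disappears from the alert while its twelve-failure hour still trips the hourly surge check and still appears in Failed Events; tuning a rule should narrow an alert, not blind the reports that let an analyst verify the tuning was right.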

10 Quick SIEM Vital Signs to Measure for a Check Up: How Healthy Is Your SIEM?

#1: Review appliance CPU, memory, and disk performance.
#2: Make sure all assets are reporting, and remove old decommissioned assets.
#3: Make sure the data you are importing is relevant and not just taking up space.
#4: Review network and asset models to ensure events are being prioritized correctly.
#5: Analyze the overall architecture and failover capabilities of the system.
#6: Evaluate all data and configuration backups.
#7: Assess use cases to ensure you are getting visibility into all areas of the network and applications.
#8: Evaluate and optimize rules, channels, filters, and other content to ensure reports and queries run as fast as possible.
#9: Examine all connector logs to ensure everything you expect to report is reporting and is not throwing errors.
#10: Review storage groups and retention rules to ensure logs are stored according to compliance requirements.

3 Performance Bottlenecks to Avoid

Avoid these three bottlenecks to maintain the efficiency and optimal performance of your SIEM.

1. Overloading individual collectors with too many reporting devices and hosts. Too many sources on one collector directly degrades processing performance and collection reliability.

2. Queries, filters, and other content that are not optimized correctly. Content that has not been customized to fit the organization's environment restricts your ability to find the information you are looking for: criteria that do not match the current environment create white noise or blind spots.

3. Incorrect architecture and configuration of SIEM components. This gap leads to performance issues, scalability issues, and collection failures.
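The Step 2 integration checks (every device pointing at the SIEM, data parsed correctly, an inventory grouped for prioritization), vital signs #2 and #9 in the check-up list, and bottleneck #1 above all come down to one reconciliation: what the SIEM actually receives versus what the inventory says it should receive, and how that load is spread across collectors. The following Python script is an added example, not ReliaQuest's code or any SIEM product's API. The inventory, the per-source statistics, the reference time, the collector capacities and the thresholds (24 hours of silence, a 0.1% parse-error ratio, 80% of rated EPS) are all constructed assumptions; in practice the two dictionaries would be loaded from a CMDB export and the SIEM's connector status page.

```python
"""Added example: reconcile a SIEM's log sources against the asset inventory
and measure per-collector load. All data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical CMDB export: host -> network group, assigned collector, status.
INVENTORY = {
    "fw-edge-01":  {"group": "dmz",     "collector": "col-a", "status": "active"},
    "dc01":        {"group": "corp-ad", "collector": "col-a", "status": "active"},
    "web-03":      {"group": "dmz",     "collector": "col-b", "status": "active"},
    "db01":        {"group": "corp-db", "collector": "col-b", "status": "active"},
    "vpn-01":      {"group": "dmz",     "collector": "col-b", "status": "active"},
    "old-mail-01": {"group": "corp",    "collector": "col-b", "status": "decommissioned"},
}
# Hypothetical connector statistics per source:
# host -> (timestamp of last event, events in last 24h, parse errors in last 24h)
SOURCE_STATS = {
    "fw-edge-01":  ("2016-03-01T11:58:00", 9_500_000, 0),
    "dc01":        ("2016-03-01T11:59:30", 1_200_000, 0),
    "web-03":      ("2016-02-27T09:12:00", 0, 0),
    "db01":        ("2016-03-01T11:57:10", 300_000, 2_100),
    "old-mail-01": ("2016-03-01T11:50:00", 40_000, 0),
    "rogue-host":  ("2016-03-01T11:55:00", 5_000, 0),
}
NOW = datetime(2016, 3, 1, 12, 0, 0)                   # assumed reference time
COLLECTOR_CAPACITY_EPS = {"col-a": 150, "col-b": 150}  # assumed rated sustained EPS
SECONDS_PER_DAY = 86_400


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def silent_sources(inventory, stats, now, max_silence=timedelta(hours=24)):
    """Step 2 / vital sign #2: active assets that never reported or went quiet."""
    out = {}
    for host, meta in inventory.items():
        if meta["status"] != "active":
            continue
        if host not in stats:
            out[host] = "never reported"
        elif now - _ts(stats[host][0]) > max_silence:
            out[host] = "last event " + stats[host][0]
    return out


def unexpected_sources(inventory, stats):
    """Sources the SIEM receives that the inventory does not expect: unknown
    hosts, or decommissioned ones still sending (and still using licence/EPS)."""
    out = {}
    for host in stats:
        if host not in inventory:
            out[host] = "not in inventory"
        elif inventory[host]["status"] == "decommissioned":
            out[host] = "decommissioned but still sending"
    return out


def parse_problems(stats, max_error_ratio=0.001):
    """Vital sign #9: sources whose parse-error ratio says the parser is wrong."""
    return {host: round(errors / events, 4)
            for host, (_, events, errors) in stats.items()
            if events and errors / events > max_error_ratio}


def collector_load(inventory, stats, capacity_eps):
    """Bottleneck #1: mean EPS per collector over 24h and share of rated capacity
    (None when the collector has no known capacity, e.g. unassigned sources)."""
    eps = defaultdict(float)
    for host, (_, events, _) in stats.items():
        collector = inventory.get(host, {}).get("collector", "unassigned")
        eps[collector] += events / SECONDS_PER_DAY
    return {c: (round(v, 1), round(v / capacity_eps[c], 2) if c in capacity_eps else None)
            for c, v in eps.items()}


def overloaded_collectors(load, warn_at=0.8):
    """Collectors at or above the warning share of their rated EPS."""
    return sorted(c for c, (_, util) in load.items()
                  if util is not None and util >= warn_at)


def by_priority(findings, inventory):
    """Prioritization: fold findings into inventory groups so an investigator
    sees, say, the DMZ gaps as one block rather than a flat host list."""
    grouped = defaultdict(dict)
    for host, reason in findings.items():
        grouped[inventory.get(host, {}).get("group", "unknown")][host] = reason
    return dict(grouped)


if __name__ == "__main__":
    silent = silent_sources(INVENTORY, SOURCE_STATS, NOW)
    print("silent by group:", by_priority(silent, INVENTORY))
    print("unexpected:", unexpected_sources(INVENTORY, SOURCE_STATS))
    print("parse problems:", parse_problems(SOURCE_STATS))
    load = collector_load(INVENTORY, SOURCE_STATS, COLLECTOR_CAPACITY_EPS)
    print("collector load:", load, "overloaded:", overloaded_collectors(load))
```

With the constructed numbers the script reports the web server silent for three days and the VPN concentrator never seen (both in the DMZ group), a decommissioned mail host and an uninventoried host still sending, a database source whose parser is rejecting 0.7% of its events, and collector col-a at roughly 124 EPS, above 80% of its rated 150 EPS because one firewall contributes most of its volume. A mean over 24 hours hides peaks, so the same check should be repeated on the collector's peak-hour counters before deciding the collector is safe.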

ReliaQuest SIEM Optimization Professional Services

ReliaQuest's SIEM Optimization services assess and analyze the operating level of your SIEM and develop the content needed to reach the optimal level for business functions. We customize your SIEM platform at any deployment level to eliminate false positives and provide intelligent, actionable information. RQ SIEM Optimization services are custom-built and scalable based on your organization's priorities, industry benchmarks, and compliance drivers. ReliaQuest engineers work alongside your security team throughout the full cycle of the assessment and development processes, allowing your team to develop more in-depth knowledge of ongoing monitoring and any ongoing needs.

We optimize the following SIEMs: ArcSight, QRadar, Splunk, AlienVault, Tripwire, Trustwave, LogRhythm, LogLogic, NitroView, RSA enVision, SolarWinds LEM, Tenable LCE, McAfee ESM, SecureVue.

RQ Quality Assurance: RQ Labs continuously compares, tests, and evaluates SIEM technologies on the market against the latest security threats and compliance drivers. Our in-house development team supports our engineers remotely and onsite.

Certified Information Security Professionals: all ReliaQuest engineers hold industry certifications (CISSP, CISM, CISA, CEH, etc.).

For more information visit our SIEM Services & Solutions page or call 1.800.925.2159. A simple 15-minute conversation will allow our team to understand your current environment and possible next steps.