Securing the SIEM system: Control access, prioritize availability

Similar documents
Hybrid cloud computing explained

E-Guide HOW THE VMWARE SOFTWARE DEFINED DATA CENTER WORKS: AN IAAS EXAMPLE

Hyper-V 3.0: Creating new virtual data center design options Top four methods for deployment

E-Guide NETWORKING MONITORING BEST PRACTICES: SETTING A NETWORK PERFORMANCE BASELINE

E-Guide CLOUD COMPUTING FACTS MAY UNCLENCH SERVER HUGGERS HOLD

Benefits of virtualizing your network

E-Guide MANAGING AND MONITORING HYBRID CLOUD RESOURCE POOLS: 3 STEPS TO ENSURE OPTIMUM APPLICATION PERFORMANCE

3 common cloud challenges eradicated with hybrid cloud

Solution Spotlight BEST PRACTICES FOR DEVELOPING MOBILE CLOUD APPS REVEALED

Is Your Data Safe in the Cloud?

How to Define SIEM Strategy, Management and Success in the Enterprise

HOW TO SELECT THE BEST SOLID- STATE STORAGE ARRAY FOR YOUR ENVIRONMENT

The skinny on storage clusters

E-Guide WHAT IT MANAGERS NEED TO KNOW ABOUT RISKY FILE-SHARING

E-Guide UNDERSTANDING PCI MOBILE PAYMENT PROCESSING SECURITY GUIDELINES

Software Defined Networking Goes Well Beyond the Data Center

E-Guide CONSIDERATIONS FOR EFFECTIVE SOFTWARE LICENSE MANAGEMENT

Preparing for the cloud: Understanding the infrastructure impacts Eight essential tips for a successful cloud migration

Best Practices for Database Security

HOW MICROSOFT AZURE AD USERS CAN EMPLOY SSO

Evaluating SaaS vs. on premise for ERP systems

BUYING PROCESS FOR ALL-FLASH SOLID-STATE STORAGE ARRAYS

E-Guide SIX ENTERPRISE CLOUD STORAGE AND FILE-SHARING SERVICES TO CONSIDER

Managing the supply chain for SAP

Managing Data Center Growth Explore Your Options

Exchange Server 2010 backup and recovery tips and tricks

5 ways to leverage the free VMware hypervisor Key tips for working around the VMware cost barrier

5 free Exchange add-ons you should consider Eliminating administration pain points on a budget

Order Management System Best Practices

Expert guide to achieving data center efficiency How to build an optimal data center cooling system

Supply Chain Management Tips and Best Practices

E-Guide THE LATEST IN SAN AND NAS STORAGE TRENDS

Essentials Guide CONSIDERATIONS FOR SELECTING ALL-FLASH STORAGE ARRAYS

Key Trends in the Identity and Access Management Market and How CA IAM R12 Suite Addresses These Trends

Skills shortage, training present pitfalls for big data analytics

How To Protect Your Online Backup From Being Hacked

Virtualization backup tools: How the field stacks up

7 remote office backup options: Which is right for you?

GUIDELINES FOR EVALUATING PROCUREMENT SOFTWARE

Solution Spotlight KEY OPPORTUNITIES AND PITFALLS ON THE ROAD TO CONTINUOUS DELIVERY

Social media driving CRM strategies

MDM features vs. native mobile security

WHAT S INSIDE NEW HYPER- CONVERGED SYSTEMS

Advantages on Green Cloud Computing

BEST PRACTICES FOR MANAGING THE EVOLUTION OF EHRS

Obtaining Enterprise Cybersituational

The state of cloud adoption in India The use cases, industry trends, business demands, and user expectations driving cloud adoption in Indian

Cloud Security Certification Guide What certification is right for you?

LTO tape technology continues to evolve with LTO 5

Moving to the Cloud: A guide for Southeast Asian IT and Business Managers

Annex 9: Technical proposal template. Table of contents

Security in Space: Intelsat Information Assurance

Getting Started With Cloud Storage

Transcription:

The prospect of a SIEM system crash or compromise should scare any enterprise given the role it plays in an organization s security infrastructure. This expert E-Guide discusses the implications of a compromised SIEM system and explores defenses available for managers looking to secure it. prioritize availability Given the role a properly implemented, managed and utilized security information and event management (SIEM) system plays in an organization's security infrastructure environment, it s clear that compromising SIEM activities could be a successful strategy for an attacker looking to avoid detection or undermine management of the environment's security. What are the potential implications of a compromised SIEM system, and what defenses are available for enterprises looking to secure their SIEM systems? Those are questions we'll seek to answer in this tip. Treat the SIEM system as a high-priority enterprise resource It should be recognized that while a SIEM system is the infrastructure's nerve center from a security operations point of view, it is also one of many systems within the managed enterprise environment. For this reason, the SIEM should be polled regularly to ensure it is running and fully operational. Part of the SIEM deployment plan should be to ensure the SIEM system is identified as a critical system in the enterprise landscape, and the hardware and software systems on which it runs are configured and managed as highrisk areas. It is also necessary to consider the SIEM system's resilience. Future SIEM system designs will focus on attributes like adaptive routing to ensure that if one path for security event delivery cannot be traversed, another path is Page 2 of 5

followed, and out-of-band signaling to the central node, where alternative communication channels may be used. Practical steps for achieving SIEM system security today While these next-generation SIEM protections will be incorporated into future SIEM system products, a lot can be done now to ensure SIEM security. By ensuring a typical security review approach is applied to the SIEM system itself, the security event-collection process can be implemented effectively: From an authentication and access control point of view, SIEM system access should be carefully set up and managed. Integration with the enterprise's LDAP directory services could be a way to ensure the SIEM system is seen not as an island, but rather as part of the managed environment. Access to the system should be limited, and privileged access in particular should be carefully controlled, possibly within a "separation of duties" type of approach whereby no single individual or administrator is able to act in isolation. The confidentiality and integrity of the security information must be considered, specifically with respect to how information travels between the collection agents/aggregation points and the central management node. Where information is stored -- for example, a database at the central node -- confidentiality needs to be considered. Privacy could also be an issue to consider, depending upon where and how security events are being used. In some instances, anonymization is applied to security events so general trends can be determined -- especially if conducted off-site or across multiple clients -- with only limited scope to reverse this to reconstruct the actual event, under the control and policies of the organization. Nonrepudiation could be considered to ensure actors, authorized or otherwise, cannot repudiate event evidence of particular actions. How SIEM events are stored, both centrally and in the originating systems, needs to be considered to ensure sufficient evidence can be gathered. Finally, the availability of a system is considered a security issue, and this is no less of an issue for a SIEM system. It has been indicated that Page 3 of 5

future SIEM products will have self-healing, adaptive-type capabilities from an architectural perspective. In the interim, the disaster recovery aspects of a business should ensure the SIEM system is also implemented on a high-availability type infrastructure and that, along with recovery of other mission-critical systems, the SIEM is prioritized to ensure orderly monitoring and insight. After all, depending on what has caused an outage or disaster, having the security systems running first could be most important, ensuring any unexpected patterns, alerts, events or incidents are visible, that they can be investigated, and that responses can be deployed. Through careful deployment, the security of SIEM systems can be enhanced. While it will take more time to create architectures that increase the resilience of SIEM products, treating them as high-availability, critical systems within the overall management landscape can be done immediately. About the author: Andrew Hutchison is an information security specialist with T-Systems International in South Africa. An information security practitioner with 20 years of technical and business experience, his technical security work has included secure system development, security protocol design and analysis, and intrusion detection and network security solutions. He has held executive responsibility for information security in a large enterprise, establishing its chief security officer role and initiating an ISO27001 security certification program. As business sponsor for large SIEM rollouts, he has experience in deploying and operating SIEM systems in a managed service provider environment. He is an adjunct professor of computer science at the University of Cape Town in South Africa. Page 4 of 5

Free resources for technology professionals TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. What makes TechTarget unique? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. Related TechTarget Websites Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information