What your SIEM vendor will not tell you



WHITEPAPER

Understand the nitty-gritty behind a SIEM implementation, get prepared to ask the right questions, and be ready with the most important prerequisites for an effective implementation.

By Hariharan Madhavan, GAVS Security Operations Centre

Contents
Introduction
Pre-implementation readiness
Questions to ask your SIEM vendor
Conclusion

Introduction

So you did a HIPAA/PCI gap assessment and your consultant told you about the need to comply with the centralized logging and monitoring requirements (HIPAA 164.308(a)(1), 164.308(a)(5), 164.308(a)(6), 164.312(b); PCI Requirement 10 [1]) and suggested a SIEM deployment. Now these questions fire up: which product, what price, who can monitor, how to set it up, what devices to include, what is important to include, how to determine events per second (EPS), what retention timeframe to use, how to size the hardware, and more. While there are sufficient resources online to help you answer these questions, a degree of internal readiness is required before you should even kick-start a SIEM implementation. This paper throws light on what those important components are and why you should be ready.

Pre-implementation readiness

Each readiness item below is paired with the reason behind it.

1. Readiness: Ensure that time is synced precisely across all your log-generating devices. If you plan to have collectors across different time zones, ensure that the SIEM product can normalize time before it is stored in its log database.
   Reason: Investigating incidents is very tedious if time is not consistent, and correlation is not possible when the sequence of events is missing. Normalizing time to HQ time is necessary for the same reason.

2. Readiness: Ensure that a basic level of hardening is done across devices.
   Reason: Generally, devices with less hardening produce more noise in the network than devices that are well hardened.

3. Readiness: Consider running malware scans on all systems that have produced a huge number of antivirus event logs and network botnet hits; these systems are the noisiest ones. If a system cannot be cleaned in the first place, consider reimaging it completely.
   Reason: These systems create a lot of noise, resulting in a huge increase in the log events created. The lower the EPS, the better the performance of the SIEM. The root cause can be a highly infected system or a very careless user.

4. Readiness: If you feel user awareness is lacking, consider providing targeted training to users with high levels of out-of-the-ordinary usage (you get the idea). Enforce your acceptable usage policy if you see no result even after the training.
   Reason: Users with very little awareness are the weakest link in the human chain. Even the best SIEM cannot protect you if your users lack basic information security awareness.

5. Readiness: Consider compatibility with existing log analytics systems.
   Reason: Most analytics systems that currently ingest logs and produce insight cannot coexist with a SIEM. You need to decide whether it is acceptable to do away with them, or determine whether similar analytics reports can be obtained from the SIEM.

6. Readiness: Know your applicable SIEM use cases. Use cases are the typical types of offences you intend to catch with your SIEM.
   Reason: If you do not set up custom use cases, you will only be using your SIEM to store logs, and its functionality will be limited to that of an IPS relying on its built-in signatures.
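As an added example (not part of the GAVS paper), the following Python normalizes log timestamps from collectors in different time zones to HQ time before ordering them, and shows how the event sequence comes out wrong when that step is skipped. The collector names, their UTC offsets and the log lines are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: each collector forwards events stamped in its own local
# wall-clock time with no offset in the line, as many syslog sources do.
# The per-collector UTC offsets below are assumptions for this example.
COLLECTOR_OFFSETS_HOURS = {
    "col-chennai": 5.5,   # IST, UTC+05:30
    "col-london": 0.0,    # GMT, UTC+00:00
    "col-denver": -6.0,   # MDT, UTC-06:00
}
# HQ time for this example is assumed to be IST.
HQ_TZ = timezone(timedelta(hours=5.5), name="HQ (IST)")

# Constructed events: (collector, local timestamp as received, message)
RAW_EVENTS = [
    ("col-denver",  "2015-08-29 03:00:05", "vpn: user jdoe logged in from 203.0.113.7"),
    ("col-london",  "2015-08-29 09:00:20", "ids: outbound connection to known C2 blocked"),
    ("col-chennai", "2015-08-29 14:29:50", "av: malware detected on WS-0042"),
]

def to_hq_time(collector, local_ts):
    """Attach the collector's UTC offset to a naive local timestamp and convert
    it to HQ time. Raise for an unknown collector instead of silently storing
    an un-normalized time, which would corrupt later correlation."""
    if collector not in COLLECTOR_OFFSETS_HOURS:
        raise ValueError(f"unknown collector {collector!r}: cannot normalize time")
    src_tz = timezone(timedelta(hours=COLLECTOR_OFFSETS_HOURS[collector]))
    aware = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=src_tz)
    return aware.astimezone(HQ_TZ)

def order_events(events, normalize=True):
    """Return messages ordered by time. With normalize=False the raw wall-clock
    strings are compared directly, which is what an un-normalized store does."""
    if normalize:
        keyed = [(to_hq_time(c, ts), msg) for c, ts, msg in events]
    else:
        keyed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), msg) for _, ts, msg in events]
    return [msg for _, msg in sorted(keyed, key=lambda k: k[0])]

if __name__ == "__main__":
    # Normalized: malware detection, then VPN login, then C2 block (the real sequence).
    # Un-normalized: the VPN login appears first and the detection last.
    for c, ts, msg in RAW_EVENTS:
        print(f"{to_hq_time(c, ts):%Y-%m-%d %H:%M:%S %z}  {msg}")
    print(order_events(RAW_EVENTS, normalize=False))
```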

Questions to ask your SIEM vendor

1. Licensing: Most SIEM vendors size the hardware and the license based on events per second (EPS) and the retention required. It is important to size the requirement not only on today's volume but also by projecting reasonable growth for the next two years. While sizing it really high is good from an operational perspective, it also makes you pay more, so use your common sense as well, since vendors will always push for a higher EPS figure.

2. Supported log formats and products: Ensure that all your critical devices that monitor your security perimeter, such as firewall, antivirus, VPN gateway, IPS, load balancer, web application firewall (WAF) and anti-spam, are covered and that their log formats are fully supported by the SIEM product. When in doubt, ask for a pilot or demo.

3. Retention of logs: Retention is very important. Ensure that you are able both to retain logs online for a reasonable period, such as 90 days, and to store them beyond that as per your organization's retention policy. You need to export logs out of the box for this purpose; ensure that this is allowed and that you can export in a non-proprietary format (just in case).

4. Do your homework: Compare similar products in the price range and understand in detail what is included and what is not; ask your managed services partner, such as GAVS, when in doubt.

5. Management and monitoring: SIEM is a niche space, and your internal IT may not be equipped with both the optimization and the specialized monitoring skills. Either plan to get your internal team trained, or get in touch with a managed service provider like GAVS to help you get a smooth experience right from product selection to implementation, tuning and 24/7 monitoring from our security operations centre.
Conclusion

With the current trend of security breach disclosures from big-name organizations, it has become evident that security investments are not fully effective as countermeasures against powerful threat actors. Choosing the right products and the right partners is a sine qua non to stay in business. Feel free to reach out to us with respect to any of your existing or proposed plans to implement security analytics solutions, and we will do our best to assist you as a trusted partner in information security.

References:
1. PCI DSS Standard v3.1, retrieved 29 August 2015 from PCI Security Standards Council, https://www.pcisecuritystandards.org/documents/pci_dss_v3-1.pdf
2. HIPAA Administrative Safeguards, retrieved 2 September 2015 from the U.S. Department of Health and Human Services, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
3. HIPAA Technical Safeguards, retrieved 2 September 2015 from the U.S. Department of Health and Human Services, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

2015 GAVS Technologies. All rights reserved.

Author Profile

Hari is an ethical hacker, CISA (Certified Information Systems Auditor) and CISM (Certified Information Security Manager). He has 9+ years of experience in defensive and offensive security in banking and IT. He currently consults for GAVS clients to improve their security governance and compliance.

About GAVS

GAVS Technologies (GAVS) is a global IT services and solutions provider that helps customers across multiple industries take advantage of futuristic technologies like Cloud, IoT, Managed Infrastructure Services and Security services. GAVS has been recognized as an emerging player in the Healthcare Provider IT outsourcing sector by Everest Group, and as a prominent India-based Remote Infrastructure Management player by Gartner.

USA
GAVS Technologies N.A., Inc., 10901 W 120th Avenue, Suite 110. Tel: +1 303 782 0402, Fax: +1 303 782 0403
GAVS Technologies N.A., Inc., 116 Village Blvd, Suite 200, Princeton, New Jersey 08540, USA. Tel: +1 609 951 2256/7, Fax: +1 609 520 1702

UK
GAVS Technologies (Europe) Ltd., 3000 Hillswood Drive, Hillswood Business Park, Chertsey KT16 0RS, United Kingdom. Tel: +44 (0) 1932 796564

INDIA
GAVS Technologies Pvt. Ltd., No. 11, Old Mahabalipuram Road, Sholinganallur, Chennai, India 600 119. Tel: +91 44 6669 4287

Middle East
GAVS Technologies LLC, Knowledge Oasis, Muscat, Rusayl, Sultanate of Oman. Tel: +968 24449301
GAVS Technologies, Thuraiya Tower 1, Dubai Internet City, Dubai, UAE. Tel: +971-4-4541234

inquiry@gavstech.com
www.gavstech.com