Another Cure for Your Heartburn: 5 (More) Keys to a Successful SIEM Implementation

Yesterday we posted a blog titled “5 Keys to a Successful SIEM Implementation.” Today we’re publishing the second 5 keys, which are from our e-book, Top 10 SIEM Implementer’s Checklist.

Best Practice #6: Compliance and audit data requirements: Understand the industry, regulatory and legal obligations that apply to security and risk management. Compliance reports and dashboards should be refined to support security analysts, internal and external auditors and the CIO or CSO. Be aware of any technical constraints that may impede investigations: without the ability to trace back and analyze the necessary data, a firm's liability, penalty and notification exposure may be treated as greater than it actually is.


Best Practice #7: Monitoring and reporting requirements: Establish key monitoring and reporting requirements including objectives, targets, capacity requirements, compliance reports, implementation and workflow with key constituents prior to deployment of any technical tools. It is important to take a phased approach to achieve success – an “All At Once” approach will usually falter due to the human factors involving organizational (and individual) education, changing requirements and accountability.

Best Practice #8: Deployment and infrastructure activation: Manage the deployment in phases, maintain source activation and consistent delivery of event and log data, and refine the system continuously. Ongoing maintenance costs and growth plans need to be incorporated into the overall planning to obtain a true Total Cost of Ownership (TCO). A lack of documented procedures to ensure that event log sources are activated and their data remains accessible will lead to monitoring and audit gaps.
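The monitoring gap this practice warns about is easy to check for mechanically: keep an inventory of the sources the deployment plan activated and compare it against what the SIEM is actually receiving. The following Python is an added illustration written for this post, not AccelOps code; the source names, tolerances and timestamps are constructed sample data, and in a real deployment the inventory and last-seen times would come from the SIEM's collector status.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (hypothetical names and values, not from the post):
# every log source the deployment plan activated, with the longest silence
# that is acceptable before the source counts as a monitoring gap.
EXPECTED_SOURCES = {
    "fw-edge-01": timedelta(minutes=5),
    "dc-auth-01": timedelta(minutes=15),
    "web-app-02": timedelta(minutes=10),
    "ids-core-01": timedelta(minutes=5),
}

# Constructed sample: timestamp of the last event the SIEM received per source.
# "ids-core-01" is absent on purpose: it was planned but never activated.
SAMPLE_LAST_SEEN = {
    "fw-edge-01": "2024-03-01T12:04:30",
    "dc-auth-01": "2024-03-01T11:20:00",
    "web-app-02": "2024-03-01T12:03:10",
}


def source_health(expected, last_seen, now):
    """Classify every expected source as 'ok', 'silent' (last event older than
    the source's tolerance) or 'never_activated' (no event ever received)."""
    report = {}
    for source, tolerance in expected.items():
        if source not in last_seen:
            report[source] = "never_activated"
            continue
        age = now - datetime.fromisoformat(last_seen[source])
        report[source] = "silent" if age > tolerance else "ok"
    return report


def monitoring_gaps(report):
    """Sources whose status means events are not reaching the SIEM, sorted by name."""
    return sorted(src for src, status in report.items() if status != "ok")


def run_sample():
    """Evaluate the constructed sample at a fixed 'now' so the result is reproducible."""
    now = datetime.fromisoformat("2024-03-01T12:05:00")
    report = source_health(EXPECTED_SOURCES, SAMPLE_LAST_SEEN, now)
    return report, monitoring_gaps(report)


if __name__ == "__main__":
    report, gaps = run_sample()
    for source, status in sorted(report.items()):
        print(f"{source:12} {status}")
    print("monitoring gaps:", ", ".join(gaps))
```

Run against the sample, the domain controller source shows up as silent (last event 45 minutes old against a 15-minute tolerance) and the IDS source as never activated; both are exactly the audit gaps a documented activation procedure is meant to prevent. Per-source tolerances matter because a quiet source is not always a broken one, so a single global threshold produces either noise or blind spots.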

Best Practice #9: Network and host defenses: Aggregate IDS/IPS alerting, consolidate like alerts into single events, filter IDS/IPS false positives and facilitate incident management. Integrate incident management / case management tools, and generate test traffic to verify the SIEM's integration with the IDS and with incident response processes. It is important to identify false positives, such as an IDS/IPS reporting benign or non-impacting activity as malicious, which would otherwise require security staff to respond.
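The consolidation and false-positive filtering steps above can be shown on a handful of alerts. The Python below is an added example for this post, not code from AccelOps or any IDS vendor; the alert format, signature ids and names, addresses and suppression rules are all constructed. It suppresses alerts from sources that are known to trigger signatures legitimately (an authorised scanner subnet, an availability monitor), then folds the remaining like alerts (same signature, same source) into one incident record with a hit count, the distinct targets and the first and last time seen, which is the shape a case-management tool wants rather than one ticket per packet.

```python
from collections import OrderedDict
from ipaddress import ip_address, ip_network

# Constructed sample IDS alerts in a simple pipe-separated form (not the output of
# any real sensor): time|signature_id|signature_name|source_ip|destination_ip.
SAMPLE_ALERTS = """\
2024-03-01T10:00:01|2001|Port scan from single source|10.0.9.5|10.0.1.20
2024-03-01T10:00:02|2001|Port scan from single source|10.0.9.5|10.0.1.21
2024-03-01T10:00:03|2001|Port scan from single source|10.0.9.5|10.0.1.22
2024-03-01T10:00:40|2001|Port scan from single source|198.51.100.7|10.0.1.20
2024-03-01T10:00:41|2001|Port scan from single source|198.51.100.7|10.0.1.21
2024-03-01T10:00:42|2001|Port scan from single source|198.51.100.7|10.0.1.22
2024-03-01T10:01:10|3005|Possible SQL injection in URI|203.0.113.8|10.0.1.30
2024-03-01T10:01:11|3005|Possible SQL injection in URI|203.0.113.8|10.0.1.30
2024-03-01T10:01:12|3005|Possible SQL injection in URI|203.0.113.8|10.0.1.30
2024-03-01T10:02:00|4100|ICMP echo request sweep|10.0.2.15|10.0.1.1
"""

# Constructed suppression list: (signature id or None for any signature, source
# network). 10.0.9.0/24 is the authorised vulnerability-scanner subnet and
# 10.0.2.0/24 hosts the availability monitor that pings everything.
SUPPRESSIONS = [
    (2001, ip_network("10.0.9.0/24")),
    (4100, ip_network("10.0.2.0/24")),
]


def parse_alerts(text):
    """Turn the pipe-separated sample into dicts; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 5:
            continue
        ts, sig_id, name, src, dst = fields
        alerts.append({"ts": ts, "sig_id": int(sig_id), "name": name, "src": src, "dst": dst})
    return alerts


def is_suppressed(alert, suppressions):
    """True when a suppression rule covers this alert's signature and source address."""
    src = ip_address(alert["src"])
    return any((sig is None or sig == alert["sig_id"]) and src in net
               for sig, net in suppressions)


def consolidate(alerts, suppressions):
    """Filter known false positives, then fold like alerts (same signature and
    source) into one incident carrying a hit count, the distinct targets and the
    first/last time seen. Returns (incidents, number_suppressed)."""
    incidents = OrderedDict()
    suppressed = 0
    for a in alerts:
        if is_suppressed(a, suppressions):
            suppressed += 1
            continue
        key = (a["sig_id"], a["src"])
        inc = incidents.get(key)
        if inc is None:
            incidents[key] = {"sig_id": a["sig_id"], "name": a["name"], "src": a["src"],
                              "targets": {a["dst"]}, "count": 1,
                              "first": a["ts"], "last": a["ts"]}
        else:
            inc["count"] += 1
            inc["targets"].add(a["dst"])
            inc["last"] = a["ts"]
    return list(incidents.values()), suppressed


def case_summary(inc):
    """One-line summary in the form a case-management tool would ingest."""
    return (f"[{inc['sig_id']}] {inc['name']}: {inc['count']} alerts from {inc['src']} "
            f"against {len(inc['targets'])} host(s), {inc['first']} .. {inc['last']}")


def run_sample():
    return consolidate(parse_alerts(SAMPLE_ALERTS), SUPPRESSIONS)


if __name__ == "__main__":
    incidents, suppressed = run_sample()
    print(f"{suppressed} alerts suppressed as known false positives")
    for inc in incidents:
        print(case_summary(inc))
```

On the sample, ten raw alerts become two incidents: the external scan hitting three hosts and the repeated injection attempts against one web server, while the four alerts from the scanner subnet and the monitoring host are dropped as known false positives. Suppression is scoped to a signature and a source network rather than to a signature alone, so the same port-scan signature from an unexpected source still produces an incident; this is also the kind of rule that the "generate test traffic" step should exercise, confirming both that suppressed traffic is silent and that unsuppressed traffic reaches the case queue.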

Best Practice #10: Network and system resource integrity: Understanding the infrastructure, from deployed devices, systems and applications to configuration, vulnerability and patch details, is required to assure and maintain operating integrity. For resource integrity, it is necessary to understand the complete who, what, when, why and where context of every approved, unauthorized or undocumented change.


Authors

Marta Stone


Tags

cloud security big data RSA analytics compliance Q&A PCI DSS HIPAA Sarbanes Oxley (SOX) Target breach

About Accelops

AccelOps provides the leading IT operations analytics platform for the modern data center. The virtual appliance software monitors security, performance and compliance in cloud and virtualized infrastructures – all from a single screen.


AccelOps automatically discovers, analyzes and automates IT issues in machine and big data across organizations’ data centers and cloud resources, spanning servers, storage, networks, security, applications and users. AccelOps’ patented analytics engine with cross-correlation and statistical anomaly detection sends real-time alerts when deviations occur that indicate a security or performance-impacting event.


The AccelOps platform scales seamlessly and provides unmatched delivery of proactive security and operational intelligence, allowing organizations to be more responsive and competitive as they expand their IT capabilities.
