Not surprisingly, the recent Heartbleed bug has prompted a groundswell of questions about how to effectively implement security information and event management (SIEM) software.
Our e-book, Top 10 SIEM Implementer’s Checklist, takes a deep dive into how to have a successful SIEM implementation, optimize your resources and accelerate your return on investment.
Below is a quick summary of the first five keys to a successful SIEM implementation:
Best Practice #1: Malware control: Centralize malware monitoring, incident response, and the assessment and reporting of operational impact, from endpoint to perimeter. Confirm that the controls are activated and used as intended, monitor and review malware activity, and, most importantly, respond to what is found. Include every relevant source: anti-malware and anti-virus applications, anti-trojan tools, spam filtering, web filtering and website scanners, DNS, IDS, vulnerability assessment (VA) and network flow operational data.
Best Practice #3: Access controls: Consolidate authentication, authorization and accounting (AAA) mechanisms so that access to resources can be controlled appropriately. Use SIEM rules, alerts and reports to bring all AAA data together: successful logins, subsequent secondary logins (for example, sudo or su into another account) and the user or system activity that follows, so that an investigation can reconstruct a whole session. Track and resolve the “true identity” behind shared credentials. Put incident response and report review procedures in place before activating SIEM rules and reports. Monitor failed as well as successful access attempts, so that insider threats, including privileged users and consultants, can be detected and investigated.
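The correlation this practice calls for, as an added example that is not from the e-book or its vendor: the script below reads constructed OpenSSH and sudo syslog lines, follows the escalation chain on a TTY so that commands run under a shared account (here the hypothetical accounts in SHARED_ACCOUNTS) are attributed back to the named user who escalated into it, and at the same time watches failures: repeated failed logins from one source, and an account that fails and then succeeds. Hostnames, users, addresses, thresholds and the log lines themselves are assumptions made for the example.

```python
# Added example (not from the e-book or its vendor): SIEM-style correlation of
# authentication events. Resolves the named user behind a shared account by
# following the sudo escalation chain on a TTY, and flags failed-login bursts
# and "failure then success" on the same account. All names, addresses and
# log lines are constructed for this example.
import re
from collections import defaultdict

SHARED_ACCOUNTS = {"root", "oracle", "svc_backup"}  # hypothetical shared/service accounts
FAIL_THRESHOLD = 5                                   # failures per source before alerting

# Constructed syslog-style lines in the shape OpenSSH and sudo produce.
SAMPLE_LOG = """\
Apr 10 09:01:02 db01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51122 ssh2
Apr 10 09:01:09 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=oracle ; COMMAND=/bin/su - oracle
Apr 10 09:02:15 db01 sudo:   oracle : TTY=pts/0 ; PWD=/opt/oracle ; USER=root ; COMMAND=/bin/cat /etc/shadow
Apr 10 09:05:00 db01 sshd[1340]: Failed password for root from 203.0.113.9 port 40001 ssh2
Apr 10 09:05:01 db01 sshd[1341]: Failed password for root from 203.0.113.9 port 40002 ssh2
Apr 10 09:05:02 db01 sshd[1342]: Failed password for admin from 203.0.113.9 port 40003 ssh2
Apr 10 09:05:03 db01 sshd[1343]: Failed password for invalid user test from 203.0.113.9 port 40004 ssh2
Apr 10 09:05:04 db01 sshd[1344]: Failed password for bob from 203.0.113.9 port 40005 ssh2
Apr 10 09:05:05 db01 sshd[1345]: Failed password for bob from 203.0.113.9 port 40006 ssh2
Apr 10 09:07:30 db01 sshd[1400]: Accepted password for bob from 10.0.0.7 port 51130 ssh2
"""

TS = r"^(\w{3} +\d+ [\d:]+) (\S+) "  # timestamp and hostname prefix
LOGIN_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
FAIL_RE = re.compile(TS + r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(TS + r"sudo: +(\S+) : TTY=(\S+) ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)$")


def parse_line(line):
    """Normalize one raw line into an event dict, or None if it is not an auth event."""
    m = LOGIN_RE.match(line)
    if m:
        ts, host, user, src = m.groups()
        return {"type": "login", "ts": ts, "host": host, "user": user, "src": src}
    m = FAIL_RE.match(line)
    if m:
        ts, host, user, src = m.groups()
        return {"type": "fail", "ts": ts, "host": host, "user": user, "src": src}
    m = SUDO_RE.match(line)
    if m:
        ts, host, actor, tty, target, cmd = m.groups()
        return {"type": "sudo", "ts": ts, "host": host, "actor": actor,
                "tty": tty, "target": target, "command": cmd}
    return None


def analyze(log_text):
    # (host, tty) -> named user who first escalated on that terminal. Keying on
    # the TTY is a simplification; a production SIEM would prefer a session id
    # (e.g. the audit session) because TTYs are reused across logins.
    identity_by_tty = {}
    attributed = []                 # every sudo event, with its resolved true identity
    failures = defaultdict(list)    # source address -> usernames tried
    failed_accounts = set()
    success_after_failure = []      # account logged in after earlier failures
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["type"] == "fail":
            failures[ev["src"]].append(ev["user"])
            failed_accounts.add(ev["user"])
        elif ev["type"] == "login":
            if ev["user"] in failed_accounts:
                success_after_failure.append((ev["user"], ev["src"], ev["ts"]))
        else:  # sudo
            key = (ev["host"], ev["tty"])
            if ev["actor"] not in SHARED_ACCOUNTS:
                identity_by_tty[key] = ev["actor"]   # a named user owns this TTY now
                true_identity = ev["actor"]
            else:
                true_identity = identity_by_tty.get(key, "UNKNOWN")
            attributed.append({"ts": ev["ts"], "host": ev["host"], "actor": ev["actor"],
                               "true_identity": true_identity, "target": ev["target"],
                               "command": ev["command"]})
    brute_force = {src: {"attempts": len(users), "accounts": sorted(set(users))}
                   for src, users in failures.items() if len(users) >= FAIL_THRESHOLD}
    return {"attributed": attributed, "brute_force_sources": brute_force,
            "success_after_failure": success_after_failure}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for rec in result["attributed"]:
        if rec["actor"] in SHARED_ACCOUNTS:
            print(f"{rec['ts']} {rec['host']}: {rec['actor']} ran {rec['command']!r} "
                  f"as {rec['target']}; true identity = {rec['true_identity']}")
    for src, info in result["brute_force_sources"].items():
        print(f"failed-login burst from {src}: {info['attempts']} attempts on {info['accounts']}")
    for user, src, ts in result["success_after_failure"]:
        print(f"{ts}: {user} logged in from {src} after earlier failures")
```

The point of the attribution table is the one the e-book makes about shared credentials: the `cat /etc/shadow` line is logged as the shared `oracle` account, and only the earlier `alice` escalation on the same terminal tells you who was really at the keyboard. The "UNKNOWN" fallback is deliberate: a shared-account command with no preceding named-user escalation is itself worth an alert.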
Best Practice #4: Acceptable use monitoring (AUP): Publish acceptable use policies so that users understand when, where and how to use and protect corporate assets and information. Develop watch lists that align with those policies, covering critical resources, user roles and specific AUP violation scenarios, so that monitoring has something concrete to match against. Extend activity monitoring beyond normal business hours, with special focus on critical assets and anomalous behavior. Obtain appropriate legal advice so that the potential liability of monitoring user activity is understood and addressed. Without accurate records of the scope of an incident, the resulting financial penalties and reputation damage can be significant.
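The watch-list approach above, as an added example that is not from the e-book or its vendor: a policy object holds the three watch lists the practice names (critical resources, watched user roles, prohibited AUP scenarios) plus a business-hours window and a bulk-transfer threshold, and a small evaluator applies them to normalized events of the kind a SIEM would already have. The hosts, users, roles, actions, the 08:00 to 18:00 weekday window, the 50 MB threshold and the events themselves are assumptions made for the example; every alert keeps the evidence fields so that the record of an incident's scope is retained.

```python
# Added example (not from the e-book or its vendor): acceptable-use watch
# lists applied to normalized SIEM events. Policy values and events are
# constructed for the example.
from datetime import datetime, time

POLICY = {
    "critical_hosts": {"db01", "hr-fileshare"},            # critical resources watch list
    "watched_roles": {"consultant", "contractor"},          # user roles watch list
    "prohibited_actions": {"usb_mount", "personal_cloud_upload"},  # AUP violation scenarios
    "business_hours": (time(8, 0), time(18, 0)),
    "business_days": {0, 1, 2, 3, 4},                       # Monday..Friday
    "bulk_bytes": 50_000_000,                                # bulk export / exfil threshold
}

# Constructed events in a normalized shape (ISO timestamp, user, role, host, action, bytes).
# 2014-04-11 is a Friday, 2014-04-12 a Saturday.
EVENTS = [
    {"ts": "2014-04-11T10:15:00", "user": "carol", "role": "dba", "host": "db01",
     "action": "db_export", "bytes": 52_000_000},
    {"ts": "2014-04-12T02:40:00", "user": "dave", "role": "consultant", "host": "hr-fileshare",
     "action": "file_read", "bytes": 1_200},
    {"ts": "2014-04-11T14:05:00", "user": "erin", "role": "staff", "host": "wiki",
     "action": "file_read", "bytes": 3_000},
    {"ts": "2014-04-11T15:30:00", "user": "erin", "role": "staff", "host": "laptop-erin",
     "action": "usb_mount", "bytes": 0},
    {"ts": "2014-04-11T23:10:00", "user": "carol", "role": "dba", "host": "db01",
     "action": "login", "bytes": 0},
]


def is_business_hours(ts, policy):
    start, end = policy["business_hours"]
    return ts.weekday() in policy["business_days"] and start <= ts.time() < end


def evaluate_event(ev, policy):
    """Return the names of every watch-list rule the event matches (possibly none)."""
    ts = datetime.fromisoformat(ev["ts"])
    rules = []
    critical = ev["host"] in policy["critical_hosts"]
    if critical and not is_business_hours(ts, policy):
        rules.append("off_hours_critical_asset")
    if critical and ev["role"] in policy["watched_roles"]:
        rules.append("watched_role_on_critical_asset")
    if ev["action"] in policy["prohibited_actions"]:
        rules.append("prohibited_action")
    if ev.get("bytes", 0) >= policy["bulk_bytes"]:
        rules.append("bulk_transfer")
    return rules


def evaluate(events, policy=POLICY):
    """Produce one alert per matching event, keeping the fields an investigator needs."""
    alerts = []
    for ev in events:
        rules = evaluate_event(ev, policy)
        if rules:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "role": ev["role"],
                           "host": ev["host"], "action": ev["action"],
                           "bytes": ev.get("bytes", 0), "rules": rules})
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"{a['ts']} {a['user']}({a['role']}) {a['action']} on {a['host']}: {', '.join(a['rules'])}")
```

An event can match several rules at once (the consultant reading the HR share on a Saturday night matches both the off-hours and the watched-role rules), and the rule names, not just a score, are kept on the alert, because the legal review the practice calls for is easier when each alert states which published policy clause it relates to.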
Best Practice #5: Application defenses: Application defenses are required beyond perimeter, network and host security; they need to include application platform monitoring, resource monitoring, web application defenses and database activity monitoring. Incorporate web application firewalls (WAF) to inspect and filter HTTP traffic at the application layer and to monitor web and mobile applications. Database logging can be problematic: audit logging costs database performance, and audit tables can be overwritten before their records reach the SIEM, so forward them promptly rather than leaving them in the database. Shared administrative credentials are another pitfall to watch for, since they hide who actually ran a query.