Don’t boil the ocean. Start with that.

Don’t boil the ocean. Start with that.

Before I dipped my toes into security I did a stint as an application administrator. I was responsible for managing system and application monitoring. More performance and capacity monitoring than anything but there is a clear overlap in tools that capture logs and generate alerts based on thresholds, e.g. an IBM Tivoli monitoring, HP EMS, or Microsoft SCOM and a SIEM.

My employer had just one of those tools at the time I started and then management wanted to implement a second, though I cannot explain the why on that decision. I digress.

I recall specific conversations about the data the tool(s) were gathering. The console was overwhelmingly full with just a few devices being monitored. Rules and response, even rules for response were necessary. I might still have the email from a co-worker who asked if he was to “crawl through the phone to choke a user out if they fat fingered their password again.” At least it was an entertaining time.

I happened to search for “best practices” and tips for setting up a SIEM, after all the SIEM is an extension of good monitoring. I found 5 and 7 step lists from a few vendors and then from SANS a pretty comprehensive and helpful list.
1. log all relevant events
2. define the scope of coverage
3. define what events constitute a threat
4. detail what should be done about them in what time frame
5. document when they occurred and what was done
6. document where both the events and follow up records can be found
7. document how long events and tickets are kept

What I’m going to recommend is counter to what the vendors suggested. Both had items either the 3rd for 4th priority, to collect as much data points as possible. I strongly disagree with this at the outset.

The problem with monitoring tools is noise. Too much noise and we stop listening. Too many false positives and the real positives are ignored. Too much noise and critical events are overlooked. Don’t believe me? Look at Target, or Capitol One or any other major breach where the breached entity had some type of monitoring in place:


1. Establish Requirements First /Identify Compliance Requirements
2. Have a Comprehensive Incident Response Plan (IRP)
a.Detail what should be done about them, by whom, and in what time frame
3. Determine Scope
a.Monitor Access to Critical Resources
b.Defend Your Network Boundaries
4. Begin with a Pilot Run
a.Collect only what you need NOT: As Much data, as Possible
5. Review and modify correlation rules
6. Define what events constitute a threat
a.Know your entity’s risks and appetite for risk
7. Walk through events manually before automation
a.Align this process with your IRP
8. Continuously Refine Your SIEM Deployment
a.With success in one event type, move to another event type
b.Leverage synthetic transactions, crawlers and other tools to simulate events and test your workflow

Votes: 0
E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Join The Community Discussion

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)
 

 

 

CISO Platform Talks : Security FireSide Chat With A Top CISO or equivalent (bi-monthly)

  • Description:

    CISO Platform Talks: Security Fireside Chat With a Top CISO

    Join us for the CISOPlatform Fireside Chat, a power-packed 30-minute virtual conversation where we bring together some of the brightest minds in cybersecurity to share strategic insights, real-world experiences, and emerging trends. This exclusive monthly session is designed for senior cybersecurity leaders looking to stay ahead in an ever-evolving landscape.

    We’ve had the privilege of…

  • Created by: Biswajit Banerjee
  • Tags: ciso, fireside chat

Fireside Chat With Rick Doten (VP - Information Security at Centene Corporation)

  • Description:

    We’re excited to bring you an exclusive fireside chat on "A CISO’s Guide on How to Manage a Dynamic Attack Surface" with Rick Doten (VP - Information Security, Centene Corporation) and Erik Laird (Vice President - North America, FireCompass). In this session, we’ll explore how top CISOs are tackling today’s rapidly expanding attack surface and what it takes to stay ahead of evolving threats in a cloud-first, AI-driven world.

    As…

  • Created by: Biswajit Banerjee
  • Tags: ciso, attack surface management, rick doten, ciso guide

CISO Meetup at BlackHat Las Vegas 2025

  • Description:

    We are excited to welcome you to the CISO Meetup during BlackHat USA 2025 in Las Vegas! Join us for an exclusive networking, meaningful conversations, and community building with top CISOs and cybersecurity leaders from around the globe. 

    Meetup Details:

    Location: Mandalay Bay, Las Vegas …

  • Created by: Biswajit Banerjee
  • Tags: ciso, black hat, black hat 2025, black hat usa