<p><strong>SIEM - All Articles - CISO Platform</strong><br />https://www.cisoplatform.com/profiles/blogs/feed/tag/SIEM (2024-03-29T11:22:37Z)</p>
<p><strong>How effective is your SIEM Implementation? - CISO Platform</strong><br />https://www.cisoplatform.com/profiles/blogs/how-effective-is-your-siem-implementation<br />2014-05-01, by 23j0c848tmyvu (https://www.cisoplatform.com/members/23j0c848tmyvu)</p>
<div><p>During the last few penetration tests we conducted for certain organizations, we discovered a surprising fact: almost all of the SIEM implementations had gaps at the implementation level. For example, in certain cases the SIEM did not detect anything at all while the internal network was subjected to rigorous penetration testing.</p>
<p>I am not saying that all SIEM implementations are as bad as that; however, it is mandatory to find out whether your SIEM implementation is actually as effective as you perceive it to be.</p>
<p>( Read More: <strong><a href="http://www.cisoplatform.com/profiles/blogs/top-10-incident-response-siem-talks-from-rsa-conference-2016">Top 10 'Incident Response & SIEM' talks from RSA Conference 2016 (USA)</a></strong> )</p>
<p><strong><span style="font-size:1.17em;">How to find out if your SIEM implementation is effective?</span></strong></p>
<p>The following are a few steps you can take to find out whether your SIEM implementation is effective.</p>
<p><b>Ask the Right Questions:</b> One of the best ways to gauge the effectiveness of your SIEM implementation is to ask your security team certain questions. Some of my favorite questions are as follows:</p>
<p><b>1. Does your SIEM dashboard have too many non-actionable alerts?</b> If yes, the SIEM is either not monitoring the right metrics, or alerts are not prioritized, or alerts are not linked to actionable tasks.</p>
<p><b>2. Does your SIEM display and report critical metrics on dashboards?</b></p>
<p><b>3. Does your SIEM dashboard support drill-down functionality?</b> If not, your security team is probably spending too much time digging out the details of critical alerts that turn out to be false positives.</p>
<p><b>4. Does your SIEM detect early signs of attacks on internal and external networks?</b> Some of the early signs of attacks are ping sweeps, port scanning, service fingerprinting, crawling of web apps, etc.</p>
<p><b>5. Does your SIEM detect classical internal network attacks like ARP poisoning, MITM attacks, exploitation, and new devices connecting to the network?</b> If not, your internal networks are probably at high risk of being misused by internal attackers, malware, viruses, etc.</p>
<p>( Watch more: <strong><a href="http://www.cisoplatform.com/video/attacks-on-smart-tv-and-connected-smart-devices">Attacks on Smart TV and Connected Smart Devices</a></strong> )</p>
<p><b>Conduct a Penetration Test:</b> One of the best ways to verify your SIEM implementation is to conduct a penetration test on your network. Ideally, do not notify your SIEM monitoring team, and be ready for a few surprises.</p>
<p><b>3rd Party SIEM Review and Auditing:</b> Get your SIEM implementation (primarily configuration and integrations) reviewed and audited either by external vendors or by a different internal team.</p>
<p>Finally, create an actionable plan to bridge any gaps you have discovered in your SIEM implementation.</p>
<p><strong>Courtesy: iViZ Blog (Author: Jitendra Singh Chauhan)</strong></p>
<p><strong>Source: <a href="http://www.ivizsecurity.com/blog/penetration-testing/how-effective-is-your-siem-implementation/">http://www.ivizsecurity.com/blog/penetration-testing/how-effective-is-your-siem-implementation/</a></strong></p>
<p><em>What are your tips for SIEM Implementation? Share your thoughts in the comments below.</em></p>
<p><em>Or</em> <strong><a href="http://www.cisoplatform.com/profiles/blog/new">Click here to write an article at CISO Platform</a></strong></p></div>
<p><strong>Demystifying Security Analytics: Data, Methods, Use Cases (RSA Conference 2016)</strong><br />https://www.cisoplatform.com/profiles/blogs/demystifying-security-analytics-data-methods-use-cases-rsa-confer<br />2016-04-04, by pritha (https://www.cisoplatform.com/members/pritha)</p>
<div>
<p><span class="font-size-5">Demystifying Security Analytics: Data, Methods, Use Cases</span></p>
<p>Many vendors sell “security analytics” tools, and some organizations have built their own security analytics toolsets and capabilities using Big Data technologies and approaches. How do you find the right approach for your organization and benefit from this analytics boom? How do you start a security analytics project, and how do you mature the capabilities?</p>
<p><span class="font-size-5">Speakers</span></p>
<p><strong>Anton Chuvakin</strong> (<strong><a class="in-cell-link" href="http://twitter.com/anton_chuvakin" target="_blank">@anton_chuvakin</a></strong>)</p>
<p>Research Vice President, Gartner<br /> <br /> Anton Chuvakin is a Research Vice President in the Gartner for Technical Professionals (GTP) Security and Risk Management group. Before Chuvakin joined Gartner, his job responsibilities included security product management, evangelism, research, competitive analysis, PCI DSS compliance, and SIEM development and implementation. He is an author of the books “Security Warrior” and “PCI Compliance” and a contributor to “Know Your Enemy II,” “Information Security Management Handbook” and other books. He has published dozens of papers on log management, SIEM, correlation, security data analysis, PCI DSS and security management. His blog “Security Warrior” was one of the most popular in the industry.</p>
<p><span class="font-size-5">Detailed Presentation:</span></p>
<div style="margin-bottom:5px;"><strong><a href="//www.slideshare.net/cisoplatform7/demystifying-security-analytics-data-methods-use-cases" title="Demystifying Security Analytics: Data, Methods, Use Cases" target="_blank">Demystifying Security Analytics: Data, Methods, Use Cases</a></strong> from <strong><a target="_blank" href="//www.slideshare.net/cisoplatform7">Priyanka Aash</a></strong></div>
<div style="margin-bottom:5px;"><strong>(Source: RSA USA 2016, San Francisco)</strong></div>
</div>
<p><strong>Open source network security: Top 10 Open Source Software Security Tools</strong><br />https://www.cisoplatform.com/profiles/blogs/top-10-open-source-or-free-it-security-tools<br />2016-09-27, by Vaibhav Singhal (CISO Platform) (https://www.cisoplatform.com/members/VaibhavSinghalCISOPlatform)</p>
<div><p>Short of resources, but still want a strong IT-security ecosystem? There are multiple open source tools on the market, especially suited to small and medium enterprises. Although they cannot match the capabilities of the premium tools from big vendors, which come with hefty price tags, they still provide quite decent features without burning a hole in your pocket. We bring you the list of <strong>Top 10 Open Source or Free IT-Security Tools:</strong></p>
<p>1. <strong><a href="http://blog.securityonion.net/" target="_blank">Security Onion</a> (Category: Package with multiple capabilities)</strong> is a Linux distro for intrusion detection, network security monitoring, and log management. It is based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. It is a great asset in the defender’s toolkit.</p>
<p>2. <strong><a href="http://ossec.github.io/" target="_blank">OSSEC</a> (Category: IDS/IPS)</strong> is fully open source and free for your use. You can tailor OSSEC to your security needs through its extensive configuration options, adding custom alert rules and writing scripts that take action in response to security alerts. You are free to modify the source code to add new capabilities. OSSEC watches it all, actively monitoring all aspects of Unix system activity with file integrity monitoring, log monitoring, rootcheck, and process monitoring.</p>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/top-it-security-conferences-in-the-world">Top IT Security Conferences In The World</a> )</p>
<p>3. <strong><a href="https://www.cuckoosandbox.org/" target="_blank">Cuckoo Sandbox</a> (Category: Endpoint Detection and Response)</strong> is an advanced, extremely modular, and 100% open source malware analysis system with countless applications. By default, it is able to:</p>
<ul><li>Analyze many different malicious files (executables, document exploits, Java applets) as well as malicious websites, in Windows, OS X, Linux, and Android virtualized environments.</li><li>Trace API calls and the general behavior of the file.</li><li>Dump and analyze network traffic, even when encrypted.</li><li>Perform advanced memory analysis of the infected virtualized system with integrated support for Volatility.</li></ul>
<p>4. <strong><a href="https://cirt.net/nikto2" target="_blank">Nikto</a> (Category: Application Security)</strong> is an extremely popular web application vulnerability scanner. Web application vulnerability scanners are designed to examine a web server to find security issues. Identifying security problems proactively, and fixing them, is an important step towards ensuring the security of your web servers. Nikto checks for a number of dangerous conditions and vulnerable software. Running it on a regular basis will ensure that you identify common problems in your web server or web applications.</p>
<p><strong>Features include:</strong></p>
<ul><li>SSL support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL)</li><li>Full HTTP proxy support</li><li>Checks for outdated server components</li><li>Save reports in plain text, XML, HTML, NBE or CSV</li><li>Template engine to easily customize reports</li><li>Scan multiple ports on a server, or multiple servers via input file (including nmap output)</li></ul>
<p>5. <strong><a href="https://www.metasploit.com/" target="_blank">Metasploit</a> (Category: Vulnerability Assessment)</strong> is a collaboration between the open source community and Rapid7. Their penetration testing software, Metasploit, helps verify vulnerabilities and manage security assessments.</p>
<p><strong>Features include:</strong></p>
<ul><li><strong>Utilize the world's largest exploit database:</strong> Leading the Metasploit project gives Rapid7 unique insights into the latest attacker methods and mindset. Rapid7 works with the community to add an average of 1 new exploit per day, currently counting more than 1,300 exploits and more than 2,000 modules.</li><li><strong>Simulate real-world attacks against your defenses:</strong> Metasploit evades leading anti-virus solutions 90% of the time and enables you to completely take over a machine you have compromised from over 200 modules.</li><li><strong>Uncover weak and reused credentials:</strong> Test your network for weak and reused passwords. Going beyond just cracking operating system accounts, Metasploit Pro can run brute-force attacks against over 20 account types, including databases, web servers, and remote administration solutions.</li></ul>
<p>6. <strong><a href="https://www.bro.org/" target="_blank">Bro</a> (Category: IDS/IPS)</strong> is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well. Well-grounded in more than 15 years of research, Bro has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally, in particular by many scientific environments, for securing their cyber infrastructure. Bro's user community includes major universities, research labs, supercomputing centers, and open-science communities.</p>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/top-6-reasons-why-datalossprevention-implementation-fails">Top 6 Reasons Why Data Loss Prevention (DLP) Implementation Fails</a> )</p>
<p>7. <strong><a href="https://www.wireshark.org/" target="_blank">Wireshark</a> (Category: Package with multiple capabilities)</strong> is one of the foremost network protocol analyzers. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.</p>
<p><strong>Features include:</strong></p>
<ul><li>Deep inspection of hundreds of protocols, with more being added all the time</li><li>Live capture and offline analysis</li><li>Standard three-pane packet browser</li><li>Multi-platform: runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others</li><li>Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility</li></ul>
<p>8. <strong><a href="http://openvas.org/" target="_blank">OpenVAS</a> (Category: Vulnerability Assessment)</strong> is an advanced open source vulnerability scanner and manager. It is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The solution is available as Free Software and maintained on a permanent basis.</p>
<p>9. <strong><a href="https://www.kali.org/" target="_blank">Kali Linux</a> (Category: Package with multiple capabilities)</strong> is an open source Debian-based distribution with pre-installed penetration testing tools.</p>
<p><strong>Features include:</strong></p>
<ul><li><strong>Full customization of Kali ISOs:</strong> Kali Linux is heavily integrated with live-build, allowing you to create your own Kali Linux images and giving endless flexibility in customizing and tailoring every aspect of your ISO.</li><li><strong>Kali Linux ISO of Doom and other Kali recipes:</strong> The Kali Linux ISO of Doom is a great example of the flexibility of live-build, and of the types and complexity of customization possible.</li><li><strong>Kali Linux Live USB with multiple persistence stores:</strong> Kali Linux supports multiple persistence stores on a single USB drive.</li></ul>
<p>10. <strong><a href="https://www.alienvault.com/products/ossim" target="_blank">OSSIM</a>, AlienVault's (Category: Security Information and Event Management)</strong> open source Security Information and Event Management (SIEM) product, provides you with a feature-rich open source SIEM complete with event collection, normalization and correlation. Launched by security engineers because of the lack of available open source products, OSSIM was created specifically to address the reality many security professionals face: a SIEM, whether open source or commercial, is virtually useless without the basic security controls necessary for security visibility.</p>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/top-10-incident-response-siem-talks-from-rsa-conference-2016">Top 10 'Incident Response & SIEM' talks from RSA Conference 2016 (USA)</a> )</p>
<p><em>What are the IT security tools you use the most and find very helpful? Share with us in the comments below.</em></p></div>
<p><strong>Security Incident & Event Management (SIEM) Framework For Product Evaluation</strong><br />https://www.cisoplatform.com/profiles/blogs/security-incident-event-management-siem-framework-for-product-eva<br />1999-11-30, by pritha (https://www.cisoplatform.com/members/pritha)</p>
<div><p>Author - Anil Upadhyay, DM - ITGS, ITSD, Gujarat Gas Limited</p>
<p>We have listed the key parameters required for Security Incident and Event Management; the framework is attached at the end.</p>
<p><strong><span class="font-size-5">Major Parameters To Consider:</span></strong></p>
<ol>
<li><p>Ability to identify non-compliant machines and network activities based on Organisational Policies and Procedures.</p>
</li>
<li><p>Ability to demonstrate compliance and/or due diligence with respect to ISO 27001 guidelines: account management, configuration management, authentication, vulnerability management.</p>
</li>
<li><p>Ability to identify and respond to organisational policy violations, e.g. web policies on explicit material, use of clear-text protocols, access policies, or the organisational information security policy.</p>
</li>
<li><p>Ability to manage the risk of threats and exposed vulnerabilities, and to identify and respond to attacks against the organization’s information systems from external threats. This includes monitoring for worms, viruses, denial-of-service, and other similar attack vectors.</p>
</li>
<li><p>Ability to identify trends in computing activity and raise alarms for potential outbreaks (e.g., from worms).</p>
</li>
<li><p>Ability to identify intrusions and send notifications, isolating actual breaches while recording and suppressing false positives.</p>
</li>
<li><p>Ability to identify suspicious activity in the network, monitor and record potentially malicious activity, and raise alarms on thresholds.</p>
</li>
<li><p>Ability to identify networks being subjected to potential denial of service attacks.</p>
</li>
<li><p>Ability to identify and respond to attacks against the organization’s information systems from internal threats. The focus is to identify activities that could result in theft of intellectual property and/or intelligence.</p>
</li>
<li><p>Ability to record and generate an alarm for data leakage, track and reconstruct insider activities, and identify exceptions.</p>
</li>
<li><p>Ability to track risk, i.e. user activity, with early-warning indicators.</p>
</li>
<li><p>Ability to</p>
</li>
</ol></div>
<p><strong>Comparing SIEM, Big Data & Behavior Analytics - Security Management Solutions</strong><br />https://www.cisoplatform.com/profiles/blogs/comparing-siem-big-data-behavior-analytics-security-management-so<br />2017-06-14, by pritha (https://www.cisoplatform.com/members/pritha)</p>
<div><p>With the advances in Big Data and Behavior Analytics, the need for a SIEM at the enterprise level may be in question. This question is addressed in this report, which analyses, dissects and tries to find out the pros and cons of both sides.</p>
<p><a href="https://docs.google.com/a/firecompass.com/forms/d/e/1FAIpQLScCPcnLbFqt_jL_u4DhmmhMigiWfHJQIb1WYx0kSvwbDgpqcA/viewform" target="_blank">>> Download</a></p>
<p><strong><span class="font-size-5">Why Read This Report?</span></strong></p>
<ul>
<li>Evaluate whether SIEM is a need for your organization (in the presence of Big Data and behavior analytics)</li>
<li>How to build an effective and mature SIEM?</li>
<li>How to build a SIEM infrastructure that reduces false positives?</li>
<li>How to scale security detection in a SIEM?</li>
</ul>
<p>And more (including data security, event logs...)</p>
</div>
<p><strong>Top 10 SIEM Log Sources in Real Life?</strong><br />https://www.cisoplatform.com/profiles/blogs/top-10-siem-log-sources-in-real-life<br />2019-08-26, by Dr. Anton Chuvakin (https://www.cisoplatform.com/members/DrAntonChuvakin)</p>
<div>
<p id="ab33">One of the most common questions I received in <a href="https://blogs.gartner.com/anton-chuvakin/2019/06/06/the-last-blog-post/" target="_blank">my analyst years</a> of covering <a href="https://blogs.gartner.com/blog/category/all/?c=siem" target="_blank">SIEM</a> and other security monitoring technologies was “what data sources to <strong>integrate into my SIEM first?”</strong></p>
<p id="a2f5">And of course the only honest answer to this question is: <strong>it depends on your security monitoring use cases </strong>and <a href="https://www.gartner.com/en/documents/3844970" target="_blank"><strong>how you prioritize them</strong></a><strong>.</strong> Naturally, some people then ask <a href="https://blogs.gartner.com/anton-chuvakin/2018/07/20/2018-popular-siem-starter-use-cases/" target="_blank">“ok, so then what are my use cases?”</a> (and then there are <a href="https://blogs.gartner.com/anton-chuvakin/2015/11/11/fun-challenges-with-siem-use-cases/" target="_blank">these challenges</a> too). Finally, perhaps in <a href="https://blogs.gartner.com/anton-chuvakin/2018/10/18/our-how-to-architect-and-deploy-a-siem-solution-publishes/" target="_blank">this paper</a>, we made a list of popular log sources aggregated from many organizations. Admittedly, the list may end up being useless for organizations with different security needs and challenges.</p>
<p>Joking aside, big organizations often make the decision to integrate a log source into their SIEM / UEBA based on factors <strong>other </strong>than the pure security necessity.</p>
<p>Overall, such factors may include:</p>
<ul>
<li>Necessity for detection</li>
<li>Necessity for alert triage and incident response</li>
<li>Necessity as context data for another log source</li>
<li>Compliance requirements to collect and retain this log type</li>
<li>Compliance requirements to monitor this data source and/or system</li>
<li>Ease of integration of the log source</li>
<li id="f9a1">Parser availability from the vendor</li>
<li>Ability to actually transfer the log data to a SIEM</li>
<li id="a817">Other planned log sources that compete for attention</li>
<li id="dad5">Data volume of the log source</li>
</ul>
<p class="ke kf bn bd kg b kh ki kj kk kl km kn ko kp kq kr">And of course for users of those <em class="lf">sad SIEM products that charge per gigabyte or EPS</em> [oh… wait … this is still <em class="lf">almost </em>everybody! :-)], the <strong class="kg ks">cost of introducing a new data source into the platform</strong> may be one of the BIG deciding factors.</p>
<p class="ke kf bn bd kg b kh ki kj kk kl km kn ko kp kq kr">Be honest: will you include a data source that will eat up 10% of your overall SIEM license if you only plan to use it as context — valuable though it may be — for another data source? Namely, if you don’t plan to write any detection rules or other logic based on this telemetry (DHCP being my favorite example here — how many detections rely solely on DHCP logs? None or very few at most).</p>
<p class="ke kf bn bd kg b kh ki kj kk kl km kn ko kp kq kr">As a result, my experience with SIEM deployments (going back to 2002, if you are curious) taught me that few people will include DNS or DHCP logs during their initial phases of SIEM roll-out. In fact, some will <em class="lf">never</em> include them in their SIEM! When asked why, those people explain that while they are convinced of the <em class="lf">general</em> utility of DNS logs, they do not see much value in each individual message that <a class="cj cf kt ku kv kw" href="https://blogs.gartner.com/anton-chuvakin/2014/06/17/on-siem-tool-and-operation-metrics/" target="_blank">costs money to collect</a>. And there are so many of those messages! Over the years, I’ve usually called them <strong class="kg ks">“sparse value logs” </strong>where the value is in getting the bulk rather than in getting some particularly valuable messages like say Windows Security Event ID 1102 …</p>
<p id="f68e" class="ke kf bn bd kg b kh ki kj kk kl km kn ko kp kq kr">As a result, SIEM operators have doubts about paying for inclusion of this data into their SIEM. The same doubt occasionally appears even for firewall logs, <a class="cj cf kt ku kv kw" href="https://blogs.gartner.com/anton-chuvakin/2016/07/21/can-i-detect-advanced-threats-with-just-flowsipfix/" target="_blank">netflow records </a>and many other high volume sources. Thus, web proxy logs, netflow, DNS, DHCP historically ended up in few SIEMs. I recall a client story from a few years back where adding web proxy logs would have 3X’d the volume of log data flowing into a SIEM. That is, web proxy logs were twice the volume of <em class="lf">all </em>other logs they collected.</p>
<p class="ke kf bn bd kg b kh ki kj kk kl km kn ko kp kq kr">Even more so, very few people will toss all EDR telemetry into a SIEM, and usually limit themselves to EDR alerts. Admittedly, sysmon records are becoming more popular, but perhaps more so in “free” Elastic vs paid SIEM (and this will still cost you in either hardware or public cloud costs — sometimes eye-watering cloud costs at that).</p>
<p class="ke kf bn bd kg b kh ki kj kk kl km kn ko kp kq kr">In fact, this gave rise to an architecture where one product is used for high-value logs while another augments it by storing the more voluminous logs. However, such architectures usually have no technical merit: they add complexity and fragmentation, and thus fragility. They do work if the products have good APIs (such as to query one telemetry repository from another), but it is useful to remember that they offer no advantage other than cost.</p>
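<p>As an added illustration of the point above about telemetry kept only as context for another data source (example code written for this page, not from the original post): DHCP lease lines are worthless one at a time, but the whole stream answers "which host held this IP when the alert fired?". The dhcpd-style line format, the sample lines, the alert dict and the 24-hour maximum lease age are all constructed assumptions; the <code>lease_at</code> lookup is the kind of query a two-repository architecture has to expose over an API.</p>

```python
"""Added example (not from the original post): bulk DHCP logs as context.

Assumed, not taken from the page: a simplified ISC-dhcpd-style syslog line
format, constructed sample lines, a toy alert dict, and a hypothetical
24-hour maximum lease age. No single DHCP line is worth a detection; the
value appears only when one of them answers "who held this IP at alert time?".
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample data: five DHCP server lines, one address changing hands.
DHCP_LOG = """\
2024-03-01T08:00:01 dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:00:00:01 (alice-laptop) via eth0
2024-03-01T08:05:10 dhcpd: DHCPACK on 10.0.0.6 to aa:bb:cc:00:00:02 (bob-desktop) via eth0
2024-03-01T09:30:00 dhcpd: DHCPRELEASE of 10.0.0.5 from aa:bb:cc:00:00:01 (alice-laptop) via eth0
2024-03-01T09:31:15 dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:00:00:03 (guest-phone) via eth0
2024-03-01T12:00:00 dhcpd: DHCPACK on 10.0.0.6 to aa:bb:cc:00:00:02 (bob-desktop) via eth0
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: (?P<kind>DHCPACK on|DHCPRELEASE of) (?P<ip>\S+) "
    r"(?:to|from) (?P<mac>\S+) \((?P<host>[^)]*)\)"
)

DhcpEvent = namedtuple("DhcpEvent", "ts kind ip mac host")


def parse_dhcp(text):
    """Keep only lease grants (DHCPACK) and releases; other lines are noise here."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            kind = "ack" if m["kind"].startswith("DHCPACK") else "release"
            events.append(DhcpEvent(datetime.fromisoformat(m["ts"]), kind,
                                    m["ip"], m["mac"], m["host"]))
    return sorted(events, key=lambda e: e.ts)


def lease_at(events, ip, when, max_age=timedelta(hours=24)):
    """Return the DHCPACK that bound `ip` at time `when`, or None.

    The most recent event for the address decides: a release means nobody
    held it, and an ACK older than max_age (hypothetical lease lifetime) is
    treated as stale rather than misattributing the address.
    """
    last = None
    for ev in events:
        if ev.ip == ip and ev.ts <= when:
            last = ev
    if last is None or last.kind != "ack" or when - last.ts > max_age:
        return None
    return last


def enrich_alert(alert, events):
    """Attach host/MAC context to an alert dict {"ts", "src_ip", "signature"}."""
    lease = lease_at(events, alert["src_ip"], datetime.fromisoformat(alert["ts"]))
    enriched = dict(alert)
    enriched["src_host"] = lease.host if lease else "unknown"
    enriched["src_mac"] = lease.mac if lease else "unknown"
    return enriched


if __name__ == "__main__":
    events = parse_dhcp(DHCP_LOG)
    alert = {"ts": "2024-03-01T10:00:00", "src_ip": "10.0.0.5",
             "signature": "constructed IDS alert"}
    print(enrich_alert(alert, events))
```

<p>Run stand-alone it attributes the 10:00 alert on 10.0.0.5 to <code>guest-phone</code>, not to <code>alice-laptop</code>, because the release at 09:30 is honoured; an alert for an address with no lease history comes back as <code>unknown</code> instead of a guess.</p>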
<p class="ke kf bn bd kg b kh ki kj kk kl km kn ko kp kq kr">To summarize, in some perfect world I want to make log integration decisions based ONLY on the value of such logs to my security goals and, specifically, use cases. However, today’s “popular” licensing models make this very hard.</p>
<p class="ke kf bn bd kg b kh ki kj kk kl km kn ko kp kq kr">Let’s change something!<br /><br />[cross-post from "Anton on Security"]</p></div>
SIEM Tools: Implementation Guide and Vendor Evaluation Checklist | https://www.cisoplatform.com/profiles/blogs/siem-tools-implementation-guide-and-vendor-evaluation-checklist | 2014-09-16T13:00:00.000Z | 2014-09-16T13:00:00.000Z | pritha | https://www.cisoplatform.com/members/pritha
<div>
<p><span class="font-size-4">Current Project Synopsis:</span></p>
<ul>
<li>Responsible for Information Security of next-generation mobile and fixed broadband networks (LTE/WiFi/FTTx) with all-IP networks over a cloud-based framework for B2C/B2B markets, connecting 200 million 4G LTE and 50 million WiFi/FTTx subscribers in the top 800 cities of India</li>
<li>Jio’s seamless 4G services, using FDD-LTE on 1800 MHz and TDD-LTE on 2300 MHz through an integrated ecosystem, aim to provide unparalleled high-quality access to innovative and empowering digital content, applications and services.</li>
</ul>
<p>According to the Verizon 2013 data breach report, 84% of exploits and 69% of data exfiltration happen in less than an hour, so situational awareness, i.e. visibility into the activities occurring across the enterprise, is critical. Proper deployment of next-generation SIEM (Security Information & Event Management) tools helps detect attacks sooner and, as a result, react more nimbly.</p>
<p>SIEM solutions provide enterprises with network security intelligence and real-time monitoring for network devices, systems and applications. Using SIEM solutions, IT administrators can mitigate sophisticated cyber attacks, identify the root cause of security incidents, monitor user activity, thwart data breaches and, most importantly, meet regulatory compliance requirements.</p>
<p>Most organizations think that SIEM solutions have a steep learning curve and are expensive, complex and hard to deploy. Here are a few SIEM deployment guidelines and the factors you need to consider while evaluating a SIEM tool. The right SIEM solution is one that can be easily deployed, is cost-effective and meets all your IT security needs with a single tool.</p>
<p>(Read more: <strong><a href="http://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-a-web-application-firewall">Checklist to Evaluate A Cloud Based WAF Vendor</a>)</strong></p>
<p><span class="font-size-4">SIEM Deployment Guidelines</span></p>
<p>1. Know what is important to security</p>
<ul>
<li>Security Events</li>
<li>Network Flows</li>
<li>Server & Application Logs</li>
<li>Database Activity</li>
<li>Application Contents</li>
</ul>
<p>2. Know what is important to compliance</p>
<ul>
<li>Identity Content</li>
<li>Classification of data</li>
<li>Access to data</li>
<li>Usage of data</li>
</ul>
<p><span class="font-size-4">Checklist for SIEM Solution Evaluation</span></p>
<p>1. <strong>Log Collection</strong></p>
<ul>
<li>The SIEM tool must sustain the EPS (events per second) rate at which your IT infrastructure generates events, at peak and not only on average</li>
<li>Should be able to collect logs from heterogeneous sources (Windows, Unix/Linux, applications, databases, network devices, firewalls, IPS, IDS)</li>
<li>Capability for both agentless and agent-based log collection</li>
</ul>
<p>2. <strong>Real Time Event Correlations</strong></p>
<ul>
<li>Proactive handling of threats based on log search, rules and alerts. Correlation boosts network security by processing millions of events simultaneously and linking related ones, so that anomalous activity on the network is detected that no single event would reveal</li>
</ul>
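<p>The following is an added example of one such correlation rule, written for this page and not taken from any vendor product: several failed logins from one source inside a short window, followed by a successful login from the same source. It also records who got in, which accounts were tried and from where, which is the detail the user activity monitoring item below asks for. The OpenSSH-style auth lines are constructed sample data (source addresses from the RFC 5737 documentation ranges), and the 3-failure threshold and 5-minute window are assumed tuning values.</p>

```python
"""Added example (not from the original article): one real-time correlation
rule, "N failed logins from one source within a window, then a success".

Assumed, not from the page: OpenSSH-style auth lines (constructed sample
data), a 3-failure threshold and a 5-minute window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one password-guessing burst that ends in a success
# (203.0.113.9), one normal typo-then-login (198.51.100.4), and one burst
# with no success (192.0.2.77).
SAMPLE_AUTH_LOG = """\
2024-03-01T10:00:01 sshd[2001]: Failed password for bob from 203.0.113.9 port 50001 ssh2
2024-03-01T10:00:03 sshd[2002]: Failed password for bob from 203.0.113.9 port 50002 ssh2
2024-03-01T10:00:05 sshd[2003]: Failed password for admin from 203.0.113.9 port 50003 ssh2
2024-03-01T10:00:07 sshd[2004]: Failed password for bob from 203.0.113.9 port 50004 ssh2
2024-03-01T10:00:09 sshd[2005]: Accepted password for bob from 203.0.113.9 port 50005 ssh2
2024-03-01T10:01:00 sshd[2006]: Failed password for carol from 198.51.100.4 port 40001 ssh2
2024-03-01T10:02:00 sshd[2007]: Accepted password for carol from 198.51.100.4 port 40002 ssh2
2024-03-01T11:00:00 sshd[2008]: Failed password for dave from 192.0.2.77 port 30001 ssh2
2024-03-01T11:00:02 sshd[2009]: Failed password for dave from 192.0.2.77 port 30002 ssh2
2024-03-01T11:00:04 sshd[2010]: Failed password for dave from 192.0.2.77 port 30003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth(text):
    """Normalise each auth line into {ts, outcome, user, src}; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "outcome": m["outcome"], "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Streaming correlation with a per-source sliding window of failures.

    Emits one alert when a success arrives while at least `threshold`
    failures from the same source sit inside the window, then clears that
    source so the same burst is not reported twice.
    """
    failures = defaultdict(deque)  # src -> deque of (ts, user) failures
    alerts = []
    for ev in events:
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:   # expire old failures
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append((ev["ts"], ev["user"]))
        elif len(q) >= threshold:
            alerts.append({
                "rule": "ssh_bruteforce_then_success",
                "ts": ev["ts"].isoformat(),
                "src": ev["src"],
                "user": ev["user"],                      # the account that got in
                "failures": len(q),
                "users_tried": sorted({u for _, u in q}),
                "first_failure": q[0][0].isoformat(),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce(parse_auth(SAMPLE_AUTH_LOG)):
        print(alert)
```

<p>On the sample data only 203.0.113.9 fires: carol's single typo is below the threshold and dave's burst never succeeds, so neither produces a dashboard alert, which is exactly the non-actionable noise the first item in this list warns about.</p>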
<p>3. <strong>Log Retention</strong></p>
<ul>
<li>Capability to easily retrieve and analyze log data</li>
<li>Should automatically archive all log data from systems, devices and applications to a centralized repository.</li>
</ul>
<p>4. <strong>IT Compliance Reports</strong></p>
<ul>
<li>Out-of-the-box regulatory compliance reports for PCI DSS, ISO 27001, SOX, HIPAA, etc.</li>
</ul>
<p>5. <strong>User Activity Monitoring</strong></p>
<ul>
<li>Out-of-the-box user activity monitoring, privileged user monitoring and audit reporting: know which user performed an action, what the result of the action was, and the source and destination addresses of the systems/devices used.</li>
</ul>
<p>6. <strong>File Integrity Monitoring</strong></p>
<ul>
<li>Capability to monitor business-critical files and folders.</li>
<li>Capture details of when files are created, accessed, viewed, deleted, modified, renamed, etc.</li>
</ul>
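<p>As an added example of the file integrity monitoring described in this item (written for this page, not a vendor's implementation): a baseline of content hashes is taken, a later snapshot is compared against it, and created, deleted, modified and renamed files are reported. The directory layout and edits in <code>run_scenario()</code> are constructed in a temporary directory, and rename detection is a heuristic (a vanished path whose content hash reappears under a new path), not something the checklist specifies.</p>

```python
"""Added example (not from the original article): hash-based file integrity
monitoring. Take a baseline of a directory, take a later snapshot, and report
created / deleted / modified / renamed files.

Assumed, not from the page: the file set and edits in run_scenario() are
constructed in a temporary directory; rename detection is a heuristic.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative POSIX path) to (sha256, size)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (sha256_file(full), os.path.getsize(full))
    return snap


def diff_snapshots(baseline, current):
    """Compare two snapshots; a changed hash or size counts as modified."""
    created = {p for p in current if p not in baseline}
    deleted = {p for p in baseline if p not in current}
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    # Heuristic: a deleted path whose hash reappears under a new path is a rename.
    deleted_by_hash = {}
    for p in sorted(deleted):
        deleted_by_hash.setdefault(baseline[p][0], []).append(p)
    renamed = []
    for p in sorted(created):
        matches = deleted_by_hash.get(current[p][0])
        if matches:
            old = matches.pop(0)
            renamed.append((old, p))
            deleted.discard(old)
            created.discard(p)
    return {"created": sorted(created), "deleted": sorted(deleted),
            "modified": modified, "renamed": renamed}


def run_scenario():
    """Constructed scenario: baseline, then one change of each kind, then diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)

        write("etc/app.conf", "debug=false\n")
        write("logs/old.log", "boot ok\n")
        write("docs/moved.txt", "keep me\n")
        write("etc/hosts", "127.0.0.1 localhost\n")
        baseline = snapshot(root)

        write("etc/app.conf", "debug=true\n")                          # modified
        os.remove(os.path.join(root, "logs/old.log"))                   # deleted
        os.rename(os.path.join(root, "docs/moved.txt"),
                  os.path.join(root, "docs/renamed.txt"))               # renamed
        write("etc/new.conf", "listen=0.0.0.0\n")                       # created
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_scenario().items():
        print(f"{kind:9}: {paths}")
```

<p>Content hashes rather than timestamps drive the comparison, so a file whose mtime is touched but whose bytes are unchanged is not reported, while a file edited and then given back its old mtime still is. The baseline itself has to live somewhere an attacker who owns the host cannot rewrite (the SIEM, for instance), which is the reason this capability sits in the SIEM checklist at all.</p>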
<p>7. <strong>Log Forensics</strong></p>
<ul>
<li>Capability to track down an intruder or reconstruct event activity using log search</li>
</ul>
<p>8. <strong>Dashboards</strong></p>
<ul>
<li>Capability to take timely actions and make the right decisions during network/system anomalies</li>
</ul>
<p>9. <strong>Global Threat Intelligence Feeds</strong></p>
<ul>
<li>Capability to receive the latest global threat intelligence feeds and carrier-grade threat intelligence so as to manage threats proactively; collaboration among organizations to enhance security</li>
<li>Precise solutions for compromised systems and networks</li>
</ul>
<p>10. <strong>Big Data Analytics</strong></p>
<ul>
<li>Capability to forecast threats using big data; accurate analysis of structured as well as unstructured data</li>
<li>Constant intelligence gathering to strengthen security</li>
</ul>
<p>-<em>With Binu Chacko, Head of iSOC (Security Operations Center) & Digital Forensics, Reliance Jio Infocomm, on 'SIEM Tools: Implementation Guide and Vendor Evaluation Checklist'</em></p>
<p>(Read more: <strong><a href="http://www.cisoplatform.com/profiles/blogs/checklist-pci-dss-implementation-certification">Checklist for PCI DSS Implementation & Certification</a>)</strong></p></div>