Current Project Synopsis:
- Responsible for Information Security of next generation mobile and fixed broadband networks (LTE/WiFi/FTTx) with All-IP networks over a cloud based framework for B2C/B2B markets connecting 200 Million 4G LTE, 50 Million Wifi/FTTx subscribers in top 800 cities of India
- Jio’s seamless 4G services using FDD-LTE on 1800 MHz and TDD-LTE on 2300 MHz through an integrated ecosystem, aims to provide unparalleled high quality access to innovative and empowering digital content, applications and services.
According to Verizon 2013 data breach report, 84% of exploits & 69% of data exfiltration happens in less than an hour so it’s very critical to have situational awareness i.e. visibility into activities occurring around the enterprise. Proper deployment of next generation SIEM (Security Information & Event Management) tools helps to detect attacks sooner and as a result react more nimbly.
SIEM solutions provide enterprises with network security intelligence and real-time monitoring for network devices, systems, and applications. Using SIEM solutions, IT administrators can mitigate sophisticated cyber attacks, identify the root cause of security incidents, monitor user activity, thwart data breaches and most importantly, meet regulatory compliance requirements.
Most organization think that SIEM solutions have a steep learning curve and are expensive, complex and hard to deploy. Here are few SIEM deployment guidelines and factors you need to consider while evaluating an SIEM Tool. The right SIEM solution is one that can be easily deployed, is cost-effective and meets all your IT security needs with a single tool.
(Read more: Checklist to Evaluate A Cloud Based WAF Vendor)
SIEM Deployment Guidelines
1. Know what is important to security
- Security Events
- Network Flows
- Server & Application Logs
- Database Activity
- Application Contents
2. Know what is important to compliance
- Identity Content
- Classification of data
- Access to data
- Usage of data
Checklist for SIEM Solution Evaluation
1. Log Collection
- EPS (events per second) rate at which your IT infrastructure sends events should match with your SIEM tool
- Should be able to collect logs from heterogeneous sources (Windows, Unix/Linux, Applications, Database, Network Devices ,Firewalls, IPS, IDS)
- Capability of agent-less and agent based log collection method
2. Real Time Event Correlations
- Proactively dealing with threats based on log search, rules and alerts. Correlation boosts network security by processing millions of events simultaneously to detect anomalous events on the networks
3. Log Retention
- Capability to easily retrieve and analyze log data
- Should automatically archive all log data from systems, devices and applications to a centralized repository.
4. IT Compliance Reports
- Out of box regulatory compliance of PCI DSS, ISO 27001, SOX, HIPAA etc
5. User Activity Monitoring
- Out of box user activity monitoring, privileged user monitoring, audit reporting, Know which user performed the action, what was the result of the action. Source & destination address of the systems /devices used.
6. File Integrity Monitoring
- Capability to monitor business critical files & folders.
- Capture details of when files were created, accessed, viewed, deleted, modified, renamed etc.,
7. Log Forensics
- Capability to track down a intruder or event activity using log search capability
- Capability to take timely actions & right decisions during network / system anomalies
9. Global Threat Intelligence Feeds
- Capability to get latest global threat intelligence feeds & carrier grade threat intelligence so as to proactively manage threats. Collaboration among organizations to enhance security
- Precise solutions for compromised systems and networks
10. Big Data Analytics
- Capability to forecast threats using big data, Accurate analysis of structured as well as unstructured data
- Constant intelligence gathering to strengthen security
-With Binu Chacko, Head of iSoc(Security Operations Center) & Digital Forensics, Reliance Jio Infocomm on 'SIEM Tools: Implementation Guide and Vendor Evaluation Checklist'
(Read more: Checklist for PCI DSS Implementation & Certification)
Thanks Avkash for your feedback. Why don't you write an article explaining the key learning of SIEM use cases? Click here to write
Correctly derived parameters.
Just to Add, Most important thing for any successful SIEM implementation is the Use-cases(Correlation Rules).
It has to be derived based on the understanding of the network, type of the logs, type of the data lying in the network, technologies being deployed, type of the business environment which organization is sharing amongst the global market. Use-cases missed is equal to an loophole into the security monitoring.