A guide to onboard Security Information and Event Management in your Organization

If your business is like most, you are collecting logs from almost every device with security relevance. The flood of events is probably more than any human can alone correlate. This is the role of the Security Information & Event Management (SIEM) system.

The SIEM collects log data, normalizes it to a consistent format and enables cross-checking of events from multiple systems. They enable detailed reporting and notification to be sent with a high degree of confidence. SIEM products are also rapidly becoming an important part of regulatory compliance monitoring.

There are a range of factors to check in the checklist from pre-planning to the execution and maintenance stage to embark on SIEM into your organization.

1. Planning:

1. Identify the need for a Security Information/Event Management (SIEM) solution.
   1. What problem are we solving with this solution (log retention, regulatory compliance, security management, tying together alerts from disparate security systems, consolidation of manpower, etc.)?
   2. What are the products from which you will take log data?
      1. Ensure the desired logs can be brought into the SIEM system.
      2. Plan for some degree of excess capacity. Few devices might come up as an ad hoc
      3. Look for the ability to create your own log parsing capabilities if the vendor does not have the capability of reading the logs with a pre-built agent.
      4. Learn the data to determine how it can be used to provide extra value.
      5. Involve data-owners early on, and provide access, to improve data-owner cooperation.
   3. What areas of the business are you going to take data from?
      1. Plan for some excess capacity or the ability to add capacity easily. Few additional customers might come up
   4. What areas of the business are you going to offer services to?
      1. Ensure that the product allows for easy, granular, and secure Access Controls so that access can be provided to only the appropriate level of data
2. Determine the financial viability of a SIEM solution
   1. Software or appliance costs
      1. Central SIEM server or appliance
      2. SIEM Agents or sensors (if licensed per-agent)
      3. Database Servers (if required)
      4. Software modifications needed to support log gathering
   2. Hardware costs
      1. Servers to run the SIEM (unless deploying an appliance solution)
      2. Storage (Local Disk, SAN, or NAS) (if required)
      3. BCP hardware or hardware for a high-availability configuration.
      4. System management hardware (Tape Backup, Monitoring, hardware management, etc.)
      5. Any costs relating to Data Center space
   3. Bandwidth costs – Based on the log volumes, you need to ensure you have adequate bandwidth available.
      1. Log source to log collector data transfer
      2. Log collector to central server data transfer
      3. Data transfer within the SIEM infrastructure
      4. Client to server traffic
      5. Database replication traffic
      6. Server and Database Backup traffic.
   4. Customization costs
      1. Discuss with the SIEM vendors the feasibility and any costs associated with changes you may require to be made to the product
      2. Determine the cost and lead times for any custom agent creation you may require
   5. Maintenance costs
      1. Hardware annual maintenance
      2. Software AMC
   6. Resource (Staffing) costs
      1. Who will do the system admin’s work for your SIEM systems? – cost of the sysadmin
      2. Who will be developing your SIEM content, such as reports, correlation rules, alerts, etc.? – Cost of the technical / Functional consultant
      3. Do you require a DBA (on a full or part time basis)?
      4. Can the costs be shared from other departments? – Utilization of resources
      5. Do you require the services of a Storage Area Network admin (on a full or part time basis)?
3. If an enterprise asset inventory system does not exist already, begin the effort to build that infrastructure 6 months before executing the SIEM. You will need precise asset information to maximize the value of your SIEM system.
4. Determine if an enterprise Identity management solution exists and if you can leverage this for mapping user identities, both for mapping ID’s to users during investigation and also for user access to the SIEM itself.
5. Obtain the most accurate mapping of your network possible prior to the start of the deployment of the SIEM system. Network location is also critical to obtain the most accurate information from your SIEM product.
6. Standardize systems on a single time zone, if the business exists in multiple locations consider standardizing on UTC. Standardized log times are very important to correlation. If this is not possible (or practical) then you will need use time correction at the SIEM agent or build your correlation based on the timestamp assigned to events when they are received by the Manager.
7. The Network Time Protocol –Log times have direct impact on correlation of events. The more drift the less likely the events can be correlated with events from other devices.
8. Ensure the data you want to collect is actually being logged by the devices. Nothing is more disconcerting than being ready to start taking in the logs and finding out that they are not being collected.

2. Systems Analysis:

1. Determine the volume of log data (from all sources) you need to be able to accommodate.
   1. Decide what to log at what level of granularity
   2. Determine which log messages from each log source will be collected by a SIEM solution
   3. Base numbers on maximum projected log volumes
2. Determine the storage requirements (how long do you need to be able to store logs for)?
   1. What is your companies’ log retention period? (how long do you need to keep it online, offline(restorable)
   2. Do you need to replicate database data
   3. Do you need to store raw unmodified log data? If so for how long?
3. Determine how many users the system will need to support – (Authors and Consumers)
4. Determine BCP/DR requirements for the SIEM system
5. Do you require external user authentication (via Active Directory, SSO, or Token)?
   1. Ensure the SIEM supports this mechanism
   2. Ensure your external authentication system is prepared to support the SIEM application.

3. Systems Design:

1. Hardware Requirements (unless an appliance solution is being deployed)
   1. Determine the hardware requirements for SIEM manager and agent servers
2. Design the SIEM architecture
   1. Determine the number of SIEM servers required to support the volume of logs
   2. Determine the number of SIEM servers required to support any organizational separation of functions (Line of Business or geographical region)
   3. Determine the number of servers required to support SIEM agents (some SIEM servers may have limitations on how many agents they can support)
   4. Architect your SIEM environment in multi-tier, distributed model to enhance scalability.
   5. Validate SIEM hardware and architecture design with the vendor to avoid any problems later relating to scalability or performance. Ask the vendor to provide a capacity plan that you can use as a scalability roadmap.
   6. Attempt to design log aggregation points (Centralized syslog server) into the architecture.
   7. Allow for a Development Manager/DB in your architecture. It is possible to crash/lag a system in the process of creating SIEM content (rules, reports, etc.). Having a non-production system to build and test content on will pay big dividends the first time something being written fails and forces a manager restart.
3. Design SIEM network connectivity
4. Design the SIEM database
   1. Determine the disk space requirements for your SIEM database(es)
   2. Include online and offline storage
   3. determine disk space, speed, and expansion capabilities
   4. Is SAN storage a requirement?
   5. Determine requirements of the SIEM vendor, many have specific requirements for the DB disk space (raid type, raw disk versus file system, number of spindles, partitioning, etc.)
   6. Allocate space for any database backup or replication requirements
   7. Allocate space for restoring and re-importing of archived data
5. Train the Implementation team to deploy the SIEM product

4. Implementation:

1. Racking and Stacking of the prerequisite hardware, SIEM (If the SIEM is a physical appliance)
2. Install selected Operating System
   1. Configure to local standards.
   2. Patch OS to current levels
3. Connect and configure network
   1. Assign IP addresses
   2. Connect network
   3. Test connectivity
   4. est any network related High availability features
   5. Configure any SAN connectivity (if required)
4. Install SIEM software or deploy an appliance
   1. Load DB (unless installed by SIEM setup)
   2. Load any DB High Availability solution you are going to run now as well.
   3. Test any Database high availability features
   4. Configure SIEM Server/Manager Software
5. Install SIEM agents/sensors
6. Install any locally required System management software and backup software
7. Design and Implement access controls on user groups to restrict the visibility of events where appropriate.
   1. Many groups only need to see their log data and do not need to be able to see all events in the system
   2. Build access control lists based on group membership
   3. Log the logs and audit the auditors: ensure all SIEM access and audit logs are kept so there is a record of SIEM usage
8. Build initial SIEM Content/Dashboards
   1. Build content for multiple levels of technical knowledge
   2. Managers are typically looking for high level abstracted data
   3. Engineers are looking for content with very detailed information
   4. Determine requirements for dashboards, schedule recurring reports/dashboards to run automatically

5. Integration and Testing:

1. Configure SIEM Agent/Sensor to transmit events to the SIEM Server/Manager
2. Validate events are being received at the server from the agents
   1. Check to see all expected events are being received
   2. Validate the events are being parsed and classified properly
3. Validate SIEM is filtering and processing events properly
4. Validate data normalization
5. Validate correlation function
6. Validate database archiving capability and restore functionality
7. Test notification functionality
8. Test the precision and dissemination of reports
9. Test any High Availability configuration & current maximum capacity. A stress test prior to brining in any production data is highly advisable.

6. UAT, GO Live

1. Provide access to sample user community. Validate the content suitability of these users for their assigned roles
2. Build production accounts for the users with appropriate rights and disseminate
3. Training of End Users and SOC Personnel in SIEM operation
4. Migrate business processes to new SIEM environment
5. Integrate into the Security Incident Response/Incident Handling process/team
6. Educate internal groups on capabilities and limitations of the SIEM product
7. Filter/whitelist events (adhering to the compliance) to prevent your database from getting filled with useless events. While you would like to have every log at your fingertips, the cost is storage and bandwidth can be excessive.

7. Maintenance:

1. Provide access to sample user community. Validate the content suitability of these users for their assigned roles
2. Build production accounts for the users with appropriate rights and disseminate
3. Training of End Users and SOC Personnel in SIEM operation
4. Migrate business processes to new SIEM environment
5. Integrate into the Security Incident Response/Incident Handling process/team
6. Educate internal groups on capabilities and limitations of the SIEM product
7. Filter/whitelist events (adhering to the compliance) to prevent your database from getting filled with useless events. While you would like to have every log at your fingertips, the cost is storage and bandwidth can be excessive.