Your SIEM is so much more than a check box for compliance requirements or a place to collect logs. After implementing hundreds of SIEM products in various industries, I recommend a list of must-haves for the tool that is the real-time “face” of your organization. If you do not have the minimum setup on your SIEM listed below, then you may not be taking full advantage of the functionality available in this powerful application.
1. Security Awareness Dashboard – In an enterprise environment there are probably many security appliances or applications, each using an appliance or third-party software to scan data coming into or leaving the environment. It is not uncommon to see two email gateways, DLP, vulnerability scanners, etc. How do you know which tools are the most effective, and whether you are duplicating effort? Therefore, always create a security awareness dashboard to gain an overall view of the security stance inside and outside the organization. The Security Awareness Dashboard differs from the next dashboard on the list in that it concentrates on the edge, cloud and internal tools specifically used to identify malicious data attempting to traverse, or successfully traversing, the infrastructure, and on how well those tools are configured to thwart such malicious traffic.
2. Situational Awareness Dashboard – Your SIEM collects information that is used to alert you in real time and near-real time to any anomalies in your system. With proper tuning, you are aware of your environment and can quickly identify high-impact systems that are talking out to known bad sites, or malicious sites that are attempting to talk to your systems. This takes some planning in defining those systems. Your AD servers are not necessarily the only high-impact systems. Consider defining applications in the DMZ, especially those that have to connect back to databases in your protected zones. Those are usually the prime devices that bad actors target. The Situational Awareness dashboard benefits the Systems, Network and Security teams, as it uses information from cloud service logs, geo-location information, anonymous proxies, comment-spam IPs, malicious IPs, phishing URLs, trusted scanners, IPS/IDS, TOR IPs and untrusted bots, to name a few.
3. Systems Awareness Dashboard – Those on the systems engineering side of the organization must rely on multiple areas to troubleshoot issues in both the Linux and Windows environments. Many of the collected logs come from DC data sources rather than directly from the originating host, and you should not expect them to unless that host is a high-impact system. What I am stating is that it is not always necessary to collect logs from every single data source in the environment. One area where I do recommend collecting logs, and which is sometimes ignored, is the storage infrastructure; its logs help to quickly identify issues that can cause major failures in the server environment. Your SIEM should be looking at health information and raising alarms that identify issues within the systems environment.
4. Network Awareness Dashboard – Like the Systems and Security Awareness dashboards, your SIEM is the centralized location for collecting the logs used to troubleshoot and assess the health of your network environment. Although most environments differ in what they deem network vs. systems vs. security devices, and we sometimes see an overlap of views because of this, it does not hurt to have multiple sets of eyes on events coming out of this environment. Your IPS/IDS, firewalls, network gateways, routers, VPN gateways, etc., should be identified, and you should have a central place to view the health and effectiveness of your edge devices.
5. Correlation Dashboard – Your correlation engine is one of the most important aspects of your SIEM environment. This is a required dashboard that should be viewed daily. It is your real-time threat detection engine, identifying patterns based on risk scores and historical data. It is one of the most overlooked and most helpful sections of the SIEM and can be very useful if tuned properly. Last, but not least:
6. Alarms and Watchlists – While not a dashboard per se, configuring alarms is easy to do if you are presented with the correct information. If your environment is not properly tuned to reduce false positives/negatives, your alarms may be useless. You may also suffer from infobesity due to configuring too many alarms for alerts that mean little to your daily management of the environment, which leads to ignoring critical issues when they do come up.
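The following is an added illustration, not code from the original post or any SIEM product, of how items 2, 5 and 6 fit together: watchlists of bad IPs are matched against traffic to and from defined high-impact systems, each match adds to a per-host risk score, and only hosts over a tuned threshold become alarms. The firewall log format, the watchlist addresses (documentation ranges), the asset names and the weights are all constructed for the example.

```python
# Added example: minimal correlation pass over constructed firewall log lines.
import re
from collections import defaultdict

# Constructed watchlists (RFC 5737 documentation addresses, not real IoCs).
WATCHLISTS = {
    "tor_exit": {"198.51.100.7"},
    "malicious": {"203.0.113.9"},
    "anonymous_proxy": {"203.0.113.44"},
}
# Constructed high-impact asset inventory: a DMZ web server and a protected DB.
HIGH_IMPACT = {"10.0.5.10": "dmz-web01", "10.0.10.5": "db01"}
# Risk weight per watchlist category; the alarm threshold is the tuning knob
# that keeps low-value single matches from becoming noise.
WEIGHTS = {"malicious": 60, "tor_exit": 40, "anonymous_proxy": 20}
ALARM_THRESHOLD = 50

# Hypothetical firewall log format: "<ts> <device> src=.. dst=.. action=.."
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)")

SAMPLE_LOGS = [  # constructed sample lines
    "2024-03-01T10:00:01Z fw01 src=10.0.5.10 dst=203.0.113.9 action=allow",
    "2024-03-01T10:00:02Z fw01 src=198.51.100.7 dst=10.0.10.5 action=deny",
    "2024-03-01T10:00:03Z fw01 src=10.0.7.22 dst=203.0.113.44 action=allow",
    "2024-03-01T10:00:04Z fw01 src=10.0.5.10 dst=203.0.113.44 action=allow",
]


def score_events(lines):
    """Return {asset_ip: (risk_score, [matched categories])} for high-impact hosts."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparsable line: belongs in the log manager, not the parser
        src, dst = m.group("src"), m.group("dst")
        # Check both directions: outbound to a bad site, and inbound from one.
        for asset, peer in ((src, dst), (dst, src)):
            if asset not in HIGH_IMPACT:
                continue
            for category, ips in WATCHLISTS.items():
                if peer in ips:
                    scores[asset] += WEIGHTS[category]
                    reasons[asset].append(category)
    return {h: (scores[h], reasons[h]) for h in scores}


def alarms(lines, threshold=ALARM_THRESHOLD):
    """Only high-impact hosts at or above the tuned threshold raise an alarm."""
    return {HIGH_IMPACT[h]: s for h, (s, _) in score_events(lines).items() if s >= threshold}
```

With the default threshold only dmz-web01 alarms (malicious plus anonymous-proxy contacts); lowering the threshold to 30 also surfaces db01, which had a single denied TOR connection, showing how the threshold decides between a useful alarm and infobesity.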
The dashboards mentioned above should all have a risk analysis component. You should know how well your systems are working to protect your infrastructure. Am I healthy? If my risk level is constantly sitting at the medium level or above, is it due to a lack of tuning, or is something really affecting my environment?
Finally, you do not have to parse EVERY collected log. Yes, from an audit perspective it may be important to retain that TTY0 log which presents no meaningful information; if that is the case, save processing power by sending it to your Log Manager and don’t overwhelm the parsing engine with nonsensical data. Additionally, avoid writing a significant number of custom parsers. In my experience, if your SIEM does not provide parsers for known technologies, it is a glorified log aggregator and not a SIEM. Your NOC will thank you!
Happy hunting!