Lots of organizations are deploying Security Information and Event Management (SIEM) systems either to do their due diligence or because it’s part of a regulatory requirement. One of the misconceptions that typically is derived from marketing material is that you plug it in, turn it on, and voila, instant security. This couldn’t be further from the truth.
I look at SIEM like a meta-IDS (Intrusion Detection System). It is attempting to find those needles in the haystack. Most of the deployments I’ve worked on receive millions of events per day. Many of the events are informational. Sometimes it is mandatory to send those events to the SIEM because of regulatory requirements, so my goal is always to maximize our resources and make the best of the situation. When you’re getting millions of firewall events per day, for example, you can either have them take up space on your SAN uselessly or you can try to detect misuse with them.
The first thing you need to do is identify which systems will be forwarding events: typically all switches, routers, servers, applications, and security systems (network/host intrusion prevention, firewalls, anti-malware, etc.). The number of devices whose events you forward to the SIEM will depend on how much money you are willing to spend on the event collectors that receive and normalize events, and on the storage necessary to keep all of this data around.
Deciding what events to send to your SIEM is often challenging. The system you are investigating is going to have two capacity limits to be aware of: