You got a SIEM! Now what?
Before we go any further, a SIEM (Security Information and Event Management) is an appliance or software product that collects logs from many sources and lets you query them in one place. Different products approach this differently: some require you to build your own reports and are extremely powerful, others ship with almost limitless canned reports and require little more than a web interface to work with. In both cases, you suddenly have access to a ton of data that lets you correlate your firewall logs, server logs, and potentially any other log in your environment. That correlation is what allows you to track down attackers and spot odd behavior on your network.
All of this sounds great! The only caveat is that you are literally pulling in hundreds of log entries a minute. I asked one vendor how they set up a new client on their SIEM. Their response was to alert off everything and then filter out logs as you realize they are not relevant. That may sound like a great idea, but once you are receiving 1,000 or more log entries an hour you quickly realize that you either need to hire a bunch of security analysts or come up with a new plan.
This is honestly why most SIEM deployments turn into a compliance checkbox that nobody actually looks at. Proper configuration and fine-tuning are critical for a workable solution.
This blog post isn’t long enough to go over everything you should pay attention to, and in reality, each organization is different. But I will try to make suggestions on the types of events to monitor.
Every device in your organization should log failed logins, and you should monitor those logs. If you are running Active Directory, your domain will be fairly easy to monitor, but also review logons on your firewall and switches. It is also worth monitoring successful logins. You might not want to alert on every one of them, but you will want to know when someone fails 50 times and then logs in successfully: a password-guessing attack that finally worked looks exactly like that. Speaking of your firewall logs, it is important to see port scans against your firewall. Many SIEM tools will allow you to graphically displ
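The "50 failures, then a success" rule above is the kind of correlation a SIEM exists for, and it is worth seeing how little logic it actually takes. The following is an added example, not code from the original post or from any SIEM product. It assumes a constructed, generic syslog-like line format (`<ISO timestamp> <host> auth: FAILED|ACCEPTED user=<name> src=<ip>`) and that lines arrive in time order; on a real source you would swap the parser for the device's own format (for Windows Security logs the equivalent events are 4625 for a failed logon and 4624 for a successful one). It keys the failure count on the source address rather than the account, so a spray across many accounts from one host is caught as well as a brute force against one account.

```python
"""Flag a successful login preceded by a burst of failures from the same source.

Added example: constructed log format and sample data, not from the original post.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format (constructed for this example):
#   2024-03-01T08:00:00 fw01 auth: FAILED user=admin src=203.0.113.7
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|ACCEPTED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_success_after_failures(lines, threshold=50, window=timedelta(minutes=10)):
    """Return one alert per ACCEPTED event whose source address produced at
    least `threshold` FAILED events (against any user) within `window`.

    Lines must be in chronological order; the sliding window is per source.
    """
    recent_failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a production rule should count these too
        q = recent_failures[ev["src"]]
        # Expire failures that fell outside the window before this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            continue
        # ACCEPTED: alert if this source was hammering us just before it got in.
        if len(q) >= threshold:
            alerts.append({
                "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                "src": ev["src"], "failures": len(q),
            })
        q.clear()  # one burst yields one alert; start counting fresh
    return alerts


def build_sample_log():
    """Constructed sample: one benign typo-and-retry, then 50 failures against
    'admin' from 203.0.113.7 spaced 5 s apart, followed by a success."""
    t0 = datetime(2024, 3, 1, 8, 0, 0)
    fmt = "{ts} fw01 auth: {res} user={user} src={src}"
    lines = [
        fmt.format(ts=(t0 - timedelta(minutes=3)).isoformat(),
                   res="FAILED", user="jsmith", src="198.51.100.5"),
        fmt.format(ts=(t0 - timedelta(minutes=2)).isoformat(),
                   res="ACCEPTED", user="jsmith", src="198.51.100.5"),
    ]
    for i in range(50):
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=5 * i)).isoformat(),
                                res="FAILED", user="admin", src="203.0.113.7"))
    lines.append(fmt.format(ts=(t0 + timedelta(seconds=250)).isoformat(),
                            res="ACCEPTED", user="admin", src="203.0.113.7"))
    return lines


if __name__ == "__main__":
    for a in find_success_after_failures(build_sample_log()):
        print(f"ALERT {a['ts']} {a['host']}: {a['failures']} failures from "
              f"{a['src']} then successful login as {a['user']}")
```

The benign user who mistypes once and then logs in does not trip the rule; the 50-failure burst does. Tuning is all in `threshold` and `window`: a slow attacker who spaces attempts an hour apart will slip under a ten-minute window, so pick the window based on what you actually see in your own failed-login volume rather than copying a number from a blog post.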