You got a SIEM! Now what?
Before we go any further, a SIEM (Security Information and Event Management) is a device or piece of software that collects logs from various sources and allows you to query them. Different products focus on different ways to do this. Some require you to create your own reports and are extremely powerful; others have almost limitless canned reports and require little more than a web interface to use. In both cases, you suddenly have access to a ton of data that allows you to correlate your firewall logs, server logs, and potentially any other log in your environment. This information can help you track down attackers and spot odd behavior on your network.
All of this sounds great! The only caveat is that you are literally pulling in hundreds of logs a minute. I asked one vendor how they set up a new client on their SIEM. Their response was to alert off everything and then filter out logs as you realize they are not relevant. This seems like a great idea until you are getting 1,000 or more logs an hour, at which point you quickly realize that you either need to hire a bunch of security analysts or you need to come up with a new plan.
This is honestly why most SIEM deployments turn into just a checkbox for compliance and are never actually looked at. Proper configuration and fine tuning are critical for a workable solution.
This blog post isn’t long enough to go over everything you should pay attention to, and in reality, each organization is different. But I will try to make suggestions on the types of events to monitor.
Each device in your organization should log failed logins, and you should monitor those logs. If you are running Active Directory, then your domain will be pretty easy to monitor, but also review logons to your firewall and switches. It is also good to monitor successful logins. You might not want to alert off of them, but you will want to know if someone fails 50 times and then is able to log in. Speaking of your firewall logs, it is important to see port scans against your firewall. Many SIEM tools will allow you to graphically display what region they are originating from. Finally, look at your organization as a whole. What data are you most concerned about? What actions on the machines holding that data would most concern you? You might want to consider turning up the logging on those machines and focusing on the logs that would indicate those actions are happening.
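As an added illustration of the "fails 50 times and then is able to log in" check described above (example code written for this post, not from the original article or from Thrive), the script below correlates failed and successful logins per user over a sliding time window. The syslog-style line format, the 50-failure default threshold and the 10-minute window are assumptions; the log lines are constructed for the example and do not come from any real system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   <ISO timestamp> <host> auth: FAILED|SUCCESS login user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def find_brute_force_successes(lines, threshold=50, window=timedelta(minutes=10)):
    """Return one alert per successful login that was preceded by at least
    `threshold` failed logins for the same user inside `window`."""
    failures = defaultdict(deque)  # user -> deque of (timestamp, source ip)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a real pipeline would count these too
        recent = failures[ev["user"]]
        # Expire failures that are older than the window relative to this event.
        while recent and ev["ts"] - recent[0][0] > window:
            recent.popleft()
        if ev["result"] == "FAILED":
            recent.append((ev["ts"], ev["src"]))
            continue
        # A success: alert only if the user crossed the failure threshold.
        if len(recent) >= threshold:
            alerts.append({
                "user": ev["user"],
                "success_src": ev["src"],
                "success_at": ev["ts"].isoformat(),
                "failures": len(recent),
                "failure_srcs": sorted({src for _, src in recent}),
            })
        recent.clear()  # a successful login resets the count for that user
    return alerts


def build_sample_logs():
    """Constructed sample events covering three cases (not real data)."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    # Case 1: 50 failures for 'admin' every 5 seconds, then a success -> alert.
    for i in range(50):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} fw01 auth: FAILED login user=admin src=203.0.113.7")
    ts = (base + timedelta(seconds=260)).isoformat()
    lines.append(f"{ts} fw01 auth: SUCCESS login user=admin src=203.0.113.7")
    # Case 2: a user with two typos, then a success -> no alert.
    for i in range(2):
        ts = (base + timedelta(minutes=1, seconds=i)).isoformat()
        lines.append(f"{ts} dc01 auth: FAILED login user=jdoe src=10.0.0.15")
    ts = (base + timedelta(minutes=1, seconds=5)).isoformat()
    lines.append(f"{ts} dc01 auth: SUCCESS login user=jdoe src=10.0.0.15")
    # Case 3: 50 failures spread two minutes apart (100 minutes in total), then a
    # success. Only the failures inside the 10-minute window count -> no alert.
    for i in range(50):
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} dc01 auth: FAILED login user=svc_backup src=10.0.0.30")
    ts = (base + timedelta(minutes=100)).isoformat()
    lines.append(f"{ts} dc01 auth: SUCCESS login user=svc_backup src=10.0.0.30")
    lines.append("this line is deliberately malformed and should be skipped")
    return lines


if __name__ == "__main__":
    for alert in find_brute_force_successes(build_sample_logs()):
        print(alert)
```

Keying on the username rather than on the source address means a success is still caught when the attempts came from several addresses; the `failure_srcs` field in the alert lists them so an analyst can tell the difference. The threshold and window are the two knobs that decide how much noise this rule produces, which is exactly the fine tuning the post is talking about.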
You cannot monitor everything in your organization. What you can do is use the time you have to monitor wisely. Instead of trying to find a needle in a haystack, reduce the size of the haystack so the needle is easier to find. If you are considering a SIEM solution, talk with Thrive; we can install and monitor it for you. That way we only contact you when there is an issue, and you can focus on doing other things with your time.