2. Roundtable Participants
Bill Sieglein
President, CSO Breakfast Club
Dr. Anton Chuvakin
Author/Blog @ Security Warrior
Tim Mather CISSP, CISM
I4, former Chief Security Strategist at RSA, former CSO Symantec
Randolph Barr, CISSP
CSO Qualys, former CSO at WebEx Comm.
Jamie Sanbower, CISSP
Cyber Security Director @ Force3
Scott Gordon CISSP
Vice President, AccelOps
(c) 2010 AccelOps- Putting the Top 10 SIEM Best Practices To Work 09.02.10 2
3. Ask the Experts:
What is a SIEM? (rhetorical)
A solution that aggregates, normalizes, filters, correlates and manages security and other operational event / log data to monitor, alert, report, analyze and manage security and compliance-relevant information.
Send us your questions…
CHAT to moderators
Tweet Top10SIEMbpract
Email siemtop10@accelops.net
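The definition above lists the stages a SIEM runs events through: aggregate, normalize, filter, correlate, then alert and report. The following is an added example (not code from the deck or from AccelOps) that walks constructed sshd and firewall log lines through those stages in Python. The log lines, host names, IP addresses, the assumed log year and the "three failures then a success within 60 seconds" rule are all constructed for illustration.

```python
"""Minimal SIEM pipeline: aggregate -> normalize -> filter -> correlate -> report.

Added example, not from the AccelOps deck. All sample logs, hosts, IPs and
thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Aggregation stage: constructed lines from two different log formats.
RAW_LOGS = [
    "Sep  2 09:00:01 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 51000 ssh2",
    "Sep  2 09:00:04 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 51002 ssh2",
    "Sep  2 09:00:09 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51005 ssh2",
    "Sep  2 09:00:15 bastion sshd[2201]: Accepted password for admin from 203.0.113.7 port 51010 ssh2",
    "Sep  2 09:00:16 bastion CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "fw01 2010-09-02T09:00:20Z DENY TCP src=198.51.100.9 dst=10.0.0.5 dport=3389",
    "fw01 2010-09-02T09:01:00Z DENY TCP src=198.51.100.9 dst=10.0.0.5 dport=445",
    "Sep  2 09:02:30 bastion sshd[2201]: Failed password for bob from 192.0.2.44 port 40000 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[\d+\]: (?P<msg>.*)$"
)
SSHD_RE = re.compile(
    r"^(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\S+Z) (?P<verdict>DENY|ALLOW) (?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)
ASSUMED_YEAR = 2010  # classic syslog carries no year; constructed assumption


def normalize(line):
    """Normalize + filter: map a raw line onto one schema, or None if it is noise."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        if m["prog"] == "sshd":
            s = SSHD_RE.match(m["msg"])
            if s:
                return {"ts": ts, "host": m["host"], "src_ip": s["ip"], "user": s["user"],
                        "action": "auth_success" if s["result"] == "Accepted" else "auth_fail",
                        "raw": line}
        return None  # filtered out: no security meaning for this pipeline (e.g. cron)
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "host": m["host"], "src_ip": m["src"], "user": None,
                "action": "fw_deny" if m["verdict"] == "DENY" else "fw_allow",
                "dport": int(m["dport"]), "raw": line}
    return None


def correlate(events, fail_threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: a burst of failed logins from one source followed by a success."""
    alerts = []
    failures_by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "auth_fail":
            failures_by_src[ev["src_ip"]].append(ev["ts"])
        elif ev["action"] == "auth_success":
            recent = [t for t in failures_by_src[ev["src_ip"]] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append({"rule": "brute_force_then_success", "src_ip": ev["src_ip"],
                               "user": ev["user"], "failures": len(recent), "ts": ev["ts"]})
    return alerts


def run_pipeline(lines):
    """Run every stage and return the normalized events, a summary and the alerts."""
    events = [e for e in (normalize(line) for line in lines) if e is not None]
    summary = defaultdict(int)
    for e in events:
        summary[e["action"]] += 1  # reporting stage: counts per normalized action
    return {"events": events, "summary": dict(summary), "alerts": correlate(events)}


if __name__ == "__main__":
    result = run_pipeline(RAW_LOGS)
    print(result["summary"])
    for alert in result["alerts"]:
        print(alert)
```

The cron line is dropped at the filter stage, the two firewall denies are counted but raise no alert on their own, and the three failures from 203.0.113.7 followed by a success within the window produce the single correlated alert; a real deployment would replace the two regexes with parsers for each monitored device type and keep the correlation rules in configuration rather than code.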
4. Ask the Experts:
Monitoring and Reporting Requirements
Establish key monitoring and reporting requirements prior to deployment, including objective, targets, compliance controls, implementation and workflow.
5. Ask the Experts:
Infrastructure audit activations
Determine the scope of implementation, infrastructure audit targets, necessary credentials and verbosity, activation phases and activation.
6. Ask the Experts:
Audit data requirements
Identify and assure adherence to audit data requirements including accessibility, integrity, retention, evidentiary requisites, disposal and storage considerations.
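Two of the requirements named above, integrity and retention, pull in opposite directions: evidence must be provably unaltered, yet records must eventually be disposed of. The following is an added example (not code from the deck or from AccelOps) showing one way to reconcile them: each audit record is bound to the hash of the one before it, so editing or deleting a record in the middle is detectable, while expired records are removed only from the head of the chain and replaced by a recorded checkpoint hash that the remaining records still verify against. The sample records, the 90-day retention period and the "now" date are constructed.

```python
"""Hash-chained audit log: tamper-evident storage plus retention pruning.

Added example, not from the AccelOps deck. The records, retention period and
reference date are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64  # trust anchor for a chain that has never been pruned

# Constructed audit records; assumed to be appended in time order.
SAMPLE = [
    {"ts": "2010-06-01T08:00:00", "user": "alice", "event": "login", "host": "db01"},
    {"ts": "2010-08-15T12:30:00", "user": "bob", "event": "config_change", "host": "fw01"},
    {"ts": "2010-09-01T09:10:00", "user": "carol", "event": "privilege_grant", "host": "db01"},
]


def _digest(prev_hash, record):
    """Hash the previous entry's hash together with a canonical encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(chain, record):
    """Append a record, binding it to the hash of the entry before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry["hash"]


def build_chain(records):
    chain = []
    for r in records:
        append(chain, r)
    return chain


def verify(chain, start=GENESIS):
    """Walk the chain from a trust anchor; return (ok, index of first bad entry or None)."""
    prev = start
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def prune_expired(chain, now, retention, start=GENESIS):
    """Drop expired records from the head only, returning the new chain and the
    checkpoint hash that must be stored alongside it as the new trust anchor."""
    cutoff = now - retention
    kept, checkpoint = list(chain), start
    while kept and datetime.fromisoformat(kept[0]["record"]["ts"]) < cutoff:
        checkpoint = kept.pop(0)["hash"]
    return kept, checkpoint


def run_demo(now=datetime(2010, 9, 2), retention=timedelta(days=90)):
    """Exercise integrity and retention handling on the constructed records."""
    chain = build_chain(SAMPLE)
    tampered = json.loads(json.dumps(chain))   # independent copy of the chain
    tampered[1]["record"]["user"] = "mallory"  # simulated in-place edit of one record
    deleted = chain[:1] + chain[2:]            # simulated removal of a middle record
    kept, checkpoint = prune_expired(chain, now, retention)
    return {
        "original": verify(chain),
        "tampered": verify(tampered),
        "deleted": verify(deleted),
        "kept_after_prune": len(kept),
        "pruned_with_checkpoint": verify(kept, start=checkpoint),
        "pruned_without_checkpoint": verify(kept),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The checkpoint hash returned by prune_expired is itself evidence and belongs in write-once storage; without it the pruned chain no longer verifies from GENESIS, which is exactly the property that makes silent deletion from the head detectable.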
7. Ask the Experts:
Access Controls
Monitor, respond to and report on key status, violations and anomalous access to critical resources.
8. Ask the Experts:
Perimeter Defenses
Monitor, respond to and report on key status, configuration changes, violations/attacks and anomalous activity associated with perimeter defenses.
9. Ask the Experts:
Network and host defenses
Monitor, respond to and report on key status, configuration changes, violations/attacks and anomalous activity associated with internal network and host defenses.
10. Ask the Experts:
Network and system resource integrity
Monitor, respond to and report on key status, configuration changes, patches, vulnerabilities, threats and anomalous activity affecting network and system resources.
11. Ask the Experts:
Malware Control
Monitor, respond to and report on key status, threats, issues, violations and activity supporting malware controls.
12. Ask the Experts:
Access management and acceptable use
Monitor, respond to and report on key status, configuration changes, violations and anomalous activity affecting access management, user management and acceptable use of resources.
13. Ask the Experts:
Application defenses
Monitor, respond to and report on key status, configuration changes, violations and anomalous activity with regard to web, database and other application defenses.
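The perimeter, network/host, resource-integrity and application slides all ask for "configuration changes" to be monitored and reported, and a SIEM can only do that if it has an approved baseline to compare against. The following is an added example (not code from the deck or from AccelOps) that diffs a current firewall rule set against its approved baseline, reports every added and removed rule, and raises an alert when an added rule is overly permissive. The two rule sets, the admin-port list and the risk criteria are constructed; the same approach applies to any device configuration that can be rendered as a list of records.

```python
"""Configuration-drift check: current rule set versus an approved baseline.

Added example, not from the AccelOps deck. Rule sets, the admin-port list and
the risk criteria are constructed for illustration.
"""

# Constructed approved baseline for a perimeter device.
BASELINE = [
    {"action": "allow", "src": "any", "dst": "10.0.0.10", "proto": "tcp", "dport": 443},
    {"action": "allow", "src": "10.0.1.0/24", "dst": "10.0.0.5", "proto": "tcp", "dport": 22},
    {"action": "deny", "src": "any", "dst": "any", "proto": "any", "dport": "any"},
]

# Constructed rule set as collected from the device today.
CURRENT = [
    {"action": "allow", "src": "any", "dst": "10.0.0.10", "proto": "tcp", "dport": 443},
    {"action": "allow", "src": "any", "dst": "10.0.0.5", "proto": "tcp", "dport": 22},   # widened
    {"action": "allow", "src": "any", "dst": "any", "proto": "any", "dport": "any"},     # permissive
    {"action": "deny", "src": "any", "dst": "any", "proto": "any", "dport": "any"},
]

ADMIN_PORTS = {22, 23, 3389, 5900}  # constructed list of management ports


def rule_key(rule):
    """Canonical identity of a rule, independent of its position in the list."""
    return (rule["action"], rule["src"], rule["dst"], rule["proto"], str(rule["dport"]))


def diff_rules(baseline, current):
    """Return rules present only in current (added) and only in baseline (removed)."""
    base = {rule_key(r): r for r in baseline}
    cur = {rule_key(r): r for r in current}
    return {
        "added": [cur[k] for k in cur if k not in base],
        "removed": [base[k] for k in base if k not in cur],
    }


def risk_findings(rule):
    """Constructed risk criteria for a single allow rule."""
    findings = []
    if rule["action"] != "allow":
        return findings
    if rule["src"] == "any" and rule["dst"] == "any":
        findings.append("allow any->any")
    if rule["src"] == "any" and rule["dport"] in ADMIN_PORTS:
        findings.append(f"admin port {rule['dport']} exposed to any source")
    return findings


def has_default_deny(rules):
    """Key status check: the final catch-all deny must still be present and last."""
    return bool(rules) and rule_key(rules[-1]) == ("deny", "any", "any", "any", "any")


def audit(baseline, current):
    """Produce the change report and alerts a SIEM would raise for this device."""
    changes = diff_rules(baseline, current)
    alerts = [{"rule": r, "finding": f} for r in changes["added"] for f in risk_findings(r)]
    return {
        "added": changes["added"],
        "removed": changes["removed"],
        "alerts": alerts,
        "default_deny_present": has_default_deny(current),
    }


if __name__ == "__main__":
    report = audit(BASELINE, CURRENT)
    print(f"added={len(report['added'])} removed={len(report['removed'])} "
          f"default_deny={report['default_deny_present']}")
    for alert in report["alerts"]:
        print(alert["finding"], "->", alert["rule"])
```

Comparing by rule content rather than by rule number means a reordered but unchanged rule set produces no noise, while the widened SSH rule shows up as one removal plus one addition, and only the addition is scored for risk.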
14. Webcast Sponsor:
Challenges
Complex Threats and Environment
Monitoring, Search & Reporting Scope
Implementation and Scale Difficulty
Timely & Extensive Device Support
Awareness & Priority
Budget for Isolated Security Tools
Integrated Data Center Monitoring
Single pane of glass – Intelligence at your fingertips
End-to-end visibility – service, performance, availability, security, change and compliance management
SOC/NOC convergence – extensive operational visibility
IT Service Efficiency – proactive monitoring, expedited root-cause analysis, flexible search/reporting
Value – easy to use, implement and scale with rich feature set
Virtual Appliance or SaaS – out of the box use and readily scale
15. Ask the Experts:
In Conclusion
Map your requirements; output, audience, functional
Scope implementation; size, deployment, activation
Determine operating norms; what will you do with the information, incident workflow, escalation…
One size does not fit all; dovetail your infosec policy with the best practices that work best for your organization
For more detailed and on-going contribution to SIEM best practices visit: www.accelops.net/SIEMtop10.php
16. Ask the Experts:
For a more extensive, on-going set of Top 10 SIEM Best Practices visit: WWW.ACCELOPS.NET/SIEMtop10.php
Released under a Creative Commons 3.0 Attribution license: http://creativecommons.org/licenses/by/3.0/
Thanks to content contribution from:
Scott Gordon CISSP
Randolph Barr, CISSP
Dr. Anton Chuvakin
Jamie Sanbower, CISSP
Tim Mather CISSP, CISM
Bill Sieglein CISSP
SANS.org in reference to…
Top Cyber Security Risks
20 Critical Security Controls
April Russo (number graphics)