Security Information & Event Management Blog | SIEM

Log Management Lesson: Confessions of a Security Systems Admin

“We thought we could handle all of the user’s problems Joe the security systems adminwithout analyzing every single log message. Now I'm a news headline!”

“What in the world just happened? Last week all was good. My job was going great, I never thought I’d be sitting here worrying whether or not I’d get fired for making headlines, but here it is staring right through me from my monitor – my company just acknowledged a massive security breach.

“Here’s the logic my team and I have lived by for years, and it seemed very reasonable, until today:

  1. I’m in no hurry and what’s all this about being proactive with IT security. If there’s a problem my team and I will get to it, like we do for all our tickets.
  2. You want us to look at all this log data and do what? Find some clue amongst all these messages to prevent hacking? How can we possibly ID these relationships, we don’t even know where the data is?  Sheesh, there are so many messages and most of them are meaningless.
  3. We don’t have time to be looking through logs and what on earth should we be looking for? The users will call us if there is a problem.
  4. Security breach? Well some folks believe that we have had them on occasion but I think it’s just user error.
  5. Hey, we’re only human. We are bound to have some security violations. It happens, but no real damage is done. Well, none that I am aware of…
  6. My users? Profile them??? Why? I know them, they wouldn’t breach security!
  7. Our file systems are fine. Each person with a laptop makes sure that their file systems are good as gold!
  8. Well, we do investigate incidents when they are reported. We have to, it’s corporate policy; plus, how else would they get fixed? I have to admit that some of these incidents seem to come and go and they are basically meaningless. It’s a good thing that we don’t spend too much time chasing them all down.
  9. Come on, of course we don’t keep track of every invalid login. We can’t track and worry about every minor keystroke error.
  10. Compliance? What does that mean? Absolutely, we are in compliance, here’s the checklist. Of course, this is just a checklist of suggested activity anyway, isn’t it? Plus, we do backup of the data periodically.
  11. Intrusion? Attack? Come on! That’s all newspaper fodder. It couldn’t really happen to me...

“I can’t believe this is happening… Why didn’t I look at this better before? What am I going to do if I lose my job to a security breach? I won’t be able to get another job anywhere!!!”
– Joe at Somewhere IT

Of course, this sounds a little foolish and hard to believe; at least I hope it sounds foolish to you.  Sure, it’s an exaggeration, but there is a reality here. Without a proactive approach to SIEM, you could be in Joe’s shoes. A best-practice, proactive approach to locking down your systems and taking compliance more seriously is habitual. It doesn’t happen overnight, but with the right people, process and technologies in place, you can keep out of the headlines for the wrong reasons and be a hero to your organization for the right ones.

Seven Things to be Mindful of for SIEM

Joe and his team can be turned around and so that you have the right people in place, and chances are you have good processes for securing your organization. As for your technology, here are six things to keep in mind when looking for the right SIEM solution:

  • Message log collection today is becoming more standard across both large and small enterprises. Make sure your SIEM solution can collect data from any platform and archive years of it with encryption.
  • Where is your message log data? You can save countless man-hours by having a system of record for all message log data where any authorized analyst can retrieve it for investigation and forensics.
  • Correlation is critical. Message log data in and of itself has little meaning but with an accurate correlation engine you can unearth patterns of message logs that indicate breaches and compliance violations.
  • Your correlation engine should have some automated action-by-event alert mechanism such as the creation of a help desk ticket. This will create a more proactive approach to unearth threats before they happen.
  • Your SIEM system should have and easy-to-configure rules-based methodology that allows you to act on the most relevant messages.
  • In addition to being a central repository for message logs, your SIEM system should facilitate compliance requirements for all system-wide transactions, including database and Internet access. With severe penalties levied by regulatory agencies, having a single application is critical to maintain overall organization compliance for PCI DSS, HIPAA, SOX, FISMA, GLBA, NCUA, NERC and many other mandates.
  • Visibility is king. Having a single solution for message log data and correlation translates to a single system-wide view of security and compliance presented in a single console. Your system should be able to collect data from any device that sends a log, and also across both distributed and mainframe platforms.

Created on 10/05/11 at 22:19:56

With external and internal attacks becoming more prevalent, the chance of you becoming a headline increases daily. If you wait for a user to notify you of a problem, it’s too late.  And what do you do about the volumes of data? The one thing that is very accurate from Joe’s message above is: “There are so many messages and most of them are meaningless.”  If he only knew which ones, he wouldn’t be sitting there agonizing over what’s going to happen to him next.

I wonder in today’s complex IT environments, with the multitude of vendor devices and applications to support, how a company can survive (not just get by!) without a SIEM solution that has a powerful correlation engine. How else can you separate the problem needle from the haystack of noise? Is that a luxury or a requirement? We know how Joe feels today, but I’ll let you decide for yourself.

0 replies