Friday, May 28, 2010

Recent SIEM/Log Management Webcast Q&A

A few weeks ago I did this fun webcast with NitroSecurity (recording) on Log Management and SIEM; here are some belated Q&A we got there:


Q1: Is it Security Incident Event Management or Security Information and Event Mgmt?

A1: SIEM stands for Security Information and Event Management. But please shoot whatever market analyst first mistook ‘information’ for ‘incident’.


Q2: What level of personnel resources is needed to maintain a SIEM?

A2: This is what is known as "the million dollar question” :-) First, it depends on your SIEM “use cases” – essentially on what you plan to accomplish using a SIEM. You can read “SIEM Bloggables” to see some of the high-level usage scenarios. For example, you might acquire and use a SIEM for reviewing compliance reports once a month. In this case, your personnel requirement will probably not exceed a few hours of 1 FTE. On the other extreme, you might be building a Security Operations Center (SOC) for a global enterprise based on a SIEM. In this case, you might be looking at dozens of people of varying skill levels, from junior analysts to senior SOC managers.


Q3: Please explain chain of custody.

A3: Wikipedia’s definition is just fine, see: http://en.wikipedia.org/wiki/Chain_of_custody. In brief: “Chain of custody (CoC) refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.”
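As an added illustration (not part of the original post) of what the "chronological documentation" in that definition looks like for electronic evidence, the constructed Python example below keeps a hash-linked custody log for one seized log file: every handling step records the evidence digest and the digest of the previous entry, so that a later edit to any entry, or a swap of the evidence itself, shows up when the chain is verified. The actor names, timestamps and the sample log line are invented.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

GENESIS = "0" * 64  # previous-entry link used by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    action: str             # seizure, transfer, analysis, disposition, ...
    actor: str              # who took or handed over custody
    timestamp: str          # ISO-8601, supplied by the caller here
    evidence_sha256: str    # digest of the evidence as seen at this step
    prev_entry_sha256: str  # digest of the previous entry (the hash link)
    note: str = ""

    def digest(self) -> str:
        # Canonical JSON so the digest is stable across runs and machines
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class CustodyLog:
    """Hash-linked record of every handling step for one piece of evidence."""

    def __init__(self, evidence: bytes):
        self.evidence_sha256 = sha256_hex(evidence)  # fixed at seizure time
        self.entries: List[CustodyEntry] = []

    def record(self, action: str, actor: str, evidence: bytes,
               timestamp: str, note: str = "") -> CustodyEntry:
        prev = self.entries[-1].digest() if self.entries else GENESIS
        entry = CustodyEntry(action, actor, timestamp,
                             sha256_hex(evidence), prev, note)
        self.entries.append(entry)
        return entry

    def verify(self) -> List[str]:
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_sha256 != prev:
                problems.append(f"entry {i} ({e.action}): hash link broken, log was altered")
            if e.evidence_sha256 != self.evidence_sha256:
                problems.append(f"entry {i} ({e.action}): evidence digest differs from seizure digest")
            prev = e.digest()
        return problems


def demo() -> List[str]:
    # Constructed sample: one firewall log line taken as evidence
    evidence = b"2010-05-28T10:00:01Z fw1 DROP 10.0.0.5 -> 203.0.113.7:22\n"
    log = CustodyLog(evidence)
    log.record("seizure", "analyst-a", evidence, "2010-05-28T11:00:00Z", "copied from fw1")
    log.record("transfer", "analyst-b", evidence, "2010-05-28T12:00:00Z")
    log.record("analysis", "analyst-b", evidence, "2010-05-28T13:00:00Z")
    return log.verify()  # [] when nothing was tampered with


if __name__ == "__main__":
    print(demo() or "chain intact")
```

The hash link is what makes the record more than a spreadsheet: a custody log that can be silently edited after the fact is only as trustworthy as whoever has write access to it, whereas here any change to an earlier entry breaks every link after it.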


Q4: How long does PCI DSS require logs to be kept?

A4: As per PCI DSS v 1.2.1 Requirement 10.7: “Retain audit trail history [A.C. – i.e. logs] for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).” A typical SIEM or log management tool can hold 90 days of data with up to 1 year available in file backups.
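To make that "90 days online, one year in backups" split checkable rather than assumed, here is an added Python example (not from the original post) that takes a constructed list of log archive records, each with a tier of online or backup and a date range, and reports which days of the 90-day window are not immediately available and which days of the one-year window are not retained anywhere. The archive records and dates are invented; the two window sizes come from the Requirement 10.7 text quoted above.

```python
from datetime import date, timedelta
from typing import Dict, List, Set

# PCI DSS v1.2.1 Requirement 10.7 figures, as quoted in the post
ONLINE_DAYS = 90    # "minimum of three months immediately available"
RETAIN_DAYS = 365   # "at least one year"


def archive(tier: str, start: str, end: str) -> Dict[str, str]:
    """Constructed archive metadata record; tier is 'online' or 'backup'."""
    if tier not in ("online", "backup"):
        raise ValueError(f"unknown tier {tier!r}")
    return {"tier": tier, "start": start, "end": end}


def _days(start: str, end: str) -> Set[date]:
    """All calendar days from start to end inclusive (ISO-8601 strings)."""
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    return {first + timedelta(days=i) for i in range((last - first).days + 1)}


def _covered(archives: List[Dict[str, str]], tiers: Set[str]) -> Set[date]:
    days: Set[date] = set()
    for a in archives:
        if a["tier"] in tiers:
            days |= _days(a["start"], a["end"])
    return days


def check_retention(archives: List[Dict[str, str]], today: str,
                    online_days: int = ONLINE_DAYS,
                    retain_days: int = RETAIN_DAYS) -> Dict[str, List[str]]:
    """Return the days missing from the online window and from the retention window."""
    end = date.fromisoformat(today)
    online_window = {end - timedelta(days=i) for i in range(online_days)}
    retain_window = {end - timedelta(days=i) for i in range(retain_days)}
    online = _covered(archives, {"online"})
    retained = _covered(archives, {"online", "backup"})
    return {
        "missing_online": sorted(d.isoformat() for d in online_window - online),
        "missing_retained": sorted(d.isoformat() for d in retain_window - retained),
    }


def demo(today: str = "2010-05-28") -> Dict[str, List[str]]:
    # Constructed sample: 90 days kept online in the SIEM, the rest in backups
    archives = [
        archive("online", "2010-02-28", "2010-05-28"),
        archive("backup", "2009-05-29", "2010-02-27"),
    ]
    return check_retention(archives, today)


if __name__ == "__main__":
    result = demo()
    for key, days in result.items():
        print(f"{key}: {len(days)} day(s) missing", days[:3])
```

Running the check per day rather than per archive is deliberate: a set of archives can look like a full year on paper while a rotation hiccup leaves a gap of a few days, and an assessor asking for that exact week will find it.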


Q5: Does adding context/content sources slow the SIEM down?

A5: It depends on the SIEM. Some of the commercial products are slow even without anything being added to them :-) Others can handle extreme event loads. So, the only way to know for sure is to use it in your environment, with your log data and with your context data (assets, vulnerabilities, user roles, etc.).


BTW, slides similar to those I used at the webinar are posted at Slideshare and embedded below:




Enjoy!


Dr Anton Chuvakin