Tuesday, August 17, 2010

New SIEM Whitepaper on Use Cases In-Depth OUT!

A lot of people talk about “SIEM use cases” (example), but few describe them in depth, complete with instructions on how to actually solve the problems and carry out each use case using a particular SIEM tool. Here at Security Warrior Consulting, we are all about DOING, not just TALKING :-)

With this introduction, I am presenting a new detailed SIEM whitepaper that I wrote for the RSA enVision team. “This paper will help jumpstart SIEM use process and highlight common SIEM usage scenarios for organizations of all sizes. It will also explain how to operationalize the SIEM tool and utilize it for many security use cases and scenarios, from Web site threats to security incident response. Specific examples from RSA’s enVision platform are used to illustrate the concepts in the paper.”
Here is an excerpt from one use case from the paper:

Comprehensive firewall monitoring (security + network)

Since the early days of SIEM technology, firewall log data has been considered one of the most useful and most commonly collected information sources. Apart from allowing and denying connections to and from the network, firewalls can record, or log, every single connection they deny or allow. Examples would be connections from the outside world to the DMZ Web server, or connections by users inside the company to their favorite social media Web site.

Analysis of such logs is extremely useful for security, compliance and even operational purposes such as network management, bandwidth management, etc. For example, on the compliance side, PCI DSS, HIPAA and NERC/FERC all have firewall logging implications. Firewall logs are also extremely useful for incident response and forensics, since they can help identify connectivity patterns and serve as “poor man’s netflow.” On top of this, firewall logs can be used to assess the health of the firewall itself and to optimize rule set performance.

Collection: comprehensive firewall log collection is mandatory for this use case, and it is important to remember that firewalls can record both failed and successful connections through the firewall – both types are essential for SIEM.
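To make the use case concrete, here is an added Python example that is not from the paper and not enVision code: it runs the three analyses described above (a connectivity tally as “poor man’s netflow,” per-rule hit counts for rule set tuning, and a check that only works when both denied and allowed connections are collected) over a few constructed firewall log lines. The syslog-style line format, rule ids and addresses are all made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a made-up syslog-style format (not enVision's).
SAMPLE_LOGS = """\
Aug 17 10:01:02 fw1 kernel: ACCEPT rule=12 src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=443
Aug 17 10:01:05 fw1 kernel: ACCEPT rule=12 src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=443
Aug 17 10:01:07 fw1 kernel: DENY rule=99 src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=22
Aug 17 10:01:08 fw1 kernel: DENY rule=99 src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=3389
Aug 17 10:01:09 fw1 kernel: DENY rule=99 src=198.51.100.9 dst=192.0.2.11 proto=tcp dport=1433
Aug 17 10:01:10 fw1 kernel: ACCEPT rule=12 src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=80
Aug 17 10:02:00 fw1 kernel: ACCEPT rule=7 src=10.0.0.23 dst=203.0.113.200 proto=tcp dport=443
Aug 17 10:02:01 fw1 kernel: DENY rule=99 src=203.0.113.77 dst=192.0.2.10 proto=udp dport=161
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DENY) rule=(?P<rule>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

def parse(text):
    """Yield one event dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["rule"], e["dport"] = int(e["rule"]), int(e["dport"])
            yield e

def connectivity_pattern(events):
    """'Poor man's netflow': how often each (src, dst, proto, dport) was allowed or denied."""
    return Counter((e["src"], e["dst"], e["proto"], e["dport"], e["action"]) for e in events)

def rule_hits(events):
    """Hits per rule id; rarely-hit rules are candidates for reordering or review."""
    return Counter(e["rule"] for e in events)

def denied_then_allowed(events, min_denied_ports=3):
    """Sources denied on >= min_denied_ports distinct ports that also got an ACCEPT; needs both log types."""
    denied, accepted = defaultdict(set), set()
    for e in events:
        if e["action"] == "DENY":
            denied[e["src"]].add(e["dport"])
        else:
            accepted.add(e["src"])
    return sorted(s for s, p in denied.items() if len(p) >= min_denied_ports and s in accepted)

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOGS))
    print(rule_hits(events), denied_then_allowed(events))
```

If you drop the DENY lines from the sample and rerun it, the last check finds nothing, which is exactly why the collection note above insists on both failed and successful connections.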
Grab the paper here [PDF]!

Another fun long whitepaper is coming soon … and it will be just as fun.

UPDATE (09/23/2013 [!]): the paper is again available here [PDF] with the following disclaimer, mandated and provided by RSA as a condition for paper access:

This document is provided for historical reference only; since the publication of this document by RSA, they have come out with RSA Security Analytics which provides centralized security monitoring by combining the collection of logs/events and network packets fused with threat intelligence.


Dr Anton Chuvakin