SIEM: Moving Beyond Compliance

Dr. Anton Chuvakin recently wrote a white paper for RSA entitled SIEM: Moving Beyond Compliance. While I am no fan of RSA’s enVision product (Cymbel partners with AccelOps), the white paper is quite good. As its title says, it discusses “use cases” for SIEM beyond the basic compliance requirements that drive a lot of SIEM projects. Here is the list with my comments:

  • Server user activity monitoring – It’s not always possible to collect the logs from all servers. Sometimes a network-based product like PacketMotion is needed to complement log collection.
  • Tracking user actions across disparate systems – Same comments as above.
  • Comprehensive firewall monitoring – A key capability the SIEM needs here is Active Directory integration, so that the IP addresses in firewall logs can be mapped to users and reports generated by AD group.
  • Malware protection – I think this would be better termed “Malware behavior detection” since a SIEM cannot actually detect malware itself as an Intrusion Protection/Detection System would. Ideally, the SIEM should provide a behavior anomaly detection capability.
  • Web server attack detection – A SIEM can provide “detection” capabilities to complement the “protection” capabilities of a Web Application Firewall (Cymbel partners with Barracuda) whose logs also ought to be captured and correlated.
  • Incident response enablement – In addition to SIEM, Cymbel recommends a Full Packet Capture product be deployed. Cymbel partners with Solera Networks.
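To make the firewall-monitoring item concrete, here is an added example (not from the white paper or any vendor product) of the IP-to-user correlation a SIEM has to do: firewall deny events are attributed to the most recent AD logon seen from the same source address, then counted per AD group. The log lines, logon events and group memberships are all constructed; the eight-hour lookback window is an assumed session length.

```python
"""Correlate firewall DENY events with AD logon events and report by AD group."""
from collections import Counter
from datetime import datetime, timedelta
import re

# Constructed AD logon events: (timestamp, user, source IP). In a real deployment
# these are the Windows Security logon events forwarded to the SIEM.
AD_LOGONS = [
    ("2011-03-01 08:00:00", "alice", "10.1.1.5"),
    ("2011-03-01 08:05:00", "bob", "10.1.1.9"),
    ("2011-03-01 12:00:00", "carol", "10.1.1.5"),  # same IP re-assigned by DHCP
]
# Constructed group membership, as pulled from AD.
AD_GROUPS = {"alice": "Finance", "bob": "Engineering", "carol": "Finance"}

# Constructed firewall lines in a syslog-like format.
FW_LOGS = """\
2011-03-01 08:10:12 fw01 DENY TCP src=10.1.1.5 dst=203.0.113.7 dport=445
2011-03-01 08:11:30 fw01 DENY TCP src=10.1.1.9 dst=203.0.113.7 dport=22
2011-03-01 12:30:00 fw01 DENY UDP src=10.1.1.5 dst=198.51.100.2 dport=53
2011-03-01 13:00:00 fw01 DENY TCP src=10.1.1.77 dst=198.51.100.2 dport=80
"""
FW_RE = re.compile(r"^(\S+ \S+) \S+ (DENY|ALLOW) (\w+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def user_for(ip, ts, logons, max_age=timedelta(hours=8)):
    """Most recent AD logon from `ip` at or before `ts` within max_age (assumed window)."""
    best = None
    for lt, user, lip in logons:
        lt = parse_ts(lt)
        if lip == ip and lt <= ts and ts - lt <= max_age and (best is None or lt > best[0]):
            best = (lt, user)
    return best[1] if best else None


def denies_by_group(fw_text, logons=AD_LOGONS, groups=AD_GROUPS):
    """Return {AD group: number of DENY events}; unattributable IPs land in 'UNKNOWN'."""
    counts = Counter()
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if not m or m.group(2) != "DENY":
            continue
        ts, src = parse_ts(m.group(1)), m.group(4)
        user = user_for(src, ts, logons)
        counts[groups.get(user, "UNKNOWN")] += 1
    return dict(counts)
```

Note that the third deny from 10.1.1.5 is attributed to carol, not alice, because the lookup picks the latest logon before the event; the 'UNKNOWN' bucket is the gap a network-based product like PacketMotion is meant to close.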

Anton closes with the three “worst practices” he has seen. Based on my six years of SIEM experience, I agree:

  • Storing logs for too short a time
  • Trying to prioritize logs and store “just what’s important”
  • Trying to use advanced SIEM features before establishing success with basic log collection and reporting

About Cymbel

Specialists in information security. Helping organizations secure their networks and mitigate the risks of modern threats.
