SIEM deployment case study shows patience is required

Williams Lea’s SIEM is already helping reduce manual log reviews. But there’s still a lot of work to be done before the SIEM can be fully deployed.

There is a lot of pressure on organisations these days to make better use of their system logs. Logs help ward off dangers by offering real-time alerts, they provide system troubleshooting or forensic evidence after a security breach, and many compliance standards insist that logs be kept and managed.

If you just put in a SIEM and let it run, you can run out of disk space very quickly if you haven’t tuned the devices on the network. It takes a lot of time to do that.

Andrew Allison,
Williams Lea

Yet many organisations fail to use logs effectively. As the recently published Verizon Data Breach Investigations Report showed, only 8% of breaches are discovered by the victim organisation itself, an indicator of missed opportunities to more promptly and thoroughly analyse log data to identify malicious activity on their networks.

Why is this happening? The short answer is log management is hard to do, according to Andrew Allison, information security manager at business process outsourcing company Williams Lea. Employing a security information and event management (SIEM) system can help immensely, but it can take a lot of time and effort to get the SIEM working effectively, Allison said.

Early stages of SIEM implementation
Allison joined London-based Williams Lea nine months ago. As the information security manager, Allison immediately set about choosing a security and incident event management (SIEM) system to help take control of log management. He took an objective view of the full range of products and services available across the market with a goal of selecting the best-in-class based on defined requirements. After a four-month process, he selected LogRhythm because the company bundled in a file integrity module (FIM) without extra charge. (The FIM helps ensure configuration files are protected and files at rest are not tampered with.)

The SIEM deployment began in December, but full implementation won’t be complete for several months. “People think that by installing SIEM it will fix everything, but no, there is a lot of work involved to ensure it works effectively,” Allison said.

Eye On SIEM Systems:

Editor’s Note: This news story is part of's "Eye On" series that brings together various perspectives on security topics throughout the year from SearchSecurity and its sister sites. In the month of March the series examined SIEM systems.

His company’s network supports around 2,500 users, many of whom are often out of the office or working remotely. The business also has a steady staff turnover since contractors are hired for certain projects and work in offices throughout the UK. This means one of Allison’s biggest challenges is managing privileges and access rights of employees and making sure rights are withdrawn when people leave the company.

In the past, this was accomplished by going through the logs manually. Logs were written first to local and then to remote back-end drives where they were kept mainly for archiving purposes.

“We’d usually only look at the logs when there was an issue. And we would also take random samples to check for failed logins on the FTP servers, for example,” Allison said.

Benefits from the SIEM
Williams Lea’s SIEM system is already helping alleviate some of the manual log review work by generating reports on unused Active Directory accounts and failed login events. It has also helped to take control of users with admin rights, and to address the issue of generic login credentials.

However, there’s a long way to go before the organisation can get full value from the SIEM, Allison said. Even with a top-of-the-range LogRhythm appliance with 3.99 terabytes of disk space, and another for failover, he said the systems could soon be overwhelmed if each network device is not tuned properly. For example, his Juniper edge firewalls are currently clocking 80 events every second. Allison said that with better configuration, that figure can be reduced. Another perennial problem is developers who set devices to debug mode and then fail to switch them back, leaving them to spew out unneeded event logs.

“I used another SIEM product at my last company and we had the same issue,” Allison said. “If you just put in a SIEM and let it run, you can run out of disk space very quickly if you haven’t tuned the devices on the network. It takes a lot of time to do that. We installed our SIEM three months ago and we are still only a third of the way through the process.”

Future SIEM plans
Once that process is complete, there will still be other jobs to do. For example, the company’s intrusion prevention system (IPS) logs do not yet feed into the SIEM, although that’s part of the long-term plan.

“We can’t handle that at the moment because of the sheer amount of data the SIEM logs,” Allison said. “We have one guy who spends four or five hours a week tuning and tweaking the SIEM, getting rid of false positives.”

Similarly, when fully configured, the SIEM will be able to create alerts by sending SMS messages or emails to the appropriate person as soon as a problem occurs. But as Allison said, every alert condition first has to be defined and documented.

“You have to go through all the rules and make decisions about what you do and don’t want to trigger an event, and that takes a lot of time,” he said. “Then each rule has to be written into your policy, with the reasons for doing it, so someone else can see why a decision was made, especially if you get a breach.”

Allison has no doubt that once all this essential groundwork is done, the job of managing the network will be considerably easier and less labour-intensive. The process of base lining the network using the SIEM system has also been very revealing, he said, and it is helping to throttle back the number of events generated by each device without damaging security.

In addition, the SIEM will help the company demonstrate compliance with a range of standards, including PCI DSS and ISO 27001. However, as Allison said, compliance should be a natural by-product of adopting security best practices.

“Any good information security person will want to know what’s going on in their network,” he said. “SIEM can help provide the visibility you need. It is a very powerful and useful tool, but it’s not a silver bullet. You still need to do the work.”

Read more on Network security management

Data Center
Data Management