In the previous article in this series, we looked at how to go about selecting a security information and event management (SIEM) tool. We explored parameters such as device support, integration, group support, reporting, and so on. Once you select the SIEM tool most suited to your organization’s security profile, the next step is to make good on your investment.
Here are six tips for SIEM tool implementation aimed at improving efficiency and ensuring hassle-free operation, while avoiding pitfalls commonly encountered in such projects.
1. Provisioning for disk space and archival
Depending on your regulatory, standards and customer requirements, you will need to retain the logs that your SIEM tool aggregates and generates for a defined period. Size both the online (live) disk space and the archival storage (such as tape drives) at the time of implementing your SIEM tool, not afterwards, so that events are retained for as long as those requirements demand.
As a working baseline, your SIEM tool should be able to keep logs online for up to 60 days for analysis and have up to one year of archival space available; adjust both figures to your own retention obligations. Keeping events online for longer can degrade the SIEM tool's search and correlation performance, while a shorter window results in frequent requests for restoration from archives.
Ultimately, the number of devices being monitored, and the event rate they generate, will also determine this figure. At Genpact, the SIEM tool has around 600 GB of online disk space available as well as 3 TB for archival.
2. BCP setup
Plan to have a business continuity (BCP) setup in place, preferably at a location separate from your primary setup, so that the SIEM tool keeps monitoring your network. This also preserves the logs for investigation and analysis even when the primary site itself is unavailable.
Sometimes business or customer requirements will also determine the uptime considerations for your SIEM tool. Disk space need not be replicated at full capacity: where the primary site is furnished with 60 days' worth of disk space, the BCP site need have only a week to 10 days' worth, sufficient until the primary site is operational again.
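The sizing in tips 1 and 2 comes down to one calculation: sustained event rate times event size times retention, with headroom for indexing and growth. The estimator below is an added example, not the article's or any vendor's tooling; the device inventory, per-device event rates, event sizes, index overhead and compression ratio are constructed placeholders that you would replace with figures measured on your own collectors.

```python
"""Estimate SIEM online, BCP-site and archive storage from a device inventory.

Added example (not from the article). Every number in INVENTORY and every
default parameter is an assumption; measure your own event rates and sizes.
"""
from dataclasses import dataclass

GIB = 1024 ** 3
SECONDS_PER_DAY = 24 * 60 * 60


@dataclass(frozen=True)
class DeviceClass:
    name: str
    count: int
    eps_per_device: float   # sustained events per second per device (assumed)
    bytes_per_event: int    # average event size on disk after normalisation (assumed)


# Constructed inventory; the rates and sizes are illustrative only.
INVENTORY = [
    DeviceClass("perimeter firewall", 4, 100.0, 450),
    DeviceClass("windows server", 120, 2.0, 600),
    DeviceClass("linux server", 200, 1.0, 250),
    DeviceClass("core router", 6, 5.0, 200),
]


def sustained_eps(inventory):
    """Total sustained events per second across the inventory."""
    return sum(d.count * d.eps_per_device for d in inventory)


def daily_raw_bytes(inventory):
    """Bytes of raw events produced per day before indexing or compression."""
    return sum(d.count * d.eps_per_device * d.bytes_per_event * SECONDS_PER_DAY
               for d in inventory)


def estimate_storage(inventory, online_days=60, bcp_days=10, archive_days=365,
                     index_overhead=0.5, archive_compression=8.0, growth_headroom=0.3):
    """Return GiB needed for the primary online window, the shorter BCP window
    and the compressed archive, each with growth headroom for the hardware's life.

    index_overhead: fraction added on top of raw events for indexes (assumed 50%).
    archive_compression: raw-to-archive ratio for compressed cold storage (assumed 8:1).
    """
    per_day = daily_raw_bytes(inventory)
    online_per_day = per_day * (1 + index_overhead)
    archive_per_day = per_day / archive_compression
    headroom = 1 + growth_headroom
    return {
        "online_gib": online_per_day * online_days * headroom / GIB,
        "bcp_gib": online_per_day * bcp_days * headroom / GIB,
        "archive_gib": archive_per_day * archive_days * headroom / GIB,
    }


def online_days_for_capacity(inventory, capacity_gib, index_overhead=0.5, growth_headroom=0.3):
    """Inverse question: how many days stay online on a given amount of disk?"""
    online_per_day = daily_raw_bytes(inventory) * (1 + index_overhead)
    return capacity_gib * GIB / (online_per_day * (1 + growth_headroom))


if __name__ == "__main__":
    print(f"sustained EPS: {sustained_eps(INVENTORY):.0f}")
    for k, v in estimate_storage(INVENTORY).items():
        print(f"{k}: {v:,.0f} GiB")
    print(f"days online on 600 GiB: {online_days_for_capacity(INVENTORY, 600):.1f}")
```

Running the inverse calculation against a fixed disk budget, as the last line does, is the quickest way to see whether a figure like 60 days online is realistic for your event volume or whether the number of devices onboarded must be traded against retention.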
3. Number of SIEM servers
While implementing a SIEM tool, keep the number of SIEM servers to a minimum. For instance, instead of having 10 agent (collector) servers on low-end hardware, consolidate the SIEM tool's agent machines onto five agent servers with high-end hardware. This provides better manageability and convenience in maintenance, while reducing overhead costs and capital expenditure. Size each consolidated server with headroom for peak event rates: with fewer collectors, an outage on any one of them takes more devices out of view.
Planning to consolidate at a later stage could lead to downtime and the need for reconfiguration, both at the device level and the agent level. Such infrastructure considerations, based on the number of devices being monitored, are something your vendor should be able to help with.
4. Access to log files/database
From the get-go, restrict access to the log files and database files stored by the SIEM tool at the back end; this discourages tampering with logs. Encryption protects the confidentiality of stored logs, but to detect tampering rather than merely deter it, also keep a hash or signature over each archived file, or write archives to write-once media. Log files should be encrypted whenever possible. Many SIEM tools are equipped with encryption capabilities, although in some cases this might come at an additional cost. If your SIEM does not support encryption, consider a commercial off-the-shelf solution or a homegrown one built on vetted libraries rather than on cryptography of your own design.
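The access restriction and tamper detection described above can be demonstrated with nothing more than the standard library. The following is an added example, not code from the article or any SIEM vendor: log files are created with owner-only permissions, and a manifest holds each file's SHA-256 inside an HMAC-SHA256 chain, so that an edited, deleted, added or reordered file is reported at verification time. The file names, log lines and CHAIN_KEY are constructed placeholders; the real key must live outside the archive (an HSM or secrets manager), otherwise whoever can alter the archive can also rebuild the manifest.

```python
"""Tamper-evident, access-restricted storage for log files exported from a SIEM.

Added example, not the article's or any vendor's code. Standard library only:
files are created with owner-only permissions, and a manifest records each
file's SHA-256 inside an HMAC-SHA256 chain so that edits, deletions, additions
or reordering are detected at verification time. CHAIN_KEY is a constructed
placeholder; keep the real key outside the archive (HSM or secrets manager).
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHAIN_KEY = b"placeholder-key-replace-from-secrets-store"  # assumption
MANIFEST = "MANIFEST.json"
GENESIS = "0" * 64


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _link(key: bytes, prev: str, digest: str, name: str) -> str:
    # Each link binds the previous link, this file's digest and its name.
    return hmac.new(key, f"{prev}|{digest}|{name}".encode(), hashlib.sha256).hexdigest()


def store_log(archive_dir: Path, name: str, data: bytes) -> Path:
    """Create a new log file with mode 0600 in a 0700 directory; refuse to overwrite."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(archive_dir, 0o700)
    path = archive_dir / name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def build_manifest(archive_dir: Path, key: bytes = CHAIN_KEY) -> dict:
    """Hash every log file and chain the hashes; write the result as MANIFEST.json."""
    entries, prev = [], GENESIS
    for path in sorted(p for p in archive_dir.iterdir() if p.name != MANIFEST):
        digest = _sha256_file(path)
        prev = _link(key, prev, digest, path.name)
        entries.append({"file": path.name, "sha256": digest, "link": prev})
    manifest = {"entries": entries, "head": prev}
    manifest_path = archive_dir / MANIFEST
    manifest_path.write_text(json.dumps(manifest, indent=2))
    os.chmod(manifest_path, 0o600)
    return manifest


def verify_archive(archive_dir: Path, key: bytes = CHAIN_KEY) -> list:
    """Return a list of problems found; an empty list means the archive is intact."""
    problems = []
    manifest = json.loads((archive_dir / MANIFEST).read_text())
    present = {p.name for p in archive_dir.iterdir() if p.name != MANIFEST}
    listed = {e["file"] for e in manifest["entries"]}
    problems += [f"unlisted file added: {n}" for n in sorted(present - listed)]
    prev = GENESIS
    for entry in manifest["entries"]:
        path = archive_dir / entry["file"]
        if not path.exists():
            problems.append(f"missing file: {entry['file']}")
        else:
            if path.stat().st_mode & 0o077:
                problems.append(f"permissions too broad: {entry['file']}")
            if _sha256_file(path) != entry["sha256"]:
                problems.append(f"content changed: {entry['file']}")
        expected = _link(key, prev, entry["sha256"], entry["file"])
        if not hmac.compare_digest(expected, entry["link"]):
            problems.append(f"manifest entry forged or reordered: {entry['file']}")
        prev = entry["link"]
    if not hmac.compare_digest(prev, manifest["head"]):
        problems.append("chain head mismatch")
    return problems


def demo() -> dict:
    """Build a small archive from constructed log lines, then tamper with it."""
    archive = Path(tempfile.mkdtemp(prefix="siem-archive-"))
    store_log(archive, "fw-2023-06-01.log", b"Jun  1 00:00:01 fw01 deny tcp 203.0.113.7 -> 10.0.0.5:22\n")
    store_log(archive, "fw-2023-06-02.log", b"Jun  2 00:00:01 fw01 allow tcp 10.0.0.12 -> 10.0.0.5:514\n")
    build_manifest(archive)
    intact = verify_archive(archive)
    # Tamper: rewrite a line in place and drop an unlisted file into the archive.
    (archive / "fw-2023-06-01.log").write_bytes(b"Jun  1 00:00:01 fw01 allow tcp 203.0.113.7 -> 10.0.0.5:22\n")
    (archive / "extra.log").write_bytes(b"planted\n")
    return {"intact": intact, "tampered": verify_archive(archive),
            "wrong_key": verify_archive(archive, key=b"wrong")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain only buys tamper evidence, not prevention: an attacker with the key can rebuild the manifest, and an attacker with write access but no key can still destroy logs, which verification will report but not recover. It pairs with, rather than replaces, the restricted back-end access and off-site archive copies discussed above.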
5. Define criteria for adding devices
Define the criteria for adding devices that will be monitored by the SIEM tool. This avoids unwanted alerts and also ensures optimal use of licenses if the solution follows a license-per-device model. For instance, adding access layer switches (L2 switches) may not make much sense; the license could instead be used for more critical devices.
6. Define log settings for devices/servers
During implementation, define the logging settings for every category of device and server that the SIEM tool will monitor. Record these standardized settings in the device/server standard build documents as well, so that any new device or server added to the infrastructure is not left out of SIEM integration and conforms to the standard by having the required logging enabled.
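Tips 5 and 6 together describe an onboarding gate: is the device in scope and worth a licence, and does its logging match the standard build for its category? The check below is an added example, not the article's process or any vendor's feature. The device categories, baseline settings, collector address and sample inventory are constructed placeholders standing in for your own standard build documents; the syslog severity ordering it uses for the minimum-level check is the standard one.

```python
"""Onboarding gate for a per-device-licensed SIEM: scope criteria plus logging baseline.

Added example (not from the article). BASELINE, OUT_OF_SCOPE, SIEM_COLLECTOR
and INVENTORY are constructed placeholders for an organisation's own standards.
"""

# Standard syslog severities, most severe first; a device that logs at
# "info" also emits everything to the left of it.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SIEM_COLLECTOR = "10.0.0.5"  # assumption

# Required logging settings per category, as the standard build documents would list them.
BASELINE = {
    "linux-server":   {"forwarding": True, "auditd": True, "min_level": "info", "ntp_synced": True},
    "windows-server": {"forwarding": True, "audit_logon": True, "audit_object_access": True, "ntp_synced": True},
    "firewall":       {"forwarding": True, "log_denied": True, "log_allowed": True, "ntp_synced": True},
    "core-router":    {"forwarding": True, "min_level": "info", "ntp_synced": True},
}
IN_SCOPE = set(BASELINE)
OUT_OF_SCOPE = {
    "access-switch": "L2 access switch: low security value, keep the licence for critical devices",
}


def level_ok(configured, required):
    """True if the device logs at least as verbosely as the baseline demands."""
    if configured not in SEVERITY:
        return False
    return SEVERITY.index(configured) >= SEVERITY.index(required)


def check_device(device, collector=SIEM_COLLECTOR):
    """Return {"admit": bool, "findings": [...]} for one device record."""
    category = device["category"]
    if category not in IN_SCOPE:
        reason = OUT_OF_SCOPE.get(category, f"category {category!r} has no baseline; do not onboard")
        return {"admit": False, "findings": [reason]}
    findings = []
    actual = device.get("logging", {})
    for setting, want in BASELINE[category].items():
        have = actual.get(setting)
        if setting == "min_level":
            if not level_ok(have, want):
                findings.append(f"min_level: logging at {have!r}, baseline requires {want!r} or more verbose")
        elif have != want:
            findings.append(f"{setting}: {have!r}, baseline requires {want!r}")
    # Forwarding somewhere other than the SIEM collector is as bad as not forwarding.
    if actual.get("forwarding") and actual.get("destination") != collector:
        findings.append(f"destination: {actual.get('destination')!r} is not the SIEM collector {collector}")
    return {"admit": not findings, "findings": findings}


def onboarding_report(inventory, licences_available, collector=SIEM_COLLECTOR):
    """Admit conforming devices while licences last; explain every rejection."""
    admitted, rejected = [], {}
    for device in inventory:
        result = check_device(device, collector)
        if result["admit"] and licences_available > 0:
            admitted.append(device["name"])
            licences_available -= 1
        elif result["admit"]:
            rejected[device["name"]] = ["no licence available; queue for next purchase"]
        else:
            rejected[device["name"]] = result["findings"]
    return {"admitted": admitted, "rejected": rejected, "licences_remaining": licences_available}


# Constructed inventory: one conforming host, one missing a setting, one forwarding
# to the wrong place, one out-of-scope switch and one conforming host with no licence left.
INVENTORY = [
    {"name": "web01", "category": "linux-server",
     "logging": {"forwarding": True, "destination": "10.0.0.5", "auditd": True, "min_level": "info", "ntp_synced": True}},
    {"name": "app02", "category": "windows-server",
     "logging": {"forwarding": True, "destination": "10.0.0.5", "audit_logon": True, "audit_object_access": False, "ntp_synced": True}},
    {"name": "fw-edge", "category": "firewall",
     "logging": {"forwarding": True, "destination": "10.0.0.9", "log_denied": True, "log_allowed": True, "ntp_synced": True}},
    {"name": "sw-floor3", "category": "access-switch",
     "logging": {"forwarding": True, "destination": "10.0.0.5"}},
    {"name": "db03", "category": "linux-server",
     "logging": {"forwarding": True, "destination": "10.0.0.5", "auditd": True, "min_level": "debug", "ntp_synced": True}},
]


if __name__ == "__main__":
    report = onboarding_report(INVENTORY, licences_available=1)
    print("admitted:", report["admitted"], "licences left:", report["licences_remaining"])
    for name, findings in report["rejected"].items():
        print(f"{name}: " + "; ".join(findings))
```

Running the gate on every new build, rather than only at SIEM implementation, is what keeps tip 6 honest: a device that passes the standard build checklist but fails this check has a documentation gap, and one that fails both never reaches the SIEM silently.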
Our final article in this series will look at using and managing SIEM tools in your organization. Stay tuned.
About the author: Satish Jagu is the senior manager for corporate information security at Genpact. With more than 12 years of professional experience in IT, Jagu has expertise in security, network and system administration on UNIX/Windows platforms, security systems and internetworking devices. He has TCP/IP network design experience, in addition to implementation of Internet and intranet services. Jagu has worked on ISO 27001 implementation and certification projects, as well as SAS 70 and SOX IT controls.
(As told to Varun Haran.)