Operationalizing Information Security: Putting the Top 10 SIEM Best Practices to Work

Operationizing Information Security - Putting the Top 10 SIEM Best Practices To Work

Processes, Metrics and Technologies

By Scott Gordon

Copyright 2010 Scott Gordon

ISBN 978-0-615-43366-0

Smashwords Edition

~~~~

Introduction

"Ask any security practitioner about their holy grail and the answer is twofold: They want one alert specifying exactly what is broken, on just the relevant events, with the ability to learn the extent of the damage. They need to pare down billions of events into actionable information. Second, they want to make the auditor go away as quickly and painlessly as possible, which requires them to streamline both the preparation and presentation aspects of the audit process. SIEM and Log Management tools have emerged to address these needs and continue to generate a tremendous amount of interest in the market, given the compelling use cases for the technologies.

Michael Rothman, Security Industry Analyst and President of Securosis ¹

The use of Security Information and Event Management (SIEM ²) as part of an integrated security management program is an information security best practice. The SIEM market category, beyond basic event logging, has been around since circa 1990’s. Whether referring to security event management, security information management, log management systems or more modern combined industry solutions, SIEM user requirements and operational considerations have evolved. How can one ensure successful SIEM implementation and on-going improvement, while at the same time further optimize resources and accelerate return on investment?

This e-book provides guidance to operationalize information security and put the top 10 SIEM best practices to work. Rather than an exhaustive examination of SIEM, the purpose is to offer pertinent insights and details with regards to how IT organizations and information security professionals can gain more assured value from SIEM.

Whether seeking to streamline incident response, automate audit and compliance processes, better manage security and business risks, or build out your deployed SIEM - this e-book presents process, metrics and technology considerations relative to SIEM implementation and security operations.

Each of the ten chapters referenced in the Table of Contents below offers:

Overview and Highlight Processes: topic introduction, process considerations, exploring operational concerns, getting results, and avoiding common pitfalls

Recommended Metrics: the more popular SIEM dashboards, reports, alerting and related operational measurements to support security operations, incident response and compliance

Technology considerations: sources, controls and related SIEM functionality

Whether seeking to streamline incident response, automate audit and compliance processes, better manage security and business risks, or build out your deployed SIEM - this e-book presents process, metrics and technology considerations relative to SIEM implementation and security operations.

Table of Contents

Chapter 1 - What is a SIEM and What are the Top Ten SIEM Best Practices

Chapter 2 - SIEM Best Practice #1 – Monitoring and reporting requirements

Chapter 3 - SIEM Best Practice #2 – Deployment and infrastructure activation

Chapter 4 - SIEM Best Practice #3 – Compliance and audit data requirements

Chapter 5 - SIEM Best Practice #4 – Access controls

Chapter 6 - SIEM Best Practice #5 – Boundary defenses

Chapter 7 - SIEM Best Practice #6 – Network and system resource integrity

Chapter 8 - SIEM Best Practice #7 – Network and host defenses

Chapter 9 - SIEM Best Practice #8 – Malware control

Chapter 10 - SIEM Best Practice #9 – Application defenses

Chapter 11 - SIEM Best Practice #10 – Acceptable Use

Chapter 12 - Conclusion

Chapter 13 - Author, Acknowledgements, References, Use and Copyrights

Note 1 - Securosis, Understanding and Selecting SIEM and Log Management August, 2010, www.securiosis.com

Note 2 - Within this document, log management functionality and reference will be subsumed by the term SIEM.

~~~~

Chapter 1:

What is a