As a part of our SIEM Best Practices Series, today we look at how you can work towards building a strong infrastructure for documenting various forms of data. For a more holistic outlook on managing your SIEM System, check out this free resource by Advoqt, a White Paper on SIEM Best Practices.
Better safe than sorry
Technology professionals know that strong documentation pays off when it comes to troubleshooting. It doesn’t matter which technology you are using: eventually, something will fail, and good documentation will save you undue pain. The more documentation, the better. At a minimum, you need the following documents:
- Security monitoring policy, list of requirements, roles, and responsibilities
- Inventory of all the endpoints that form part of the infrastructure, with their hardware capabilities and role in the architecture
- Inventory of all the log sources, with the technical contact and collection method for each
- Indexes, buckets or data storage description
- Data library definitions (per each database identify what kind of data is included)
- Use cases and alerts generated by the SIEM platform
- Implementation diagrams and data flow diagrams
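The endpoint and log-source inventories above are only useful if they are kept complete and consistent with each other. The following script is an added example, not part of the original post or of Advoqt's material; it loads a constructed, hypothetical inventory (the host names, contacts and collection methods are made up) and reports the gaps a reviewer would look for: log sources with no technical contact or collection method, log sources that point at hosts missing from the endpoint inventory, and endpoints that forward no logs at all.

```python
"""Consistency check between an endpoint inventory and a log-source inventory.

Added example (hypothetical data); the two inventories are constructed inline
to mirror the documents listed above. In practice they would be loaded from
the CMDB export or the YAML/CSV files the team maintains.
"""
from typing import Dict, List

# Constructed endpoint inventory: host -> role and hardware notes.
ENDPOINTS: Dict[str, Dict[str, str]] = {
    "fw-edge-01":  {"role": "perimeter firewall", "hardware": "appliance, 8 cores"},
    "dc-01":       {"role": "domain controller", "hardware": "VM, 4 vCPU"},
    "web-01":      {"role": "public web server", "hardware": "VM, 2 vCPU"},
    "siem-idx-01": {"role": "SIEM indexer", "hardware": "bare metal, 32 cores"},
}

# Constructed log-source inventory: one entry per feed the SIEM collects.
LOG_SOURCES: List[Dict[str, str]] = [
    {"name": "firewall-syslog", "host": "fw-edge-01", "contact": "netops@example.test",
     "method": "syslog/514"},
    {"name": "windows-security", "host": "dc-01", "contact": "",          # contact missing
     "method": "agent"},
    {"name": "apache-access", "host": "web-02", "contact": "web@example.test",
     "method": "agent"},                                                  # host not inventoried
    {"name": "apache-error", "host": "web-01", "contact": "web@example.test",
     "method": ""},                                                       # method missing
]

REQUIRED_FIELDS = ("name", "host", "contact", "method")


def check_log_source_completeness(sources: List[Dict[str, str]]) -> List[str]:
    """Return one finding per log source that is missing a required field."""
    findings = []
    for src in sources:
        missing = [f for f in REQUIRED_FIELDS if not src.get(f)]
        if missing:
            findings.append(f"log source '{src.get('name', '?')}' missing: {', '.join(missing)}")
    return findings


def check_hosts_inventoried(sources: List[Dict[str, str]],
                            endpoints: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a finding for every log source whose host is not in the endpoint inventory."""
    return [f"log source '{s['name']}' references unknown host '{s['host']}'"
            for s in sources if s.get("host") and s["host"] not in endpoints]


def endpoints_without_logs(sources: List[Dict[str, str]],
                           endpoints: Dict[str, Dict[str, str]]) -> List[str]:
    """Return inventoried hosts that send nothing to the SIEM (a monitoring blind spot)."""
    covered = {s["host"] for s in sources if s.get("host")}
    return sorted(h for h in endpoints if h not in covered)


def audit(sources: List[Dict[str, str]],
          endpoints: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Run all checks and group the findings by category."""
    return {
        "incomplete_sources": check_log_source_completeness(sources),
        "unknown_hosts": check_hosts_inventoried(sources, endpoints),
        "silent_endpoints": endpoints_without_logs(sources, endpoints),
    }


if __name__ == "__main__":
    for category, items in audit(LOG_SOURCES, ENDPOINTS).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print(f"  - {item}")
```

Running the script against the constructed data flags two incomplete log sources, one reference to a host that was never inventoried, and one inventoried host (the SIEM indexer itself) that forwards no logs. Wiring a check like this into the change process keeps the two inventories from drifting apart between assessments.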
Ignoring the faulty tire
Our consulting team is often called in to scope out Security Monitoring projects. However, once we arrive and request the above assets, in most cases the documents are either not available or incomplete. In such an instance, we recommend a pause, followed by an assessment of what’s there today and the creation of a comprehensive set of documents. Kicking off a Security Monitoring initiative without good documentation is like going on a road trip with faulty tires: sooner or later, you’ll be stuck on the side of the road, and you’ll end up spending even more time and money than was necessary at the onset.
There are EIGHT more aspects to consider as you work towards implementing a foolproof SIEM system. Our SIEM Best Practices White Paper gives you a clear roadmap. We invite you to get in touch with us to learn how we can help maximize the return on investment of your security program.