As a part of our SIEM Best Practices Series, today we look at how you can work towards effectively measuring SIEM performance and assessing coverage of your data. For a more holistic outlook on managing your SIEM System, check out this free resource by Advoqt, a White Paper on SIEM Best Practices.
It’s not uncommon to see security monitoring programs where the completeness of the log sources is never tracked as a metric, even though it directly determines the accuracy and promptness of the system. Such neglect, in the case of threat response management, can be catastrophic. Log management is a critical activity and should be benchmarked and measured for performance frequently.
If log sources are missing, we cannot confirm that a particular event or compromise didn’t happen; from a forensic investigation point of view, not having the logs from all the necessary devices might invalidate a hypothesis. And we also cannot forget about regulatory compliance – auditors will mark missing log sources as a finding.
The right way to do this is by collecting the CMDB, or database of assets, for every log technology or log source being collected. A dashboard can then be created which analyses and alerts users about the last time logs were received from every single one of the devices, per log source. This information should be available in real time, and when a given log source has not reported any events within a predefined period, an incident should be raised for an analyst to investigate.
That being said, not all log sources report at the same rate. Thus, we recommend creating a dynamic alert that only fires if the event count is significantly different from what was reported the previous week. We at Advoqt have used statistical analysis to solve this issue and avoid false positives for these types of alerts.
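The two checks described above, a per-device liveness check against an asset inventory and a statistical volume check on weekly event counts, worked through as an added example. This is not Advoqt's code or any SIEM product's API: the inventory, the allowed silence per source type, the sample events, the weekly counts and the "current time" are all constructed here, and the robust z-score (median and median absolute deviation) is one choice of statistical baseline, not necessarily the one the white paper uses.

```python
"""Log-source coverage checks for a SIEM: per-device liveness against an asset
inventory, plus a robust statistical check on weekly event volume per source.
Every inventory entry, event line and count below is constructed sample data."""
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed asset inventory (stand-in for a CMDB export). Each device is keyed by
# (hostname, log source type) and carries the longest silence that is acceptable
# for that kind of source. The windows are assumptions for the example only.
ASSETS = {
    ("fw-edge-01", "firewall"): timedelta(minutes=15),
    ("dc-01", "windows"): timedelta(hours=1),
    ("vpn-01", "vpn"): timedelta(hours=6),
    ("hr-app-01", "web"): timedelta(hours=24),
}

# Constructed sample events in a simple "<ISO timestamp> <host> <source> <message>" form.
# Note that hr-app-01 from the inventory never appears at all.
SAMPLE_EVENTS = [
    "2024-03-11T07:00:00Z vpn-01 vpn session established user=alice",
    "2024-03-11T09:30:00Z dc-01 windows 4624 logon user=bob",
    "2024-03-11T11:45:00Z fw-edge-01 firewall deny src=10.0.0.5 dst=203.0.113.9",
    "2024-03-11T11:50:00Z fw-edge-01 firewall allow src=10.0.0.7 dst=10.0.1.3",
]

# Constructed weekly event counts per source, oldest week first, current week last.
# The firewall's current week is roughly half of its usual volume.
WEEKLY_COUNTS = {
    "firewall": [1_020_000, 990_000, 1_050_000, 1_010_000, 980_000, 1_030_000, 520_000],
    "windows": [40_000, 42_000, 39_000, 41_000, 43_000, 40_500, 41_200],
}

# Constructed "now" so the example is reproducible offline.
NOW = datetime(2024, 3, 11, 12, 0, tzinfo=timezone.utc)


def parse_event(line):
    """Return (timestamp, host, source) for one raw event line."""
    ts, host, source, _msg = line.split(" ", 3)
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return stamp, host, source


def last_seen(lines):
    """Map (host, source) -> most recent event timestamp observed in the lines."""
    seen = {}
    for line in lines:
        ts, host, source = parse_event(line)
        key = (host, source)
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def silent_sources(seen, assets, now):
    """Inventory devices whose silence exceeds their allowed window.
    Returns (host, source, silence) tuples; silence is None if never seen at all."""
    findings = []
    for (host, source), max_silence in sorted(assets.items()):
        ts = seen.get((host, source))
        if ts is None:
            findings.append((host, source, None))
        elif now - ts > max_silence:
            findings.append((host, source, now - ts))
    return findings


def robust_zscore(value, history):
    """Modified z-score of `value` against prior weekly counts, using the median and
    the median absolute deviation so one abnormal week does not skew the baseline."""
    med = median(history)
    mad = median([abs(h - med) for h in history])
    if mad == 0:  # flat history: any deviation at all is unusual
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def volume_anomalies(weekly, threshold=3.5):
    """Sources whose current week deviates strongly from the preceding weeks.
    Returns source -> modified z-score (negative means volume dropped)."""
    anomalies = {}
    for source, counts in weekly.items():
        *history, current = counts
        z = robust_zscore(current, history)
        if abs(z) >= threshold:
            anomalies[source] = round(z, 2)
    return anomalies


def coverage_report(lines=SAMPLE_EVENTS, weekly=WEEKLY_COUNTS, now=NOW):
    """Combine both checks into the findings an analyst would be paged on."""
    return {
        "silent": silent_sources(last_seen(lines), ASSETS, now),
        "volume_anomalies": volume_anomalies(weekly),
    }


if __name__ == "__main__":
    report = coverage_report()
    for host, source, silence in report["silent"]:
        print(f"SILENT  {host:<12} {source:<9} {'never seen' if silence is None else silence}")
    for source, z in report["volume_anomalies"].items():
        print(f"VOLUME  {source:<22} modified z-score {z}")
```

The liveness check is driven by the inventory, not by the events, which is what catches the device that never reported in the first place. The volume check compares each source against its own history rather than a fixed count, so a chatty firewall and a quiet application server get separate baselines; the median/MAD baseline tolerates an outlier week in the history, whereas a plain mean and standard deviation would be pulled towards it.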
Such an alignment is an ongoing process that will reap results in the medium and long term. But we’re just scratching the surface. There are EIGHT more aspects to consider as you work towards implementing a foolproof SIEM system, which is why we recently released our SIEM Best Practices White Paper to help you set up or revise your SIEM system. Click here to access your free copy.
Solutions for a fast-paced and large enterprise may need tailored consultation and improvisation, beyond what can be conveyed in a white-paper. We invite you to get in touch with us to know how we can help maximize the benefits of your security efforts.