Just a quick note on Security Incident and Event Management or as it is commonly abbreviated as SIEM, SIM, or SEM. Since i had the opportunity of overseeing the implementation and day-to-day usage of SIEM in our company, i would like to share few tips that have helped me in our implementation.
- Tip Number 1
Evaluate different solutions before you decide to buy. Many vendors claim their solutions do wonderful things but don’t buy in until you evaluate them in your own environment.
- Tip Number 2
Implement SIEM in smaller chunks. If you have any sizable IT infrastructure, putting an SIEM solution is not an easy task. Therefore i recommend breaking up the devices and software that you want to collect logs into smaller sizes. For example in our case i had to break up all SQL servers together so that i can work with DB administrators and network devices together and so on.
- Tip Number 3
Involve your administrators. In order to collect the right information from your IT infrastructure you need to involve the administrators of various areas. They are well of the systems they administer and know which logs are important and which are not.
- Tip Number 4
Fine-tune your rules. If you really want to get the value of SIEM, then fine-tuning your rule set according to your own environment is a must and not just relying on out of the box rules. It is an extensive task at the beginning but one that has to be done and will help you reducing your false positives.
- Tip Number 5
Automate as much as possible. From my experience, SIEM solutions produce lots of alerts and reports. Unless you will have a dedicated administrator just for watching these alerts, you need to use the auto-notification features of the system such as email, sms, dashboard alerts to reduce the effort of managing the system.