SIEM monitoring: best practices
Estimated reading time: 6 minutes
As the cybersecurity threat landscape becomes increasingly sophisticated, service providers, such as SOD, need to take additional precautions to protect their customers’ networks. An information management system and monitoring SIEM is an excellent choice in this respect.
This system, in fact, helps mitigate cybersecurity threats from two different angles, all from a single interface . The SIEM monitoring system collects information from multiple sources: network data, threat information feeds, compliance regulations, firewalls, etc. Next, uses that data to power features designed to help IT administrators respond to threat events in real time.
Advantages of SIEM monitoring
In contrast to individual security control systems such as asset management or network intrusion detection, SIEM allows you to dig deeper into security vulnerabilities by unifying information from various systems – even very and offering unprecedented visibility into events occurring in the system.
SIEM is not a threat detection system in and of itself, but enhances the security tools already in use by providing real-time insights to work from . In particular, SOD uses a Next Gen SIEM in a SOAR ( Security Orchestration, Automation and Response ) which also includes advanced behavioral analysis tools ( UEBA ).
If you put high-quality log files into a SIEM tool, you receive high-quality insights into network security . This information can help improve network security protocols.
Unfortunately, many administrators treat SIEM implementation as a solution to be set up and then forgotten. To experience the full benefits of managing information and security events , you need to implement a set of best practices to optimize your solution, starting with security logging.
The logs of a SIEM
How does security monitoring fit into SIEM implementation best practices ? If you look at the SIEM in its main components, it is a log management system .
All the information that a SIEM tool collects is in the form of logs, or records of events occurring within an organization’s IT infrastructure and network.
Examples of logs collected by SIEM include, but are not limited to: Firewalls, routers, wireless access points, vulnerability reports, partner information, antivirus and antimalware.
However, as SIEM tools have a very broad reach and constantly collect log data from all parts of the system, can be a bit complicated and impractical to implement . SIEM best practices help avoid pain points along the line of operation. This way you use SIEM as effectively as possible right from the start.
1. Start calmly
The most common mistake made in implementing SIEM monitoring is trying to do too much too soon . Before you even start looking for a SIEM solution, in fact, it is best to define the scope of your SIEM implementation and think about what you want SIEM to do for your network and infrastructure.
We start by isolating the objectives , taking stock of existing security protocols and brainstorming how these protocols fit into the future SIEM implementation. You can also segment anything you want to monitor into groups and define how you want to monitor them. This helps ensure that you have a clear plan for logging.
Once an initial planning has taken place, the SIEM system does not yet have to be implemented across the entire IT infrastructure. It is better to proceed piecemeal.
You should then test the SIEM monitoring solution on a small section of the system to see how it works. Only then are key security vulnerabilities identified that should be addressed immediately and proceed with implementation in subsequent segments.
Setting up SIEM monitoring step by step, rather than running everything right away, will help ensure that logging works in harmony with the rest of the IT section .
2. Think about the requirements
SIEM monitoring can help the company demonstrate compliance with security regulations and audits, but only by knowing what these standards are in advance . Before committing to a SIEM system, you create a list of HIPAA, GDPR, HITECH and any other IT regulations that you need to comply with. The list is then used to compare the required regulations with the solutions that are put into practice.
Not only does this narrow down the list of standards, it will force you to consider how much log data you actually need. Keeping the correct amount to be compliant, also aligns with best practices of SIEM logging and monitoring .
Obviously, the solutions and protocols to follow are not the same for everyone and need to be adapted according to the position of the individual company. For this particular aspect, SOD can help your company both in gathering the information necessary to identify which standards to follow, and in the standards verification once implemented.
3. Fix the correlations
SIEM correlation streamlines its implementation, allowing you to configure the system according to the specific needs of their customers. SIEM works by collecting data from multiple sources and then filtering, analyzing and correlating it to determine if it deserves to be reported as a security alert.
For this it is essential to correlate the rules and set alarm thresholds based on the type of data and their origin . It is important to remember, in fact, that SIEM is designed to find connections between events that would not otherwise be related to each other.
Setting up a SIEM monitoring system is a delicate but fundamental operation to improve the security system for a particular company.
4. Collect data efficiently
Through a SIEM monitoring system it is possible to collect such an amount of data that it could become complicated to manage. It becomes important to choose in a balanced way which data to use in order to optimize the right amount without losing the advantage of having the entire system under control .
Among the data that it is better not to leave out are: Successful permissions and failed attempts, changes to user privileges, application errors and performance problems, opt-in and in general all the actions made by users with administrative privileges.
The following are excluded: information whose collection is illegal, banking information or credit card data, encryption keys, passwords and personal data .
5. Have a plan in case of a detected threat
Choosing the right SIEM solution and employing logging best practices is only part of the job. You need to have an action plan in case of cyber threat .
For the company that relies on a MSSP as SOD, this means making sure that monitoring is only the first part of the service provided. Ideally, SIEM monitoring is the first piece of a well-designed SOAR that puts in place professional operators, alert notifications and a recovery plan in accordance with the type of data put at risk .
In this respect, the SOC as a Service we offer covers most of the eventualities.
Monitoring is a fundamental part of the corporate security system and a SIEM is one of the ways to put it into practice. However, we must not stop at the collection of information, we must know how to treat, enrich and analyze it.
SOD offers comprehensive services that implement SIEM monitoring systems. The implementation obviously implies a “calibration” of the systems and of the correlations between the data in order to always offer the most suitable solution.
If you would like more information about our products, do not hesitate to contact us, we will be happy to answer your questions.
- Hadoop Open Data Model: “open” data collection
- Pass the Ticket: how to mitigate it with a SOCaaS
- Use cases of a SOCaaS for companies part 2
- Use cases of a SOCaaS for companies part 1
- NIST Cybersecurity Framework
- “Left of boom” and “right of boom”: having a winning strategy
- Smishing: a fraud similar to phishing
- Network Traffic Analyzer: an extra gear for the Next Gen SIEM
- Backup as a Service (17)
- Cloud Conference (3)
- Cloud CRM (1)
- Cloud Server/VPS (20)
- Conferenza Cloud (4)
- ICT Monitoring (4)
- Log Management (2)
- News (18)
- ownCloud (4)
- Privacy (7)
- Secure Online Desktop (14)
- Security (148)
- Web Hosting (15)
- Russia Takes Down REvil Ransomware Operation, Arrests Key Members January 14, 2022Timing of the move has evoked at least some skepticism from security experts about the country's true motives.
- The Cybersecurity Measures CTOs Are Actually Implementing January 14, 2022Companies look to multifactor authentication and identity and access management to block attacks, but hedge their bets with disaster recovery.
- Maryland Dept. of Health Responds to Ransomware Attack January 14, 2022An attack discovered on Dec. 4, 2021 forced the Maryland Department of Health to take some of its systems offline.
- White House Meets With Software Firms and Open Source Orgs on Security January 14, 2022The Log4j vulnerability is only the latest security flaw to have global impact, prompting the Biden administration and software developers to pledge to produce more secure software.
- What's Next for Patch Management: Automation January 14, 2022The next five years will bring the widespread use of hyperautomation in patch management. Part 3 of 3.
- BlueNoroff Threat Group Targets Cryptocurrency Startups January 13, 2022A series of attacks against small and medium-sized businesses has led to major cryptocurrency losses for the victims.
- Fighting Back Against Pegasus, Other Advanced Mobile Malware January 13, 2022Detecting infection traces from Pegasus and other APTs can be tricky, complicated by iOS and Android security features.
- How to Protect Your Phone from Pegasus and Other APTs January 13, 2022The good news is that you can take steps to avoid advanced persistent threats. The bad news is that it might cost you iMessage. And FaceTime.
- New Vulnerabilities Highlight Risks of Trust in Public Cloud January 13, 2022Major cloud providers are vulnerable to exploitation because a single flaw can be turned into a global attack using trusted core services.
- How Cybercriminals Are Cashing in on the Culture of 'Yes' January 13, 2022The reward is always front of mind, while the potential harm of giving out a phone number doesn't immediately reveal itself.
- Win32.MarsStealer Web Panel / Unauthenticated Remote Data Deletion January 16, 2022Posted by malvuln on Jan 16Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/8abb41f6e7010d70c90f65fd9a740faa_C.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Win32.MarsStealer Web Panel Vulnerability: Unauthenticated Remote Data Deletion Description: The Mars-Stealer web interface has a "Grab Rules" component area that lets a user specify which type of files to collect from […]
- Win32.MarsStealer Web Panel / Unauthenticated Remote Persistent XSS January 16, 2022Posted by malvuln on Jan 16Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/8abb41f6e7010d70c90f65fd9a740faa_B.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Win32.MarsStealer Web Panel Vulnerability: Unauthenticated Remote Persistent XSS Description: The Mars-Stealer web interface has a "Marker Rules" component area. Third-party attackers who can reach the Mars-Stealer server can send HTTP...
- Win32.MarsStealer Web Panel / Unauthenticated Remote Information Disclosure January 16, 2022Posted by malvuln on Jan 16Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/8abb41f6e7010d70c90f65fd9a740faa.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Win32.MarsStealer Web Panel Vulnerability: Unauthenticated Remote Information Disclosure Description: The malware web interface stores screen captures named "screenshot.jpg" in the panel directory, ZIP archived. Third-party attackers who...
- Ab Stealer Web Panel / Unauthenticated Remote Persistent XSS January 16, 2022Posted by malvuln on Jan 16Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/9e44c10307aa8194753896ecf8102167.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Ab Stealer Web Panel Vulnerability: Unauthenticated Remote Persistent XSS Description: The "Ab Stealer" web Panel By KingDomSc for "AbBuild v.1.0.exe" is used to browse victim information "Get All Victims Passwords, With...
- SEC Consult SA-20220113-0 :: Cleartext Storage of Phone Password in Cisco IP Phones January 14, 2022Posted by SEC Consult Vulnerability Lab, Research on Jan 14SEC Consult Vulnerability Lab Security Advisory < 20220113-0 > ======================================================================= title: Cleartext Storage of Phone Password product: Cisco IP Phone Series 78x1, 88x5, 88x1, 7832, 8832, 8821 and 3905 vulnerable version: Firmware
- 🐞 Call for Papers for Hardwear.io USA 2022 is OPEN! January 14, 2022Posted by Andrea Simonca on Jan 14Hello, We are happy to announce that the CFP for Hardwear.io USA 2022 is OPEN! If you have a groundbreaking embedded research or an awesome open-source tool you’d like to showcase before the global hardware security community, this is your chance. Send in your ideas on various hardware subjects, […]
- APPLE-SA-2022-01-12-1 iOS 15.2.1 and iPadOS 15.2.1 January 12, 2022Posted by Apple Product Security via Fulldisclosure on Jan 12APPLE-SA-2022-01-12-1 iOS 15.2.1 and iPadOS 15.2.1 iOS 15.2.1 and iPadOS 15.2.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213043. HomeKit Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, […]
- Reprise License Manager 14.2 - Reflected Cross-Site Scripting January 12, 2022Posted by Gionathan Reale via Fulldisclosure on Jan 12# Product: RLM 14.2 # Vendor: Reprise Software # CVE ID: CVE-2021-45422 # Vulnerability Title: Reflected Cross-Site Scripting # Severity: Medium # Author(s): Giulia Melotti Garibaldi # Date: 2022-01-11 # ############################################################# Introduction: An issue was discovered in Reprise License Manager 14.2, Reprise License Manager 14.2 is affected […]
- [RT-SA-2021-009] Credential Disclosure in Web Interface of Crestron Device January 12, 2022Posted by RedTeam Pentesting GmbH on Jan 12Advisory: Credential Disclosure in Web Interface of Crestron Device When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are valid to authenticate to the web interface. Details ======= Product: Crestron HD-MD4X2-4K-E Affected Versions: 18.104.22.1689 Fixed Versions: - Vulnerability Type: […]
- Backdoor.Win32.Controlit.10 / Unauthenticated Remote Command Execution January 11, 2022Posted by malvuln on Jan 11Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/859aab793a42868343346163bd42f485.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Controlit.10 Vulnerability: Unauthenticated Remote Command Execution Description: The malware listens on TCP port 3347. Third-party attackers who can reach an infected system can run any OS commands made available by the […]
Tempo di lettura: 5 minUtilizzo del Machine Learning per proteggere i dati Introdotto nel gennaio 2017, Acronis Act… https://t.co/mhqalBxm8D
Gli attacchi informatici sono numerosi e non fanno distinzione tra aziende e singoli individui quando prendono di m… https://t.co/uOucUWZf7W
Estimated reading time: 5 minutes SNYPR è uno strumento di analisi della sicurezza in grado di trasformare i Big… https://t.co/oies7e0nYY
Estimated reading time: 5 minutes Con l’avvento delle piattaforme di big data, le aziende che si occupano di sicu… https://t.co/MSvA0dPgiE