Let's face it, deploying a SIEM solution that gives you value is difficult. Installing the product and configuring the different log sources to send their events is not enough.
You need to customize the predefined content to your needs or create new content from scratch. That takes time, not only from the consultant who deploys the solution but from all the stakeholders who want to get something out of the shiny new SIEM tool. Otherwise you can end up with a tool nobody uses proactively, just a place to store logs and nothing else.
It's sad, but it happens: you need to build your system up from the floor to the roof, not the other way around. It sounds obvious, but sometimes it isn't.
Just as SIEM solutions started out in perimeter security and evolved towards higher levels such as applications or business processes, an organization starting a SIEM project needs to begin with the basics and grow from there.
First, pick a subset of devices to integrate, ideally one of each type, and start retrieving their logs. Study those logs first and understand what kinds of events you have (or can you already say you have control over the kinds of events going on in your systems?). Once you have that knowledge, you can start building alerts and real-time monitoring properly. This is building from the floor.
On the other hand, if you start by enabling rules, the number of, let's call them, "false positives" will be so huge that the solution becomes unusable, and the only thing it gives you is frustration.
And are you going to use a solution that frustrates you? I don't think so.
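As an added illustration of the "study the logs first" step above (example code written for this post, not part of the original or of any SIEM product): it builds an inventory of event kinds per host and program from a constructed syslog sample, one firewall and one Linux server, and then measures how often a candidate rule would fire against that baseline before anyone enables it. The log lines, hostnames and regex are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: one device of each type, as the post suggests (not real data).
SAMPLE_LOGS = """\
fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=23
fw01 kernel: DROP IN=eth0 SRC=10.0.0.6 DST=10.0.0.1 PROTO=TCP DPT=23
fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP DPT=443
srv01 sshd[812]: Failed password for invalid user admin from 10.0.0.9 port 51234 ssh2
srv01 sshd[812]: Failed password for root from 10.0.0.9 port 51236 ssh2
srv01 sshd[815]: Accepted publickey for deploy from 10.0.0.20 port 40000 ssh2
srv01 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)
srv01 CRON[901]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumed line shape: "<host> <program>[pid]: <message>"
LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<program>[^\[:]+)(?:\[\d+\])?:\s+(?P<msg>.*)$")

def event_kind(program, msg):
    """Reduce a message to a coarse event type by keeping its leading keyword(s)."""
    words = msg.split()
    if program == "kernel" and words[0] in ("DROP", "ACCEPT"):
        return words[0]
    return " ".join(words[:2])

def profile(logs):
    """Inventory of what is actually in the logs: {host: {program: Counter(event_kind)}}."""
    inv = defaultdict(lambda: defaultdict(Counter))
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown shape: worth a look, but not part of the inventory
        program = m["program"].strip()
        inv[m["host"]][program][event_kind(program, m["msg"])] += 1
    return inv

def rule_noise(logs, pattern):
    """Fraction of baseline lines a candidate rule (a regex) would fire on."""
    lines = [l for l in logs.splitlines() if l.strip()]
    hits = sum(1 for l in lines if re.search(pattern, l))
    return hits / len(lines)

if __name__ == "__main__":
    for host, programs in profile(SAMPLE_LOGS).items():
        for program, kinds in programs.items():
            print(host, program, dict(kinds))
    # A naive "alert on root" rule fires on every hourly cron run: noise, not signal.
    print("noise for 'root':", rule_noise(SAMPLE_LOGS, r"root"))
```

Run against a day of real logs, the inventory tells you which event kinds exist per source, and the noise figure shows which draft rules would bury you in false positives before you switch them on.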