SIEM Implementation Tips

Tip #1 – Ask your potential vendor whether they offer a SIM, a SEM or a full SIEM solution. You most likely want a full SIEM solution, even if you end up using one part more than the other.

Tip #2 – Ask your potential vendor whether it is easy and intuitive for your personnel to create new behaviour rules, often referred to as correlation rules.

Security Information Management Tips

Tip #1 – Ask your potential vendor whether the log management layer stores logs in an ASCII flat-file structure for scalable storage. If they don’t, run for the hills.

Tip #2 – Ask your potential vendor what the minimum token length of their indexing engine is. For example, if the engine only indexes tokens of 3 characters or more, you would NOT be able to find commands such as “SU root”, because the two-character “SU” portion of the command would never be indexed.

Tip #3 – Ask your potential vendor how much disk space their index will consume. Typically you will be looking for a 5:1 ratio, that is to say, for every 1 GB of compressed stored log data, the index should take at most 5 GB of disk space.

Tip #4 – Ask your potential vendor whether you can store the log data on a SAN or other fibre-attached disk storage.

Tip #5 – Ask your potential vendor whether a log is still collected and indexed for reporting purposes even when they have no regular-expression parsing rule for that log.

Tip #6 – Ask your potential vendor whether the solution digitally signs collected logs using at least a 256-bit SHA hash (SHA-256) and can optionally encrypt the logs at rest.
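To make Tip #6 concrete, here is an added illustration (not code from the page or from any vendor) of what “signing collected logs” buys you: each line is chained into a SHA-256 digest, the chain head is sealed with an HMAC-SHA256 tag (standing in for a vendor’s digital signature; the key and log lines are constructed), and a verifier can tell not only that the archive was altered but at which line.

```python
import hashlib
import hmac

# Constructed sample of collected log lines (not from any real system).
SAMPLE_LOGS = [
    "Jan 10 10:01:02 host1 sshd[2211]: Accepted publickey for alice from 10.0.0.5",
    "Jan 10 10:01:07 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/su root",
    "Jan 10 10:02:13 host1 sshd[2230]: Failed password for bob from 10.0.0.9",
]

def chain_digests(lines):
    """Per-line SHA-256 chain: digest_i = SHA256(digest_{i-1} || line_i).
    Each digest commits to every earlier line, so editing, reordering or
    deleting any line changes every digest from that point onward."""
    prev = b"\x00" * 32  # constant genesis value for the chain
    chain = []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode("utf-8")).digest()
        chain.append(prev.hex())
    return chain

def seal(lines, key):
    """Seal the chain head with HMAC-SHA256 (stand-in for a digital
    signature). The tag is stored beside the archive at collection time."""
    head = chain_digests(lines)[-1] if lines else ""
    return hmac.new(key, head.encode("utf-8"), hashlib.sha256).hexdigest()

def verify(lines, key, tag):
    """True only if every line is unchanged, in order, and none are missing."""
    return hmac.compare_digest(seal(lines, key), tag)

def find_first_tampered_line(lines, expected_chain):
    """Given the chain recorded at collection time, return the index of the
    first line whose digest no longer matches (a truncated archive reports
    the index where lines stop), or None if the archive is intact."""
    for i, (got, want) in enumerate(zip(chain_digests(lines), expected_chain)):
        if got != want:
            return i
    if len(lines) != len(expected_chain):
        return min(len(lines), len(expected_chain))
    return None
```

The HMAC key (or, in a real product, the signing key) must live outside the log store; an attacker who can rewrite the archive and re-seal it with the same key defeats the check.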
