SIEM evaluation criteria: Choosing the right SIEM products

Security information and event management products and services collect, analyze and report on security log data from a large number of enterprise security controls, host operating systems, enterprise applications and other software used by an organization. Some SIEMs also attempt to stop attacks in progress that they detect, potentially preventing compromises or limiting the damage that successful compromises could cause.

There are many SIEM systems available today, including light SIEM products designed for organizations that cannot afford or do not feel they need a fully featured SIEM added to their current security operations.

Because light SIEM products offer few capabilities and are much easier to evaluate, they are out of scope for this article. Instead, this feature describes the capabilities of full-featured SIEMs and can serve as a guide for creating SIEM evaluation criteria; SIEMs merit particularly close evaluation compared with other security technologies.

It can be quite a challenge to figure out which products to evaluate, let alone to choose the one that’s best for a particular organization or team. Part of the evaluation process involves creating a list of SIEM evaluation criteria potential buyers can use to highlight important capabilities.

1. How much native support does the SIEM provide for relevant log sources?

A SIEM’s value is diminished if it cannot receive and understand log data from all of the log-generating sources in the organization. Most obvious is the organization’s enterprise security controls, such as firewalls, virtual private networks, intrusion prevention systems, email and web security gateways, and antimalware products.

It is reasonable to expect a SIEM to natively understand log files created by any major product or cloud-based service in these categories. If the tool does not, it should have no role in your security operations.

In addition, a SIEM should provide native support for log files from the organization’s operating systems. An exception is mobile device operating systems, which often do not provide any security logging capabilities.

SIEMs should also natively support the organization’s major database platforms, as well as any enterprise applications that enable users to interact with sensitive data. Native SIEM support for other software is generally nice to have, but it is not mandatory.

If a SIEM does not natively support a log source, then the organization can either develop customized code to provide the necessary support or use the SIEM without the log source’s data.

2. Can the SIEM supplement existing logging capabilities?

An organization’s particular applications and software may lack robust logging capabilities. Some SIEM systems and services can supplement these by performing their own monitoring in addition to their regular job of log management.

In essence, this extends the SIEM from being strictly a centralized log collection, analysis and reporting tool to also generating raw log data on behalf of other hosts.

3. How effectively can the SIEM make use of threat intelligence?

Most SIEMs are capable of ingesting threat intelligence feeds. These feeds, which are often acquired from separate subscriptions, contain up-to-date information on threat activity observed all over the world, including which hosts are being used to stage or launch attacks and what the characteristics of these attacks are. The greatest value in using these feeds is enabling the SIEM to identify attacks more accurately and to make more informed decisions, often automatically, about which attacks need to be stopped and what the best method is to stop them.

Of course, the quality of threat intelligence varies between vendors. Factors to consider when evaluating threat intelligence should include how often the threat intelligence updates and how the threat intelligence vendor indicates its confidence in the malicious nature of each threat.

4. What forensic capabilities can SIEM products provide?

Forensic capabilities are an evolving SIEM evaluation criterion. Traditionally, SIEMs have only collected data provided by other log sources.

However, recently some SIEM systems have added various forensic capabilities that can collect their own data regarding suspicious activity. A common example is the ability to do full packet captures for a network connection associated with malicious activity. Assuming that these packets are unencrypted, a SIEM analyst can then review their contents more closely to better understand the nature of the packets.

Another aspect of forensics is host activity logging; the SIEM product can perform such logging at all times, or the logging could be triggered when the SIEM tool suspects suspicious activity involving a particular host.

5. What features do SIEM products provide to assist with performing data analysis?

SIEM products that are used for incident detection and handling should provide features that help users to review and analyze the log data for themselves, as well as the SIEM’s own alerts and other findings. One reason for this is that even a highly accurate SIEM will occasionally misinterpret events and generate false positives, so people need to have a way to validate the SIEM’s results.

Another reason for this is that the users involved in security analytics need helpful interfaces to facilitate their investigations. Examples of such interfaces include sophisticated search capabilities and data visualization capabilities.

6. How timely, secure and effective are the SIEM’s automated response capabilities?

Another SIEM evaluation criterion is the product’s automated response capabilities. Evaluating these is often an organization-specific endeavor because it is highly dependent on the organization’s network architecture, network security controls and other aspects of security management.

For example, a particular SIEM product may not have the ability to direct an organization’s firewall or other network security controls to terminate a malicious connection.

Besides ensuring the SIEM product can communicate its needs to the organization’s other major security controls, it is also important to consider the following characteristics:

  • How long does it take the SIEM to detect an attack and direct the appropriate security controls to stop it?
  • How are the communications between the SIEM and the other security controls protected so as to prevent eavesdropping and alteration?
  • How effective is the SIEM product at stopping attacks before damage occurs?

7. Which security compliance initiatives does the SIEM support with built-in reporting?

Most SIEMs offer highly customizable reporting capabilities. Many of these products also offer built-in support to generate reports that meet the requirements of various security compliance initiatives. Each organization should identify which initiatives are applicable and then ensure that the SIEM product supports as many of these initiatives as possible.

For any initiatives that the SIEM does not support, make sure that the SIEM product supports the proper customizable reporting options to meet your requirements.

Do your homework and evaluate

SIEMs are complex technologies that require extensive integration with enterprise security controls and numerous hosts throughout an organization. To evaluate which tool is best for your organization, it may be helpful to define basic SIEM evaluation criteria. There is not a single SIEM product that is the best system for all organizations; every environment has its own combination of IT characteristics and security needs.

Even the main reason for having a SIEM, such as meeting compliance reporting requirements or aiding in incident detection and handling, may vary widely between organizations. Therefore, each organization should do its own evaluation before acquiring a SIEM product or service. Examine the offerings from several SIEM vendors before even considering deployment.

This article presents several SIEM evaluation criteria that organizations should consider, but other criteria may also be necessary. Think of these as a starting point for the organization to customize and build upon to develop its own list of SIEM evaluation criteria. This will help ensure the organization chooses the best possible SIEM product.

SIEM benefits include efficient incident response, compliance

Security information and event management systems collect security log events from numerous hosts within an enterprise and store their relevant data centrally. By bringing this log data together, these SIEM products enable centralized analysis and reporting on an organization’s security events.

SIEM benefits include detecting attacks that other systems missed. Some SIEM tools also attempt to stop attacks — assuming the attacks are still in progress.

SIEM products have been available for many years, but the initial SIEM tools were targeted at large organizations with sophisticated security capabilities and ample security analyst staffing. It is only relatively recently that SIEM systems have emerged that are well-suited to meet the needs of small and medium-sized organizations.

SIEM architectures available today include SIEM software installed on a local server, a local hardware or virtual appliance dedicated to SIEM, and a public cloud-based SIEM service.

Different organizations use SIEM systems for different purposes, so SIEM benefits vary across organizations. This article looks at the three top SIEM benefits, which are:

  • streamlining compliance reporting;
  • detecting incidents that would otherwise not be detected; and
  • improving the efficiency of incident handling

1. Streamline compliance reporting

Many organizations deploy SIEM tools for this benefit alone: streamlining enterprise compliance reporting through a centralized logging solution. Each host that needs to have its logged security events included in reporting regularly transfers its log data to a SIEM server. A single SIEM server receives log data from many hosts and can generate one report that addresses all of the relevant logged security events among these hosts.

An organization without a SIEM system is unlikely to have robust centralized logging capabilities that can create rich customized reports, such as those necessary for most compliance reporting efforts. In such an environment, it may be necessary to generate individual reports for each host or to manually retrieve data from each host periodically and reassemble it at a centralized point to generate a single report.

The latter can be incredibly difficult, in no small part because different operating systems, applications and other pieces of software are likely to log their security events in various proprietary ways, making correlation a challenge. Converting all of this information into a single format may require extensive code development and customization.

Another reason why SIEM tools are so useful is that they often have built-in support for the most common compliance efforts. Their reporting capabilities are built to meet the requirements mandated by regulations and standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act.

By using SIEM logs, an organization can save considerable time and resources when meeting its security compliance reporting requirements, especially if it is subject to more than one such compliance initiative.

2. Detect the undetected

SIEM systems are able to detect otherwise undetected incidents.

Many hosts that log security breaches do not have built-in incident detection capabilities. Although these hosts can observe events and generate audit log entries for them, they lack the ability to analyze the log entries to identify signs of malicious activity. At best, these hosts, such as end-user laptops and desktops, might be able to alert someone when a particular type of event occurs.

SIEM tools offer increased detection capabilities by correlating events across hosts. By gathering events from hosts across the enterprise, a SIEM system can see attacks that have different parts on different hosts and then reconstruct the series of events to determine what the nature of the attack was and whether or not it succeeded.

In other words, while a network intrusion prevention system might see part of an attack and a laptop’s operating system might see another part of the attack, a SIEM system can correlate the log data for all of these events. A SIEM tool can determine if, for example, a laptop was infected with malware which then caused it to join a botnet and start attacking other hosts.

It is important to understand that while SIEM tools have many benefits, they should not replace enterprise security controls for attack detection, such as intrusion prevention systems, firewalls and antivirus technologies. A SIEM tool on its own is useless because it has no ability to monitor raw security events as they happen throughout the enterprise in real time. SIEM systems use log data as recorded by other software.

Many SIEM products also have the ability to stop attacks while they are still in progress. The SIEM tool itself doesn’t directly stop an attack; rather, it communicates with other enterprise security controls, such as firewalls, and directs them to block the malicious activity. This incident response capability enables the SIEM system to prevent security breaches that other systems might not have noticed elsewhere in the enterprise.

To take this a step further, an organization can choose to have its SIEM tool ingest threat intelligence data from trusted external sources. If the SIEM tool detects any activity involving known malicious hosts, it can then terminate those connections or otherwise disrupt the malicious hosts’ interactions with the organization’s hosts. This surpasses detection and enters the realm of prevention.
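The cross-host correlation and threat-intelligence enrichment described above, as an added Python illustration that is not code from the article or from any SIEM vendor: it normalizes three constructed log formats (endpoint antimalware key=value, firewall CSV, IPS JSON) into one schema, tags destinations that match a constructed threat-intelligence feed only when the feed's confidence score clears a threshold, and rebuilds per host the chain of infected laptop, botnet (C2) connection and attacks on other internal hosts. All log lines, addresses and feed entries are constructed; the source names, field layouts and confidence threshold are assumptions for the example.

```python
"""Toy SIEM pipeline (constructed example, not any vendor's product code): normalize
three proprietary log formats into one schema, enrich with a threat-intel feed, and
correlate per host to rebuild: malware infection -> botnet (C2) connection -> attacks."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample logs; addresses are private/documentation ranges.
RAW_LOGS = {
    "endpoint": [  # antimalware agent: key=value pairs
        "ts=2024-03-01T10:00:05Z host=10.0.1.23 event=malware_detected name=Trojan.Generic action=quarantine_failed",
    ],
    "firewall": [  # perimeter firewall: ts,action,src,dst,dport,proto
        "2024-03-01T10:02:11Z,ALLOW,10.0.1.23,203.0.113.50,443,tcp",
        "2024-03-01T10:05:40Z,ALLOW,10.0.1.23,10.0.2.7,445,tcp",
        "2024-03-01T10:05:41Z,ALLOW,10.0.1.23,10.0.2.8,445,tcp",
        "2024-03-01T10:06:00Z,ALLOW,10.0.1.99,198.51.100.20,443,tcp",
    ],
    "ips": [  # network IPS: JSON records
        '{"time":"2024-03-01T10:05:42Z","sig":"SMB brute force","src":"10.0.1.23","dst":"10.0.2.8"}',
    ],
}
# Constructed threat-intel feed: indicator -> (label, vendor confidence 0-100).
THREAT_INTEL = {"203.0.113.50": ("botnet_c2", 90), "198.51.100.20": ("scanner", 30)}
CONFIDENCE_THRESHOLD = 70  # act only on indicators the vendor is confident about

@dataclass
class Event:
    ts: datetime
    source: str
    src_ip: str
    dst_ip: str  # "" when the event has no destination (e.g. a local malware alert)
    category: str  # malware | connection | attack
    detail: str
    intel: str = ""  # threat-intel label, filled in by enrich()

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_endpoint(line):
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    return Event(parse_ts(kv["ts"]), "endpoint", kv["host"], "", "malware",
                 f'{kv["name"]} ({kv["action"]})')

def parse_firewall(line):
    ts, action, src, dst, dport, proto = line.split(",")
    return Event(parse_ts(ts), "firewall", src, dst, "connection", f"{action} {proto}/{dport}")

def parse_ips(line):
    d = json.loads(line)
    return Event(parse_ts(d["time"]), "ips", d["src"], d["dst"], "attack", d["sig"])

PARSERS = {"endpoint": parse_endpoint, "firewall": parse_firewall, "ips": parse_ips}

def normalize(raw):
    """Turn every proprietary line into the common Event schema, in time order."""
    events = [PARSERS[src](line) for src, lines in raw.items() for line in lines]
    return sorted(events, key=lambda e: e.ts)

def enrich(events):
    """Tag events whose destination matches a high-confidence indicator."""
    for e in events:
        hit = THREAT_INTEL.get(e.dst_ip)
        if hit and hit[1] >= CONFIDENCE_THRESHOLD:
            e.intel = hit[0]
    return events

def correlate(events):
    """Per source host, rebuild infection -> C2 -> attack and list the victims."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.src_ip].append(e)
    findings = {}
    for host, evs in by_host.items():
        infection = next((e for e in evs if e.category == "malware"), None)
        c2 = next((e for e in evs if e.intel == "botnet_c2"), None)
        if not (infection and c2 and c2.ts >= infection.ts):
            continue  # no infection-then-C2 sequence: nothing to report for this host
        # Destinations contacted after the C2 check-in (not intel hits themselves) are victims.
        victims = sorted({e.dst_ip for e in evs if e.ts > c2.ts and e.dst_ip and not e.intel})
        findings[host] = {"stage": "attacking_others" if victims else "botnet_member",
                          "c2": c2.dst_ip, "victims": victims,
                          "timeline": [f"{e.ts:%H:%M:%S} {e.source}: {e.detail}" for e in evs]}
    return findings

def run(raw=RAW_LOGS):
    return correlate(enrich(normalize(raw)))
```

Host 10.0.1.99 contacts a low-confidence indicator and is correctly left out of the findings, which is the confidence check criterion 3 of the evaluation article asks for.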

3. Improve the efficiency of incident handling activities

Another of the many SIEM benefits is that SIEM tools significantly increase the efficiency of incident handling, which in turn saves time and resources for incident handlers. More efficient incident handling ultimately speeds incident containment, thus reducing the amount of damage that many security breaches and incidents cause.

A SIEM tool can improve efficiency primarily by providing a single interface to view all the security log data from many hosts. Examples of how this can expedite incident handling include:

  • it enables an incident handler to quickly identify an attack’s route through the enterprise;
  • it enables rapid identification of all the hosts that were affected by a particular attack; and
  • it provides automated mechanisms to stop attacks that are still in progress and to contain compromised hosts.

The benefits of SIEM products make them a necessity

The benefits of SIEM tools enable an organization to get a big-picture view of its security events throughout the enterprise. By bringing together security log data from enterprise security controls, host operating systems, applications and other software components, a SIEM tool can analyze large volumes of security log data to identify attacks, security threats and compromises. This correlation enables the SIEM tool to identify malicious activity that no other single host could because the SIEM tool is the only security control with true enterprise-wide visibility.

Businesses turn to SIEM tools, meanwhile, for a few different purposes. One of the most common SIEM benefits is streamlined reporting for security compliance initiatives — such as HIPAA, PCI DSS and Sarbanes-Oxley — by centralizing the log data and providing built-in support to meet the reporting requirements of each initiative.

Another common use for SIEM tools is detecting incidents that would otherwise be missed and, when possible, automatically stopping attacks that are in progress to limit the damage.

Finally, SIEM products can also be invaluable for improving the efficiency of incident handling activities, both by reducing resource utilization and by enabling real-time incident response, which also helps to limit the damage.

Today’s SIEM tools are available for a variety of architectures, including public cloud-based services, which makes them suitable for use in organizations of all sizes. Considering their support for automating compliance reporting, incident detection and incident handling activities, SIEM tools have become a necessity for virtually every organization.

For Sale – Thermaltake CORE X31 Case – Brand New Posted + Bits

Razer Nostromo – Opened Worn Box – Unused – £20 Delivered (Collect £15) SOLD

Thermaltake Core X31 w/ 2 Case Fans – Box Open Brand New Unused – £70 Delivered

Coolermaster Storm Stryker White USB3.0 with LED in Good Condition – £45 Collected

If someone is interested in collecting the following working bits @ £10 each, or I can post with additional postage:

Q6600 + Asus P5B
8GB DDR2
Corsair 400W PSU
2 x CoolerMaster Case Fans Black
Asus Xonar DG Soundcard
Logitech G510 Keyboard (Heavily Used) + Microsoft Mouse with DPI
Antec P182 Case
AOC Monitor
2 x Keyboards

If someone is interested in collecting the following untested bits @ £15:
Some Motherboards
Some Tritton AX Pro 5.1 Headphones
Some random stuff

Thanks!

Price and currency: Included
Delivery: Delivery cost is included within my country
Payment method: BT / PPG
Location: West Yorkshire
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I have no preference

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.

For Sale – Razer Nostromo – Bitfenix White Fan Controller + More

Razer Nostromo – Opened Worn Box – Unused – £20 Delivered (Collect £15)
Bitfenix White Edition Fan Controller – Open Worn Box – Unused – £20 Delivered (Collect £15)
Thermaltake Core X31 w/ 2 Case Fans – Box Open Brand New Unused – £78 Delivered (Collect £70)

Coolermaster Storm Stryker White USB3.0 with LED in Good Condition – £45 Collected

If someone is interested in collecting the following working bits @ £10 each:

Q6600 + Asus P5B
8GB DDR2
Corsair 400W PSU
2 x CoolerMaster Case Fans Black
Asus Xonar DG Soundcard
Logitech G510 Keyboard (Heavily Used) + Microsoft Mouse with DPI
Antec P182 Case
AOC Monitor
2 x Keyboards

If someone is interested in collecting the following untested bits @ £15:
Some Motherboards
Some Tritton AX Pro 5.1 Headphones
Some random stuff

Thanks!

Price and currency: Included
Delivery: Delivery cost is included within my country
Payment method: BT / PPG
Location: West Yorkshire
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I have no preference
