A lot of people talk about “SIEM use cases” (example), but few describe them in depth, complete with instructions on how to actually solve the problems and carry out each use case using a particular SIEM tool. Here at Security Warrior Consulting, we are all about DOING, not just TALKING.
With this introduction, I am presenting a new detailed SIEM whitepaper that I wrote for the RSA enVision team.
“This paper will help jumpstart the SIEM use process and highlight common SIEM usage scenarios for organizations of all sizes. It will also explain how to operationalize the SIEM tool and utilize it for many security use cases and scenarios, from Web site threats to security incident response. Specific examples from RSA’s enVision platform are used to illustrate the concepts in the paper.”
Here is an excerpt from one use case from the paper:
Comprehensive firewall monitoring (security + network)
Since the early days of SIEM technology, firewall log data has been considered one of the most useful and most commonly collected information sources. Apart from allowing and denying connections to and from the network, firewalls can record, or log, every single connection they deny or allow. Examples would be connections from the outside world to the DMZ Web server, or connections by users inside the company to their favorite social media Web site. Analysis of such logs is extremely useful for security, compliance and even operational purposes such as network management, bandwidth management, etc. For example, on the compliance side, PCI DSS, HIPAA and NERC/FERC all have firewall logging implications. Firewall logs are also extremely useful for incident response and forensics, since they help identify connectivity patterns and serve as a “poor man’s netflow.” On top of this, firewall logs can be used to assess the health of the firewall itself and to optimize rule set performance.
Collection: comprehensive firewall log collection is mandatory for this use case, and it is important to remember that firewalls can record both failed and successful connections through the firewall – both types are essential for SIEM.
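As an added illustration of the analysis side of this use case (my own example, not from the paper or from enVision), the Python below aggregates a handful of constructed firewall log lines in a generic key=value syslog style, which is an assumed format and not any vendor's: it counts rule hits for rule set tuning, builds allowed flow tuples as the “poor man’s netflow”, and flags sources denied on many distinct ports. Both allowed and denied lines are needed, which is why collection of both matters.

```python
"""Aggregate constructed firewall allow/deny logs the way a SIEM use case would."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed key=value style (not any vendor's real format).
SAMPLE_LOGS = """\
2010-03-02T10:00:01 fw1 action=allow src=10.1.1.20 dst=198.51.100.7 dport=443 proto=tcp rule=40
2010-03-02T10:00:02 fw1 action=deny src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp rule=99
2010-03-02T10:00:02 fw1 action=deny src=203.0.113.5 dst=192.0.2.10 dport=23 proto=tcp rule=99
2010-03-02T10:00:03 fw1 action=deny src=203.0.113.5 dst=192.0.2.10 dport=445 proto=tcp rule=99
2010-03-02T10:00:03 fw1 action=deny src=203.0.113.5 dst=192.0.2.10 dport=3389 proto=tcp rule=99
2010-03-02T10:00:04 fw1 action=allow src=203.0.113.9 dst=192.0.2.10 dport=80 proto=tcp rule=10
2010-03-02T10:00:05 fw1 action=allow src=10.1.1.20 dst=198.51.100.7 dport=443 proto=tcp rule=40
2010-03-02T10:00:06 fw1 action=deny src=10.1.1.33 dst=203.0.113.77 dport=6667 proto=tcp rule=99
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<fw>\S+) (?P<kv>.*)$")

def parse_line(line):
    """Parse one line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m["ts"], "fw": m["fw"]}
    event.update(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    return event

def parse_logs(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def summarize(events):
    """Rule hit counts (rule-set tuning), per-source denied ports, and allowed flow tuples."""
    rule_hits = Counter(e["rule"] for e in events)
    denied_ports = defaultdict(set)
    for e in events:
        if e["action"] == "deny":
            denied_ports[e["src"]].add(e["dport"])
    flows = Counter((e["src"], e["dst"], e["dport"]) for e in events if e["action"] == "allow")
    return {"rule_hits": rule_hits, "denied_ports": denied_ports, "allowed_flows": flows}

def probing_sources(summary, min_ports=3):
    """Sources denied on >= min_ports distinct destination ports: a port-sweep-like pattern."""
    return sorted(s for s, ports in summary["denied_ports"].items() if len(ports) >= min_ports)

def unused_rules(summary, configured_rules):
    """Configured rules that never matched in the log window: candidates for rule set review."""
    return sorted(set(configured_rules) - set(summary["rule_hits"]), key=int)
```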
Grab the paper here [PDF]!
Another fun long whitepaper is coming soon … and it will be just as fun.
Cross-posted from Security-Warrior