Security Information Management Resource Weblog

Part of the Security Information Management Resource Guide




SIEM Architecture Guidelines

An end-user Information Technology Bulletin from the state of Pennsylvania that presents basic SIEM architectures. Includes basic deployment diagrams for use in the state’s IT organization.

Link to Resource: SIEM Architecture Guidelines

Source: State of Pennsylvania

SIM Resource Guide Section: Security Information Management Best Practices


SIEM: Finding the Proverbial Needle

“I can prove to auditors that [the SIM appliance is monitoring] just about anything with an IP address.”

Link to Resource: SIEM: Finding the Proverbial Needle

Source: Matt Roedell, TruMark Financial Credit Union

SIM Resource Guide Section: Security Information Management Quotes by Users


SIM Best Practices: E-Commerce Payment Card Security

20 E-commerce Security Best Practices including: “14 – Have emphasis on detective controls. A layered monitoring program is necessary to detect attacks and provide forensic information for incident response. If an incident occurs, the goal should be to detect it early on and limit further data compromise. Imagine the damage if an incident goes undetected for months or a year. Detective controls include centralized audit logs, log monitoring, file integrity monitoring and intrusion detection software.”

Link to Resource: E-Commerce Payment Card Security [PDF]

Source: Gideon T. Rasmussen, Bank of America

SIM Resource Guide Section: Security Information Management Best Practices


Security Analysis in Action

As part of a presentation on aligning IT security initiatives with business priorities, SIEM is explored as a key IT security component. An item of particular interest is the chart on slide 20, which plots security information value along two axes: Security Information Value and Correlation Value.

Link to Resource: Security Analysis in Action | PowerPoint [9.4MB]

Source: Christian Mathijs, Belgacom

SIM Resource Guide Section: Security Information Management Explored


Security Information Management Benefits: Roadmap to Secure Control Systems in the Energy Sector

SIEM benefits from an advanced implementation in the energy sector:
1) Unique integration of novel defenses with existing best practices.
2) Breakthrough global situational awareness while preserving confidentiality of individual defensive postures.
3) Extensible, expandable, and flexible to protect current and future control systems.

Resource: Roadmap to Secure Control Systems in the Energy Sector

Source: Alfonso Valdes, Senior Computer Scientist, SRI International

SIM Resource Guide Section: Security Information Management Benefits


Security Information Management Explored: Honey Patterns

A series of patterns that are intended as a foundation for formal design patterns for the deployment of honeynets or honeypots. Shows how honeypots are designed to work in tandem with SIM systems.

Link to Resource: Honey Patterns

Source: Jeffrey Boltz

SIM Resource Guide Section: Security Information Management Explored


Using SIEM Tools for Fraud Detection

A look into a security consultant’s project to design, build and deploy a SOC infrastructure for a telecom provider in South America. From the Resource: “The customer objective was to monitor the network against attacks (vulnerable devices, brute force attacks, etc.) and correlate events in order to identify hidden threats (DDOS, scanning, worms) and to identify business and operational frauds.” and “This task took several months but in the end the Audit team obtained a powerful [SIEM] tool that allowed them to easily identify hundreds of violations (operational and business) and also to easily change or add new rules.”

Link to Resource: Using SIEM tools for Fraud Detection

Source: Alexandre Cezar, ISC2

SIM Resource Guide Section: Security Information Management User Implementations and Success Stories


SIM Quotes by Users: A New Awareness for SIMs

“Our goal was to get people to the point where they’re not mechanics trying to keep the thing running but move them to where they’re focusing on dealing with the security issues that are actually coming up.”

Resource: A New Awareness for SIMs

Source: Glenn Haar, IT Resource Manager, Idaho State Tax Commission

SIM Resource Guide Section: Security Information Management Quotes by Users


Sound Practice in Intrusion Detection & Prevention

As part of an extensive look at intrusion detection and prevention this Resource provides considerable guidance on the importance and role of SIEM. From the Resource: “A SIEM is responsible for the overall examination of information and activity on a network, to spot anomalies and larger threat patterns, or ‘incidents.’ Incidents may be thought of as ‘meta-events’ – events that are built out of multiple smaller events, flows, and logs. A SIEM is only as valuable as the data that it manages, however. For this reason, IPS policies should establish robust notification when communicating with a SIEM. i.e., while you may not want to be personally notified of every event that occurs, it is important that as much data as possible be sent to the SIEM. The SIEM becomes responsible for filtering false positives, while retaining a rich knowledge-base from which to observe larger incidents.”

Link to Resource: Sound Practice in Intrusion Detection & Prevention

Source: Michael Leland and Eric Knapp, SANS Institute

SIM Resource Guide Section: Security Information Management Best Practices


Security Information Management – What is it?: Logging, Correlation and IT Search: An Analogy

A colorful, interesting and helpful analogy to simplify and explain the basics of SIM/log management. From the Resource: “The analogy. Imagine a house… actually, imagine your house. Let’s say that your house is like a network. The house and all the major appliances and structures of the house are like infrastructure devices- switches and servers, for example. Of course, the people living in your house are users. In addition you have ‘gateways’ from your house to the outside world, in the form of doors, windows, vents, etc. These house gateways are like our WAN devices- firewalls, IDS/IPS and other gateway appliances. Let’s say you live in the house with your spouse and family. You’re going to be the wife for now, so imagine you, your husband, three kids and a dog (only because that amuses me). Each of your house users has a key to get in. Your major appliances- the TVs, refrigerator, oven, the family computers and alarm system are all creating logs when anything happens and they’re all giving their logs to the toaster. (The toaster is greatly underappreciated so I’m giving him a big role here- yes- your toaster is the Syslog server). The doors, windows and other ‘portals’ to the outside are also creating events and logging each time they’re opened, closed, locked or broken and, they too, are sending their info to the toaster.” See the Resource for the rest of this intriguing analogy.

Resource: Logging, Correlation and IT Search: An Analogy

Source: Jennifer Jabbusch, Security Uncorked

SIM Resource Guide Section: Security Information Management – What is it?

