Security Information Management Resource Weblog

Part of the Security Information Management Resource Guide

SIM Best Practices: Mining Enterprise SIM Logs for Relevant Security Event Data

An interesting and helpful perspective about the value of normalized data in SIM. From the Resource: “When collecting data from hundreds or thousands of disparate devices and systems, normalization helps to provide a unified view of the events. Normalization for SIM means automatically pulling common data items from each event (like who, what, when and where) and storing this subset into a common format. In essence, SIM normalization is making dissimilar data all look the same. This process makes cross-system analytics feasible. And since all events share a common format, reporting and analysis is far easier as well.”

Link to Resource: Mining Enterprise SIM Logs for Relevant Security Event Data

Source: Adrian Lane, SearchSecurity

SIM Resource Guide Section: Security Information Management Best Practices


Security Information Management Explored: Security Architecture for the Future

An intriguing presentation on what the future holds in the realm of security architecture. Touches on SIEM’s role and many SIEM-related issues. Highly recommended.

Link to Resource: Security Architecture for the Future

Source: Dan Blum, Burton Group

SIM Resource Guide Section: Security Information Management Explored


Security Information Management Best Practices: Managing IM/IT Security Risks

An exceptional look into the security objectives, principles and implementation model for this government agency, including information on where and how Security Information Management fits. Highly recommended.

Link to Resource: Managing IM/IT Security Risks

Source: Mark Scherling, Office of the Chief Information Officer, Ministry of Management Services, Government of British Columbia

SIM Resource Guide Section: Security Information Management Best Practices


Security Information Management Quotes by Analysts: Security Architecture Blueprint

“It is impossible to predict all threats, meaning that threat management has a large detection and response component.”

Link to Resource: Security Architecture Blueprint

Source: Gunnar Peterson, Arctec Group

SIM Resource Guide Section: Security Information Management Quotes by Analysts


Tough Times Demand Strong Governance, Risk and Compliance Programs

This Resource provides valuable context for the importance and value of SIEM. From the Resource: “To avoid being caught reacting once a breach happens, companies need to get aggressive about gaining control over user access, and take the offensive when addressing the Threat of the Insider. Addressing security vulnerabilities associated with processes such as new employee onboarding and effectively managing changes to access rights based on new job responsibilities or departures from the organization, will require companies to implement a comprehensive risk management strategy that incorporates the following: … Data Loss Protection (DLP) and Security Incident and Event Management (SIEM): Deliver warnings to IT administrators and business managers of sensitive data leakage or inappropriate event activity that can be correlated with user identities and roles to determine if there is an issue, so that corrective actions can automatically be taken.”

Link to Resource: Tough Times Demand Strong Governance, Risk and Compliance Programs

Source: Chris Sullivan, The IT-Finance Connection

SIM Resource Guide Section: Security Information Management Benefits


Security Information Event Management Security Development Life Cycle

An 8-page, highly detailed guide on how to specify, evaluate and choose a SIEM solution. While slightly dated, this Resource provides an excellent foundation on which to learn more about SIEM and to frame possible approaches to a SIEM project. From the Resource: “It is hoped that some of our ‘lessons learned’ contained herein will help you avoid some of the pitfalls in your own SIEM endeavors.”

Link to Resource: Security Information Event Management Security Development Life Cycle

Source: Dean Farrington, SANS Institute

SIM Resource Guide Section: Security Information Management Purchasing Best Practices

