The first step in SIEM is collecting log data. Log data, as we saw in part 1, is what drives any SIEM solution. A SIEM solution should be able to process, in real time, large amounts of incoming log data from servers, security solutions, and applications in your network.
But you have different systems and environments, and analyzing logs can get tricky when you have different formats and logging standards, such as event log, syslogs, and other application logs. For example, the information gained from a firewall log will be different from the information gained from a router log. Yet both types of logs are important to network security, especially when brought together in a SIEM solution that gives them more context.
You want your SIEM solution to act as a master solution that controls all of the security aspects of your network. Having this special master solution, in addition to various other preventive security solutions, is crucial in any security operations center.
Comprehensive log collection
One of the most important things to do before deploying a SIEM solution is to get a clear understanding of your requirements and budget. Depending on the pricing and licensing structure, you could be charged for the volume of log data processed, or based on the number of log sources (as we do in Log360).
To put it very simply, you need logs from any source that concerns you. This could include:
- Workstations.
- Servers.
- Domain controllers.
- Network devices, such as routers and firewalls.
- IDS/IPS
- Security solutions, such as endpoint security.
- Business-critical applications, such as databases and web servers.
- Your public cloud.
But remember, as we discussed in part 1, the log sources must first be configured to generate log entries for the events you want to track.
While evaluating a SIEM solution, look for one that supports a broad variety of log sources out of the box. Also look for one that has a custom log parser, as this will give you the flexibility to manage any log source in your network to achieve truly comprehensive log collection. In some situations, such as in DMZs, it might not be possible to collect logs directly. So, it‘s critical that your SIEM solution supports both agent-based and agentless log collection.
Auditing made easy with SIEM
Administrators need to track security events of interest occurring in their network. This auditing can go a long way in securing your enterprise. Your SIEM solution should parse log messages, pick out data from the log fields, and neatly put it down into reports so you have all the information you need at your fingertips. If you‘re concerned about how many login failures are occurring in your network, which critical files and folders were modified, or which Active Directory accounts have been deleted, you can easily find out by running reports for all these questions and many more with a SIEM solution.
Take, for example, your web server. The screenshot below shows a report for the top status codes being thrown up on the web server. By looking at this, you can get a clear idea of the activity happening in your web server. In this case, you’ll be able to see the errors occurring on it.
Reports are also invaluable for IT teams that need help meeting compliance mandates. A SIEM solution helps you furnish in-depth audit reports that ensure you stay compliant with regulations such as PCI DSS, FISMA, SOX, and more. And with GDPR coming into effect next May, auditing and SIEM solutions are going to become all the more important for administrators.
Stay tuned for part 3 of this blog series, where we’ll be looking at SIEM for threat mitigation.