Basically, in SOC operation, Security Information & Event Management (SIEM) plays an important role. We can say it is main centralized Heart of SOC which collects, analyze the event as per configured rule and alert security analyst about the intrusive & other alerts to act and proceed with SOC process.
In my previous article, I have noted the basic Guideline to Develop and Maintain the Security Operation Center (SOC) which will definitely help you to understand it a better way. You may comment below in case any queries /questions.
Reference link: http://resources.infosecinstitute.com/guideline-to-develop-and-maintain-the-security-operation-center-soc/#gref
Moto behind writing the article is too aware the company who is seeking to buy Best SIEM product to build the SOC Operation. I have tried to collect all basic and main points which will be definitely helpful while doing POC of SIEM.
This article helps in sketching a basic roadmap to buy SIEM product to ensure that you get the SIEM technology that best fits organization’s security requirement.
The article is helpful for vendor companies who provide SIEM as a service (SaaS) to understand which are an effective way to impress the client and get the contract. Proper way explanation and division of tasks help to understand the vendor as well as to the client.
A few times I have observed that the customer and newly-established companies were not aware of all the things required while doing POC of SIEM & vendor who take advantage of it and charge a lot for providing the support and deployment.
Many of main parameters/points/functionality we have to keep in mind while doing POC of SIEM.
Study the own environment and find out the actual requirements of SIEM setup and compare it with available features in SIEM, these will perfectly help in understanding and deciding the final SIEM product.
This article will assist vendor/company (client)/analyst/SOC Manager to prepare before they start with SIEM POC.
As per my understanding & from the expert write-up, I have divided the article which will cover the aspects of architectural overview, Capability of SIEM, Cost involved review and miscellaneous.
Just go through step by step to understand it in a detailed way:
Before we start I clear the point as follow:
This article is for first level understanding, might be helpful to create the checklist.
Some of the points may or may not be applicable as SIEM functionality differ somehow.
Tried to cover all the points, reply in the comment box in case more info is required.
We can call it as SIEM POC checklist (4):
It is a diagram which describes the key elements in the system including a way of communication, the connection between internal-external systems, integration, and aesthetics.
In this section, you will get to know the high-level view of structural patterns like Hardware, Software & Database (Storage), event flow, extra application support and GUI related importance in POC.
- Need to understand the type of appliances in SIEM architecture and list them as per functionality like Correlation engine, ELM i.e. Log Collector, etc.
- Supportive documents require (yes/No) e.g.: log collector installers, console installer, etc.
- List out minimum application/software’s requirement for software solutions.
- Make a checklist as per yes/no to understand the requirement.
- Understand what type of Database/Storage support it has. Internal / external storage like Oracle/SQL/SAN/DAS/DWH etc. as well as partition type.
Types of Interfaces (GUI) overview:
Identify the console available. Three types of consoles are available.
- Web console.
- Management console.
- Troubleshooting console.
Inbuilt tools functionality overview:
- Make checklist whether for writing parsers/testing environment inbuilt or 3rd party tool is used. Helpful while comparing SIEM at functional and feature level.
Architectural Flow Diagram overview:
- Architectural Diagram for large Organization
- Identify Bandwidth Consumption: measure within appliances.
: In this section, we will compare deep but important aspects of features and functionalities of SIEM by following parameters.
This section helpful to find out various points which really important to compare with SIEM product to get best one.
Number of Default Parser:
- Get the document & count of default parser provided by SIEM vendor and compare.
- This is the best feature some of SIEM vendor offer. You may compare with this feature and Make a note whether SIEM support or not.
- Packet sizing is more than a normal raw log. If adopting packets then think about the storage and consult with Vendor Company.
Time to execute the reports:
- Get the exact review of time take to execute the daily, weekly and monthly reports.
Log compression ratio:
- Confirm whether it support for log compression and how much percentage.
- McAffee Intel Nitro support its best way and having good compression feature.
- Data retention policy for online and offline data (per day) also get to know how much time it takes to restore 1 week offline data & compare.
System performance during backup and restore:
- Calculate approx. How much % CPU and RAM utilization is up & down at the time of backup and restore with the exact time slot.
Role-based configuration and Access control:
- Identify MSSP is possible or not. To show certain data (only firewall) to particular team/customer.
- Identify network modeling is possible by importing Nessus report as well as some discovery tool or it has its own way of importing (CSV, xlsx, txt) format, etc.
- Identify Asset modeling is possible by importing Nessus report as well as some discovery tool or it has its way of importing (CSV, xlsx, txt) format, etc.
Severity of Alerts and Escalation of Alerts:
- Get to know more about the internal incident management system as well as how efficiently it supports integration with the external incident management system.
Log filtering at log collection level:
- Get to know how efficiently support to reduce noisy events. That means SIEM admin drop the noisy traffic at Receiver level and allow only meaningful events to get correlated.
- Confirm it supports static watch list or not.
- Get to know, how efficiently it support to dynamic watch list like update the entry through defined triggered events in the watch list.
- This is the best feature most of SIEM vendor implement to make it efficient for L1 Monitoring analyst to detect the intrusive as well as others events.
- SIEM admin defined the specific dashboard to rotate in defined time interval so the analyst can monitor it a better way.
- E.g.: top 10 attacker source IP, top 10 destination IP, top 5 failure username, Symantec Av events detected and much more.
Log exporting formats:
- Get to know the exporting format SIEM supports like CSV/ PDF/ txt/ HTML any other.
- Make a comparison by alerting mechanisms like through SIEM GUI/console, Email and SMS for specific events mainly.
- Latest SIEM offer “Alarm with beep” sound feature to get an immediate response on high priority or specific events/correlation rule to get a fast response.
Template customization (report/email):
- Is it inbuilt functionality in SIEM or not. How it support for template customization for Reporting and emails (reporting prioritized rules).
Portal for generated reports:
- Most of SIEM having its inbuilt functionality.
Reporting on raw logs:
- Verify whether SIEM has reporting of raw logs functionality on the basis of defined criteria.
Reporting of audit logs of SIEM appliance:
- Confirm whether SIEM have an efficient way of getting all SIEM audit logs to monitor the activities of SIEM admin.
- This will be useful while investigating the unknown activities which SIEM admin is not aware.
Ethical Hacking Training – Resources (InfoSec)
- Verify the reporting format and compare. (Excel/Html/csv/doc/pdf).
Reporting & Dashboards on SIEM health checks (should be automated):
- EPS, RAM-CPU utilization, Storage statistics & connectivity between appliances & many others reporting and dashboard features should be compared.
Default role-based reports:
- Role-based reporting like management, L1 and L2 Level kind of reports. E.g.: NOC team will get report of Firewall (policy changes, the command executed, admin level activities, etc.) logs as configured.
Reports on session-based events (p2p and VPN):
- Check whether it has functionality of Default session reports showing end to end visibility (User/VPN session etc.)
Central Policy Management:
- Check whether SIEM has the functionality of Pushing policy on all SIEM appliance from a single console.
Replication of configuration to failover appliance:
- Check whether SIEM has support for automation in configuration replication to failover appliances. It may save admin time and immediately work on failover of appliance.
Cost involved review:
In this section, we understand the basic things where COST of maintenance will get an increase. I tried to showcase the following points where cost is involved more.
- Validate which type of inbuilt storage support it has and up to what limit/size. Proprietary or external (Oracle, SQL, etc.).
- Compatibility with external storage also in case storage requirement is huge. Like DAS, NAS, Hadoop, etc.
- Licensing is the main parameter which decides/affect/impact the total cost of SIEM.
- Cost may depend on number of devices to be integrated or EPC count or number asset to be integrated or number of users or other criteria (if any)
It consist of following packages
- Compliance Package
- Parser Development
- SIEM Administration and Incident Handling training
- Resolution of High priority issue relates to SIEM appliance.
- Out of box device integration with SIEM.
- Any other
Consider following points
- Number & Types of appliances required
- Supportive software required
- Based on architecture calculate min system requirements for a software solution.
- Any other software required.
GTI Feeds support:
- Check whether GTI feeds are available with SIEM purchase or is needed to buy separately.
in this section, we understand the things which are least prioritized but important while comparing the SIEM functionality.
- It is a most important aspect to upgrade the SIEM appliances once stable patches getting published.
- Find out how frequently vendor publishes the patch, what are the content improvements in patches, whether they are stable or not etc. make very well comparison.
Compare what are the document vendor provide along with SIEM like:
- Installation & configuration
- User manual
- Best practices
- Backup and recovery
- Any other
List of Ports for appliance communication:
- List out port details require for internal communication between appliances
- Validate whether SIEM has templates to define the incident handling process.
Default / out of box content:
- If SIEM vendor claims for out of box support, then ask for supportive documents.
Ask vendor to provide following
- Types of supportive documents.
- Self-online support (forum/group)
Always perform Comparison between 2 best SIEM products and finalize Best on as per Industry standard which fits in company budget.
From the article, we learned how efficiently we could compare multiple SIEM products and adopt one which best fits as per infrastructure requirement.
Feel free share and comment if any further query.