Sunday, February 8, 2009

Security Information Event Management (SIEM)

If you are considering implementing Security Information Event Management (SIEM), SANS has produced a very good whitepaper on some design issues, with a sample case study.

The paper is about benchmarking the SIEM, however it does not cover all requirements for such project, such as integration with other systems, transport mechanisms, ports and protocols, change control, usability, storage type, integration with physical security,reporting capabilities, work-flow management, false positive rate....etc.

Here are some points to consider:
- Do we need all log data? How much data can the network and collection tools actually handle under load?
- What is the threshold before the network bottleneck and/or the SIEM is considered unusable?
- The true value of SIEM is MTTR (Mean Time To Remediate), that shows the ability of handling incident response.
- Calculating the EPS (Events per Second) in normal situation and in Peak load.
- Listing all devices, taking into consideration future changes.

The benchmarking process was done on a case with 750 users, 5 offices, 6 subnets, 5 Databases, central Data center, 4 Firewalls, 6 IPS, 6 switches, 6 routers.

- It is unlikely that all devices will send logs at max. at the same time
- Logs using TCP is much better that UDP, as UDP packets will be dropped at 3000 EPS, while TCP could maintain a 100,000 EPS.



Calculating the Storage is also important, considering a 20,000 EPS over 8 hours of ongoing incident will require 576 million record, using 300 byte avg. size, the storage needed is over 170 GB of data. The storage can differ from local DB to archiving DB, with encryption requirements.

http://www.sans.org/reading_room/analysts_program/eventMgt_Feb09.pdf

1 comment:

Anonymous said...

That is quiet funny. In SANS London 2008 Stephen Northcutt(SANS college) was in a complete denial of SIEM and its effectiveness. It seems he was drunk :)