7 Replies Latest reply on Feb 18, 2014 5:10 PM by nicole pauls

    !LEM Thoughts of the Week: What's your Top LEM/SIEM Tip or "Wish I Knew THAT when I Started?"

    nicole pauls

      If you missed last week's discussion on the fun mishaps of the Target breach, it's here: Re: !LEM Thoughts of the Week: Detecting the Target Breach?

       

      This week, thought I'd go a different direction. Since we're all (theoretically) LEM users (or even if we're not we're probably doing some log monitoring or SIEM using another tool), what are the things you wish you knew or did before you got started, or as you worked through your implementation, or for the vets now that you've been using it for a while?

       

      From my end: At a low level, the biggest pet peeve customers have is how to get emails out of LEM - which is generally a problem of understanding how the pieces all fit together.

       

      At a high level, I think maybe prioritization and thinking about how you integrate LEM/SIEM as a part of your IT/security operations before you get started so you even know what problem or problems you're going to start with or try to solve. We have a lot of recurring customers that say "I really am not using LEM to its full potential" or "I know I could be doing more" mixed in with new customers that say "I wish it was magic to set up my irritating use cases (like compliance) faster." We can do some stuff in the product to help get set up faster or help expose more content, but it's critical that you know what you are trying to accomplish, too.

       

      What do you think?

        • Re: !LEM Thoughts of the Week: What's your Top LEM/SIEM Tip or "Wish I Knew THAT when I Started?"
          evanr

          As far as low end thoughts.  I was in that boat of annoyed customers for a bit.  Once I had my email template set up, variables defined, body of my email constructed..etc.  It took me a good week to figure out how to then get the rule set up and email data sent correctly.  Only until I realized that if I had say a SQL injection rule that was looking specifically for WebTrafficAudit.* in its actions.  That I also had to drill down in the Events column to WebTrafficAudit and drag and drop the data I wanted like WebTrafficAudit.EventInfo, WebTrafficAudit.InsertionIP..etc into the Send Email Message variables.  There is definitely a bit of a learning curve with LEM. 

           

          As far as high level thoughts go.  I would definitely recommend getting a baseline.  There is a ton of background noise generated that has to be sifted through.  Having that data will make it easier to detect the anomalous events that do occur.  Secondly focus more time and energy on the data output.  When I first started with LEM/SEIM I was more worried about getting our devices, connectors set up.  Ok we are getting good data now what?  How do I then go back a week and see if our FTP site is still being hammered by the same IP address?  Enter nDepth.  Now I spend most of my time creating/running queries.  LEM makes it incredibly easy to write up a quick query and be able to view the patterns in the data.  Now that I know its not some random event I can take action and block it on our firewall..etc.  The reports complement nDepth very well and they have more than satisfied our compliance requirements. 

            • Re: !LEM Thoughts of the Week: What's your Top LEM/SIEM Tip or "Wish I Knew THAT when I Started?"
              byrona

              evanr what compliance requirements do you work with?

               

              I ask because we are working with different compliance requirements more and more and in doing so our company always seems to find our tools and processes are not enough.  While I understand you want to do things correctly I often fear we are taking a too aggressive interpretation of the compliance requirements.  I have certainly ran across customers that take a too aggressive interpretation of these as well.

                • Re: !LEM Thoughts of the Week: What's your Top LEM/SIEM Tip or "Wish I Knew THAT when I Started?"
                  evanr

                  PCI.  And according to our auditor 3.0 is going to be even stricter.  We aren't the only business unit in the company that has a ROC so luckily we were given a blueprint.  From there we could pick and choose what we needed to fit our environment regarding the requirements like FIM, IDS/IPS, SEIM...etc.  I agree it would be easy to get carried away with whats needed to be compliant resulting in overkill.  A great deal of research goes into trying to find the right solution that will be best tailored to our environment.  Luckily though we haven't had to re-invent the wheel.

              • Re: !LEM Thoughts of the Week: What's your Top LEM/SIEM Tip or "Wish I Knew THAT when I Started?"
                byrona

                One of the "ah-ha" moments with LEM for me was when one of the support techs explained how LEM uses an event taxonomy (the policy).  Understanding that is key to writing filters and correlations; before that I was really struggling.  I still struggle with it at times but understanding that has made a huge difference.

                  • Re: !LEM Thoughts of the Week: What's your Top LEM/SIEM Tip or "Wish I Knew THAT when I Started?"
                    nicole pauls

                    This (event taxonomy) is an interesting conundrum. I brought it up in the Thwack Camp presentation because I think it's a common stumbling block, too. In the end, I'm just not sure how/when to introduce the concept. If we put too much conceptual stuff up front it makes the product seem very intimidating and ain't nobody got time for that! But it is really how the "nerve center" of LEM works when it comes to normalized data. I have heard the argument that customers of LEM shouldn't have to care about that stuff, but I don't foundationally know if that's truly possible or even a good idea.

                     

                    Maybe a blog post on this topic would be helpful, but it still sounds pretty boring when I think about it.