Page 10 - Cyber Warnings
P. 10
network hierarchy and forming log source groups, the SIEM team fine-tuned the out-of-the box
correlation rules, as well as developed custom rules aligned with the company’s infrastructure.
This allowed to cut down the number of false-positives along with reducing the number of daily
generated offenses to only 150.
Mistake 3: Overloading a SIEM solution
The estimated system load (the number of events per second (EPS) and flows per interval
(FPI)) is one of the most important factors to consider while designing a SIEM solution
architecture. If the solution’s actual load mismatches the real number of security events, a huge
amount of data will just pass by without being sieved through a SIEM system, putting the
organization’s security at stake.
Case 1: An oil company deployed a SIEM solution with the total load of 4,000 EPS. However,
once SIEM consultants came on-site to fine-tune the system, it turned out that the real number
of log sources exceeded the default license, generating 8,000+ EPS all together. Without fixing,
the system would ignore more than a half of security events. To ensure the correct functioning
of the solution, the company had to purchase additional licenses extending the load threshold.
Furthermore, the SIEM consultants filtered thoroughly both events and flows coming from all the
log sources to improve the system’s general performance.
Mistake 4: Overlooking deployment gaps
Even a well-designed architecture cannot guarantee a SIEM system will be properly deployed.
Though the deployment process isn’t rocket science, security administrators should check that
the system components and licenses are activated appropriately to ensure the solution
functions correctly.
Case 1: A bank deployed a SIEM module to monitor network device configurations but it didn’t
operate for an unknown reason. Analyzing the solution, a SIEM consultant discovered that a
security administrator activated the license incorrectly, which disabled the entire module. To fix
the issue, a SIEM consultant had to redeploy the module in a virtual environment, reactivate the
license, then to reconfigure it according to the bank’s requirements.
Mistake 5: Neglecting system configuration requirements
SIEM solution configuration is another important aspect to consider during the implementation
phase. Misconfigured SIEM systems cause performance issues that impede security event
processing and analysis. There can be the following misconfigurations:
10 Cyber Warnings E-Magazine October 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide