How to successfully deploy a SIEM solution?

It is a fact: many SIEM solutions share the fate of home exercise equipment. They are bought with enthusiasm and the highest expectations, but, although the investment can be significant, they frequently end up underused, if not unused.

The main cause is a lack of preparation. SIEM solutions can appear complex and “user-unfriendly”, whereas they are actually straightforward and very effective if you proceed with the right method.

In this article, I am happy to share with you the best practices for a hassle-free SIEM deployment.

What is the process to deploy a SIEM solution?

The success of a SIEM deployment relies on a phased approach that IT security managers and CISOs must adopt and apply. In this article, we will cover the critical steps for deploying SIEM technology so that it becomes a profitable investment for the organization.

Phase 1: Upstream work

It consists of three main tasks that the IT security team must carry out carefully across the organization.

  1. Define the attack scenarios that you want to test
  2. Define the types of events that you want to monitor
  3. Define the types of reactions that you want to deploy

Note that this is a high-level planning exercise. It does not consist of documenting the exact Active Directory event IDs. The objective is to document the various event types that correspond to a scenario. For example, if you want to protect against a brute-force attack, you need to test the scenario with failed authentication events and successful authentication events.

Furthermore, the expected response time for each scenario must be defined as well.
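As an added example (not from the article or any particular SIEM product), here is how the brute-force scenario above can be expressed as detection logic over constructed authentication log lines: a burst of failed authentications from one source within a short window raises an alert, and a success that directly follows such a burst raises a higher-severity alert carrying the response deadline defined for it. The log format, thresholds and response times are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, source IP, user, outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.0.5 alice FAIL
2024-03-01T09:00:03 10.0.0.5 alice FAIL
2024-03-01T09:00:05 10.0.0.5 alice FAIL
2024-03-01T09:00:07 10.0.0.5 alice FAIL
2024-03-01T09:00:09 10.0.0.5 alice FAIL
2024-03-01T09:00:11 10.0.0.5 alice SUCCESS
2024-03-01T09:05:00 10.0.0.7 bob FAIL
2024-03-01T09:30:00 10.0.0.7 bob SUCCESS
"""

# Assumed response times per alert type (the "reaction" and delay defined in phase 1).
RESPONSE_DEADLINE = {
    "BRUTE_FORCE_ATTEMPT": timedelta(hours=4),
    "BRUTE_FORCE_SUCCESS": timedelta(minutes=15),
}

def parse_line(line):
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user, outcome

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return alerts: one when a (source, user) pair reaches `threshold`
    failures inside `window`, and one when a success follows such a burst."""
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ts, src, user, outcome = parse_line(line)
        recent = failures[(src, user)]
        while recent and ts - recent[0] > window:  # expire failures outside the window
            recent.popleft()
        kind = None
        if outcome == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:  # alert once per burst
                kind = "BRUTE_FORCE_ATTEMPT"
        elif outcome == "SUCCESS":
            if len(recent) >= threshold:  # success right after a burst: likely compromise
                kind = "BRUTE_FORCE_SUCCESS"
            recent.clear()
        if kind:
            alerts.append({"type": kind, "src": src, "user": user, "time": ts,
                           "respond_by": ts + RESPONSE_DEADLINE[kind]})
    return alerts
```

On the sample above the detector raises two alerts for 10.0.0.5/alice and none for bob, whose single failure is outside the window by the time he logs in.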

Phase 2: Upstream tasks to run in your organization

The deployment of the SIEM is then rather simple. It goes through the following steps:

  • Installation of the appliance
  • Basic configuration: NTP, OTX connection (information feed about ongoing attacks and security threats)
  • Configuration of the log sources
  • Identification of the assets to protect and deployment of the remote agents if necessary
  • Setting up of vulnerability scans for the assets to protect
  • Setting up of the availability monitoring for the assets to protect
  • Configuration of the network traffic to monitor
  • Configuration of the dashboards and alerts according to what is defined in phase 1.

It is important to point out that this is an iterative process. It is run first at installation and must then be reviewed on a regular basis. Operational feedback enables the configuration fine-tuning that makes all the difference, as both the infrastructure and the threats are constantly evolving.

Do you have any questions regarding SIEM technology?

Nellsoft can help you at every stage, from the audit to the deployment and operation of the solution. Please contact us and we will arrange an appointment to discuss your needs.
