Security Information Event Management (SIEM) Part 2

It's one thing to have lots of events pouring into your SIEM server, but what do you do when the data flashes by so fast you can't read any of it? You create filters, of course, if you don't want to use the canned filters that come with your SIEM product or if the canned filters do not catch what you want to see.

The problem with creating your own filters is that you have to know exactly what events to look for. I always start with the canned filters, then look at what does come through and use those parameters to create my own. Unfortunately this time there was no canned filter that worked, so I had to let the flood of "ANY ALERT" wash over me and pause the onslaught periodically to see what was coming in and whether it correlated to anything I was looking to filter out.

This was successful, but it took a while and a number of test filters until I figured out what I wanted to be in each filter. Now some people, probably back in the previous paragraph, were mumbling about reading the instructions, but I have not found that you should do that until you get stuck. You'd be surprised what your own ingenuity will figure out when the instructions don't lead the way. Besides, with SIEM the instructions only discuss the how, not the what to monitor/filter/correlate.
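The workflow above (start from the catch-all "ANY ALERT" view, pause it, tally what is actually arriving, then carve the patterns you see into named filters and look at what still slips through) can be sketched in code. The following is an added example, not code from the original post or from any SIEM product; the key=value event format, the field names, the filter names and the sample lines are all constructed assumptions.

```python
"""Added example: carving SIEM filters out of a catch-all "ANY ALERT" view.

Everything here is constructed for illustration.  The event format, field
names and sample lines are assumptions, not any SIEM product's real schema.
"""
import re
from collections import Counter
from typing import Callable, Dict, List

# Constructed sample events in an assumed syslog-like key=value form.
SAMPLE_EVENTS = """\
host=dc01 src=10.0.0.5 event_id=4625 user=jsmith msg="logon failure"
host=dc01 src=10.0.0.5 event_id=4625 user=jsmith msg="logon failure"
host=dc01 src=10.0.0.5 event_id=4625 user=jsmith msg="logon failure"
host=fw01 src=203.0.113.7 event_id=deny dport=3389 msg="inbound denied"
host=fw01 src=203.0.113.7 event_id=deny dport=22 msg="inbound denied"
host=dc01 src=10.0.0.9 event_id=4624 user=svc_backup msg="logon success"
host=av01 src=10.0.0.12 event_id=malware user=bjones msg="quarantined file"
host=fw01 src=198.51.100.3 event_id=deny dport=445 msg="inbound denied"
host=dc01 src=10.0.0.5 event_id=4625 user=jsmith msg="logon failure"
host=dc01 src=10.0.0.5 event_id=4740 user=jsmith msg="account locked out"
"""

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def load_events(text: str) -> List[Dict[str, str]]:
    """Parse every non-blank line of the constructed feed."""
    return [parse_event(ln) for ln in text.splitlines() if ln.strip()]


def any_alert_tally(events, keys=("host", "event_id")) -> Counter:
    """The 'ANY ALERT' step: count everything by a few fields so the
    noise that dominates the view becomes visible."""
    return Counter(tuple(e.get(k, "-") for k in keys) for e in events)


# Filters derived from what the tally showed.  Each is a plain predicate
# over one parsed event; the names are assumptions for this example.
Filter = Callable[[Dict[str, str]], bool]

FILTERS: Dict[str, Filter] = {
    "failed_logons": lambda e: e.get("event_id") == "4625",
    "lockouts": lambda e: e.get("event_id") == "4740",
    "perimeter_denies": lambda e: e.get("host") == "fw01"
    and e.get("event_id") == "deny",
    "endpoint_malware": lambda e: e.get("event_id") == "malware",
}


def apply_filters(events, filters=FILTERS) -> Dict[str, List[Dict[str, str]]]:
    """Route each event into every named filter it matches."""
    out: Dict[str, List[Dict[str, str]]] = {name: [] for name in filters}
    for e in events:
        for name, pred in filters.items():
            if pred(e):
                out[name].append(e)
    return out


def unfiltered(events, filters=FILTERS) -> List[Dict[str, str]]:
    """What still slips past every filter: the candidates for the next one."""
    return [e for e in events if not any(p(e) for p in filters.values())]


def repeated_failures(events, threshold=3) -> Dict[str, int]:
    """A simple correlation: users with at least `threshold` failed logons."""
    c = Counter(e["user"] for e in events if e.get("event_id") == "4625")
    return {u: n for u, n in c.items() if n >= threshold}


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    for key, n in any_alert_tally(evs).most_common():
        print(f"{n:3d}  {key}")
    for name, hits in apply_filters(evs).items():
        print(f"{name}: {len(hits)} events")
    print("unfiltered:", unfiltered(evs))
    print("repeated failures:", repeated_failures(evs))
```

The tally is the "pause the onslaught and look" step: on this constructed feed it shows `dc01`/`4625` dominating, which is what justifies a dedicated failed-logon filter. `unfiltered()` is the loop back: whatever it returns is the material for the next test filter, and `repeated_failures()` shows the kind of correlation the post says becomes visible once the noise is split out.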

Security Information and Event Management (SIEM)

Just starting to sink my teeth into Security Information and Event Management (SIEM). Never thought I'd like building the haystack before I started looking for the needle. There is quite a lot of information logged about some simple events that I thought would only touch one system. It is interesting to see all the things that happen under the hood and all the possible correlations you can draw when you finally take a look. I don't even have all the infrastructure on the network dumping log files into the SIEM yet, and already the screen flashes by. Hoping to put into practice some of the information that gets discussed when RSA comes by to do demos. This is intriguing and enjoyable. I always love new puzzles.

ADManager Plus Is a Good Tool

Today I'm working with ADManager Plus in order to create efficiencies for the Service Desk team by leveraging the User Creation templates. This is a nice feature when used with the ability to delegate specific AD access to Service Desk techs. When you give a tech the ability to create users and they leverage the template, it not only frees up the server team, it provides a way to automatically enforce naming standards and user permissions. This is the first time I have used a ManageEngine product and it has been very useful so far.