Slashdot Mirror


Book Review: Security Information and Event Management Implementation

brothke writes "With so many different types of log and audit data to make sense of, Security Information and Event Management (SIEM) attempts to fix that by aggregating, correlating and normalizing the log and audit data. The end result is a single screen that presents all of the disparate data in a common form. While great in theory, the devil is in the details; and there are plenty of details in deploying a SIEM on corporate networks. Security Information and Event Management Implementation provides a solid introduction, overview and analysis of what a SIEM (also known as SIM, SEM, SEIM and others) is, and what needs to go into it for an effective deployment and operation." Read below for the rest of Ben's review.

Security Information and Event Management Implementation
Author: David Miller
Pages: 464
Publisher: McGraw-Hill Osborne Media
Rating: 8/10
Reviewer: Ben Rothke
ISBN: 0071701095
Summary: Provides an excellent overview of the topic and will be of value to those looking for answers around SIEM

As a technology, SIEM provides real-time monitoring and historical reporting of information security events from networks, servers, systems, applications and more. Many firms have deployed SIEM to address regulatory compliance reporting requirements, in addition to using it as a mechanism with which to build a robust information security operation, integrating the SIEM into their security management and incident response functions.

With that, the good news is that the SIEM market is now mature, with numerous vendors competing with each other. Combined with the level of SIEM adoption, it is ready for prime time. But ensuring it works in prime time is heavily dependent upon requirements definition and planning.
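To make concrete what "aggregating, correlating and normalizing" means in practice, here is an added example; it is not code from the book, and it is not from any of the products the book covers. It is a toy pipeline in Python that parses three constructed log formats (Linux sshd syslog, a Windows-style security event and a firewall line) into one event schema, runs a cross-source correlation rule over the result, and supports ad hoc search over the normalized fields. The log lines, the year assumed for the syslog timestamps, the Windows event ID mapping and the rule thresholds are all assumptions made for the example.

```python
"""Toy SIEM pipeline: normalize heterogeneous log lines into one event schema,
correlate across sources, and query the result.  Added example for this review;
not code from the book or from any SIEM product.  All log lines are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample input: three formats describing one underlying activity
# (logon attempts and a blocked connection), as a SIEM would receive them.
RAW_LOGS = [
    "Mar 12 10:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Mar 12 10:00:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "Mar 12 10:00:05 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "2024-03-12T10:00:09Z WIN-DC01 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7",
    "Mar 12 10:00:12 web01 sshd[2214]: Accepted password for root from 203.0.113.7 port 51130 ssh2",
    "2024-03-12T10:00:20Z fw01 action=deny src=198.51.100.9 dst=10.0.0.5 dport=445",
    "Mar 12 10:00:25 web01 sshd[2220]: Accepted publickey for deploy from 10.0.0.8 port 40000 ssh2",
]
ASSUMED_YEAR = 2024  # classic syslog carries no year; assumption made for this example


@dataclass
class Event:
    """The common schema every source is mapped onto (the 'normalized' record)."""
    ts: datetime
    host: str
    src_ip: str
    user: Optional[str]
    action: str   # auth_fail | auth_success | net_deny | net_allow | other
    source: str   # which parser produced the event


SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<act>\w+) src=(?P<src>\S+) dst=\S+ dport=\d+")


def normalize(line: str) -> Optional[Event]:
    """Map one raw line onto Event; None means 'no parser for this format'."""
    if m := SYSLOG_RE.match(line):
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day'].strip()} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        action = "auth_fail" if m["outcome"] == "Failed" else "auth_success"
        return Event(ts, m["host"], m["ip"], m["user"], action, "sshd")
    if m := WIN_RE.match(line):
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        action = {"4625": "auth_fail", "4624": "auth_success"}.get(m["eid"], "other")
        return Event(ts, m["host"], m["ip"], m["user"], action, "windows")
    if m := FW_RE.match(line):
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        action = "net_deny" if m["act"] == "deny" else "net_allow"
        return Event(ts, m["host"], m["src"], None, action, "firewall")
    return None


def brute_force_then_success(events: List[Event], threshold: int = 4,
                             window: timedelta = timedelta(minutes=5)):
    """Correlation rule: at least `threshold` failed logons from one source IP,
    counted across every host and log source, followed by a successful logon from
    that IP within `window`.  Returns (src_ip, user, success_time) tuples.
    With the sample data sshd alone sees 3 failures and the domain controller 1;
    only the normalized, cross-source view reaches the threshold."""
    fails = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "auth_fail":
            fails[ev.src_ip].append(ev.ts)
        elif ev.action == "auth_success":
            recent = [t for t in fails[ev.src_ip] if ev.ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((ev.src_ip, ev.user, ev.ts))
                fails[ev.src_ip] = []   # one alert per campaign, not per success
    return alerts


def search(events: List[Event], **criteria) -> List[Event]:
    """Ad hoc query over normalized fields, e.g. search(events, src_ip='203.0.113.7')."""
    return [e for e in events if all(getattr(e, k) == v for k, v in criteria.items())]


def run(lines=RAW_LOGS):
    """Normalize, keep count of what could not be parsed, and run the rule."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)   # blind spots; a real deployment must track these
        else:
            events.append(ev)
    return events, unparsed, brute_force_then_success(events)


if __name__ == "__main__":
    events, unparsed, alerts = run()
    print(f"{len(events)} events normalized, {len(unparsed)} lines unparsed")
    for src_ip, user, when in alerts:
        print(f"ALERT: {src_ip} logged in as {user!r} at {when} after repeated failures")
```

Two points the toy makes that the review's later paragraphs return to: the correlation rule is a few lines, while the parsers are most of the code and every new log source needs another one, which is where the weeks of normalization work go; and whatever `normalize` cannot parse is invisible to every rule, so the count of unparsed lines is a health metric, not noise to discard.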

The book's 15 chapters are organized in three parts: Introduction to SIEM: Threat Intelligence for IT Systems; IT Threat Intelligence Using SIEM Systems; and SIEM Tools. Part 3 (chapters 8-15) provides the bulk of the reading.

Part 1 provides a high-level overview of the topic and covers information security fundamentals. Chapter 2 details the various threats that the SIEM will be used to defend against, and chapter 3 gets into regulatory compliance, which is a key driver for many SIEM rollouts.

The product chapters detail four SIEM vendors. The products the authors selected to showcase are OSSIM, ArcSight ESM, Cisco MARS and Q1 Labs QRadar. While it is debatable if OSSIM is a SIEM, I am not sure why the authors did not include the netForensics product. This is especially true since the nFX SIM One software is one of the better tools for large deployments in which customization is needed.

A mistake many firms make when considering a SIEM is spending too much time selecting a specific SIEM vendor and not enough time defining their specific security requirements for the SIEM product. The book does a good job of communicating the importance of effective requirements definition. An important notion around requirements definition is that it must not involve only the IT and security groups. Other groups including audit, regulatory, legal, administration, applications and more must be involved.

The book provides real-world advice. A good point made in chapter 11 is the need to realize that a SIEM takes time to develop and is not an out-of-the-box solution. The authors note that one should not expect a full inventory of activity and actionable information immediately. It often takes a few weeks for that information to be normalized into data that is actionable.

Part 3 goes into the various products. Chapter 12, while nominally about QRadar, lists 10 highly detailed questions that must be answered regardless of which SIEM vendor will be used. These 10 questions (a formal SIEM requirements definition could easily run to 30 or more) require a firm to truly understand its infrastructure and environment before it deploys a SIEM. The authors note that these questions are meant to make a firm do its homework around the SIEM. The value of detailed answers to these questions should not be underestimated; failing to answer them in advance can lead to a SIEM deployment that ultimately fails.

For many readers, the screen print of a QRadar system settings console on page 278 may be enough to scare them away from a SIEM. This screen, one of many in QRadar, lists over 50 settings that must be configured in order to use the software effectively. While many of the default settings can be used, firms should know exactly what their settings should be if they want to get the most out of the SIEM solution.

In many books, the appendix is often public information simply added as filler to increase the page count. Here the appendix, The Ways and Means of the Security Analyst, is superb. It details the human element of the SIEM, the security analyst, which is often what will make or break the SIEM. The analyst is the one who will use the SIEM and attempt to make sense of its output. A SIEM deployment without good analysts is ultimately useless.

It should be noted that even though the book has the term implementation in the title, it is not really a full implementation reference. It should be viewed as a comprehensive introduction to SIEM. The reason is that when one digs into the deeper layers of a SIEM deployment, there are significant complexities that must be dealt with. Anyone who attempts to deploy a SIEM based on this guide alone will likely be disappointed. This is not a fault of the book; rather it is a reality of the complexity of a SIEM, and of the number of pages a full treatment would require.

While the book does have implementation guidelines around the installation and configuration of four SIEM products, the real challenge in a SIEM is the post-installation configuration, not simply the installation. Perhaps the authors will take this as a challenge to create a second volume detailing those issues.

With that, the book does provide an excellent overview of the topic and will be of value to those looking for answers around SIEM. Those looking for a solid introduction to the world of SIEM should definitely get a copy. Don't think about a SIEM without it.

You can purchase Security Information and Event Management Implementation from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

29 comments

  1. Mod me down anyway by Anonymous Coward · · Score: 0

    Wow, a book review for something other than Drupal or some generic Packt Publishing book for some technology that 3 people use? I'm amazed!! Was Packt behind on its monthly check to buy slashvertisement time?

  2. What's the point by sakdoctor · · Score: 2

    Ah, what's the point. People are just going to give their passwords away when asked anyway.

    1. Re:What's the point by Anonymous Coward · · Score: 0

      Ah, what's the point. People are just going to give their passwords away when asked anyway.

      So that you can detect when they do sooner.

    2. Re:What's the point by Anonymous Coward · · Score: 0

      so what does that have to do w/ a sim product?

  3. MARS? by vvaduva · · Score: 1

    Cisco MARS? The product was always a pos and it has been discontinued for a while if I am not mistaken...why review a dead product?

    1. Re:MARS? by Anonymous Coward · · Score: 0

      Discontinued only for about a year.
      That's the trouble with most any publication. There are lengthy lead times involved with all the editing, proofing, printing and distribution.

      The points the reviewer brings up are valid, but frankly, I can't understand how he expects to be taken seriously with so many grammar/spelling errors in his content.

    2. Re:MARS? by Anonymous Coward · · Score: 0

      there are still plenty of places using MARS.

      while sales are stopped, how much longer will it be supported?

  4. Hey look! by Anonymous Coward · · Score: 0

    It's an advertisement for a book!

  5. where did i leave those darn torture sub-contracts by Anonymous Coward · · Score: 0

    damned nosey bleeding heart pinkos anyway.

  6. Obligatory ( +3, Incendiary ) by Anonymous Coward · · Score: 0

    More PHP ccccrrrrrraaaappppp?

    Yours In Tashkent,
    Kilgore Trout, C.I.O.

  7. Self-important much? by Anonymous Coward · · Score: 0

    Just the title already. I think I'm not going out of my way to buy a title that looks like it's full of freeze-dried buzzwordy bigcorp-and-governmental mumbo-jumbo. For ITsec to fly, it's gotta be practical, not stiflingly formal. The drier the material (or the cheesier, that too), the less likely it is that the writer actually understood what he was writing about. The title already missed the sweet spot by a mile.

  8. netfx by Anonymous Coward · · Score: 0

    All these SIEMs (including netfx) are great *if* your log files conform to the standard of the SIEM and *if* they support the devices you run on your network and *if* you can get all the logs back to a central location without modifying them in the process etc etc etc. The best SIEM in existence is Splunk - it takes any log format you want, allows you to deep dive on only those events you really care about -- not something 'pre canned' the SIEM vendor thinks is important.

    1. Re:netfx by brunes69 · · Score: 1

      QRadar has native support for hundreds and hundreds of log types, and even if it doesn't you can extract whatever custom data out of it you want, on demand.

      And Splunk is not a SIEM; it is a simple log indexer solution. SIEM is a lot more than a log indexer; it is breaking down the millions upon millions of logs you get today into a data set size that is actionable.

  9. is basic literacy too much to ask? by Anonymous Coward · · Score: 0

    From a book reviewer? "irregardless" is not a word.

    1. Re:is basic literacy too much to ask? by Desler · · Score: 1

      From here

      Irregardless originated in dialectal American speech in the early 20th century. Its fairly widespread use in speech called it to the attention of usage commentators as early as 1927. The most frequently repeated remark about it is that “there is no such word.” There is such a word, however. It is still used primarily in speech, although it can be found from time to time in edited prose. Its reputation has not risen over the years, and it is still a long way from general acceptance. Use regardless instead.

      If it is widely used it IS a word despite all the grammar nazis trying to continually claim otherwise.

  10. Strange choice of products to include by LDAPMAN · · Score: 1

    Leaving out both Novell Sentinel and Net Forensics while including MARS and OSSIM?

    1. Re:Strange choice of products to include by Anonymous Coward · · Score: 0

      ...not to mention the SIEM products from TriGeo, Tripwire, Symantec, NetIQ, LogLogic, SenSage, High Tower, etc.

      How is this not just (1) a blatant advertisement for a book, and (2) a blatant "industry" book with a few screenshots and "insight" provided by a hack that probably only wrote it to get his CISSP CPEs?

      Security is a process, not a product.

    2. Re:Strange choice of products to include by Anonymous Coward · · Score: 0

      I can understand OSSIM, because there is a free version to try out. Is it a full-featured SIEM? No, but if you have some extra time on your hands and you are not experienced with SIEM or cannot afford a full-featured SIEM, I think it is a worthwhile place to start. MARS is hard to understand unless that part of the book was finished before the product was EOL or the author wanted to cover a widely deployed SIEM anyway.

    3. Re:Strange choice of products to include by captainspudly · · Score: 1

      OSSIM fits in, and works for me!

    4. Re:Strange choice of products to include by Anonymous Coward · · Score: 0

      no book can cover every product?

      so what is your point?

      they had to cover a subset of products, so they chose those... that is fair, no?

    5. Re:Strange choice of products to include by Anonymous Coward · · Score: 0

      mee threee!

    6. Re:Strange choice of products to include by Anonymous Coward · · Score: 0

      it is spelled netForensics

  11. Normalizing... by Anonymous Coward · · Score: 0

    Ironic, isn't it, that this is all about normalizing data yet they can't agree on the name of the discipline (SIEM, also known as SIM, SEM, SEIM and others).

  12. Thanks and a comment or two. by Anonymous Coward · · Score: 0

    Thanks for the review, Ben, and glad you liked the book.

    One point that bears mentioning on your comment about AlienVault's OSSIM - " While it is debatable if OSSIM is a SIEM" - I am unclear where the debate comes in. OSSIM and the commercial variant by AlienVault are clearly SIEMs, there isn't a lot outside of gathering and correlating event and network information that defines SIEM and OSSIM clearly does all that. At the time of the writing I was not working with a SIEM vendor nor were any of my co-authors, so there certainly wasn't an embedded bias (I am now with AlienVault, but that occurred after all writing was complete).

    To the comments above, at the time of the initial writing of the book MARS had not been 'effectively end-of-lifed'. The distribution of SIEM products in the world at that time was roughly as follows, which none of the vendors dispute:

      - 10,000 OSSIM deployments
      - 4,000 MARS deployments
      - 2,000 ArcSight deployments
      - 1,000 QRadar deployments

    In the MARS section the fate of the product was updated prior to release, but with the size of the install base and the then unique addition of topology information into MARS it was decided to keep it in. Cisco is such a large player in the overall market - and the specific future of the MARS technology itself (as different from the product) inside Cisco is unforecastable by those outside the company (and imho, even by those *inside* the company) - that we still believe that it was an appropriate product to describe (but yes, we did think hard about it when Cisco showed clear signs of losing interest in the product).

    Any book on SIEM could not be seen as serious without mentioning ArcSight, leaving QRadar and a slew of other SIEM products to fill the remaining space (without turning it into War and Peace). QRadar, we believe, is a good example of the remaining products in the space. As someone who is now intrinsically biased I will leave my commentary on other products for other forums.

    -best

    -chris blask

  14. search seim by k8to · · Score: 1

    SEIM is about knowing the questions you need answers to ahead of time. The reality is, you don't. You need something that lets you find out the answers you know you have right now.

    That's something that can do arbitrary live searches. There's a single largest player in that space, but others will come. Look for them.

    --
    -josh

  15. Re:search seim by Anonymous Coward · · Score: 0

    Can you make sense of the above comment?

    Or do you mean I need a SIEM to do that :)
