During the last few penetration tests we conducted for certain organizations, we discovered a surprising fact: almost all of the SIEM implementations had gaps at the implementation level. For example, in certain cases the SIEM did not detect anything at all while the internal network was being subjected to rigorous penetration testing.
I am not saying that all SIEM implementations are as bad as stated; however, it is mandatory to find out whether your SIEM implementation is actually as effective as you perceive it to be.
How to find out if your SIEM implementation is effective?
Following are a few steps you can take to find out whether your SIEM implementation is effective.
Ask the Right Questions: One of the best ways to gauge the effectiveness of a SIEM implementation is to ask your security team certain questions. Some of my favorite questions are as follows:
1. Does your SIEM dashboard have too many non-actionable alerts? If yes, the SIEM is either not monitoring the right metrics, or alerts are not prioritized, or alerts are not linked to actionable tasks.
2. Does your SIEM display and report critical metrics on its dashboards?
3. Does your SIEM dashboard support drill-down functionality? If not, your security team is probably spending too much time finding out the details of critical alerts that are probably false positives.
4. Does your SIEM detect early signs of attacks on internal and external networks? Some of the early signs of attacks are ping sweeping, port scanning, service fingerprinting and crawling of web apps.
5. Does your SIEM detect classical internal network attacks like ARP poisoning, MITM attacks, exploitation, and new devices connecting to the network? If not, your internal networks are probably at high risk of being misused by internal attackers, malware, viruses etc.
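Question 4 above asks whether the SIEM catches early signs such as ping sweeps and port scans. As an added example (not from the original post or from any SIEM product), the following Python sketches the kind of sliding-window correlation rule a SIEM should implement for this: a port scan is one source hitting many distinct ports on one destination within a short window, and a ping sweep is one source sending ICMP to many distinct hosts within a short window. The log format and sample lines are constructed for the example; the thresholds and window are assumptions to be tuned for your network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow-log lines in a hypothetical format (not any vendor's):
# "<ISO timestamp> <src-ip> <dst-ip> <proto> <dst-port or ->"
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 10.0.1.10 tcp 21
2024-01-01T10:00:01 10.0.0.5 10.0.1.10 tcp 22
2024-01-01T10:00:01 10.0.0.5 10.0.1.10 tcp 23
2024-01-01T10:00:02 10.0.0.5 10.0.1.10 tcp 25
2024-01-01T10:00:03 10.0.0.5 10.0.1.10 tcp 80
2024-01-01T10:00:10 10.0.0.9 10.0.1.1 icmp -
2024-01-01T10:00:10 10.0.0.9 10.0.1.2 icmp -
2024-01-01T10:00:11 10.0.0.9 10.0.1.3 icmp -
2024-01-01T10:00:11 10.0.0.9 10.0.1.4 icmp -
2024-01-01T10:00:12 10.0.0.9 10.0.1.5 icmp -
2024-01-01T10:05:00 10.0.0.7 10.0.1.10 tcp 443
2024-01-01T10:09:00 10.0.0.7 10.0.1.10 tcp 80
"""

def parse(log_text):
    """Yield (timestamp, src, dst, proto, dport) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 5:
            yield (datetime.fromisoformat(fields[0]), *fields[1:])

def window_hits(keyed, window, threshold):
    """Keys whose events contain >= threshold distinct values inside one sliding window."""
    hits = []
    for key, items in keyed.items():
        items.sort()
        seen = []  # (timestamp, value) pairs inside the current window
        for ts, value in items:
            seen.append((ts, value))
            while ts - seen[0][0] > window:  # drop events that fell out of the window
                seen.pop(0)
            if len({v for _, v in seen}) >= threshold:
                hits.append(key)
                break
    return sorted(hits)

def detect(log_text, window=timedelta(seconds=60), ports=5, hosts=5):
    """Flag port scans (one src, one dst, many ports) and ping sweeps (one src, many ICMP dsts)."""
    by_pair, by_src = defaultdict(list), defaultdict(list)
    for ts, src, dst, proto, dport in parse(log_text):
        if proto == "tcp":
            by_pair[(src, dst)].append((ts, dport))
        elif proto == "icmp":
            by_src[src].append((ts, dst))
    return {"port_scan": window_hits(by_pair, window, ports),
            "ping_sweep": window_hits(by_src, window, hosts)}
```

Note that the slow two-port probe from 10.0.0.7 is not flagged with the default 60-second window; a rule like this has to be tuned (and paired with longer-baseline rules) or a patient scan will slip past it, which is exactly the kind of gap a penetration test exposes.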
Conduct a Penetration Test: One of the best ways to verify your SIEM implementation is to conduct a penetration test on your network. Ideally, do not notify your SIEM monitoring team, and be ready for a few surprises.
3rd Party SIEM Review and Auditing: Get your SIEM implementation (primarily configuration and integrations) reviewed and audited, either by external vendors or by a different internal team.
Finally, create an actionable plan to bridge any gaps that you have discovered in your SIEM implementation.
Courtesy: iViZ Blog (Author: Jitendra Singh Chauhan)
Source: http://www.ivizsecurity.com/blog/penetration-testing/how-effective-is-your-siem-implementation/
What are your tips for SIEM Implementation? Share your thoughts in the comments below.