You are in lucky. You have an open minded DBA who supports security as a necessity. In my point of view you should start with small things, such as:
- Login Errors correlated with network attackers;
- Stablish a network flow of data and start to understand your network, backup routines and other jobs;
- Try to associate badge systems with network logins without VPN.
- Associate system navigation with non-standard working hours.

I believe with this brief rules, you can start doing your point.

Hope it helps

Hi there,
to really go beyond, start thinking about create rules that can say something to your company. Something like: If you could generate incidents from diferent logs and prove a fraud by combining them, you are in the right path. But always keep in mind to be focused where your company does the money or loose the money.
From there you can attract managers and directors attention. I've done this way and now everytime we detect an incident we are heard.
And no matter wich tool you choose to be your SIEM, the response quality is the object to be achieved.
As an example: If you get hit by a DDOS, your SIEM will not be able to handle so much trafic logs from the firewall and the same will happen to your IPS/IDS. But if you can say: we are loosing money, because I got multiple logins to our sales portal using the same userid/password and the responsible for this userid was fired 3 months ago.
This will attract their attention for sure!

Hello Sharabh,

If I really understand your question, you are searching for papers to guide you in aspects of what steps should be taken to really know your security environment, your deficiencies and security posture.

Take a look into this:
http://www.sans.org/reading_room/whitepapers/testing/guidelines_for_developing_penetration_rules_of_behavior_259

Regards

I worked w/ Novell's Sentinel. It's a great tool, very fast interface and you can set commom commands you migth use during your workday, but it's very hard to get it up and running and also, you should have a specialized person to keep it running smooth.
Also, you have to learn a new rule syntax to get your things done. Yep. it is proprietary query language. This way you may loose something important if you are not very skilled in their querying language.
Another one you can use is IBM's TSOM. It's java, but it is fast. Cool Interface, easy to use, but it isn't very pratical. All rules you can create are based in closed statements, so you can't script your way out to get incidents.
You can set your prefered commands to be a right-click for from lyou, we are having some bug issues here, but afterall it's a good SIEM.

Rodrigo Salvalagio