.

SIEM and incident response

<<

munch137

Newbie
Newbie

Posts: 7

Joined: Fri Feb 20, 2009 3:19 pm

Post Fri Aug 28, 2009 4:06 pm

SIEM and incident response

Has anyone had experience in utilizing their SIEM solution as part of incident response? I'm looking for systems that go beyond SEM and log aggregation/archiving. Something like MARS, eIQ, QRadar, ArcSight, etc... Comment on ease of use, time it saved, etc.  I'm trying to build business cases for SIEM for customers under PCI and GLBA.
MCSD, CISSP, OSCP - I just hacked your computer and ate all your cookies
<<

Dengar13

User avatar

Sr. Member
Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Sat Aug 29, 2009 9:34 pm

Re: SIEM and incident response

Have you researched any ROI documents from these solutions?  This may give some hard facts as well.  Also, you may want to ask a third-party vendor(s) for this information as well since they probably have a vast amount of customers that have bast information with them.
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sun Sep 06, 2009 11:45 pm

Re: SIEM and incident response

I use it MARS and I like it. The real advantage is being able to quickly find potential incidents and the associated events. I don't have any ROI numbers or anything but it saves me a LOT of time.
twitter.com/timmedin | http://blog.securitywhole.com
<<

Salvalagio

Newbie
Newbie

Posts: 4

Joined: Sun Oct 19, 2008 2:15 pm

Post Wed Jun 02, 2010 2:06 pm

Re: SIEM and incident response

Hi there,
to really go beyond, start thinking about create rules that can say something to your company. Something like: If you could generate incidents from diferent logs and prove a fraud by combining them, you are in the right path. But always keep in mind to be focused where your company does the money or loose the money.
From there you can attract managers and directors attention. I've done this way and now everytime we detect an incident we are heard.
And no matter wich tool you choose to be your SIEM, the response quality is the object to be achieved.
As an example: If you get hit by a DDOS, your SIEM will not be able to handle so much trafic logs from the firewall and the same will happen to your IPS/IDS. But if you can say: we are loosing money, because I got multiple logins to our sales portal using the same userid/password and the responsible for this userid was fired 3 months ago.
This will attract their attention for sure!
<<

crossover

Newbie
Newbie

Posts: 21

Joined: Thu Apr 01, 2010 1:39 pm

Post Sat Jun 05, 2010 3:28 pm

Re: SIEM and incident response

Well I use Envision and Arc Sight. I would say Arc Sight is far better product than any other SIEM in the Market ( you should check with arc sight for various tools/appliance they offer  But it has to depend lot on your company budget and needs.

SIEM gives you a true picture of how your network is being used, and by whom. It independently monitors your network to verify security policies, to generate alerts for possible compliance breaches, and to analyze and report on network performance. There are 3 core areas.

1 ) Simplying Compliance – Produce targeted compliance reports for regulations
   and internal policy
2) Enhancing Security – Perform real time alerting analyze security incidents.  
   Conduct detailed forensic    analysis.
3) Optimizing IT & Network Operations – Monitor and identify issues across a
   wide range of IT Components
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Jun 15, 2010 7:08 am

Re: SIEM and incident response

munch137 wrote:Has anyone had experience in utilizing their SIEM solution as part of incident response? I'm looking for systems that go beyond SEM and log aggregation/archiving. Something like MARS, eIQ, QRadar, ArcSight, etc... Comment on ease of use, time it saved, etc.  I'm trying to build business cases for SIEM for customers under PCI and GLBA.


I'm a big fan of OSSIM which uses a slew of open source tools, Snort, Nagios, OpenVAS, etc., and one of the main reasons why I like it is that you could easily program slash tailor it to do what you need it do it unlike other closed source (Windows) applications. With that said, SIEM for incident response means little if your staff isn't vigilant on monitoring what is going on. For example, let's imagine a new 0day on the market. Most SIEM's, IDS' (which are the core of SIEM anyway), IPS, etc., won't have the proper signatures to detect what is going on. An event will solely be an anomaly. Is your staff vigilant enough to investigate further?

With OSSIM, SIEM goes a little further in my opinion. Not only are you capable of the typical "assessments" you can use it to alert yourself and tailor responses. E.g.: If EventA then Perform ActionB it's all a matter of know how and this could be said for most SIEM's to a degree. I so happen to like OSSIM because of its *nix based root. This allows me to do things like create ssh session keys, create rules on the fly and have those rules pushed to other machines.
<<

Darktaurus

User avatar

Full Member
Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Tue Jun 15, 2010 10:30 am

Re: SIEM and incident response

Has anyone ever used the SIEM (NitroView Enterprise Security Manager (ESM)) or QRadar?  It seems like SIEM can help get an organization SAS70 certified.  It was noted that "SIEM gives you a true picture of how your network is being used, and by whom. It independently monitors your network to verify security policies, to generate alerts for possible compliance breaches, and to analyze and report on network performance" but has it ever overwhelmed anyone here with false positives?
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com
<<

malvara

Newbie
Newbie

Posts: 1

Joined: Tue Sep 07, 2010 5:31 pm

Post Tue Sep 07, 2010 5:39 pm

Re: SIEM and incident response

I've actually looked at a couple of solutions including ArcSight and RSA.  They both have similar capabilities, but the downside to both of these is the cost.  I'm currently testing out a vendor named HAWK Security Network Defense which has the same, if not more custom/correlating capabilities.  One of my friends referred me to them.  So far I've been pleased with their proof of concept, and price wise, they're not event half of what the others cost.  Hope this helps. 
<<

Dark_Knight

User avatar

Sr. Member
Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Tue Sep 07, 2010 6:27 pm

Re: SIEM and incident response

Anyone have experience with LogRhythm? Or has anyone tried to "retrofit" Splunk into behaving like a SIEM?
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

ziggy_567

User avatar

Sr. Member
Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Wed Sep 08, 2010 8:33 am

Re: SIEM and incident response

Splunk is great!

I use Splunk daily. It is very intuitive once you get it installed and running. I am still running version 3 b/c you don't get alerts with the free version of 4.*, so what I am about to say may not be the case with the most up to date version, but it can be a little slow depending on your configuration. I have Splunk reading roughly 1200-2000 files worth of syslog data, and it takes anywhere from 5 mintues to 20 minutes for an event to show up in the interface. So, its not "real-time" and it doesn't do correlation like ArcSight, but its a great option if you don't have the money that ArcSight costs...
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

pseud0

User avatar

Recruiters
Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Wed Sep 08, 2010 8:12 pm

Re: SIEM and incident response

Just an observation for the folks that are debating between the tools that are commonly viewed as the top tier (Arcsight, envision, etc) and "the others".  The top tier systems will be costly out of the box, but if your organization doesn't have heavy technically skilled resources in house it might be worth it.  The platform vendors spend a significant amount of time and energy trying to make their systems "plug and play".  They'll have modules/plug-ins that will make them work with most conceivable devices (OSs, network devices, vulnerability scanners, GRC, etc) so they are easier to roll out and maintain.  The "other" systems can be just as capable and powerful, but they can be a bit more involved in getting fully deployed and functional especially in large enterprise environments.  For organizations that have the proper staff this can be feasible, but for folks that try to do SIEM on the cheap with a staff of security generalists they can be playing with fire.
Last edited by pseud0 on Wed Sep 08, 2010 8:14 pm, edited 1 time in total.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

Return to Incident Response

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software