Just wondering, how many resources do you use to manage your SIEM? I am talking about everything from running, monitoring and tuning the SIEM. I currently manage the SIEM by myself. I am talking hundreds of data sources. Example: 25 firewalls alone, plus servers (Windows, Linux), routers, switches, load balancers, etc... I read a document that said you need a SIEM manager along with some SIEM analysts to form your team. Right now we are running at 290K correlated events a day and 115-120M total events per day. Thanks.
Very good question indeed, I think RSA did a presentation some time ago with regards to an enVision deployment.
I am sitting in the same situation managing the SIEM solution end to end, engaging with the business developing use cases etc.
Would be great if McAfee can provide a guideline on resourcing a SIEM solution so we can put that forward to management.
Thanks for the response. I agree, it would be great if McAfee would offer a suggested SIEM team environment. Maybe someone from McAfee could respond to this discussion. Sure would help.
Good question and I hope others will respond as this is something that I have been trying to convey to our management and am curious how others are staffed with regards to the solution. I currently lead our team that manages the SIEM systems. We have one analyst as well, so two people total to manage it end to end. It's a definite undertaking to keep it healthy, tuned and to dig into those things that need further looking at. From a numbers perspective we have over 1000 data sources, produce over 700K correlated events per day and ingest a little over 105 Million events per day. We don't run a SOC to monitor continuously so if I had to put numbers on a team size I would go with the following:
2 - SIEM managers (To manage health, build out DS and rule sets, correlation rules, etc.)
2-3 SIEM Analysts (To investigate events, alarms, monitor and report)
A team of 5-6 would be a good start, but this also depends on your SIEM size and needs I guess.
We installed NitroSecurity about 3.5 years ago. We have 180 Windows computers, 60+ network devices, one firewall. No Internet access. No Email access. It is an Industrial Control System. All devices run 24x7x365.
Correlation Events : In 2010 30K for the year. In 2011 160K for the year. In 2012 600K for the year. In 2013 1.5MM for the year. So far this year, 620K.
The first year, it was overwhelming dealing with the Correlation events, this new device, and all the events it made us aware of. I recall spending 1/4 to 1/2 of my time trying to get my head into figuring out where to start. My boss said to just start "fixing" items one at a time.
The second year, I learned that Correlation rules get added and change when you upgrade. By then I could tell the difference between false alarms and real alarms. Within days after an upgrade, I could reduce the number of Correlation Alarms by changing them with appropriate filters and Variables.
The third year it became apparent, anytime the Application people upgrade their applications, they make mistakes and overlook things; Yet - Nitro now tells them within 10 minutes as opposed to finding out weeks and months later.
Now, we would not want to have any part of any network without an SIEM. We now can plan changes with a good understanding of reality, which enables us to not disrupt unnecessarily. We now know when things have gone wrong before the users do.
As far as staffing, I don't think the number of people is what Mgt should focus on. I think it's the experience and training of the people that's more important. A SIEM Analyst is not a junior position. It is not a development position. To be successful, the person must understand Networking, Firewalls, Microsoft OS / AD / DNS along with paying attention to SANS recommendations along with the applications being used. The person must also be good at dealing with vague data and searching the Internet for how things are really done. The person must also be good at creating documentation. Once items are solved, staff must be made aware of what not to do. I find most people just don't have a good understanding of Microsoft under-the-hood items.
When I read in this community the huge numbers of devices and events, I feel your angst. Yet, I remember my angst.
Remember, "That which does not Destroy you, Makes you Stronger!"
Message was edited by: tlcrain on 3/24/14 11:21:10 AM CDT
I partially agree, however, you have to consider the resources. Especially for a complex system like a SIEM. In my case and others, it's a one man show. We have about 1.8 million correlated events a week. Lot of noise and this has to get looked into. One person isn't going to cut it. I'm curious to know your team set up. Thanks.
In my situation (Industrial Control System), there is not as much change as in a Business IT environment. There is no E-mail. There is no Internet. Users can not copy files or install anything. I spend about 15% of my time on SIEM ALARMS, Queries, Reports, upgrades etc. 50% is spent on investigation / changing / documenting / responding to Alarms in the environment being monitored by the SIEM. But this is after 3 years of resolving nuisance alarms within a very stable environment with only 180 Windows computers. No one else touches the SIEM but me. The ALARMS and reports I've set up go to 3 others. Some they deal with and some I deal with. My goal is to get to NO correlation events. This weekend we got 6. Wonderful....
I know more monitored devices means more time on the SIEM and underlying Investigations/changes/documentation. Takes me about 15 minutes per device to add and ensure it's working. So if I had to add 30 devices a day, that's all I'd be able to do.
My gut feeling is that if I had to take on 10 times the number of devices in an environment with e-mail and Internet and users installing software and copying files, I couldn't ever get close to 6 correlation events just due to the amount of changes in the monitored environment.
Thanks for the response. We have email, Internet, etc...... One of my biggest challenges is when I open a few tickets to investigate issues, I find myself working with Network, Server systems, etc... This calls for a lot of time of coordinating and determining the impact if any. 117K correlated events at 11:00 a.m. so far today.
When you have that many correlated events, there are probably a lot of "false-positives". For example in the "out-of-box" configurations, where Active Directory Controllers are configured as data sources, there are a lot of events like "the same user logon from different computers" and so on.
If you have a similar situation you probably should add (for example) an AD Servers system variable, then copy the standard correlation rule, then apply the additional filter (destination ip not in AD Servers), disable the standard rule and enable the new rule. So: tuning, tuning and tuning.
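A small model of the tuning step described in the post above, added here as an illustration and not taken from the thread or from McAfee ESM: the "same user logon from different computers" correlation is run over constructed Windows logon events once untuned and once with the "destination ip not in AD Servers" exclusion, so the drop in false positives can be seen. The `AD_SERVERS` set and the sample events are hypothetical stand-ins for the ESM system variable and real data sources.

```python
# Added example, not from the original thread. Models the AD-server exclusion
# applied to a "same user logon from different computers" correlation rule.
from collections import defaultdict

# Constructed sample events: (user, source_host, destination_ip_of_logging_host).
# Domain controllers log network logons generated by share access, so the same
# user appears with a second "computer" (FS01) even though it is one session.
SAMPLE_EVENTS = [
    ("alice", "WS01", "10.0.0.10"),      # interactive logon validated by DC1
    ("alice", "FS01", "10.0.0.10"),      # network logon for share access, also on DC1
    ("alice", "WS01", "10.0.50.9"),      # the same session as seen by the file server
    ("bob",   "WS07", "10.0.0.11"),      # interactive logon validated by DC2
    ("bob",   "FS01", "10.0.0.11"),      # share access logged by DC2
    ("carol", "WS03", "10.0.50.9"),      # logon to the file server from WS03
    ("carol", "LAPTOP-9", "10.0.50.9"),  # same user from a second machine: real hit
]

# Hypothetical equivalent of the "AD Servers" system variable from the post.
AD_SERVERS = frozenset({"10.0.0.10", "10.0.0.11"})


def correlate_multi_host_logons(events, exclude_destinations=frozenset()):
    """Return {user: sorted source hosts} for every user seen logging on from
    more than one source host. Events whose destination is in
    exclude_destinations are dropped first, which is the effect of the
    'destination ip not in AD Servers' filter on the copied rule."""
    hosts_by_user = defaultdict(set)
    for user, src, dst in events:
        if dst in exclude_destinations:
            continue
        hosts_by_user[user].add(src)
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) > 1}


def untuned_alarms(events=SAMPLE_EVENTS):
    """Out-of-box rule: every DC-logged share access becomes an alarm."""
    return correlate_multi_host_logons(events)


def tuned_alarms(events=SAMPLE_EVENTS):
    """Copied rule with the AD Servers exclusion: only the real hit remains."""
    return correlate_multi_host_logons(events, exclude_destinations=AD_SERVERS)


if __name__ == "__main__":
    print("untuned:", untuned_alarms())  # alice, bob and carol all fire
    print("tuned:  ", tuned_alarms())    # only carol fires
```

The exclusion is by the logging host's address, so a genuine multi-host logon that is only ever seen by a domain controller would also be suppressed; the post's advice to keep tuning applies to checking that trade-off.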