New to SIEM product.
We are overwhelmed with the amount of data and information and not sure what to look at or collect? Question from experienced users - what information should be provided to the management on the daily basis which can justify the purchase of McAfee SIEM, Daily Malware report, Number of attacks??
Has anyone created a daily run book for the SIEM environment?
Zahid inbox me.
I understand, however keep in mind what the SIEM really is, and how it works. It's just a dumbass box that inhales data. PERIOD.
The genius of it comes from the other components and how they are configured. Asking for the daily run book, is like a first time parent looking for a "How to parent" book. No two environments are the same.
I wish the McAfee SE's and sales people would assist more in this area as this is where people get frustrated and run away from this product.
I have been working with SIEM for about 4 years, in different environments, obviously different versions, however depending on the audience (or set of expectations) the runbook changes or varies. I can show you how to make one using what you already have inhouse, and what come with the SIEM OOBE.
Hope this help...
Feel free let me know if you have questions....
PS... no not a McAfee employee, affiliate etc... I'm just a customer like you.
Well its like you have taken me back into past, Well we purchased SIEM almost 8 months back and seemed to hit a road block because we were looking for the same answer as you are.
What you need to collect is totally dependent on your setup , like what you have installed.
In case you have Web servers you would really like to collect access logs , For a setup with loads of users you need authentication logs, logs from antivirus server etc. Trust me it will take time but slowly you will recognize what your requirement is.
In case you need help feel free to msg me,.
I agree with your comments. It is a river of information and needs to be filter depending on the business environment. We are focusing on authentication logs as it is the door to the network and making sure that correlation rules are in place for administrative access from multiple sites. There should be top picks for the new admin to SIEM from a security eye which may be called a RUN book. This report can be generated on the daily basis to investigate anomalies.
I've had this product for about 2 years now. My suggestion would be to understand why you got the SIEM in the first place. Ignore the fact that there is a lot of data, and understand what data you want out of it. We have a HIPAA obligation, so we created processes and reports around HIPAA. Then there was firewall information we wanted to look at. After that there were other use cases that were created in the Expert Center. Hope this helps you as much as it helped me.
Hi Zahid and Rick
I agree with the comments posted above the answer depends on what you are looking for, but its not really a useful answer I know. I have been working with various SIEM and data analysis tools for some years now, and this question keeps coming back unless you have a specific use case in mind. Keep in mind that the longer you run the solution the more effective it is at trending the huge amount of data that it is processing. This is a key feature that allows one to start to recognise activities that are outside the normal operating parameters of your organisation. Another key concept is that the SIEM is like an alarm system, it will alert you to many issues or potential issues but unless each one is investigated and analysed and then the solution adjusted if necessary you will not get the results that you are looking for.
A first step to see what the solution does out of the box is to browse through all the dashboards that are available, there are many dashboards some of which seem to be duplicated but actually display the data in different ways. which could be useful depending on what you are looking for. Each dashboard can be run as a report for your management, and these reports can be scheduled. I find the executive dashboards are a good place to start. Then look through the compliance dashboards. In each case when you se something that looks interesting you can edit the dashboard and customise the queries to suit your particular needs, then save the dashboard as a custom dashboard for future use and reporting.
There are also content packs that can be imported that will provide additional views into the data. I suggest you stay away from alarms and cases initially until you are more familiar with the type of information that is ingested into the solution. If you setup alarms and cases but do not action them you are defeating the object of being alerted to issues, just like a car alarm in a parking lot is useless unless someone goes over and checks what is going on. When you're ready there are use cases on this site that can help you setup some alarms if you feel ready to go down that route.
To me one of the most important uses for the SIEM is to visualise the activities on the network, I want to see who went where when. Then see if the right person or application connected to a safe place, or did the wrong application or person try to connect to something they shouldn't. These are simplified examples, as I am not trying to write a book here. There is plenty research on the web that can help you further, happy reading