7 Replies Latest reply on Oct 4, 2016 9:39 AM by rakusust

    SIEM Implementation Planning

    anis.mohd

      Hi All,

      My Company has purchased ne SIEM Appliance (ETM 5600-ELM). I am looking for help in planning implementation of SIEM Appliance. My question is, where or in which Zone I should place the appliance. Management wants to monitor LAN, WAN, Applicationd, DMZ (ALL) using this appliance. Please suggest further. Also suggest if any exact documentation is there for planning implementation if SIEM Appliance.

       

      Thanks & Regards

       

      Anis

        • 1. Re: SIEM Implementation Planning
          alexander_h

          Actually depends, there are many things to be considered and maybe one of them will be the network traffic generated.

          Due to the fact that there are multiple methods for data collection you should decide what will be your way forward.

          If you have some more specific questions please let me know so we could assist

          • 2. Re: SIEM Implementation Planning
            nitron00b

            This might be an excellent question to consult with your networking admins on. In a regulated environment you may have many different zones where servers and/or appliances exist. They (network admins) will likely be able to tell you where to best place it. Likely it will end up in a management network zone/internal core/server zone. The placement of the receivers is more critical as they are the work horses of getting and receiving your events.

             

            Capture99.PNG

            • 3. Re: SIEM Implementation Planning
              alexander_h

              I believe they are using Combo Device which all in one so all of the traffic will be passing to that device over the network which is not the best

              • 4. Re: SIEM Implementation Planning
                rcavey

                Wow, you have a tough job and I feel for you....   Did the person(s) buying the SIEM just go " Let's get this magic quadrant product and get Anis to go implement? "  Sounds like there has been no planning at all which is a must prior to purchasing something like this.

                 

                The buyer should have required a team of "the security guy" plus any the top folks from Network, System Admin, and CISO/ISSO to help with the purchase of this nature.

                 

                Not even sure slicing up VLAN's for all you want to cover this is going to cut it. Are you just doing SYSLOG for most things other than applications? you could possibly route the segemeny syslog servers to your single ESM combo box.... but how many EPS ( Events Per Second ) will that generate?

                 

                You might want to do some more research yourself which could possibly lead to suggesting the purchase a few receivers and an ADM in addition to what you have to cover what you sated above.

                 

                I wish you luck.

                • 5. Re: SIEM Implementation Planning
                  rth67

                  Did they just purchase the one combo appliance, so your ESM, ELM, and Receiver are all in one box?

                  If so - I hope you have a small environment, and a low data retention time frame.

                   

                  How many Data Sources do you estimate you will have? Data Sources being the individual Servers (Windows/Unix/AIX/Linux), Firewalls, IPS, Switches/Routers, etc. that you will be collecting logs for?

                   

                  We have individual appliances, with our ESM, ELM, ACE (2 of them - Real-time and Historical), APM, DSM, and several receivers are in one VLAN which has now been moved behind Firewall Segmentation. We also have a Receiver in the DMZ, as well as at our DR site, and the DR DMZ, and 4 receivers at other remote locations with large operations.

                   

                  We also have a separate smaller implementation in the UK due to EU Privacy issues, with the ESM, ELM, ACE and Receiver's in a Firewall Segmented VLAN. Remote Branch locations have minimal servers to monitor and should not be a concern on bandwidth.

                  • 6. Re: SIEM Implementation Planning
                    pepelepuu

                    anis.mohd

                    Hey there!!! I feel your pain, as management seems to think you plug it in, turn it on and your done. However, having been in those shoes, I ran into many issues, as I have a environment with 3 separate data centers, branches in 4 countries, and 5 states and could not find any real help. Not even from professional services, as my company didn't pay for that type of support. There many considerations that need to be made, however it's actually pretty simple to get up and running, and build on that. So, the initial setup is important, and you want to start out on the right path.

                     

                    Ultimately, I created my own deployment plan by utilizing:

                    I could provide more assistance, however you seem to missing a VERY important component. Where is your receiver? You need at the very least a receiver and and ESM to have your "SIEM".

                    • 7. Re: SIEM Implementation Planning

                      Hey pepelepuu,

                       

                      Can you please share your deployment plan (high level) if possible?

                       

                      Thanks,
                      SP