It actually depends; there are many things to consider, and one of them may be the network traffic generated.
Since there are multiple methods for data collection, you should decide which way you want to go forward.
If you have some more specific questions, please let me know so we can assist.
This might be an excellent question to consult your networking admins on. In a regulated environment you may have many different zones where servers and/or appliances exist. They (the network admins) will likely be able to tell you where best to place it. Likely it will end up in a management network zone/internal core/server zone. The placement of the receivers is more critical, as they are the workhorses of getting and receiving your events.
I believe they are using a combo device, which is all-in-one, so all of the traffic will be passing to that device over the network, which is not the best.
Wow, you have a tough job and I feel for you... Did the person(s) buying the SIEM just go "Let's get this Magic Quadrant product and get Anis to go implement it"? Sounds like there has been no planning at all, which is a must prior to purchasing something like this.
The buyer should have required a team of "the security guy" plus the top folks from Network, System Admin, and CISO/ISSO to help with a purchase of this nature.
Not even sure slicing up VLANs for all you want to cover is going to cut it. Are you just doing SYSLOG for most things other than applications? You could possibly route the segment syslog servers to your single ESM combo box... but how many EPS (Events Per Second) will that generate?
You might want to do some more research yourself, which could possibly lead to suggesting the purchase of a few receivers and an ADM in addition to what you have, to cover what you stated above.
I wish you luck.
Did they just purchase the one combo appliance, so your ESM, ELM, and Receiver are all in one box?
If so - I hope you have a small environment, and a low data retention time frame.
How many Data Sources do you estimate you will have? Data Sources being the individual Servers (Windows/Unix/AIX/Linux), Firewalls, IPS, Switches/Routers, etc. that you will be collecting logs for?
We have individual appliances, with our ESM, ELM, ACE (2 of them - Real-time and Historical), APM, DSM, and several receivers are in one VLAN which has now been moved behind Firewall Segmentation. We also have a Receiver in the DMZ, as well as at our DR site, and the DR DMZ, and 4 receivers at other remote locations with large operations.
We also have a separate, smaller implementation in the UK due to EU privacy issues, with the ESM, ELM, ACE and Receivers in a firewall-segmented VLAN. Remote branch locations have minimal servers to monitor and should not be a concern on bandwidth.
Hey there!!! I feel your pain, as management seems to think you plug it in, turn it on and you're done. However, having been in those shoes, I ran into many issues, as I have an environment with 3 separate data centers, branches in 4 countries and 5 states, and could not find any real help. Not even from professional services, as my company didn't pay for that type of support. There are many considerations that need to be made; however, it's actually pretty simple to get up and running and build on that. So, the initial setup is important, and you want to start out on the right path.
Ultimately, I created my own deployment plan by utilizing:
- Security Maturity Model
- ITILv3 - https://www.sans.org/reading-room/whitepapers/iso17799/security-controls-service-management-33558
- IR (Incident Response) handbook from SANS - https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
- ITIL security management is based on the ISO 27001 standard - ITIL security management (Wikipedia, the free encyclopedia)
I could provide more assistance; however, you seem to be missing a VERY important component. Where is your receiver? You need at the very least a receiver and an ESM to have your "SIEM".
Can you please share your deployment plan (high level) if possible?