4 Replies Latest reply on May 12, 2015 9:03 PM by andy777

    Correlation rules

    atul2651

      Hi folks,

       

      I am working on developing use cases for newly built SOC.

      If anyone can share possible use cases, normal and cross-device correlation rules.

       

      Any help would be appreciated.

       

      Thanks,

        • 1. Re: Correlation rules
          Peter M

          Moved to Business > Event Management (SIEM) for support purposes.

          ---

          Peter

          Moderator

          • 2. Re: Correlation rules
            aszotek

            What data sources are you getting events from?

            Any plans for more data sources to be added to SIEM?

            • 3. Re: Correlation rules
              atul2651

              Hi,

               

              We have Windows servers, firewalls, NIPS, HIPS, Arbor, PIM, web servers, WiFi devices, etc.

              As of now no plan to integrate more devices.

               

              Thanks.

              • 4. Re: Correlation rules
                andy777

                Very briefly, I'll give you an idea of how I work with folks to help them develop correlation rules. The first is to realize that the SIEM is a part of a larger process. The steps we worked through to develop this process are:

                 

                1. Identified the first goal: what are we protecting?

                     - Examples:

                          -Systems with sensitive data

                          -Systems responsible for operational posture

                          -Systems that must be available

                          -General assets

                2. What are the risks against these systems?

                     - Examples:

                          -Exfiltration

                          -Denial of service

                          -Malicious uses

                          -Malware

                          -AUP

                     - We just made our "threat model".

                3. How are these risks mitigated?

                     - Examples:

                          -EPO

                          -NSP

                          -ATD

                          -Targeted DLP

                          -NGFW

                     - Just built a "Security posture".

                4. Now we add a SIEM that includes different correlation methods.

                     - Over 200 out of the box correlation rules

                     - Create custom correlation rules that alert directly on all of the threats that you identified and mitigated in the steps above.

                     - Many correlation rules will never fire due to mitigations. They are in place to alarm when things don't go as expected.

                     - Beyond that, use anomaly baselines, risk-based correlation and heavy use of automated threat feeds to focus on the relevant threats.

                 

                Hope this helps.

                 

                Andy
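
As an added example (not code from this thread or from any SIEM product), here is one way to express a cross-device rule of the kind the original question asks about, following the "alarm directly on the threat you identified" approach from the reply above. The threat is exfiltration after a compromised account: a burst of failed logons followed by a successful logon on a Windows server (Windows Security events 4625/4624), then a large outbound flow from that server through the firewall. The asset table, the normalized event layout, the log entries and the thresholds are all constructed for the example.

```python
# Added example: a minimal two-stage, cross-device correlation rule evaluated
# over constructed Windows Security and firewall events. Not product code.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed asset table, standing in for the SIEM's asset inventory (hostname -> IP).
HOST_IP = {"FS01": "10.1.1.20", "WEB01": "10.1.1.30"}

# Constructed sample events, already normalized the way a SIEM parser would leave them.
# Windows Security log: event_id 4625 = failed logon, 4624 = successful logon.
EVENTS = [
    {"ts": "2015-05-12T09:00:00", "device": "windows", "event_id": 4625, "host": "FS01", "src_ip": "198.51.100.9", "user": "bob"},
    {"ts": "2015-05-12T09:00:10", "device": "windows", "event_id": 4625, "host": "FS01", "src_ip": "198.51.100.9", "user": "bob"},
    {"ts": "2015-05-12T09:00:20", "device": "windows", "event_id": 4625, "host": "FS01", "src_ip": "198.51.100.9", "user": "bob"},
    {"ts": "2015-05-12T09:00:30", "device": "windows", "event_id": 4625, "host": "FS01", "src_ip": "198.51.100.9", "user": "bob"},
    {"ts": "2015-05-12T09:00:40", "device": "windows", "event_id": 4625, "host": "FS01", "src_ip": "198.51.100.9", "user": "bob"},
    {"ts": "2015-05-12T09:01:00", "device": "windows", "event_id": 4624, "host": "FS01", "src_ip": "198.51.100.9", "user": "bob"},
    # Noise: two mistyped passwords then a success from an internal workstation.
    {"ts": "2015-05-12T09:02:00", "device": "windows", "event_id": 4625, "host": "WEB01", "src_ip": "10.0.0.5", "user": "alice"},
    {"ts": "2015-05-12T09:02:05", "device": "windows", "event_id": 4625, "host": "WEB01", "src_ip": "10.0.0.5", "user": "alice"},
    {"ts": "2015-05-12T09:03:00", "device": "windows", "event_id": 4624, "host": "WEB01", "src_ip": "10.0.0.5", "user": "alice"},
    # Firewall "allow" records for outbound flows, keyed by the internal source IP.
    {"ts": "2015-05-12T09:04:00", "device": "firewall", "action": "allow", "src_ip": "10.1.1.20", "dst_ip": "203.0.113.7", "bytes": 12_000},
    {"ts": "2015-05-12T09:05:00", "device": "firewall", "action": "allow", "src_ip": "10.1.1.20", "dst_ip": "203.0.113.7", "bytes": 80_000_000},
    {"ts": "2015-05-12T09:06:00", "device": "firewall", "action": "allow", "src_ip": "10.1.1.30", "dst_ip": "203.0.113.8", "bytes": 90_000_000},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def correlate(events, fail_threshold=5, fail_window=timedelta(minutes=5),
              exfil_window=timedelta(minutes=10), exfil_bytes=50_000_000):
    """Return alarms for: (1) >= fail_threshold failed logons from one source IP
    within fail_window followed by a success, and (2) an outbound flow of at least
    exfil_bytes from the host compromised in (1) within exfil_window of the success.
    Stage 2 only fires for hosts that already tripped stage 1 (cross-device gating)."""
    alarms = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failed logons
    compromised = {}                # host IP -> time of the suspicious successful logon

    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        t = parse_ts(ev["ts"])

        if ev["device"] == "windows" and ev["event_id"] == 4625:
            window = failures[ev["src_ip"]]
            window.append(t)
            while window and t - window[0] > fail_window:   # slide the window
                window.popleft()

        elif ev["device"] == "windows" and ev["event_id"] == 4624:
            window = failures[ev["src_ip"]]
            while window and t - window[0] > fail_window:
                window.popleft()
            if len(window) >= fail_threshold:
                alarms.append({"rule": "brute_force_then_success", "ts": ev["ts"],
                               "src_ip": ev["src_ip"], "host": ev["host"],
                               "user": ev["user"], "failures": len(window)})
                host_ip = HOST_IP.get(ev["host"])
                if host_ip is not None:          # unknown asset: stage 1 only
                    compromised[host_ip] = t
                window.clear()                   # do not re-alarm on the same burst

        elif ev["device"] == "firewall" and ev["action"] == "allow":
            hit = compromised.get(ev["src_ip"])
            if hit is not None and t - hit <= exfil_window and ev["bytes"] >= exfil_bytes:
                alarms.append({"rule": "post_compromise_large_outbound", "ts": ev["ts"],
                               "src_ip": ev["src_ip"], "dst_ip": ev["dst_ip"],
                               "bytes": ev["bytes"]})
    return alarms


if __name__ == "__main__":
    for alarm in correlate(EVENTS):
        print(alarm)
```

The point of the gating is in the last branch: WEB01 also pushes 90 MB outbound, but it never tripped stage 1, so no alarm fires for it. A standalone "large outbound transfer" rule would fire on every backup job; tying it to a prior logon anomaly on the same asset is what turns two single-device events into one cross-device alarm. In a real deployment the host-to-IP mapping comes from the asset inventory and the windows and byte threshold are tuned per environment.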