Tips To Buy And Implement SIEM Solution

Use the following checklist to make sure you are on the right track to choosing your first or next SIEM solution. The whole process takes 1-4 weeks depending on your dedication and vendor availability. Remember, the worst thing you can do is rush through the first four steps:

  • Write a plan

Write down all the steps you anticipate, and maintain documentation and progress tracking during all stages. Put rough deadlines in place and start communicating with stakeholders.

  • Justify the need

This will help you gain a better understanding of the criteria later, but generally I would recommend this for any type of information security project. This step ensures you are not getting a SIEM just because it's out there, or just because you have some spare money and other resources to spend.

Ask yourself, your IT team, or even the manager who assigned you the task: why do we need a SIEM? What type of problem is it going to resolve? What will our world look like after SIEM? Is this for the sake of compliance, customer expectation, market pressure, or as an enhancement to the visibility of your environment?

  • Scope

Scoping gives you a better understanding of the environment. Specifically with a concept like SIEM, the moment you start thinking about scope, you realize how far behind you might be in preparing your environment.

  • Budget based on Risk

Budgeting based on your pocket is like overeating on purpose when you know it's bad for you. Budgeting without risk consideration neutralizes all the other steps. I consider this step so fundamental that ignoring it shows there is no understanding of the whole subject of information security within the organization.

A simple risk assessment can give you the right budget, but unfortunately that assessment most of the time does not exist, so you have to create something from scratch just to support SIEM budgeting. Assess the risk of not having enough visibility and detection in certain areas of IT operation, and evaluate the risk factors. Once you start this process you will realize how naive most SIEM solutions in the market right now are, and how narrow the vision they were designed with.

  • Define criteria

During the previous steps you should be able to compile a criteria list. The more precise the criteria, the easier the initial vendor selection. Without criteria there is no point in even browsing a vendor website. With criteria in hand, you can easily check vendors in and out in the next step.

You should compile a list of things like: the primary objective (compliance, risk or threat management); architectural questions such as managed or self-operated, on-premises or cloud; interface and performance; type of log and data collection; integration considerations; correlation capabilities; intelligence feeds; remediation and response; and…

  • Identify targeted platforms

First you need to list SIEM vendors. There are tons of them out there, and don't assume that a good SIEM is a matter of how long a company has been doing this or how well the brand is known. Vendor reputation is a big factor and can be part of your criteria, but do not confuse reputation with brand: not all known brands are necessarily better. Research and learn from vendors; read all the white papers they provide, and if they are not willing to share them via their website it is not a good sign, but don't be discouraged and go for a meetup. Here is a starting list of vendors/solutions:

AlienVault, Cygilant, EventTracker, HP, IBM, LogRhythm, McAfee, NetIQ, Proficio, Rapid7, RSA, Solarwinds, Stratozen, Splunk…

…remember, all are good and all are bad; it depends on your criteria.

  • Meetup with vendor

Nothing beats a short call; if you get the signal, go for a video presentation and have them demo. Never direct the vendor: let them manage the meeting and content, listen to their questions, and start your evaluation from the first call. Most vendors do not reveal anything alarming over email or regular phone calls, so insist on a demo and meet their technical team. Ask about your criteria, but in the meantime listen to what they reveal and how. Based on your situation you may be more focused on how they execute, or on how they help you set up and run on-premises.

  • Launch trials

Trials are the best time and tool for evaluation, and also a sign of how comfortable and confident a vendor is. I personally would not even consider a solution if the vendor is not willing to give you a chance to try it. Trials are not just for finding glitches; they are mainly to refine your criteria and turn expectations into real-world scenarios. Always let a vendor know if you go with a different one; you never know when the next time to call them will be, so be professional and respect marketing manners.

  • Evaluate

Now it is time to evaluate. Between materials, meetings and trials, most of the time you get the answer within the first 3-4 days of a trial. Justify any compromise on a predefined criterion, and never hesitate to redefine or refine criteria, but never forget the justification. Sometimes you have to re-assess a risk if you need to revise your criteria.

  • Prepare environment

Jumping into implementation without preparing your environment is not a good idea. Now it is time to go through all the details and technical requirements you should have planned for during scoping. Prepare VMs, cloud apps and the smallest things like SNMP and Windows Event Forwarding; this is the time for your technical team to show off. You should not have any problem if scoping was rational, but most companies run into multiple issues at this stage because of a lack of scoping early on.

  • Implement

Meet the deadline and kick off; this is going to be a big milestone for your IT security operation.

  • Tune

Noise is the nature of SIEM, so plan for tuning based on the size of the company and/or the scope of the system. This should be part of your baselining process anyway (if you have one); without proper baselines your team will be confused and stressed for a longer time.
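Tuning starts from a baseline: once you know what a rule normally produces per source, you can tell steady noise (which needs a threshold, aggregation or suppression) from a real deviation that deserves an analyst. The Python below is an added example written for this page, not code from the original post or from any vendor's product; the daily event counts are constructed, and the host and rule names are hypothetical.

```python
from math import ceil
from statistics import mean, pstdev

# Constructed baseline: daily event counts per (host, rule) over the last seven
# days, as a SIEM would report them. Hosts and rule names are hypothetical.
BASELINE = {
    ("fw01", "port-scan"):    [1200, 1150, 1300, 1250, 1180, 1220, 1210],
    ("dc01", "failed-logon"): [40, 35, 50, 45, 38, 42, 44],
    ("web01", "waf-block"):   [300, 280, 310, 295, 305, 290, 300],
}

# Constructed counts for the day being reviewed.
TODAY = {
    ("fw01", "port-scan"): 1230,
    ("dc01", "failed-logon"): 400,
    ("web01", "waf-block"): 298,
}


def baseline_stats(history, min_sd=1.0):
    """Mean and (floored) population standard deviation of a daily series.

    The floor stops a perfectly flat history (sd == 0) from flagging every
    tiny change as an anomaly."""
    return mean(history), max(pstdev(history), min_sd)


def classify(count, history, z=3.0, noise_floor=1000):
    """Label today's count for one (host, rule) pair.

    anomaly: above mean + z*sd, a real deviation worth an analyst's time.
    noise:   inside the normal band but firing at a high steady rate; a
             tuning candidate (threshold, aggregation or suppression).
    normal:  inside the normal band at a sustainable rate."""
    avg, sd = baseline_stats(history)
    if count > avg + z * sd:
        return "anomaly"
    if avg >= noise_floor:
        return "noise"
    return "normal"


def suggested_threshold(history, z=3.0):
    """Alert threshold that lets a noisy rule fire only above its normal band."""
    avg, sd = baseline_stats(history)
    return ceil(avg + z * sd)


def tuning_report(baseline, today):
    """Map each (host, rule) pair to its label, plus a threshold for noisy rules."""
    report = {}
    for key, history in baseline.items():
        count = today.get(key, 0)
        label = classify(count, history)
        entry = {"label": label, "today": count}
        if label == "noise":
            entry["suggested_threshold"] = suggested_threshold(history)
        report[key] = entry
    return report


if __name__ == "__main__":
    for key, entry in tuning_report(BASELINE, TODAY).items():
        print(key, entry)
```

With the constructed data the firewall port-scan rule is steady noise (around 1,200 hits a day, so it gets a threshold instead of an analyst), the domain controller's failed-logon count is an anomaly (400 against a baseline around 42), and the WAF rule is normal. The z-score and noise floor are the knobs you tune to the size of the company and the scope of the system.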

  • Leverage

What happens after this is what you should have seen and anticipated during your planning phase. Whether your team is going to tackle other tasks by adding SIEM, or it is going to be independent, or… all depends on your plan. Never accept something from a solution/vendor as a 'want' or nice-to-have unless there is an actual 'need' for it.

Stay tuned for an explanation of a fully native, free SIEM (security information and event management system), a solution for 80% of environments!

Commitment: The Sole Reason Behind Hackers Supremacy

Would you put more complex firewall rules in place when internal nodes are vulnerable due to an insecure default setup, or set up numerous security tools while setting up more and more insecure nodes at the same time?!

The mechanics and dynamics of hacking are blurry to the typical IT guru…

  • Are hackers ahead of the entire IT security industry?
  • Why did the balance between the two parties shift so long ago?
  • What made such a big gap, when there was no such huge difference in the 90's?

It's a false hope to believe that the sunny side of cyberspace is controlling the cyber-planet! Malicious hackers are way ahead, and that's why we spend so much time on safety rather than focusing on the legitimate needs of cyber-society!

Hacking is the art of creative problem solving…

Many factors are involved in hackers' supremacy: knowledge (original or fake), intelligence, teamwork with a genuine sense of community, the nature of the operation, the goal and its outcome (destructive or constructive), originality of source code… but I have noticed there is only one factor that matters most, something that took the hacker community to a totally different level of control and changed the balance between Jedi and Sith forever: Commitment! Hackers are simply more committed to doing their job!


We send our top IT talents to learn hands-on hacking techniques, encourage IT administration to deep-dive into the dark web, and train the whole company crew on security essentials, and still it takes one man to bring the entire company technology infrastructure to its knees, all because the mechanics and dynamics of hacking are blurry to the typical IT guru. Here is an analogy to the human body: consuming more and more vitamins and hoping for physiologically healthier cells, while the body is creating cancerous cells. That is ignoring the root cause and going after a fix without considering the symptoms! The result is misleading, because even with cancer, vitamin C still has a positive effect on the patient!

Focusing on defining more complex firewall rules, versus NOT setting up vulnerable nodes with an insecure default configuration!


Software, every piece of code, is the foundation of any modern computerized system (basic, huh?), and that's where we have the problem: creating vulnerable code in the first place. That's where "commitment" comes into the equation: the software community wants to release, in a rush, with limited to zero knowledge of security, dealing with very high-level and complex APIs, no tests, an immature or illogical software development process, no code review… but hackers are committed to reviewing developers' code for them, and they find those cancerous cells inside the body of the software!

Even worse, while hackers are committed to finding and exploiting those software flaws, developers are committed to releasing newer versions with more focus on functionality than on fixing the foundation. No doubt it is tedious and sometimes impossible, because if the flaw is within the design there is no time for the developer to step back and fix something natively insecure, to the point that sometimes developers prefer to leave the insecure code behind completely and go for brand-new baby code, where they fall into the same illogical development process, or may even reuse boilerplate code from previous practice (more likely insecure artifacts).

Focusing on setting up numerous security tools in an environment, versus NOT adding insecure nodes to the same environment!

Code review is the best way to get ahead of hackers, and of course it is the software developers' mission to cultivate and popularize the practice at the earliest stage of coding. As for IT administration, they need to fully understand the mechanics of the software they are using. Remember that today's IT crew are more like software operators, so it is reasonable to expect operators to be fully aware of the machine they are driving.

Five signs IT is overwhelmed with operations

There are signs before your IT department faces a disaster or, worse, jeopardizes your business by affecting tech operations in different departments. Those are the signs of an overwhelmed IT, so let's take a look at the common signs and symptoms:


1) Lack of resources
Whenever your IT staff are always talking about a lack of resources, be aware that a lack of resourcefulness is the main cause. IT is supposed to create and generate virtual resources, right? We do not use a shovel and our muscles to search through a haystack of zeros and ones; IT does not touch 0s and 1s anymore. IT creates or simply buys solutions, so what is this lack-of-resources concept? IT talks about a lack of resources because they are overwhelmed with time and resource management; that's a sign of being unfamiliar with tools and techniques, so they get frustrated, and that's not good for your business operations.

2) Tool oriented
Tools are good, but tool obsession and jumping from one tool to another is a sign of an overwhelmed IT. Of course IT uses tools with almost every piece of tech operation, and regardless of how they ignore natively accessible tools and keep asking for more and more commercial tools, the fact that they jump from one solution to another without fully understanding it, or even shop with no clue in the first place, is totally a sign of a disorganized IT, which finally ends up overwhelmed and frustrated.

3) Deadlines
No deadline is met; no surprise? You are not alone, but imagine the most logical, supposedly organized people in a company becoming the most unreliable people in terms of meeting deadlines and project management. Regardless of the reason, which is IT's typical helplessness at time management, not being able to meet multiple, sometimes any, deadlines is a sign of being overwhelmed by subjects which are either unknown to IT or just out of the scope of their expertise. So what happens is that they push and push and push until you are overwhelmed and give up.

4) Fading real IT mission
This has been a global issue within almost all non-tech companies' IT departments. IT's main mission is supposed to be supporting the business, and for that reason IT needs to understand business needs and flow, but they ignore this and the main mission simply fades away from the to-do list.
You could eliminate all these overwhelming factors from IT operations with very simple techniques, which I am going to explain later in a different article.

Five Reasons to Start Your SIEM Initiative Today

Regardless of how much SIEM in today's cybersecurity marketing campaigns is driven mainly by compliance, which solution is the best, and whether it should be managed or on-premises, Security Information and Event Management is conceptually accepted among security professionals, so here are my top reasons to consider SIEM implementation as one of your cybersecurity initiatives:

  1. Another tool for management
    Seems obvious, but not many realize that SIEM is a management tool in the first place. It means it does not have, and does not need to have, active or pro-active capabilities. All it has to be capable of is delivering the right security information from the right security event to management, not necessarily even security management.
  2. It is all about visibility
    Remember, SIEM itself does not provide visibility, but it is a technique to take "visibility" to a different level. So if you already have visibility over your network and systems, then SIEM is like an interface that enhances the way you see events, not something that reveals more facts about the security of your systems.
  3. Correlation is the heart of the matter
    The main purpose behind a functional SIEM is the ability to correlate events; otherwise the main purpose is ignored, either by the solution designer or by you. Any security program knows that in the real world there is no meaning behind a single security event unless it is correlated and overlapped with other events, and for that matter SIEM is where you should be able to harmonize your flow of security information; needless to say, it is the job of the SIEM solution provider to make sure the system is capable of directing you.
  4. Combining older systems
    Not all users of a SIEM are genuinely looking for this management system because of its native features. One of the main drivers to upgrade to SIEM has been the presence of older SIM and SEM systems. So whether you are forced to or just want to combine two management systems, SIEM is the most popular way of SIM and SEM integration.
  5. Intrusion comprehension
    This is totally different from intrusion detection, response or correlation capability; it is about the origination of an incident, the level of intelligence behind root causes, and the indirect role of systems in shaping the final tangible incident. This is absolutely one of the hidden benefits of a well-designed SIEM within a well-managed security operation.

There are other benefits like auditing, policy-enforcement validation, security certification… which could potentially be addressed depending on how you are going to execute your SIEM. But remember, the main essence of your SIEM is in the details of operation, and none of the benefits come out of the box with any solution in the market.
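Point 3 above is the one a SIEM is really bought for, so here is the difference between a per-source rule and a correlated one, in code. This is an added example written for this page, not the author's or any product's logic; the events, host names, user names and IP addresses are constructed, and the normalized `Event` shape is an assumption about what the collection layer delivers. A password-guessing run split across two systems stays under any single system's threshold, but a rule that follows one user across sources and ties the failures to the eventual success produces one incident with the evidence attached.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One normalized authentication event; the field set is an assumption."""
    ts: datetime
    source: str    # system that produced the event (constructed host names)
    user: str
    src_ip: str
    outcome: str   # "failure" or "success"


T0 = datetime(2024, 1, 15, 9, 0, 0)  # constructed reference time

# Constructed sample: jdoe fails three times on the domain controller and twice
# on the VPN gateway, then succeeds on the VPN; asmith fails twice then succeeds.
EVENTS = [
    Event(T0 + timedelta(seconds=0),  "dc01",  "jdoe",   "203.0.113.7", "failure"),
    Event(T0 + timedelta(seconds=20), "dc01",  "jdoe",   "203.0.113.7", "failure"),
    Event(T0 + timedelta(seconds=40), "dc01",  "jdoe",   "203.0.113.7", "failure"),
    Event(T0 + timedelta(seconds=70), "vpn01", "jdoe",   "203.0.113.7", "failure"),
    Event(T0 + timedelta(seconds=90), "vpn01", "jdoe",   "203.0.113.7", "failure"),
    Event(T0 + timedelta(minutes=3),  "vpn01", "jdoe",   "203.0.113.7", "success"),
    Event(T0 + timedelta(minutes=1),  "dc01",  "asmith", "192.0.2.10",  "failure"),
    Event(T0 + timedelta(minutes=2),  "dc01",  "asmith", "192.0.2.10",  "failure"),
    Event(T0 + timedelta(minutes=4),  "dc01",  "asmith", "192.0.2.10",  "success"),
]


def per_source_alerts(events, min_failures=5):
    """Uncorrelated view: count failures per (source, user) in isolation."""
    counts = defaultdict(int)
    for e in events:
        if e.outcome == "failure":
            counts[(e.source, e.user)] += 1
    return sorted(key for key, n in counts.items() if n >= min_failures)


def correlate(events, min_failures=5, window=timedelta(minutes=10)):
    """Correlated view: failures for one user across all sources, followed by a
    success inside the window, become a single incident tying the events together."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    incidents = []
    for user, evs in by_user.items():
        recent = []  # failures still inside the sliding window
        for e in evs:
            recent = [f for f in recent if e.ts - f.ts <= window]
            if e.outcome == "failure":
                recent.append(e)
            elif e.outcome == "success" and len(recent) >= min_failures:
                incidents.append({
                    "user": user,
                    "failures": len(recent),
                    "sources": sorted({x.source for x in recent + [e]}),
                    "success_at": e.ts,
                    "success_from": e.src_ip,
                    "events": recent + [e],  # keep the evidence for the analyst
                })
                recent = []  # start a fresh window after raising the incident
    return incidents


if __name__ == "__main__":
    print("per-source alerts:", per_source_alerts(EVENTS))
    for inc in correlate(EVENTS):
        print(f"{inc['user']}: {inc['failures']} failures across {inc['sources']} "
              f"then success from {inc['success_from']} at {inc['success_at']}")
```

On the constructed events `per_source_alerts` returns nothing, because neither dc01 nor vpn01 alone saw five failures, while `correlate` returns one incident for jdoe spanning both sources. The window length and failure count are the parameters you would set during tuning; the `events` list on the incident is what makes it useful to the analyst rather than just another alert.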

Privacy: Does Cyberspace Leave Any For Us?!

What does ‘Privacy’ exactly mean to you, and is there anything left for us in cyberspace?

'Privacy' doesn't mean anything to you? Actually you are lucky if you are young enough to accept that cyberspace is an integral part of our lives (perhaps you might even believe it is the main part of living!), but imagine one day you wake up and you are part of cyberspace with the old definition of 'privacy'; then you would be shocked and even paranoid about the private aspects of your life. I bet you already are!

Privacy does not have the same definition or expectations as 50 years ago, or even 10 years ago. That type of privacy does not exist within the boundaries of the Net; it simply does not apply to cyberspace anymore, and the main driver for that is the way internet applications are set up and utilized, which forces us to forget about privacy or else we won't get the expected experience from Net applications.

Today's privacy means adversaries shouldn't be able to get into your private life; otherwise, all Net application providers have, and are supposed to have, access to the most private parts of your life. They require you to disclose as much as possible, or else either you are denied completely or you don't get particular key services of an online application. Note that you cannot necessarily blame the software in this case, as applications are where the limitation to privacy natively appears. An example is any web software that takes care of filing your taxes or your credit score… the application requires you to disclose ALL information to the software, otherwise there is no value in the application when any piece is missing, so you have to trust and maximize disclosure.

How are you going to talk about privacy when they know you better than you know yourself!

Privacy is simply collective and relative; there is no absolute unless you decide not to have any online presence, which is impossible because at least your bank knows about you and their systems are online. Privacy is collective but not selective, meaning some people know you better than yourself and some SHOULD NOT (which doesn't mean that they DO NOT!), but you cannot select who is doing what with your data out there unless you are totally departed and detached from society!

Privacy nowadays is the state of being worried only about adversaries, hackers and criminals, but not concerned about what application providers do with our information. Remember, even with regulations like GDPR, we 'may' be able to reduce the exposure of our data, but we are never able to erase information about ourselves. We can perhaps ask a data processor to forget about our data inside a database (assuming the data never got into the hands of bad guys), but we cannot ask them to forget the intelligence behind our data.

An example is when the intelligence of how you shop and what you shop for is created within the "cloudy sky of numerous Net applications", no matter whether you personally delete every single record of your shopping transactions within a website. So relax and change your definition of privacy; you may also want to totally ignore VPNs and anonymous web browsing, which I will explain later: why you usually do not need them.