SIEM Primer:

Editor's Notes

• #4: No “incident”, not “intelligence” (open or otherwise), not anything else.
• #7: Another way to decide is to look at what problem you’re trying to solve with the tool. Over the years, the following areas where SIEM and log management tools can deliver value have emerged: Security, detective, and investigative: sometimes also called threat management, this focuses on detecting and responding to attacks, malware infection, data theft and other security issues. It is very useful to see this as two separate factors: monitoring and detection of security issues vs investigation and forensic analysis of security incidents.Compliance, regulatory (global) and policy (local): this focuses on satisfying the requirement of various laws, mandates and frameworks. Most of the mandates have the intention of helping you improve security, so there is a lot of overlap between this and the previous item.Operational, system and network troubleshooting and administration: specific mostly to log management, this use case has to do with investigating system problems as well as monitoring the availability of systems and applications.
• #8: Security Information and Event Management = security-relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content.Log management = comprehensive log collection, aggregation, original log retention; analysis; presentation (search, reporting, visualization); related workflow and relevant content.
• #10: What is correlation? Different definitions given by different people.Dictionary: “establishing relationships”Why correlate events?Cross-device data analysisWhat else one might want to correlate?Events and …
• #14: Gal: “CISO thinks that SIEM opportunity cost is too big; spend $100k on SIEM vs spend $100k to solve a dozen problems”
• #16: Figure OutCustom StuffTunedRightAdapted
• #19: Maybe inheritedDoes everybody need a SIEM?Do you need a SIEM?Are you ready for SIEM?Do you want a SIEM?
• #22: The previous version “SANS Top 5 Essential Log Report” (you can still get it at SANS site) is being updated by the author. Here is the draft that you can use today.1. Authentication and Authorization Reportsa. All login failures and successes by user, system, business unit – must have login success logs, not just failure!b. Login attempts (successes, failures) to disabled/service/non-existing/default/suspended accountsc. All logins after office hours / “off” hoursd. Users failing to authenticate by count of unique systems they triede. VPN authentication and other remote access logins (success, failure)f. Privileged account access: logins, su use, Run As use, etc. (success, failure)g. Multiple login failures followed by success by same account – needs to have correlation for that2. Change Reportsa. Additions/changes/deletions to users, groups – even a trend on user additions across systems would be usefulb. Additions of accounts to administrator / privileged groupsc. Password changes and resets – by users and by admins to usersd. Additions/changes/deletions to network servicese. Changes to system files – binaries, configurations – likely needs a list to rung. Changes in file access permissionsh. Application installs and updates (success, failure) by system, application, user 
• #29: Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?Develop log management or SIEM product selection criteria (related writing)Identify key use cases aligning log management and SIEM tools with business, compliance and security requirementsPrepare RFP documents for SIEM, SEM, SIM or log managementAssist with analyzing RFP responses from SIEM and log management vendorsEvaluate and test log management and SIEM products together with internal IT security teamAdvise on final product selectionLogging and log management policyLogging and log management policy - how to develop the right logging policy? What to log?Develop logging policies and processes for servers and applications , log review procedures, workflows and periodic tasks as well as help architect those to solve organization problemsInterpret regulations and create specific and actionable logging system settings , processes and log review procedures (example: what to log for PCI DSS?)Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validationCustomize industry "best practices" related to logging and log review to fit your environment, help link these practices to business services and regulations (example)Help integrate logging tools and processes into IT and business operationsSIEM and log management product operation optimization - how to get more value out of the tools available?Clarify security, compliance and operational requirementsTune and customize SIEM and log management tools based on requirementsContent developmentDevelop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needsCreate and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulationsTraining - how to get your engineers to use the tools best?Provide the customized training on the tools and practices of log management for compliance, IT operations, or security needs (example training conducted)Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training.