Security Information and Event Management, or SIEM, is worthless unless you are precise in your data collection. The old adage, garbage-in garbage-out, or GIGO, continues to hold true. Successful SIEM deployments are built on rock solid log management and real-time transport. What do we mean by “rock solid logging”? It means you are efficiently collecting the data you need and not getting bogged down in the superfluous data you don’t. This requires you to properly archive data for compliance and incident response while feeding pertinent real-time data to your analytics platform that should ideally be purpose-built for SIEM solutions.
How can you make sure your logging is up to par? Simple. Make sure you, and your organization, do these five things.
Properly Configure Windows Audit Policy
We see this less often than we used to, but we still find people wondering why their network isn’t generating logs. The simple answer is that Windows Audit Policy needs to be turned on, and often times users need to go in a select want events they want generated. In other words you have to switch on event log generation in Windows environments. You can learn how to do that on Microsoft’s TechNet.
Once on you need to tune the policy to your log collection needs. Our Snare Agents can do that automatically by checking a box in settings, you can also find Microsoft’s recommendations on there website.
You may notice Microsoft doesn’t recommend collecting everything. While we understand the temptation to put up a catch all, you will bog yourself down in copious amounts of worthless data. Our Snare experts are happy to walk through your audit policy with you as needs easily vary from company to company.
Secure and Reliable Log Transport
There are only three protocols for transporting logs from A to B. UDP, TCP and TLS each have their own pros and cons. In an ideal world everybody would use TLS, and if you are sending sensitive data, or transporting across an untrusted network, you better be using TLS.
It used to be that all log data was considered trivial, nice to have but not essential, and UDP was the default protocol for transporting logs. UDP can lose upwards of 10% of your logs and that network bandwidth you think you’re saving can easily be saved with output driven filtering. Rather than transporting your logs with a “fire and forget” mentality, implement logging software that efficiently and securely transports logs without introducing the potential of critical logs being lost while traversing your network. Exceptions to these best practices are rare, and odds are your organization should be using TLS or TCP. Take the time to make sure you are using the ideal protocol for your company’s logging needs and networking environment
Output Driven Filtering
Security professionals should only collect logs where there is a clear requirement defining how they will be used. Are you archiving for compliance? For potential forensics? Do you need to forward on to an analytics platform? Strong analytics is a pivotal piece in reducing MTTD/R, or Mean Time to Detection and Response, as well as automated response tools.
While listing the logs you want collected creates efficiency in your entire SIEM ecosystem, company is unique and you should be thorough in exactly what logs are required to achieve your desired result. You can also add in a blacklist of everything you don’t require. A sound strategy is to collect too many logs at first, and eliminate unnecessary logs (noise) through an iterative practice of continuous evaluation and improvement.
Now you are not only saving system resources and reducing network traffic, but saving money on the SIEM side where many vendors charge on the volume of data ingested.
Centralizing your logs saves you time, money and increases the readability of your logs. It’s a crucial step in minimizing MTTD/R. The average time it takes to detect and respond to an event. A critical KPI as it can vary from minutes, to hours, to days and in extreme cases, months. Identifying events in minutes is not only critical, but is a key ROI metric used for justifying the initial investment in a SIEM, in turn protecting your company from potential hazards and liabilities.
So the question is, how easy is it to centralize your logs? The answer often times is “not very”. The problem with this is, it shouldn’t be the case. Software can do almost anything we can dream up, so when companies force vendor lock-in or require substantial coding to make the simplest of changes, you have to wonder, do they really have my best interest in mind. Invest in a logging solution (*cough* Snare *cough*) that can be your SIEM, or tie into the SIEM of your choice so that no matter where you collect from, the logs end up where you need them. There is also the incredibly large bonus of being able to easily change SIEM vendors if you don’t have to rip and replace software on every machine in your organization. Pretty cool, right?
Sophisticated Architecture Capabilities
Sophisticated enterprise logging architecture enables your organization to maximize bandwidth by archiving logs for forensics and compliance before forwarding on critical logs to the central SIEM for analytics. This way only mission critical logs eat up system resources, but you preserve any logs necessary for potential work in the future.
Flexible architecture also allows you to implement custom deployments across various business units and still consolidate everything in an efficient manner. Give your head office visibility via analytics, but take care of the more granular forensic and compliance work at branch offices. Or maybe different departments have different security and compliance standards. Simply deploy accordingly. There are a near infinite number of ways to deploy your SIEM efficiently across your organization.
There you have it. The five logging musts in an enterprise level logging solution. For a deeper dive into this check out our resources page. There are a number of brochures you’ll want to check out. Of course sometimes talking through everything with a human is better than scrolling through digital content. Please feel free to reach out and get in touch with us as well!