As threats become more creative, our means of discovering them need to be more creative as well. Everyone who operates a large enterprise is struggling to implement a Security Information and Event Management (SIEM) system. More generally, we are trying to create an environment that helps discover suspect events and minimize risk to the business. How do we create an environment in which we can be both creative and effective? Having worked in this area for more than 10 years, here are some of the basic principles that I find to be effective.
Flexibility and adaptability are essential attributes of any security analysis platform. Production network systems and operations are engineered for reliability, and change on them is controlled accordingly. Engineer the security analysis environment with some autonomy from those reliability constraints, so that its processes can be changed as quickly as the analysis demands, while still respecting the reliability needs of the production network it draws data from.
A SIEM should be treated as a platform for analyzing the many contributing behaviors and activities that, taken together, may indicate a security threat. Sophisticated adversaries such as advanced persistent threats (APTs) generally carry out a series of individually permitted events that add up to an undesired result. No single event will be the conclusive indicator, so search for numerous indicators that are potential contributing elements. Frequency analysis, volumetric analysis, diurnal (time-of-day) patterns, and baseline references should be the foundation of the analytical solution.
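The following is an added example, not code from the article or from any AT&T product, of what combining those techniques looks like in practice: a per-user baseline of daily volume, hours of activity and source addresses is built from a few days of "normal" activity, and a new day is scored against it. Each weak signal (volume spike, off-hours activity, new source, burst of failed logins) is tracked separately, and a user is reported only when several of them coincide, which is the "no single event is conclusive" principle. The log format, the users, the IP addresses and the thresholds are all constructed for illustration.

```python
"""Correlating several weak indicators against a per-user baseline.

Added example, not code from the article. The log format, users,
addresses and thresholds are constructed for illustration only.
"""
from collections import Counter, defaultdict
from datetime import datetime
import statistics


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <user> <src_ip> <action>'."""
    ts, user, src, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "action": action}


def make_baseline_lines():
    """Five constructed 'normal' weekdays of activity for two users."""
    lines = []
    for day in range(1, 6):
        d = f"2024-03-{day:02d}"
        lines += [
            f"{d}T09:05:12 alice 10.0.0.5 login_ok",
            f"{d}T13:10:40 alice 10.0.0.5 file_read",
            f"{d}T17:30:02 alice 10.0.0.5 logout",
            f"{d}T08:15:33 bob 10.0.0.7 login_ok",
            f"{d}T12:40:19 bob 10.0.0.7 file_read",
        ]
    return lines


# Constructed day under review: alice stays a little late (one weak signal),
# bob's account is used at 02:00 from an unknown address after failed logins.
DAY_UNDER_REVIEW = """
2024-03-06T09:02:44 alice 10.0.0.5 login_ok
2024-03-06T13:11:05 alice 10.0.0.5 file_read
2024-03-06T17:29:50 alice 10.0.0.5 file_read
2024-03-06T18:05:00 alice 10.0.0.5 logout
2024-03-06T02:14:03 bob 203.0.113.9 login_fail
2024-03-06T02:14:09 bob 203.0.113.9 login_fail
2024-03-06T02:14:15 bob 203.0.113.9 login_fail
2024-03-06T02:14:22 bob 203.0.113.9 login_ok
2024-03-06T02:20:01 bob 203.0.113.9 file_read
2024-03-06T02:21:40 bob 203.0.113.9 file_read
2024-03-06T02:22:10 bob 203.0.113.9 file_read
2024-03-06T03:05:33 bob 203.0.113.9 file_read
"""


def build_baseline(events):
    """Per-user reference: hours of day seen (diurnal), source IPs seen,
    and a volumetric threshold derived from mean/stdev of daily event counts."""
    hours, sources = defaultdict(set), defaultdict(set)
    per_day = defaultdict(Counter)  # user -> Counter(date -> event count)
    for e in events:
        hours[e["user"]].add(e["ts"].hour)
        sources[e["user"]].add(e["src"])
        per_day[e["user"]][e["ts"].date()] += 1
    baseline = {}
    for user, counts in per_day.items():
        vals = list(counts.values())
        sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        baseline[user] = {
            "hours": hours[user],
            "sources": sources[user],
            # floor the deviation at one event so a perfectly regular
            # baseline does not flag every single extra event
            "volume_threshold": statistics.mean(vals) + 2 * max(sd, 1.0),
        }
    return baseline


def indicators_for(evs, ref):
    """Independent weak signals for one user's day; none is conclusive alone."""
    ind = []
    if ref is None:
        ind.append("no_baseline")
    else:
        if len(evs) > ref["volume_threshold"]:
            ind.append("volume_spike")
        if any(e["ts"].hour not in ref["hours"] for e in evs):
            ind.append("off_hours")
        if any(e["src"] not in ref["sources"] for e in evs):
            ind.append("new_source")
    fails = sum(e["action"] == "login_fail" for e in evs)
    oks = sum(e["action"] == "login_ok" for e in evs)
    if fails >= 3 and fails > oks:
        ind.append("auth_failure_burst")
    return ind


def score_day(events, baseline, min_indicators=2):
    """Return {user: [indicators]} for users with at least min_indicators signals."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        ind = indicators_for(evs, baseline.get(user))
        if len(ind) >= min_indicators:
            findings[user] = ind
    return findings


def run(min_indicators=2):
    base = build_baseline(parse_line(l) for l in make_baseline_lines())
    today = [parse_line(l) for l in DAY_UNDER_REVIEW.strip().splitlines()]
    return score_day(today, base, min_indicators)


if __name__ == "__main__":
    for user, ind in run().items():
        print(f"{user}: {', '.join(ind)}")
```

With the default of two coinciding indicators, only bob is reported (volume spike, off-hours activity, new source, and a burst of failed logins); alice's single late logout is an off-hours signal on its own but is not escalated. In a real deployment the baseline would be learned over weeks rather than days, and the thresholds tuned per population, but the structure is the same: each analytic contributes a signal, and the decision is made on the combination.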
Establish an organizational structure, and the resources to go with it, around the security operations activity. Here is an example structure that can help organize that environment: