1) SIEM training exercises
Proper management and analysis of logs from various devices is a function of the SIEM tool in use. It’s essential to ensure that the SIEM team gets properly trained by the solution’s vendor.
SIEM technicians and analysts should be constantly updated with the latest security trends, as well as threat vectors—particularly those applicable to the organization’s environment. Encourage such practices. On-going centralized training from the vendor is a must to effectively use your SIEM tool, especially during product update cycles. This is a norm at Genpact, where we regularly conduct such exercises.
2) Cultivate cross-domain expertise
The SIEM team’s members should not be limited in their skillsets. A trained SIEM team with cross-functional domain expertise is a must for understanding an attack end-to-end. While it helps to have members in the team who specialize in certain aspects, all SIEM technicians should be well-versed with IT and allied domains.
While selecting your SIEM team, ensure that the team has a well-rounded character in terms of its skillsets. For instance, a technician monitoring an FTP-based attack should be aware of all aspects like device, OS and application vulnerabilities in the environment that might be exploited — not just the network side of the problem. Cross-functional domain experience has the benefit that it prevents saturation in any particular IT domain. This should be a standard practice in all organizations.
3) Understanding of the blackhat mindset
Other SIEM tips in this series
An SIEM team should be proactive in its approach to security. Using the traditional passive-defensive approach to security can be counter-productive when it comes to discovery and prevention of attacks. Team members should be able to wear the hacker’s hat if they have to understand how breaches can occur.
Certifications like CEH, CHFI and SANS trainings may help SIEM teams gain insights on this front. Level of expertise and knowledge can also be used as criteria to pick personnel to man your SIEM solution.
4) Environmental awareness
The need for SIEM technicians to be fully aware of their operating environments is allied to the earlier point. Training SIEM teams to be aware of the various vulnerabilities and weaknesses in their environment goes a long way towards the creation of a proactive stance for the SIEM solution’s effective use. Teams should look closely at ongoing activities that can result in attacks, and be able to identify possible attack vectors that the existing setup is susceptible to.
At Genpact, the SIEM team is furnished with a complete list of assets, which gives them a comprehensive picture of the IT environment. The device owner can be directly contacted on detection of anomalies, and remedial action (for example, taking the device offline) can be swiftly undertaken. A single point of contact has been designated for every department.
5) SIEM reporting structure
SIEM teams should be given precedence over other operational teams of the security operations center. This gives them the authority to take swift action during emergencies.
Keep the SIEM function separate. The team should not have any operational responsibilities leading to conflict of interests. As it is, most standards specify compliance and regulatory requirements which mandate that the SIEM function be kept separate.
At Genpact, the SIEM team is part of the security operations team, and reports directly to the head of information security. The team reports directly to the operations team for day to day functions. The SOC at Genpact is divided into three verticals—perimeter security, endpoint security and network security. The SIEM team is responsible for network security, as well as for monitoring of the wireless intrusion prevention system and other tools.
About the author: Satish Jagu is the senior manager for corporate information security at Genpact. With more than 12 years of professional experience in IT, Jagu has expertise in security, network and system administration on UNIX/Windows platforms, security systems and Internetworking devices. He has TCP/IP network experience in design, in addition to implementation of Internet and Intranet services. Jagu has worked on ISO 27001 implementation and certification projects, as well as SAS 70 and SoX IT controls.
|(As told to Varun Haran.)|
This was first published in September 2012