
A SIEM Solution is Like a Garden

If you expose the dirt on your lawn by cutting a big square out of your grass, you can’t just stop there and say “Done, I now have a garden.” In fact, all you have is a big dirt square that will eventually regrow the grass you just removed from it. In order to create an actual garden you need to build the foundation, plant the flowers, and maintain the garden so that it continues to flourish.

The same can be said of any Security Incident and Event Management (SIEM) solution you buy. Just because you purchase a box, or a piece of software, that the marketing material calls a “SIEM Solution” doesn’t mean that racking it and turning it on is the end of the project life cycle. Just like a garden, there needs to be proper preparation, implementation, and maintenance for the program to succeed.

Preparation

Alright, so Vendor A calls you up and tells you how great their SIEM solution is, what it will do for your [security | compliance | log management] project, and why you should buy it before their end of quarter. That’s all well and good but you’ll also get the exact same calls from Vendor B, and Vendor C before the week is over all promising the same puppy dogs, ice cream and unicorns that the others were. The question is – Which one is right for my environment?

When you decide that you’re going to plant a garden, there are several factors you need to consider before rushing into it. The first question is – Where do I put it? This is a very important question because it will influence the types of plants that will grow in your garden. Most, if not all, plants and/or seeds you buy from a store will have some manner of instructions on them. Seeds will usually explain the conditions required for optimal growth on the back of the package, while plants will usually have one of those plastic/paper inserts stuck into the soil. Some plants require full sun while others require some measure of shade. Do you put it out front where your kids play or out back where the dog, or other animals, might dig through it? How much natural rain water will the garden get, or will you have to rely totally on manual watering?

These are the same kinds of questions you should be asking yourself when deciding on a SIEM solution. Not only do you need to read about what the product can do but you need to be able to distill what is important to your environment. If you are a predominantly Cisco and Microsoft Windows shop, what good is a product that prides itself on Juniper and Solaris integration but has serious deficiencies when it comes to Cisco and Microsoft integration? That is like planting a flower that requires full sun in the shade. It’ll look nice until it dies a horrible sunless death.

You also need to figure out where the best location is in your network for this solution. Most SIEM products are made up of collectors and centralized processing points. One thing you need to consider is if you put a collector in one [rack | building | city | country] will it be able to offer you the visibility that you’re looking for or will that location only be giving you a portion of the total picture? Maybe your collection infrastructure needs to be bigger or maybe, like a small garden, it can be built out over time.

Keep in mind that, like a garden, you’re probably not the first person to ever undertake such a project. When starting a big garden project you will typically ask the experts, such as greenhouse workers, friends, and colleagues, for their input. Their advice is valuable because they have already made the mistakes and can tell you how to avoid the roadblocks they encountered. Just as you would ask a greenhouse worker for advice, ask the vendor for references that you can speak to without the vendor on the phone. The reason you don’t want the vendor on the phone is that you want the people you are talking with to feel they can discuss the solution’s pros and cons without feeling cornered. Often, when the vendor is on the phone with them, they’ll hold their tongue, and that doesn’t give you the full picture you’re looking for. You’ll also want to ensure you talk to both management references and technical references, because each will have a different view on how the project progressed.

Hopefully this gives you some things to think about before rushing into purchasing a SIEM solution (or starting a garden for that matter). In my next post I’ll discuss the implementation phase of your SIEM project.

You Might Know More Than Your Sales Engineer…

If you find yourself explaining how network address translation (NAT) works, you might know more than your SE.

If you find yourself having to explain what certain acronyms mean (like NAT), you might know more than your SE.

If you have to explain the difference between a Crossover cable and a Straight-Through cable, and why it matters that they are different, you might know more than your SE.

If they have ever muttered the phrase “Well, it’s never done that before”, you might know more than your SE.

If they admit to you that they have never before used the product themselves, you might know more than your SE.

If they truly believe that their product is “hack proof”, you might know more than your SE.

If talking to the SE at their booth has you wondering if they are the “booth babe” or not, you might know more than your SE.

If they think that a packet is something that chips come in, you might know more than your SE.

If they have never heard of a competing product for their offering, in a space where there are at least 20 competitors, you might know more than your SE.

If they think cryptography has something to do with cemeteries, you might know more than your SE.

If they think that Open Source is a skin condition, you might know more than your SE.

If they giggle when they hear the terms intrusion, breach, or IP, they could either be 7 years old or it might just be that you know more than your SE.

Training That I Would Like…

I often find myself thinking about what training I’d like to help keep my knowledge moving forward. This morning I sat down and wrote up a small list of the training that I would like to receive over the next two years (if possible).

SANS Security 508: Computer Forensics, Investigation, and Response

Description:
Learning more than just how to use a forensic tool, you will be able to demonstrate how the tool functions step-by-step. You will become skilled with tools, such as the Sleuthkit, Foremost, and the HELIX Forensics Live CD. We will rapidly move on to advanced forensic and investigation analysis topics and techniques. This SANS hands-on technical course arms you with a deep understanding of the forensic methodology, tools, and techniques to solve even the most difficult case.

Reason:
I’ve always been interested in Forensic Analysis but have never received any formal training. I know how to handle incidents and safeguard data for further investigation but I don’t know how to take that next step. Plus, being able to pull something from nothing is a really cool concept 🙂

SANS Security 560: Network Penetration Testing and Ethical Hacking

Description:
Attendees will learn how to perform detailed reconnaissance, learning about a target’s infrastructure by mining blogs, search engines, and social networking sites. We’ll then turn our attention to scanning, experimenting with numerous tools in hands-on exercises. Our exploitation phase will include the use of exploitation frameworks, stand-alone exploits, and other valuable tactics, all with hands-on exercises in our lab environment. The class also discusses how to prepare a final report, tailored to maximize the value of the test from both a management and technical perspective. The final portion of the class includes a comprehensive hands-on exercise, conducting a penetration test against a hypothetical target organization, following all of the steps.

Reason:
I know how to run tools like a script kiddie but need, and want, to know more about discovering and exploiting vulnerabilities.

SANS Security 617: Wireless Ethical Hacking, Penetration Testing, and Defenses

Description:
This course takes an in-depth look at these fields, exposing you to wireless security threats through the eyes of an attacker. Using readily available and custom-developed tools, you’ll navigate your way through the techniques attackers use to exploit WiFi networks, including attacks against WEP, WPA/WPA2, PEAP, TTLS, and other systems. We’ll also examine the commonly overlooked threats associated with Bluetooth, WiMAX, and proprietary wireless systems. Using the SWAT toolkit, we’ll back up the course content with hands-on labs and practical exercises designed to reinforce the concepts.

Reason:
I want to take this class for the same reasons mentioned above for Sec 560 but from a wireless angle.

Pentesting with BackTrack :: PWB

Description:
“Pentesting with BackTrack” (previously known as Offensive Security 101) is an online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. The course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students.

This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed internet.

Reason:
I have heard nothing but good things about this course (mainly from Rob “Mubix” Fuller) and, although I have a copy of BackTrack, I feel that I only use about 1% of it. I want to learn how to use this image to its full potential.
