Security Information and Event Management (SIEM) Implementation
1st Edition
Published on 25. October 2010
490 pages
978-0-07-170108-2 (ISBN)
Description
Implement a robust SIEM system Effectively manage the security information and events produced by your network with help from this authoritative guide. Written by IT security experts, Security Information and Event Management (SIEM) Implementation shows you how to deploy SIEM technologies to monitor, identify, document, and respond to security threats and reduce false-positive alerts. The book explains how to implement SIEM products from different vendors, and discusses the strengths, weaknesses, and advanced tuning of these systems. Youll also learn how to use SIEM capabilities for business intelligence. Real-world case studies are included in this comprehensive resource. Assess your organizations business models, threat models, and regulatory compliance requirements Determine the necessary SIEM components for small- and medium-size businesses Understand SIEM anatomysource device, log collection, parsing/normalization of logs, rule engine, log storage, and event monitoring Develop an effective incident response program Use the inherent capabilities of your SIEM system for business intelligence Develop filters and correlated event rules to reduce false-positive alerts Implement AlienVaults Open Source Security Information Management (OSSIM) Deploy the Cisco Monitoring Analysis and Response System (MARS) Configure and use the Q1 Labs QRadar SIEM system Implement ArcSight Enterprise Security Management (ESM) v4.5 Develop your SIEM security analyst skills
More details
Other editions
Additional editions
David Miller | Shon Harris | Allen Harper
Security Information and Event Management (SIEM) Implementation
Book
12/2010
Osborne/McGraw-Hill
€77.20
Shipment within 15-20 days
Content
- Cover Page
- Security Information and Event Management (SIEM) Implementation
- Copyright Page
- Dedication
- At a Glance
- Contents
- Foreword
- Acknowledgments
- Introduction
- Part I Introduction to SIEM: Threat Intelligence for IT Systems
- 1 Business Models
- What Are IT Business Models?
- What You Have to Worry About
- Overview of CIA
- Government
- Military
- Three-Letter Agencies
- Social Services Infrastructure
- Commercial Entities
- Retail Services
- Manufacturing/Production
- Banking
- Universities
- How Does Your Company's Business Model Affect You?
- 2 Threat Models
- The Bad Things That Could Happen
- Vulnerabilities
- Malicious Intent
- Recognizing Attacks on the IT Systems
- Scanning or Reconnaissance
- Exploits
- Entrenchment
- Phoning Home
- Control
- After That.
- Summary
- 3 Regulatory Compliance
- Compliance Regulations
- Sarbanes-Oxley Act (2002) - SOX
- Gramm-Leach-Bliley Act (1999) - GLBA
- Healthcare Insurance Portability and Accountability Act (1996) - HIPAA
- Payment Card Industry Data Security Standard - PCI DSS
- California Senate Bill 1386 (2003) - CA SB1386
- Federal Information Security Management Act (2002) - FISMA
- Cyber Security Act of 2009 (SB 773)
- Recommended Best Practices
- Prudent Security
- Summary
- Part II IT Threat Intelligence Using SIEM Systems
- 4 SIEM Concepts: Components for Small and Medium-size Businesses
- The Homegrown SIEM
- Log Management
- Syslog
- Alerts
- Flow Data
- Vulnerability Assessment Data
- Let the Collection Begin
- Logging Solutions
- Event Correlation
- Event Normalization
- Correlation Rules
- Commercial SIEM for SME
- Endpoint Security
- Securing the Endpoints
- Protecting the Network from the Endpoints
- IT Regulatory Compliance
- Compliance Tools
- Implementation Methodology
- Tools Reference
- Summary
- 5 The Anatomy of a SIEM
- Source Device
- Operating Systems
- Appliances
- Applications
- Determining Needed Logs
- Determining Needed SIEM Resources
- Log Collection
- Push Log Collection
- Pull Log Collection
- Prebuilt Log Collection
- Custom Log Collection
- Mixed Environments
- Parsing/Normalization of Logs
- Rule Engine/Correlation Engine
- Correlation Engine
- Log Storage
- Database
- Flat Text File
- Binary File
- Monitoring
- Summary
- 6 Incident Response
- What Is an Incident Response Program?
- Grown from the Security Program
- Where the IR Program Fits In
- How to Build an Incident Response Program
- The IR Team
- Useful Tools for the IR Team
- Socio/Political Aspects
- The Price Tag
- Security Incidents and a Guide to Incident Response
- A Typical Escalation Flow to Security Incident
- Finally! An Incident
- Incident Response Procedures
- Automated Response
- Automated Response-a Good Thing
- Automated Response-a Bad Thing
- Summary
- 7 Using SIEM for Business Intelligence
- What Is Business Intelligence
- Business Intelligence Terminology
- Common Business Intelligence Questions
- Answers to the Common Business Intelligence Questions
- Developing Business Intelligence Strategies Using SIEM
- How to Utilize SIEM for Your BI Objectives
- Using the Data that Your Organization Currently Possesses
- What Other Companies Are Doing with SIEM and BI
- Summary
- Part III SIEM Tools
- 8 AlienVault OSSIM Implementation
- Background
- Concept
- Open Source Tools
- Functionality
- Commercial Version
- Design
- Architecture
- Deployment Considerations
- Implementation
- Requirements
- Installation Process
- Profiles
- Modifications After Installation
- Web Console
- Dashboards
- Incidents
- Analysis
- Reports
- Assets
- Monitors
- Intelligence
- Configuration
- Tools
- Summary
- 9 AlienVault OSSIM Operation
- Interface
- Dashboards
- Incidents
- Analysis
- Assets
- Intelligence
- Monitors
- Analysis of a Basic Attack
- Analysis of a Sophisticated Attack
- Summary
- 10 Cisco Security: MARS Implementation
- Introduction to MARS
- Topology, Sessions, and Incidents
- Scaling a MARS Deployment
- Analyze Requirements
- Objectives
- Unique Threat Concerns
- Infrastructure Inventory
- Design
- Resources and Requirements
- Roles and Responsibilities
- Deployment
- Installing the Device and Connect to Network
- Configuring the Web Interface
- Assigning MARS User Accounts
- Adding Monitored Devices
- Integrating Flow Data
- Generating Topology
- Operation: Queries, Rules, and Reports
- Queries
- System Rules
- User Inspection Rules
- Reports
- Limitations
- Summary
- 11 Cisco MARS Advanced Techniques
- Using the MARS Dashboard
- Summary Page
- Incidents Page
- Query/Reports Page
- Rules Page
- Management Page
- Admin Page
- Adding Unsupported Devices to MARS
- Importing Device Support Packages
- Building Your Own Custom Parsers
- A Typical Day in the Life of a MARS Operator
- Limitations
- Summary
- 12 Q1 Labs QRadar Implementation
- QRadar Architecture Overview
- Q1 Labs Terms to Know
- Planning
- Know Your Network
- Plan Your QRadar SIEM Deployment
- Initial Installation
- Configuring the Underlying CentOS System
- The QRadar Administrative Interface
- Getting Flow and Event Data into QRadar
- Event Sources and Data
- Flow Sources and Data
- Summary
- 13 Q1 Labs QRadar Advanced Techniques
- Using the QRadar Dashboard
- QRadar Dashboard Default Views
- QRadar Views
- Custom Views
- The Equation Editor
- QRadar Sentries
- QRadar Sentry Components
- QRadar Sentry Types
- QRadar Rules
- QRadar Rule Types
- QRadar Rule Components
- QRadar Custom Rules Wizard
- The Offense Manager
- Searching QRadar Offenses
- QRadar Tuning
- QRadar False Positive Wizard
- QRadar DSMs and Custom DSMs
- Replacing the QRadar SSL Certificates
- Stepping Through the Process
- Analyzing Events
- Summary
- 14 ArcSight ESM v4.5 Implementation
- ArcSight Terminology and Concepts
- Overview of ArcSight Products
- ArcSight ESM v4.5
- ArcSight SmartConnectors
- ArcSight Express
- ArcSight Logger
- ArcSight ESM v4.5 Architecture Overview
- Planning Your Deployment
- Determine Goals
- Manage Assets
- Determine ArcSight Hardware Requirements
- Initial Installation
- Mount and Cable Servers
- Install and Configure Operating System
- Install ArcSight ESM v4.5 Database Software and Oracle Database
- Install ArcSight ESM v4.5 Manager
- Configure ArcSight Partition Archiver
- Install ArcSight SmartConnector
- Install ArcSight Console
- Summary
- 15 ArcSight ESM v4.5 Advanced Techniques
- Operations: Dealing with Data
- Filters
- Rules
- Lists
- Trending
- Active Channels
- Notifications
- Cases
- Exporting Information
- Managing Assets and Networks
- The ArcSight SmartConnector
- The ArcSight Asset Model
- The ArcSight Network Model
- Management and Troubleshooting
- Log and Configuration Files
- Database
- System Patching and Upgrades
- Tips and Tricks
- Summary
- Appendix: The Ways and Means of the Security Analyst
- Index
