SIEM implementation for global and distributed environments

Abstract

Today's computer networks produce a huge amount of security log data. Handling this data is impossible without using Security Information and Event Management Systems (SIEM) to centralize the log management and increase the level of information security and data protection in the organization. SIEM collect and aggregate log data from various devices and applications through software called agents or connectors, filter uninteresting data and normalize to a proprietary format, analyses through correlation using contextual information and alert administrators in case of attack. SIEM provide proactive threat detection and real-time analysis of system activity. Handling these issues will be very hard without relying on consolidated, big data-powered SIEM. However, even having the most expensive SIEM solution, the organization should not expect the product to work great out of the box. The best SIEM solution does not guarantee success. The organization should focus on building various use cases to make their SIEM solution a success. In this paper, we propose a new model and architecture for SIEM implementation that is using multiple hierarchical SIEM Managers. The model is called “Hierarchical Managers Model”. We demonstrated how this model and architecture could be created and enabled in the leading SIEM system - ArcSight ESM [7]. We also provide examples of possible use cases that we have created and tested in our testing environment. These are meant to provide a good base starting point and should not be considered comprehensive for all situations. The use cases shown in this paper are created using the security event correlation framework from Hewlett-Packard - ArcSight ESM [7].