Operating SIEM Solution


Greetings. In this article I would like to look at SIEM technology from another perspective. First, let me ask a question: imagine you have a SIEM solution integrated with every node in your network; does this mean you are getting the full benefit from the SIEM?

Security Information & Event Management (SIEM) is a real-time monitoring technology for all the security logs collected from whatever devices you have. Any SIEM project has two main phases: integration and operation.

In this article I won't address integration techniques, because everyone can easily integrate their own devices, applications, systems, etc.

But when you hear the quote "SIEM Solution Is the Backbone of Any Security Operation Center", you have to think about SIEM operation.

Let's start with a SIEM solution integrated with all the systems, devices, applications, etc. in our network. What will be the next step?

The next steps are the operation part, as follows:

— Defining the organization's administrator accounts

Because administrator accounts are the most powerful and highest-privileged accounts in any environment, compromising such an account is the highest risk. You need to track every single activity taken by those admins, so you have to define the administrator accounts in the SIEM solution.

— Defining the organization's network hierarchy

Think of this step as teaching your network zones to the SIEM solution. From my point of view you will need to define at least the following zones:

  • DMZ
  • Internal Server Zones
  • VOIP Networks
  • Wireless Networks
  • VPN Address Spaces
  • Compliance Networks

— Defining the organization's servers

In this step you define your servers by function; at least the following functions have to be addressed:

  • LDAP Servers
  • DHCP Servers
  • DNS Servers
  • Mail Servers
  • Proxy Servers
  • Database Servers
  • FTP Servers
  • SSH Servers
  • Syslog Servers
  • SNMP Servers
  • VOIP PBX Servers
  • VPN Servers
  • Web Servers
  • Vulnerability Assessment Servers
  • Remote Servers
  • Network Management Servers
  • Update servers, used for example to distribute antivirus signatures, etc.

— Defining uncommon TCP/UDP ports

Most organizations don't use the default ports for well-known applications, databases, services, etc., so you need to define the non-default ports used in your environment so that the SIEM solution tracks them correctly and false positives are reduced.

— Defining the organization's sensitive data

Sensitive data varies from one organization to another, so you need to define what counts as sensitive from your organization's perspective, e.g. HR data, financial data, credit cards, source code, etc.

— Correlation Rules Tuning

This is the output of all the phases above. Any SIEM solution has its own built-in correlation rules, but tuning SIEM correlation is an ongoing process that must be taken into consideration, as it differs from one environment to another.

I think you can start with the organization's policy and translate it into correlation rules. After that, look for test cases in your environment (applications, servers, databases, etc.) and create correlation rules to detect such deviations. For example, I noticed that someone had previously created a correlation rule to detect a rise in temperature on specific critical network devices, in order to solve a downtime issue.

Finally always remember that not all correlation rules, An Offense
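
The following is an added example, not code from the original article, showing how the assets defined in the earlier steps (administrator accounts, network zones, non-default ports) feed directly into custom correlation rules. All account names, address ranges, ports and log events are constructed sample values; the three rules and the offense format are my own illustration, not a specific SIEM product's rule language.

```python
import ipaddress
from collections import Counter

# Constructed organization context (example values, not taken from the article).
ADMIN_ACCOUNTS = {"adm.root", "adm.dba"}
ZONES = {
    "internal_servers": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "vpn": ipaddress.ip_network("10.200.0.0/16"),
}
# Non-default ports this fictional organization uses; other ports hitting the server zone are unknown services.
KNOWN_SERVICE_PORTS = {2222: "ssh", 8443: "https", 5433: "postgres"}
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample events, in the shape a parsed authentication log line might take.
EVENTS = [
    {"user": "adm.root", "src": "192.0.2.15", "dst": "10.10.1.5", "dport": 2222, "result": "success"},
    {"user": "adm.dba", "src": "10.200.3.4", "dst": "10.10.1.7", "dport": 5433, "result": "success"},
    {"user": "jdoe", "src": "10.10.2.9", "dst": "10.10.1.5", "dport": 2222, "result": "fail"},
    {"user": "jdoe", "src": "10.10.2.9", "dst": "10.10.1.5", "dport": 2222, "result": "fail"},
    {"user": "jdoe", "src": "10.10.2.9", "dst": "10.10.1.5", "dport": 2222, "result": "fail"},
    {"user": "svc.backup", "src": "10.10.2.9", "dst": "10.10.1.9", "dport": 6667, "result": "success"},
]


def zone_of(ip):
    """Map an address to the zone defined in the network hierarchy, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def correlate(events):
    """Apply three rules built from the defined assets; return (rule, subject, detail) offenses."""
    offenses = []
    failures = Counter()
    for e in events:
        src_zone = zone_of(e["src"])
        # Rule 1: a defined admin account authenticating from outside the trusted zones.
        if e["user"] in ADMIN_ACCOUNTS and src_zone not in ("internal_servers", "vpn"):
            offenses.append(("admin_login_from_untrusted_zone", e["user"], src_zone))
        # Rule 2: a port not in the organization's known list, targeting the internal server zone.
        if e["dport"] not in KNOWN_SERVICE_PORTS and zone_of(e["dst"]) == "internal_servers":
            offenses.append(("unknown_service_in_server_zone", e["dst"], e["dport"]))
        # Rule 3: repeated failed logins for one user from one source (raised once, at the threshold).
        if e["result"] == "fail":
            failures[(e["user"], e["src"])] += 1
            if failures[(e["user"], e["src"])] == FAILED_LOGIN_THRESHOLD:
                offenses.append(("auth_failure_burst", e["user"], e["src"]))
    return offenses
```

The same offense tuples are also what the admin activity and policy violation reports in the next section would be built from.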

— Reporting & Monitoring

Monitoring a SIEM solution is not only tracking the offenses generated by the SIEM; for more efficiency you also have to look at the log activity collected from your devices, to track any abnormal behaviour that is not covered by your correlation rules.

Reporting is an important part of SIEM for SOC operation. From the steps above you can list some of the important reports as follows:

  • User tracking across all systems
  • Administrative activity tracking
  • Successful & failed admin/normal user authentications
  • User creation, deletion & modification
  • Offense status
  • Traffic from DMZ/Internet zones to the internal zone
  • Traffic to the internal server zone
  • Compliance reports for PCI, ISO27K
  • Policy violations
  • Unsecured services in use
  • Statistics for all inbound & outbound traffic

Finally, flow integration gives you deeper analysis of network packet flows, and integration with vulnerability assessment tools enhances the intelligence of the SIEM solution with powerful correlation between detected vulnerabilities and exploit attempts.

At this point you have an efficient SIEM solution, with admin accounts defined, a network hierarchy, all the organization's servers, sensitive data tracking, built-in and custom correlation rules, and finally report generation and monitoring.

Ayman Hammouda – Senior Information Security Engineer at Security Meter
