Monday, April 26, 2010

Of SIEMs and Gymnastics

In thinking about SIEMs overall, relative to a thought that has been building over the last month or so, I had a flashback to my cheerleading days.

Don’t laugh. For a slightly introverted guy, cheerleading at a college with a girl to guy ratio of 7:1 = win.

One of the differences between a back handspring and a back tuck is the general ability to transfer momentum from one movement into the next. This is a lot easier with a back handspring, since the motion is front to back vs. the tuck's up and down. It is one of the main reasons why you are much more apt to see a series end in a back tuck than start with one and transition into other things.

My problem is that I learned how to do a back tuck, the finishing move, first. This translated into me not really being able to do multiple back handsprings in a series.

So, how does this relate?

If you look at the maturity models from the last post, SIEMs sit toward the right side. IMO, then, and based on the language used by the vendors I have talked with, the use cases are all about alerting on X in your environment. SIEMs are (should be?) the finishing-move back tucks of the InfoSec world. Based on your environment, though, how are you using it? Starting at alerting and backing into monitoring? Moving from monitoring into alerting? Can your SIEM do both, or maybe you need just one or the other? I really think the difference between monitoring and alerting is more than just semantics.

I’m the newb here - am I off my rocker?
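To make the monitoring-versus-alerting distinction concrete, here is an added example (not from the original post, and not any vendor's SIEM logic) that feeds one constructed stream of authentication events to two consumers: a monitoring view that only summarises activity per time window for an analyst to review, and an alerting rule that fires on one specific condition (a burst of failures from a source followed by a success). The event format, the window sizes and the threshold are assumptions chosen for the illustration.

```python
"""Added example: the same constructed event stream consumed two ways,
'monitoring' (summarise, nothing fires) and 'alerting' (a rule fires).
Event tuple format and thresholds are assumptions for this illustration."""
from collections import Counter, defaultdict

# Constructed sample events: (timestamp in seconds, source_ip, user, outcome)
SAMPLE_EVENTS = [
    (0,  "10.0.0.5", "alice", "success"),
    (5,  "10.0.0.5", "alice", "success"),
    (10, "10.0.0.9", "bob",   "failure"),
    (12, "10.0.0.9", "bob",   "failure"),
    (15, "10.0.0.9", "bob",   "failure"),
    (18, "10.0.0.9", "bob",   "failure"),
    (20, "10.0.0.9", "bob",   "failure"),
    (25, "10.0.0.9", "bob",   "success"),
    (70, "10.0.0.5", "carol", "success"),
    (75, "10.0.0.7", "dave",  "failure"),
]


def monitor(events, window=60):
    """Monitoring: per-window counts of (source, outcome).

    Nothing is decided here; the output is a trend view. Note that it still
    surfaces the lone failure from 10.0.0.7, which the alert rule below
    deliberately ignores because it never meets the rule's condition."""
    buckets = defaultdict(Counter)
    for ts, src, _user, outcome in events:
        buckets[ts // window][(src, outcome)] += 1
    return {w: dict(c) for w, c in sorted(buckets.items())}


def alert_brute_force(events, threshold=5, span=30):
    """Alerting: fire when one source accumulates `threshold` failures within
    `span` seconds and then logs in successfully. Returns the alerts raised."""
    alerts = []
    recent_failures = defaultdict(list)  # src -> timestamps of recent failures
    for ts, src, user, outcome in events:
        # Drop failures that have aged out of the sliding window.
        recent_failures[src] = [t for t in recent_failures[src] if ts - t <= span]
        if outcome == "failure":
            recent_failures[src].append(ts)
        elif outcome == "success" and len(recent_failures[src]) >= threshold:
            alerts.append({
                "src": src,
                "user": user,
                "at": ts,
                "failures": len(recent_failures[src]),
            })
            recent_failures[src].clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for window, counts in monitor(SAMPLE_EVENTS).items():
        print(f"window {window}: {counts}")
    for alert in alert_brute_force(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Run as a script, the monitoring view lists every source and outcome in each window while the alert rule raises exactly one event, for 10.0.0.9. That asymmetry is the point: monitoring is a summary an analyst reads, alerting is a condition the tool decides on, and a SIEM configured for only one of them will not give you the other for free.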

2 comments:

  1. SIEM is absolutely one of the finishing touches. If you have no fw, IDS/IPS, VA, etc, etc and logging, you should go do them before even uttering the word "SIEM"

  2. Wow - first Rocky and now Anton. Thanks for stopping by!

    When it comes to your overall tool set I am reminded of the Stones...though I'm not sure if their want/need lyrics are in the right order. I should look up the actual lyrics I guess.
