Sunday, January 30, 2011

Book Review - Security Information and Event Management (SIEM) Implementation

In short – if you have been “doing” SIEM for any length of time you probably won’t get a whole lot out of this book. Conversely if you are starting to venture down the SIEM path you might want to pick it up.

I first read about this book on Dr. Anton Chuvakin’s blog. Even though his review was less than stellar, he did give it 4 stars (I'd give it 2.5). Also, since the book’s title includes “implementation” and I have been using ArcSight for a little over two years now, I figured I would give it a shot. I was hopeful…and ended up sort of disappointed. Don’t get me wrong; I appreciate the time and effort the authors put into the book. There really isn’t a whole lot of SIEM-type information “out there,” which is one of the main reasons I started my own SIEM-esque blog. I think this book has the most value if you are somewhere between not yet having bought a SIEM and 3 or 4 months into your SIEM deployment, as a way to level-set the conversation (though the first part of the book is very basic).

Saturday, January 8, 2011

ArcSight - The SIEM Lego Set. Take 2

I wanted to post something a little more positive when it comes to the ArcSight Lego concept. Several months ago a group at work was charged with justifying a particular line item of their budget relating to the use of online resources and subscription fees. What they didn’t have was a way to link users to particular site browsing. The issue was bounced around just a bit until it hit my plate, and with ArcSight’s feeds the solution was fairly easy to craft (though the devil is in the details). Everyone’s environment is different, and different vendors/solutions generate different logs. Again, I don’t have access to other SIEM solutions, so I’m not sure how easy or hard coming up with a similar solution would be. While this isn’t specifically a security use case, the concepts or individual elements could be useful for one down the road. I have reused the login tracker a number of times.
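To make the "login tracker" idea concrete outside of any particular SIEM, here is an added, stand-alone Python example (my own illustration, not code from the post or from ArcSight). It assumes two constructed feeds: authentication events that say which user logged on or off at which source IP, and web proxy events keyed by client IP. The tracker turns the authentication events into per-IP sessions, and each proxy event is attributed to whichever user held that IP at that moment. The edge cases the "devil in the details" usually hides are handled explicitly: an IP reused by a different user later in the day (DHCP), browsing from an IP with no open session, and an IP the authentication feed never saw. All sample data and host names are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real logs).
# Authentication feed: (timestamp, user, source ip, action)
AUTH_EVENTS = [
    ("2011-01-05 08:00:00", "alice", "10.1.1.5", "logon"),
    ("2011-01-05 08:05:00", "bob",   "10.1.1.9", "logon"),
    ("2011-01-05 12:00:00", "alice", "10.1.1.5", "logoff"),
    ("2011-01-05 13:00:00", "carol", "10.1.1.5", "logon"),   # same IP, new user (DHCP reuse)
]

# Proxy feed: (timestamp, client ip, destination host)
PROXY_EVENTS = [
    ("2011-01-05 09:10:00", "10.1.1.5",  "research.example.com"),
    ("2011-01-05 09:30:00", "10.1.1.9",  "news.example.net"),
    ("2011-01-05 12:30:00", "10.1.1.5",  "research.example.com"),  # nobody logged on here
    ("2011-01-05 14:00:00", "10.1.1.5",  "journals.example.org"),
    ("2011-01-05 14:05:00", "10.1.1.77", "research.example.com"),  # IP never seen in auth feed
]


def _ts(s):
    """Parse the constructed timestamp format used above."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_login_tracker(auth_events):
    """Turn logon/logoff events into sessions per IP.

    Returns {ip: [[start, end_or_None, user], ...]} ordered by start time.
    A new logon on an IP implicitly closes any session still open there,
    so a later user on a reused address never inherits the earlier one.
    """
    sessions = defaultdict(list)
    open_idx = {}  # ip -> index of the currently open session in sessions[ip]
    for ts, user, ip, action in sorted(auth_events, key=lambda e: _ts(e[0])):
        t = _ts(ts)
        if action == "logon":
            if ip in open_idx:
                sessions[ip][open_idx[ip]][1] = t  # close the previous session at this IP
            sessions[ip].append([t, None, user])
            open_idx[ip] = len(sessions[ip]) - 1
        elif action == "logoff" and ip in open_idx:
            idx = open_idx[ip]
            if sessions[ip][idx][2] == user:  # only the session owner can close it
                sessions[ip][idx][1] = t
                del open_idx[ip]
    return sessions


def resolve_user(tracker, ip, when):
    """Return the user who held `ip` at `when`, or None if no session covers it."""
    for start, end, user in tracker.get(ip, []):
        if start <= when and (end is None or when < end):
            return user
    return None


def attribute_browsing(auth_events, proxy_events):
    """Count destination hosts per attributed user.

    Proxy events that cannot be tied to a logged-on user are bucketed under
    'UNATTRIBUTED' rather than dropped, so the gap in coverage stays visible.
    """
    tracker = build_login_tracker(auth_events)
    per_user = defaultdict(lambda: defaultdict(int))
    for ts, ip, host in proxy_events:
        user = resolve_user(tracker, ip, _ts(ts)) or "UNATTRIBUTED"
        per_user[user][host] += 1
    return {user: dict(hosts) for user, hosts in per_user.items()}


if __name__ == "__main__":
    for user, hosts in sorted(attribute_browsing(AUTH_EVENTS, PROXY_EVENTS).items()):
        print(user, hosts)
```

The important design choice is the half-open interval check in resolve_user together with the "new logon closes the old session" rule: without both, the 12:30 request from 10.1.1.5 would be silently credited to alice, and the afternoon requests would be ambiguous between alice and carol. Keeping an explicit UNATTRIBUTED bucket is what lets you see how much of the proxy traffic the authentication feed actually explains before anyone relies on the per-user numbers.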