To be effective, a SIEM system should be connected to all the data sources distributed across the IT infrastructure. It is like video surveillance: if you want the full picture of what is actually happening inside the perimeter, you need cameras in every room.
That is the ideal scenario, of course. In real life it is often impossible to connect every data source to the SIEM; in that case, start with the most critical ones.
Make sure that connectors for these sources are available in the SIEM system out of the box.
1. Windows Event Log connector. It covers the Microsoft infrastructure (Active Directory, Exchange), reads Microsoft SQL Server logs, and collects events from any application that writes to the Windows Event Log.
It is crucial to monitor Active Directory (AD) security events, because AD is the source that holds data on:
Monitoring Active Directory makes it possible to detect attempts to brute-force passwords or accounts, as well as simultaneous use of one account on different PCs. In most companies this is the basic way of monitoring how users work with their accounts.
Thus, AD monitoring gives IT and information security specialists useful data on issues such as:
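The two AD detections named above, brute-force attempts and one account in use on several PCs, as an added example that is not code from the original page. It runs the rules over constructed Security log records (event 4625, logon failed, and 4624, logon succeeded) reduced to the fields the rules need; the field names, hosts, users and the thresholds are assumptions, and a real connector would map them from the event XML.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the shape a Windows Event Log connector might
# deliver to the SIEM: event 4624 (logon succeeded) and 4625 (logon failed),
# reduced to the fields the rules need. Users, hosts and times are made up.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:01", "id": 4625, "user": "jdoe",   "host": "WS-12", "logon_type": 2},
    {"time": "2024-03-01T09:00:15", "id": 4625, "user": "jdoe",   "host": "WS-12", "logon_type": 2},
    {"time": "2024-03-01T09:00:30", "id": 4625, "user": "jdoe",   "host": "WS-12", "logon_type": 2},
    {"time": "2024-03-01T09:00:45", "id": 4625, "user": "jdoe",   "host": "WS-12", "logon_type": 2},
    {"time": "2024-03-01T09:01:00", "id": 4625, "user": "jdoe",   "host": "WS-12", "logon_type": 2},
    {"time": "2024-03-01T09:01:10", "id": 4625, "user": "jdoe",   "host": "WS-12", "logon_type": 2},
    {"time": "2024-03-01T09:01:20", "id": 4624, "user": "jdoe",   "host": "WS-12", "logon_type": 2},
    {"time": "2024-03-01T09:02:00", "id": 4625, "user": "bob",    "host": "WS-03", "logon_type": 2},
    {"time": "2024-03-01T09:02:30", "id": 4625, "user": "bob",    "host": "WS-03", "logon_type": 2},
    {"time": "2024-03-01T09:05:00", "id": 4624, "user": "asmith", "host": "WS-07", "logon_type": 2},
    {"time": "2024-03-01T09:06:00", "id": 4624, "user": "asmith", "host": "FS-01", "logon_type": 3},
    {"time": "2024-03-01T09:08:00", "id": 4624, "user": "asmith", "host": "WS-22", "logon_type": 10},
    {"time": "2024-03-01T09:30:00", "id": 4624, "user": "cpark",  "host": "WS-30", "logon_type": 2},
    {"time": "2024-03-01T10:15:00", "id": 4624, "user": "cpark",  "host": "WS-31", "logon_type": 2},
]

# Logon types that mean a person is sitting at (or RDP'd into) the machine:
# 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def detect_brute_force(events, threshold=5, window_minutes=5):
    """Alert when an account accumulates `threshold` failed logons (4625) inside the window.

    Returns a list of (user, time of the failure that crossed the threshold).
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)      # user -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["id"] != 4625:
            continue
        t = _ts(ev)
        q = failures[ev["user"]]
        q.append(t)
        while q and t - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["user"], ev["time"]))
            q.clear()                   # one alert per burst, not one per extra failure
    return alerts


def detect_concurrent_use(events, window_minutes=10):
    """Alert when one account logs on interactively to two different hosts inside the window.

    Network logons (type 3, e.g. file-share access) are ignored on purpose: a user
    legitimately touches many servers that way. Returns (user, new host, earlier hosts, time).
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)        # user -> (timestamp, host) of recent interactive logons
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["id"] != 4624 or ev["logon_type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        t = _ts(ev)
        q = recent[ev["user"]]
        while q and t - q[0][0] > window:
            q.popleft()
        other_hosts = sorted({h for _, h in q if h != ev["host"]})
        if other_hosts:
            alerts.append((ev["user"], ev["host"], other_hosts, ev["time"]))
        q.append((t, ev["host"]))
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_EVENTS):
        print("brute force:", a)
    for a in detect_concurrent_use(SAMPLE_EVENTS):
        print("concurrent interactive use:", a)
```

On the sample data the first rule fires once for jdoe (five failures in under a minute, followed by a successful logon, which is the pattern worth a ticket) and stays silent for bob's two typos; the second rule fires for asmith, who is on WS-07 and ten minutes later on WS-22 over RDP, while the network logon to FS-01 in between is ignored. Widening the window to an hour also catches cpark moving from WS-30 to WS-31, which shows why the window is a tuning knob rather than a constant.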
2. Connectors for email servers
In many organizations it is common for several employees to use a single mailbox at the same time. In addition, some employees gain access to other employees' mailboxes as a result of changes in business processes.
A change of mailbox owner may be either legitimate or illicit; if it is illicit, it is a threat to the organization. When choosing a SIEM tool, it is crucial that the system can monitor the email data source: its availability in general, and access to mailboxes and the data stored in them.
A few examples of what needs to be monitored:
3. Connectors for Database Management System (DBMS)
Databases always contain confidential data, so it is crucial to monitor administrators' activity at the DBMS level with the SIEM system.
This way the information security specialist will not miss changes made to a database that may turn out to be illicit:
4. Syslog connectors
If network equipment, servers or standalone Linux PCs need to be monitored, the SIEM system must support receiving security logs over Syslog. Every Linux distribution supports it, both at the level of the OS itself and at the level of the applications running on it. With a Syslog connector it is possible to monitor:
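What a Syslog connector actually has to do before any rule can run, as an added example that is not code from the original page: normalize the two wire formats (the older RFC 3164 "BSD" lines most network gear and Linux daemons emit, and RFC 5424) into one event shape, and then decide which events belong in the security index. The sample lines, host names and the routing rule are constructed for this example; the facility and severity tables and the `<13>` default for a line without a PRI field are from the RFCs.

```python
import re

# Facility and severity names from RFC 3164 / RFC 5424 (list index = numeric code).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# RFC 3164 header: "Mmm dd hh:mm:ss HOSTNAME " followed by TAG[pid]: content
RFC3164_RE = re.compile(r"^([A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S)
TAG_RE = re.compile(r"^([^\s:\[]+)(?:\[(\d+)\])?:\s?(.*)$", re.S)

# Constructed sample lines: a Linux host (sshd, su), a firewall speaking RFC 5424,
# and a switch that sends no PRI field at all. Addresses are documentation ranges.
SAMPLE_LINES = [
    "<86>Mar  1 09:02:11 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2",
    "<190>1 2024-03-01T09:02:12.000Z fw-edge01 fwd - - - Deny tcp src 203.0.113.7/51422 dst 10.0.0.5/445",
    "Mar  1 09:02:13 core-sw01 %LINK-3-UPDOWN: Interface Gi1/0/7, changed state to down",
    "<34>Mar  1 09:02:14 web01 su: 'su root' failed for jdoe on /dev/pts/2",
]


def parse_syslog(line):
    """Normalize one syslog line (RFC 3164 or RFC 5424) into a flat event dict."""
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), m.group(2)
    else:
        # RFC 3164 section 4.3.3: a message with no valid PRI is treated as <13> (user.notice).
        pri, rest = 13, line
    ev = {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
          "format": None, "timestamp": None, "host": None, "app": None, "pid": None,
          "msg": rest, "raw": line}

    parts = rest.split(" ", 6)
    if rest.startswith("1 ") and len(parts) == 7:
        # RFC 5424: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
        sd_msg = parts[6]
        if sd_msg.startswith("["):
            # Simplified: one SD element, no escaped ']' inside it.
            end = sd_msg.find("] ")
            msg = sd_msg[end + 2:] if end != -1 else ""
        else:
            msg = sd_msg[2:] if sd_msg.startswith("- ") else ""
        ev.update(format="rfc5424", timestamp=parts[1], host=parts[2],
                  app=None if parts[3] == "-" else parts[3],
                  pid=None if parts[4] == "-" else parts[4], msg=msg)
        return ev

    m = RFC3164_RE.match(rest)
    if not m:
        return ev  # no recognizable header: keep PRI and the raw content
    ev.update(format="rfc3164", timestamp=m.group(1), host=m.group(2))
    t = TAG_RE.match(m.group(3))
    if t:
        ev.update(app=t.group(1), pid=t.group(2), msg=t.group(3))
    else:
        ev["msg"] = m.group(3)
    return ev


def is_security_relevant(ev):
    """Routing rule (an assumption for this example): authentication facilities,
    or anything at severity err or worse, goes to the security index."""
    return ev["facility"] in ("auth", "authpriv") or SEVERITIES.index(ev["severity"]) <= 3


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_syslog(line)
        print(ev["facility"], ev["severity"], ev["host"], ev["app"], "->",
              "security" if is_security_relevant(ev) else "ops")
```

Two things to check when evaluating a vendor's Syslog connector follow directly from this: whether it handles a device that omits the PRI field (the switch line above, which should land as user.notice rather than be dropped), and whether RFC 3164 timestamps, which carry no year and no time zone, are stamped with the collector's clock on arrival, since otherwise correlation across sources breaks.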
5. Connectors for control of virtualized environment
Network hardware is usually connected via Syslog as well. Server infrastructure and data, however, are increasingly hosted in virtualization environments. If these are used in critical processes, they should be connected to the SIEM system: sometimes the virtualization tools turn out to be the only way to restore an IT system's operability.
For example, if the VMware environment that hosts critical resources fails, the whole company's business slows down.
The list of what must be monitored:
6. Connectors for firewalls and complex network security devices
Now that the number of cyber-attacks targeting network hardware is rising sharply, it is crucial to connect that hardware to the SIEM system. However, each company has its own set of network equipment.
That is why, when choosing a SIEM system, make sure the particular vendor's solution can monitor the set of equipment you actually have. Attacks can then be caught in time using rules such as:
All in all, to avoid fooling yourself when choosing connectors and to get the most out of a SIEM implementation, answer the following questions:
Moreover, during the trial period it is very useful to put the SIEM system under maximum load. That is, it is far more beneficial to run the system not on a demo stand or in an isolated network segment, but in the loaded production infrastructure. This way of choosing a solution reveals whether the tested SIEM suits your organization's requirements, and it ensures you will not discover in real-life conditions that something does not work properly.