Network devices produce an enormous volume of log information that cannot be fully digested and examined without consolidation and automation. With security incidents occurring far more frequently, the forensic information needed to investigate and act is both sizable and diverse, spread across those large volumes of logs. Collecting it is time-consuming, arduous, and often not fully possible. Real-time threats are difficult to detect and even harder to address quickly without intelligent automation and response.
Security Information and Event Management (SIEM) software products provide real-time monitoring, reporting, and analytic tools that correlate events from numerous system logs. This enables rapid threat detection and faster incident response. Splunk is one of many SIEM solutions available today; it is neither the cheapest nor the most expensive tool. Other SIEM products include LogRhythm, AlienVault, SolarWinds, and Rapid7. For those who prefer open source solutions, options include OSSIM, the ELK Stack, and SIEMonster.
A SIEM can analyze disparate data from many existing security products, endpoints, servers, other network devices, and network traffic. The SIEM detects patterns across the network and launches appropriate alerts and actions. Firewalls, endpoint security, and other security tools by themselves are not designed to address the dynamic and expansive nature of the entire network. A SIEM improves efficiency by providing a single interface to view security and event log information from many hosts across the network. By storing and processing these logs, and providing ways to navigate and correlate the data, a SIEM allows for more rapid and thorough forensic investigations.
District 99 has installed and configured Splunk on a Linux VM in a Hyper-V environment. We are currently collecting and processing log data from our domain controllers, IIS servers, Palo Alto firewall, VPN, and Cisco ISE environment. We are expanding our coverage to include network switches and other Linux servers. We’ve built basic dashboards to monitor Windows (warnings, errors) and Cisco ISE events. We’re developing additional dashboards for our Palo Alto firewall (threats, GlobalProtect VPN). We continue to tune the system; as we all know, system logs are quite verbose. Finding the right balance in order to reduce the number of false positives is an ongoing process.
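The cross-source correlation and false-positive tuning described above, shown as an added Python example that is not District 99's Splunk configuration: it groups constructed Windows failed-logon events and Palo Alto threat-log lines (hypothetical, simplified field layouts) by source IP and only raises an alert when a burst of failed logons is corroborated by a high-severity firewall threat from the same address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified layouts, not the real products' formats): Windows
# Security failed logons (EventCode 4625) from a domain controller and Palo Alto threat-log lines.
WINDOWS_EVENTS = [
    "2024-03-01T08:00:05 dc01 EventCode=4625 Account_Name=asmith Source_Network_Address=10.20.30.40",
    "2024-03-01T08:00:09 dc01 EventCode=4625 Account_Name=asmith Source_Network_Address=10.20.30.40",
    "2024-03-01T08:00:14 dc01 EventCode=4625 Account_Name=asmith Source_Network_Address=10.20.30.40",
    "2024-03-01T08:00:20 dc01 EventCode=4625 Account_Name=asmith Source_Network_Address=10.20.30.40",
    "2024-03-01T08:00:26 dc01 EventCode=4625 Account_Name=asmith Source_Network_Address=10.20.30.40",
    "2024-03-01T08:10:00 dc01 EventCode=4625 Account_Name=bjones Source_Network_Address=10.1.1.7",
    "2024-03-01T08:30:00 dc01 EventCode=4624 Account_Name=asmith Source_Network_Address=10.20.30.40",
]
PALO_ALTO_THREATS = [
    "2024-03-01T08:01:00 pa-fw THREAT src=10.20.30.40 dst=10.0.0.5 severity=high",
    "2024-03-01T09:00:00 pa-fw THREAT src=192.0.2.9 dst=10.0.0.5 severity=low",
]
WIN_RE = re.compile(r"^(?P<ts>\S+) \S+ EventCode=(?P<kind>\d+) Account_Name=\S+ Source_Network_Address=(?P<src>\S+)$")
PA_RE = re.compile(r"^(?P<ts>\S+) \S+ THREAT src=(?P<src>\S+) dst=\S+ severity=(?P<kind>\S+)$")

def by_source(lines, regex, want):
    """Group event timestamps by source IP, keeping only lines whose 'kind' capture equals `want`."""
    out = defaultdict(list)
    for m in filter(None, map(regex.match, lines)):
        if m.group("kind") == want:
            out[m.group("src")].append(datetime.fromisoformat(m.group("ts")))
    return out

def correlate(windows_lines, threat_lines, threshold=5, window=timedelta(minutes=5), require_threat=True):
    """Alert on a source IP with >= threshold failed logons inside `window`. With require_threat,
    also demand a high-severity firewall threat from that IP near the burst: raising the threshold
    or requiring the second source is the tuning that cuts false positives from noisy logs."""
    failures = by_source(windows_lines, WIN_RE, "4625")
    threats = by_source(threat_lines, PA_RE, "high")
    alerts = []
    for src, times in failures.items():
        times.sort()
        for i in range(len(times)):  # sliding window over sorted timestamps
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 < threshold:
                continue
            corroborated = any(times[i] - window <= t <= times[j] + window for t in threats[src])
            if corroborated or not require_threat:
                alerts.append({"src": src, "failures": j - i + 1, "corroborated": corroborated})
                break  # one alert per source IP
    return alerts
```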
Splunk, like our network, is very complex. SIEMs can be difficult to configure, deploy, and fully utilize, so implementation assistance from a SIEM expert is key. We used CDW-G and their SIEM partner for initial implementation assistance. We look forward to fully implementing this solution in order to be more proactive and efficient in our security and forensic efforts. Feel free to contact us with any questions: Tony Dotts, CEH; Network Systems Administrator (firstname.lastname@example.org); Rod Russeau, CETL; Director, Technology & Information Services (email@example.com).