Setting your Baseline through Tuning
As a certified professional services partner of AlienVault, Sedara has managed the initial setup and baselining for over 500 new or expanding AlienVault USM users. This process is referred to as ‘Tuning’ where we first reduce irrelevant data, then we phasing out false positives.
To tune a SIEM you must work with alerts and create custom correlation rules to ensure continued accuracy. This ultimately results in an analyst’s time being well spent on alarm investigations, and producing clean and useful reports. As every environment is different, tuning is a unique process for each organization.
When initially tuning your USM we work with your internal team to determine what information is important for your organization. We then combine that information with our cybersecurity knowledge from our past implementations and currently managed AlienVault customers. We finally take this foundation and start to tune towards a manageable and precise flow of alerts.
Determining False Positives
Being able to isolate false positives in your environment is a continual undertaking, but is the critical first step for the constant tuning that happens throughout the life of the system. This becomes extremely important after your initial wave of tuning out irrelevant data.
A good example of this level of tuning actually happened with one of our customers about 1 hour before writing this...
AlienVault NIDS generated an alarm for every desktop beaconing out to the same web server at around the same time. This is a tell-tale sign of a command and control center preparing for a DDOS attack. After looking into it a little further, Sedara analysts discovered that it was the customer’s patch management system. This system had each workstation call an action to access core machine information at the same time and report to an external server to request a browser update. Although this is an uncommon way of updating, it is not malicious or a threat to our customer’s systems. Knowing the destination IP, the event names, and the types of logs involved, we were able to tune out this false positive.
What Alerts Should You Set?
As mentioned above, because every environment is different there is no cookie-cutter template. But there are non-standard custom correlation rules that are extremely important for almost every network. We prioritize these out of the box to show value very quickly in the AlienVault systems we implement. Some good examples revolve around active directory activity. A few of the questions we ask our customers to get the right kind of thoughts flowing for initial tuning include:
- Location of sensitive data
- Approved access methods
- Unapproved access methods
- Who has access and when
- What is normal network traffic
- What is authorized on endpoints
Managing Daily Alerts with your IDS
The problem with any IDS or SIEM is that you can’t set it and forget it as we explained in a previous post. Your network, your data, your employees and your vendors are constantly changing - each change affects your environment and may cause new alerts to investigate. The challenge with optimizing any good cybersecurity monitoring system is keeping up with the day-to-day management.
The Cost-Benefit Analysis of Internal SIEM/IDS Management
To have a fully optimized USM that includes the SIEM and IDS you need a 50-100% dedicated security analyst or engineer. For many companies that staffing investment is a significant cost and is difficult to find and retain. In most US locations, the annual salary of a security engineer is in the six figures and that’s if you can even find one that is trained and certified in the tools you’ve already invested in. Here’s an overview of SIEM costs when being managed internally:
- SIEM ongoing, operating “soft” costs
- Report review and other ongoing monitoring tasks – from 24/7 to daily to weekly
- Alert response and escalation; SIEM implies correlation and automated alerting
- Other daily SIEM tasks such as reviewing the dashboards
- Uptime maintenance tasks i.e. caring for your SIEM as well as storage – backups, updates, minor troubleshooting, etc.
- Periodic or occasional “soft” costs
- SIEM rule tuning, reports creation, dashboard customization, new log source integration, other ongoing SIEM tasks
- Periodic training and related staff time costs
- Expansion: same as initial soft costs
Getting Your Full ROI from your AlienVault USM
We engage many clients that have invested in AlienVault’s USM, but they are not getting the full return on their investment. The challenge for internal IT is juggling the continuous tuning and alarm investigations as well as handling the competing demands of your organization's existing needs. At Sedara, we augment our customers' internal teams to flexibly co-manage or fully manage their AlienVault USM. We constantly tune their systems, investigate alarms, and advise on security issues they otherwise would not be aware of.
Ready to unlock your AlienVault’s USM potential?
Contact Sedara Security, an authorized AlienVault Professional Services partner.