Tuning your USM Intrusion Detection System
As a certified partner of AlienVault, Sedara managed the initial setup and baselining for over 500 AlienVault USM users. This process is referred to as ‘Tuning’ where we first reduce irrelevant data, then we phase out false positives.
To tune a SIEM, work with alerts and create custom correlation rules to ensure continued accuracy. As every environment is different, tuning is a unique process for each organization.
When initially tuning your USM, we work with your internal team to determine what information is important for your organization. We take this foundation and tune it toward a manageable and precise flow of alerts.
Determining False Positives
Isolating false positives in your environment is a continual undertaking but is the critical first step. This becomes important after your initial wave of tuning out irrelevant data.
A good example of tuning happened with one of our customers:
AlienVault NIDS generated an alarm for every desktop beaconing out to the same web server at around the same time. This is a tell-tale sign of a command and control center preparing for a DDOS attack. After looking into it a little further, Sedara analysts discovered that it was the customer’s patch management system. This system had each workstation call an action to access core machine information at the same time and report to an external server to request a browser update. Although this is an uncommon way of updating, it is not malicious or a threat to our customer’s systems. Knowing the destination IP, the event names, and the types of logs involved, we were able to tune out this false positive.
What Alerts Should You Set?
Because every environment is different, there is no cookie-cutter template. However, there are non-standard custom correlation rules that are important for almost every network. Some good examples revolve around active directory activity. A few of the questions we ask our customers include:
- Where is the location of sensitive data?
- What are your approved access methods?
- What are your unapproved access methods?
- Who has access and when?
- What is normal network traffic?
- What is authorized on endpoints?
Managing Daily Alerts with your IDS
The problem with any IDS or SIEM is that you can’t set it and forget it, as we explained in a previous post. Your network, your data, your employees, and your vendors are constantly changing – every change impacts your environment and may cause new alerts to investigate.
The Cost-Benefit Analysis of Internal SIEM/IDS Management
To have a fully optimized USM that includes the SIEM and IDS you need a dedicated security analyst or engineer. For many companies, that staffing investment is a significant cost. This talent is difficult to find and retain. In most US locations, the annual salary of a security engineer is six figures and that’s if you can find one that is trained in the tools you’ve already invested in.
Here’s an overview of SIEM costs when being managed internally:
SIEM Ongoing, Operating “Soft” Costs
- Report review and other ongoing monitoring tasks – from 24/7 to daily to weekly
- Alert response and escalation; SIEM implies correlation and automated alerting
- Other daily SIEM tasks such as reviewing the dashboards
- Uptime maintenance tasks i.e. caring for your SIEM as well as storage – backups, updates, minor troubleshooting, etc.
Periodic or Occasional “Soft” Costs
- SIEM rule tuning, reports creation, dashboard customization, new log source integration, and other ongoing SIEM tasks
- Periodic training and related staff time costs
- Expansion: same as initial soft costs
Getting Your Full ROI from your AlienVault USM
We engage many clients that invested in AlienVault’s USM, but they are not getting the full return on their investment. Internal IT is juggling continuous tuning, alarm investigations, and handling the demands of your organization’s existing needs. At Sedara, we augment our customers’ internal teams to flexibly co-manage or fully manage their AlienVault USM. We constantly tune their systems, investigate alarms, and advise on security issues they otherwise would not be aware of.
Ready to unlock your AlienVault’s USM potential?
Contact Sedara Security, an authorized AlienVault Professional Services partner.
Subscribe to Sedara Declassified to get timely updates on new and evolving threats–and what to do about them–just like our clients do.