Managing a data center requires a lot of coordination. On a daily basis, you spend time looking at dashboards,...
performance trends, power consumption and system access.
For more advanced monitoring, security information and event management (SIEM) adds another layer of security to your data center.
Creating a productive SIEM environment requires planning to determine what events are worthy of manual intervention and what reports you need on a daily, weekly or monthly basis.
Common reporting options
One way to quickly develop the scope of your SIEM coverage is through overall reports. Because there can be so many options, there are a few you should focus on when selecting an initial reporting structure. In general, you want to be able to track who, when, from where and what authentication device the user employed.
To capture all of this information, common SIEM reports include:
- user activity reports;
- configuration change reports;
- access reports;
- incident tracking reports;
- on-demand operational reports; and
- monthly summary reports.
These details can help you easily organize how often you want these reports, which admin is in charge of looking at the reports and what measures they should take if anomalies occur within the data.
Events of interest
SIEM tools can alert you to every possible event, but you'll want to begin by setting baseline alerts. By having these basics, you'll be able to get your SIEM system quickly up and running. You can then add more specific alerts after you're familiar with the software.
There are six categories of SIEM alerts: user authentication, network attacks, host-level activity, unknown source attacks, web server activity and log source activity. These can be clarified using the following specific events:
- failed login source;
- failed login target;
- repeat logins from a single IP in one minute; and
- multiple intrusion detection system alerts from a single IP address.
These system alerts provide a basic view of the activity within your data center and information about who is accessing everything.
If you want to get granular, this is where alerts for antivirus software come in. Antivirus-related alerts provide notifications of attacks and updates on software intervention. Examples include:
- repeat attack host;
- virus detected;
- spyware or virus removed; and
- virus detected, but not successfully cleaned or removed.
Beyond antivirus-related attacks, you'll want to set up SIEM reports and alerts for specific attack sources and unknown attacks. This includes traffic from blacklisted sources, IP addresses targeting a certain host, repeat attacks, excessive connection outbreaks and multiple infected hosts.
Automating SIEM reports
Even with all of these measures in place, you may still wonder about what capabilities streamline SIEM reports, alerts and workflows. This is where automation and orchestration are particularly helpful because new algorithms can help identify performance and overall security trends. Furthermore, with these additional settings, you'll be able to program attack responses and efficiently sort alerts.
Before you even investigate SIEM software, you'll want to consider a few things: how you feed data into the SIEM system, if there are any potential installation pain points and how you will use the SIEM tools.