No auto-updates

When auto-updates are misconfigured or disabled, a SIEM solution stops receiving updated
vulnerability signatures and threat-intelligence feeds (such as lists of malicious IPs), and its
protocol parsers and modules are never refreshed. As a result, the system fails to identify a
whole range of recently introduced offense types.

Case 1: A SIEM system did not scan for vulnerabilities even though the appropriate licenses were
activated. The investigation showed that the company was running an outdated version of the
vulnerability scanning module, which had not been updated for three months because of
misconfigured auto-updates. Once auto-updates were reconfigured, the system started detecting
new security threats.
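The three months in Case 1 went unnoticed because nobody was measuring the age of the update feeds. The following is an added example, not code from the article or from any SIEM vendor: it assumes a hypothetical update-status export (one `component,last_update_utc` line per feed or module) and flags every component whose last successful update is older than a threshold. The sample export and the timestamps in it are constructed for illustration.

```python
"""Staleness check for SIEM update feeds and modules (added example).

Assumes a hypothetical status export with one line per component:
    component_name,last_successful_update_utc
Components whose last update is older than MAX_AGE_DAYS are reported.
"""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 7  # assumption: signatures and feeds should refresh at least weekly

# Constructed sample export (hypothetical format, not a real product's output).
SAMPLE_STATUS = """\
# component,last_update_utc
vulnerability_scanner_module,2016-07-05T02:10:00Z
malicious_ip_feed,2016-10-03T01:00:00Z
protocol_parsers,2016-10-01T23:45:00Z
threat_intel_feed,2016-06-30T00:00:00Z
"""


def _parse_utc(stamp):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    # strptime's %z does not accept a bare 'Z', so substitute an explicit offset.
    return datetime.strptime(stamp.strip().replace("Z", "+0000"),
                             "%Y-%m-%dT%H:%M:%S%z")


def parse_status(text):
    """Return {component: last_update (aware UTC datetime)} from the export text.
    Blank lines and '#' comments are ignored."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, stamp = line.split(",", 1)
        result[name.strip()] = _parse_utc(stamp)
    return result


def stale_components(status, now, max_age_days=MAX_AGE_DAYS):
    """Return [(component, age_in_whole_days)] for every entry older than the
    threshold, oldest first. Fresh components are omitted."""
    limit = timedelta(days=max_age_days)
    stale = [(name, (now - last).days)
             for name, last in status.items() if now - last > limit]
    return sorted(stale, key=lambda item: item[1], reverse=True)


def stale_from_export(text, now_iso, max_age_days=MAX_AGE_DAYS):
    """Convenience wrapper: parse the export and evaluate it at `now_iso`
    (an ISO-8601 UTC timestamp), returning the stale list."""
    return stale_components(parse_status(text), _parse_utc(now_iso), max_age_days)


if __name__ == "__main__":
    # Evaluate the constructed export at a constructed "current" time.
    for name, days in stale_from_export(SAMPLE_STATUS, "2016-10-04T00:00:00Z"):
        print("STALE: %s last updated %d days ago" % (name, days))
```

Run this from a scheduled job against whatever status export the SIEM actually provides, and route the output into the SIEM itself as an offense: a stale vulnerability module or threat feed is a monitoring gap and deserves the same visibility as any other alert.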

Inconsistency of backups and available storage volume

If left uncontrolled, SIEM backups can consume all available storage, slowing the system down
and even rendering it completely inoperable.

Case 2: While planning a SIEM solution, a financial services company decided on 1 month of
online data access and 1 year of offline data access. After the system was implemented, the
company extended online data retention to 6 months and offline data access to 3 years without
taking the system's original sizing into account, which led to a storage bottleneck. The
company had to turn to SIEM consultants to solve the problem. After analyzing the issue, the
SIEM team proposed setting up external storage to take the load off the SIEM solution.
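The Case 2 bottleneck is predictable from a back-of-the-envelope model before any retention change is approved. The block below is an added example, not the article's or any vendor's sizing tool: it assumes an event rate of 5,000 EPS, a 500-byte average event, 2:1 compression for the indexed online tier, 10:1 for the offline archive, and 4 TiB online / 8 TiB offline provisioned for the original plan. All of those figures are constructed; only the retention periods (1 month/1 year, later 6 months/3 years) come from the case.

```python
"""Retention-versus-capacity check for a SIEM deployment (added example).

The event rate, event size, compression ratios and provisioned capacities are
assumptions chosen for illustration. The retention periods are those of Case 2.
"""

GIB = 1024 ** 3
SECONDS_PER_DAY = 86400


def daily_gib(eps, avg_event_bytes, compression_ratio):
    """GiB written per day at `eps` events/second, after compression."""
    return eps * avg_event_bytes * SECONDS_PER_DAY / compression_ratio / GIB


def check_retention(eps, avg_event_bytes, online_days, offline_days,
                    online_ratio, offline_ratio,
                    online_capacity_gib, offline_capacity_gib):
    """Return, per tier, the storage the requested retention needs and whether
    it fits the provisioned capacity, plus how many days of retention the online
    tier can actually hold: if that is below `online_days`, the online store
    fills before the retention window ends, which is exactly the bottleneck
    described in Case 2."""
    online_per_day = daily_gib(eps, avg_event_bytes, online_ratio)
    offline_per_day = daily_gib(eps, avg_event_bytes, offline_ratio)
    online_need = online_per_day * online_days
    offline_need = offline_per_day * offline_days
    return {
        "online_gib": online_need,
        "offline_gib": offline_need,
        "online_fits": online_need <= online_capacity_gib,
        "offline_fits": offline_need <= offline_capacity_gib,
        "online_days_supported": online_capacity_gib / online_per_day,
    }


# Assumed sizing inputs (constructed for this example).
ASSUMED = dict(eps=5000, avg_event_bytes=500,
               online_ratio=2.0, offline_ratio=10.0,
               online_capacity_gib=4096, offline_capacity_gib=8192)


def planned():
    """Original plan from Case 2: 1 month online, 1 year offline."""
    return check_retention(online_days=30, offline_days=365, **ASSUMED)


def increased():
    """Later change from Case 2: 6 months online, 3 years offline."""
    return check_retention(online_days=180, offline_days=3 * 365, **ASSUMED)


if __name__ == "__main__":
    for label, r in (("planned", planned()), ("increased", increased())):
        print("%-9s online %7.0f GiB (fits: %-5s, capacity holds %.0f days); "
              "offline %7.0f GiB (fits: %s)" % (
                  label, r["online_gib"], r["online_fits"],
                  r["online_days_supported"], r["offline_gib"], r["offline_fits"]))
```

With these assumptions the original plan fits with headroom, while the extended retention needs roughly six times the online capacity and the online tier can hold only about 41 days of events, so the 6-month window can never be met without the external storage the consultants recommended. Replace the constants with measured EPS and event sizes from your own deployment before trusting the numbers.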

Conclusion


Installing SIEM software is not enough to ensure effective threat management. Once deployed,
a SIEM solution requires proper fine-tuning to fit an organization's unique IT landscape and
threat profile. To see real returns on their investment in SIEM, companies must not only get
the system's basic configuration right, but also go through correlation rule customization,
which allows a SIEM system to show its real capabilities as an advanced analytical security
tool rather than a mere warehouse of unmanaged security events.

About the Author

Serguei Tchesnokov

Senior SIEM Consultant at ScienceSoft, Serguei is an IBM certified
Security Professional with a 9-year background in Security Information
and Event Management and 16 years of work experience in Information
Technology. Serguei's portfolio includes projects on architecture design,
integration, and deployment of security solutions based on IBM Security
QRadar SIEM, IBM TSIEM/TCIM, and IBM Security Identity Manager (SIM)
for healthcare, banking, financial and governmental organizations.



Cyber Warnings E-Magazine, October 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
