I recently read a Gartner report, Dealing With Federal Continuous Monitoring Security Requirements, that addresses concerns with the August 2009 Revision 3 update to NIST 800-53. One of the recommendations that caught my attention is to ensure that a proper review of vulnerability assessment and SIEM capabilities is done early. I couldn't agree more.
Too many times I've seen SIEM solutions deluged with event log data that plays no part in correlation activities performed by the SIEM engine. Considering how much SIEM solutions cost, this is a considerable waste of security budget. Organizations need to separate log management from SIEM correlation activities and determine how each component fits best into an overall continuous monitoring program. I believe all three items are separate entities that are closely related.
I am a strong believer in the philosophy: Log Everything. You never know when your investigation will require log evidence of an intruder or insider's actions. And realizing you needed log evidence after the fact does the investigation no good. However, logging everything does not mean every log event must be fed into a SIEM for correlation, nor does it mean that every log must be continuously monitored for security or compliance purposes. The logs will simply provide necessary details when the SIEM or continuous monitoring solutions alert you that something is wrong.
Once good log recording is put in place, a thorough evaluation of what correlation rules will be used in your SIEM solution is next. In my experience, too many SOC Tier I analysts are looking at consoles that have correlated events literally scrolling past their eyes. It is impossible for any analyst to triage and determine the next best step under that deluge of correlation activities. That doesn't mean the correlation rule has no value. Rather, many of them have no business being displayed in a Tier I view. A good analogy would be the NORAD Command Center (think back to the movie WarGames); the map of the world is a clean slate until a missile launch is detected. Once that occurs, everyone with "eyes on glass" has a job based on that alert triggering. A SOC Tier I analyst's workflow should be geared in the same manner. If a correlation event is sent to their console, there should be a clear and concise workflow action associated with it.
High fidelity alerts should bypass the Tier I workflow and go straight to incident investigation. Gartner emphasizes the need to decrease the time it takes to turn a security event into an incident as well as the time it takes to develop a response to a security incident. Here, automating the forensic evidence gathering process for high fidelity alerts achieves both goals. All other alerts that require triage are the purview of the Tier I analyst. Each correlation trigger needs to be reviewed to determine what information is required for the Tier I analyst to make an escalation decision. Automating this part of the information-gathering process moves you closer to the goals outlined in the Gartner report.
Your continuous monitoring solution now has the framework to perform its primary function(s). There are most likely two key areas you will focus on: security and compliance. At Mandiant, we focus on answering one question: Are You Compromised? I believe this is what your security continuous monitoring solution should do for you. Your log data tells you of an attack (IDS Alert); your SIEM tells you if the attack was most likely successful (IDS Alert + Firewall Permit + Target is Vulnerable); your continuous monitoring process must then take this information, plus forensic evidence gathered, and answer the question: Am I compromised? If you cannot answer that question, the goal Gartner states, 'The goal of continuous monitoring is not to collect more data; it is to lead to higher levels of security,' will never be achieved.