{"id":81,"date":"2007-03-06T01:17:10","date_gmt":"2007-03-06T06:17:10","guid":{"rendered":"http:\/\/raffy.ch\/blog\/2007\/03\/06\/preparing-for-security-event-management\/"},"modified":"2007-03-06T09:51:36","modified_gmt":"2007-03-06T14:51:36","slug":"preparing-for-security-event-management","status":"publish","type":"post","link":"https:\/\/raffy.ch\/blog\/2007\/03\/06\/preparing-for-security-event-management\/","title":{"rendered":"Preparing for Security Event Management"},"content":{"rendered":"<p>I love travelling, not because I have to cram myself into a small seat for 9 hours, but because I usually get a lot of reading done. I was reading this paper about <a href=\"http:\/\/www.windowsecurity.com\/uplarticle\/NetworkSecurity\/360is-prep-sem.pdf\"> Preparing for Security Event Management<\/a> by the 360is group. I like the article; there are a lot of good points about what to look out for in a SIM\/SEM\/ESM deployment. However, there are some fundamental concepts I disagree with:<br \/>\nThe first step in deploying a SEM (Security Event Management Solution) should be to get an inventory, to do an assessment. At least according to the paper. Well, I disagree. The very first step has to be to define the use-cases you are after. What&#8217;s the objective? What are you hoping to get out of your ESM (Enterprise Security Manager [I use these terms interchangeably here])? Answer this question and it will drive the entire deployment! Out of the use-cases you will learn what data sources you need. Then you will see how much staff you need, procedures will result from that, etc.<\/p>\n<p>The second step, after the use-case development, should be the assessment of your environment. What do you have? Get an inventory of logging devices (make sure you actually also capture the non-logging security devices!) and all your assets. 
I know, you are going to tell me right away that there is no way you will get a list of all assets, but get at least one of your critical ones!<\/p>\n<p>Another point that I disagree with is the step about &#8220;Simplify&#8221;. It talks about cleaning up the security landscape. Throwing out old security devices, getting logging configured correctly, etc. Well, while I agree that the logging of all the devices needs to be visited and configured correctly, the task of re-architecting the security environment is not part of an ESM deployment. You will miserably fail if you do that. The ESM project will be big enough as it is, don&#8217;t lump this house-keeping step into it as well. This is really a separate project that falls under: &#8220;Do your IT security right&#8221;.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I love travelling, not because I have to cram myself into a small seat for 9 hours, but because I usually get a lot of reading done. I was reading this paper about Preparing for Security Event Management by the 360is group. 
I like the article, there are a lot of good points about what [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-81","post","type-post","status-publish","format-standard","hentry","category-security-information-management"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/81","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/comments?post=81"}],"version-history":[{"count":0,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/81\/revisions"}],"wp:attachment":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/media?parent=81"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/categories?post=81"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/tags?post=81"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}