Security Information and Event Management Implementation Guidance

Purpose

This chapter provides guidance on how to evaluate, architect and deploy cloud based services providing SIEM services to both enterprise and cloud based networks, infrastructure and applications. The guidance addresses the leveraging of cloud based SIEM services in support of cloud environments, both public and private, hybrid environments and traditional non-cloud environments. While this document addresses SIEM as a cloud service, it does not preclude a hybrid environment for enterprises that have traditional SIEM deployments where the SIEM cloud service supplements.

Intended Audience and Document Organization

The target audience is primarily IT security managers, technical architects and systems managers that are responsible for monitoring and auditing their organization’s infrastructure and applications. SIEM data can be used for both general monitoring, as well as security monitoring and auditing (Laundrup & Schultz, 2011). In addition to technical staff, other staff such as IT generalists, auditors and compliance managers may benefit from the understanding of higher level contents. Finally, reasonable technically aware C-level board members such as CTOs, CISOs, and CIOs can find this a useful reference, in providing an overview of cloud based SIEM services, and the areas that need to be considered, if they are to implement and consume such a service.

This chapter is arranged in such a way that the content becomes more technical in nature as the sections progress. The subsequent sections are organized as follows:

• •

  Requirements: This section is intended as a high level overview of SIEM functions and implementation options. It addresses several key functionalities for which SIEM can be leveraged. The section is to also touch on less traditional deployments, which can be implemented in specific markets, where regulatory or other compliances require it. The intended audience includes executives and the senior leadership responsible for IT and security operations, compliance officers, and other decision makers within the enterprise. The material is written for executive level discussions, and indicates a baseline for best practices on the implementation and design of security services in the Cloud.

• •

  Architectural Implementation: This section details the considerations and concerns that should be part of the decision-making conversation, whether by an architecture team, auditing team, or within the context of a purchase decision. The section is written for those who are implementing, integrating, or performing a technical evaluation of cloud based SIEM. This section is also well suited for auditors, to help them understand typical services and capabilities that may be implemented for cloud based SIEM deployments.

• •

  Technical Implementation: This section discusses in high technical detail those items described in the previous two sections. This material is written for system architects, designers, implementers and developers, and includes guidance for the implementation of secure Cloud-based implementation of the subject.

• •

  References and Links: This section contains links to trusted sources of information regarding SIEM and Security-as-a-Service, and references used in the creation of this document.

Scope

This guide covers generic (non-industry specific) implementations only at this time. While some applications discussed herein may apply only to a few vertical markets, the examples and illustrations are very likely going to refer to a specific industry. Despite this, the guide should be regarded as neutral in all aspects, and any inference to a specific vendor or industry is purely accidental. This guide also does not address specific requirements that individual SecaaS providers may have in order to establish the service.