The customer was faced with a problem migrating their SIEM from hardware to a VM. The old hardware had become overrun with log noise and with unnecessary devices sending logs. They had purchased the VM version with licensing for 250 Universal Licenses and 1000 Workstation Only Licenses, with the idea that they would start from scratch on the new VM and re-onboard all hardware and servers into it. At first the SIEM seemed to run as expected, but as they deployed more Syslog devices and Windows Agents it became unstable and required frequent reboots. The customer was spending more time trying to keep the SIEM running than actually using it.
- The first issue that needed to be dealt with was getting an understanding of what the customer wanted to accomplish with the SIEM. Once a road map had been made to ensure they were collecting only the logs needed to meet compliance requirements, the VM resources were the first thing to be looked into. It was found that the VM still had its default resource allocation, which was not enough to handle the volume of logs being collected. Once the VM resources were increased to handle the log volume, attention turned to noise tuning the logs being sent in order to cut back on overall volume. Adjusting the GPO to shut off Windows Filtering Platform, Object Audit PlugPlay, and other noise alerts generated by Windows cut overall volume by 20+ million events per day.
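The Windows noise tuning described above can be measured and applied on a single host before it is rolled into a GPO. The following PowerShell script is an added example, not code from the case study or from ReliaQuest: it counts the Windows Filtering Platform and Plug and Play audit events a host wrote in the last day, prints the current audit setting for those subcategories, and then disables them with auditpol, which is the local equivalent of the Advanced Audit Policy setting applied through GPO in the text. The event IDs and subcategory names are the documented Windows values; the one-day window is an assumption.

```powershell
# Added example (not from the original case study): quantify the Windows audit
# noise the text describes, then disable the same subcategories locally that
# the customer turned off through GPO. Run in an elevated PowerShell session.
# Event IDs and auditpol subcategory names are the documented Windows values;
# the one-day measurement window is an assumption.

# 1. Measure: how many Windows Filtering Platform and Plug and Play events
#    did this host write to the Security log in the last 24 hours?
$noisyIds = @(
    5152,  # WFP blocked a packet
    5156,  # WFP permitted a connection
    5157,  # WFP blocked a connection
    5158,  # WFP permitted a bind to a local port
    6416   # Plug and Play: a new external device was recognized
)
$since = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $noisyIds
    StartTime = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches

$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
"Total noisy events since $since : $($events.Count)"

# 2. Show the current audit setting for the subcategories before changing them.
$subcategories = @(
    'Filtering Platform Packet Drop',   # category: Object Access
    'Filtering Platform Connection',    # category: Object Access
    'Plug and Play Events'              # category: Detailed Tracking (Windows 10 / Server 2016 and later)
)
foreach ($sub in $subcategories) {
    auditpol /get /subcategory:"$sub"
}

# 3. Apply: stop auditing both success and failure for these subcategories.
#    In a domain, make the same change under Computer Configuration >
#    Windows Settings > Security Settings > Advanced Audit Policy Configuration,
#    otherwise the next policy refresh reverts this local setting.
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:disable /failure:disable
}
```

Run the measurement step on a few representative hosts first; multiplying the per-host count by the number of agents gives the daily reduction to expect, which is the figure the case study reports as 20+ million events per day. WFP blocked-connection events (5157) are sometimes worth keeping on sensitive hosts for detection, so decide per server tier rather than disabling the subcategory everywhere.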
- Once the noise tuning was complete, focus was placed on Windows Best Practice for Alerting and on some custom alerts that were required. Since not all sites are alike, a punch list was made based on SOX compliance Best Practices and previous audits. Filters were first created to make sure that the correlations were correct and that only what was needed was being filtered. These filters were then added as Rules with an action applied, the action being to send an email when a specific correlation fires the Rule.
- Now that the VM resources have been brought up to par, the excessive Windows log noise has been tuned out, and the specific Filters and Rules have been created, the SIEM is up and running in a stable VM environment, providing the information the customer requires on a daily basis.