Order 7870856 Post SIEM Implementation Final
Table of Contents
Summary ..... 3
Review of Other Work ..... 4
Changes to the Project Environment ..... 7
Methodology ..... 8
Project Goals and Objectives ..... 9
Project Timeline ..... 10
Unanticipated Requirements ..... 11
Conclusions ..... 12
Project Deliverables ..... 13
References ..... 16
Appendix A ..... 18
    Flowchart of Alerting and Incident Response by a SIEM ..... 18
Appendix B ..... 19
    Understanding the SIEM Architecture ..... 19
POST SIEM IMPLEMENTATION 3
Summary
which serves the banking industry. The necessity for PCI compliance and for implementing a
Security Information and Event Management (SIEM) solution arose because new functionality
was introduced to the application. Logs and data from any system, app, or device may be
security that combines the two formerly separate disciplines of SIM and SEM. SIEM is
pronounced "sim," with the 'e' dropped. All SIEM systems are built on the same foundational
ideas: collecting relevant data from several sources, identifying deviations from norms, and
responding appropriately. If a potential threat is detected, a SIEM may log supplemental data,
generate an alert, and direct other security controls to stop the action from progressing.
Compliance with the Payment Card Industry Data Security Standard was the first driver of SIEM
adoption in large organizations. Since FinancialUSA is increasingly concerned about advanced,
persistent attacks, the company is seriously exploring the benefits of a SIEM system.
Centralizing security-related data into a single
During the deployment phase, which focused on incorporating the SIEM solution into the
existing IT infrastructure, the goals were achieved by installing the SIEM system on the
necessary devices and establishing any prerequisites, such as software, hardware, agents, or
connections. To accurately analyze and correlate events from several sources, the project
configured the system to ensure data harmonization and correlation. The Safety Regulations and
Operating Procedures deliverable established guidelines for using the SIEM system, put them
into practice, and determined how alerts and incidents will be handled, including who will be
notified and how. Thorough tests of the SIEM platform's ability to detect threats, generate alerts,
and provide useful data for incident response were essential to the evaluation process.
Therefore, the project changed the system's preferences, rules, and notifications to address any
solution architecture for safeguarding intelligent city services. The suggested SIEM uses
blockchain technology for trustworthy record-keeping and easy retrieval of security-related data
(Botello et al., 2020). These security events are created by IoT sentinels, which protect
networks of IoT devices. This article relates to the proposed development project since
BlockSIEM also compiles security events from various IoT service providers and stores them in
changes (Botello et al., 2020). Cyber assaults on smart city services and intelligent devices
may be quickly identified and stopped with the help of our solution's internal and external threat
Mokalled et al. (2019) presented a method to help businesses choose the best SIEM
software by outlining the technical and organizational needs that must be met and evaluating a
SIEM's suitability against quantitative and qualitative factors. In recent years, SIEM systems have
become more critical because of the increasing sophistication of cyber assaults, which may
image (Mokalled et al., 2019). This article relates to the proposed implementation project since it
recognizes data loss, system compromise, and other possible adverse outcomes of a
cybersecurity breach. Using a SIEM system is only one component of the multilayered security
strategy many businesses use to protect themselves against cyberattacks (Mokalled et al., 2019).
However, installing a SIEM solution is not a one-size-fits-all process; the ideal SIEM platform
for one company may not suit another (Mokalled et al., 2019). A company must go beyond the
technical details when assessing a SIEM solution.
Vazao et al. (2019) compared several open-source SIEM solutions by conducting
bibliographical research and putting various test scenarios into practice, aiming to develop and
assess a prototype in a real-world setting. The prevalence and intricacy of computer attacks have
(Vazao et al., 2019). Similar to the proposed project, this article recognizes that the prevalence of
malicious software (malware) has been on the rise, exhibiting growth in both the frequency and
Hristov et al. (2021) proposed a solution for enhancing the security posture of a
business through the implementation of a SIEM system. In contemporary times, SIEM has become a
(Hristov et al., 2021). This article relates to the proposed project since it also recognizes that the SIEM
web/mail security appliances, and antivirus (AV) solutions. Monitoring many systems in real
time is a potential difficulty for security analysts operating inside a Security Operations Center
(SOC). Using Splunk, all pertinent logs are gathered and kept inside a unified instance,
facilitating the creation of a comprehensive and consolidated solution known as a "single pane of
glass" (Hristov et al., 2021). The suggested solution includes four distinct real-time alerts
demonstrating the functionality of the SIEM system (Hristov et al., 2021). One of them is specially
designed to notify on the occurrence of a Mirai Internet-of-Things (IoT) malware infection inside
Al-Duwairi et al. (2019) put forward a method for detecting and mitigating Distributed
Denial of Service (DDoS) attacks from Internet of Things (IoT) botnets using a Security
Information and Event Management (SIEM) approach. The rapid proliferation of IoT devices
and their integration into every facet of everyday life have attracted malicious actors who want
to exploit the computational and communication capacities of these devices to carry out several
forms of cyberattack. IoT devices contain many weaknesses that are readily exploited, resulting
in IoT botnets comprising millions of devices (Al-Duwairi et al., 2019). SIEM-based solutions
can be configured to precisely identify and block malicious network traffic originating from
compromised IoT devices.
suitable SIEM system. The first step systematically proposes the criteria to consider in
a SIEM system. Subsequently, a methodology is put forward for assessing SIEM solutions, which
evaluates the conformity and suitability of any given SIEM solution. The objective of this
approach is to assist organizations that are interested in implementing SIEM systems in their
essential prerequisites for an effective SIEM system. Besides, Mokalled et al. (2020) suggested a
and compare different SIEM systems based on specific criteria. In contrast to other
customer demands is integral throughout the process (Mokalled et al., 2020). This is particularly
evident during the stages of requirement definition and the subsequent evaluation of suppliers'
solutions.
Sizov and Kirov (2020) worked on the problems associated with implementing
SIEM systems in information security management. By removing unused parts of the system and
reorganizing its design, their study aimed to streamline the SIEM. Sizov and Kirov (2020)
suggested automating the SIEM system's installation and configuration by creating a technique
and an associated software module. Finally, Sizov and Kirov (2020) developed an integrated strategy
combining the two techniques, making the SIEM system more practical as a quickly deployable
streamline installing and configuring the SIEM system (Sizov & Kirov, 2020). Incorporating
these automated processes shortens SIEM deployment time, makes the operations themselves
easier to carry out, and yields a uniform solution for this class of SIEMs.
SIEM system implementation altered the project landscape significantly. SIEM systems
are built to track, analyze, and respond to network and infrastructure security issues in real time.
and analyzing security events, including possible threats and attacks. Consequently, security
personnel can now rapidly and efficiently identify and address security problems because they
have a consolidated view of the organization's security status. SIEM technology now
such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance
Portability and Accountability Act (HIPAA), and the General Data Protection Regulation
(GDPR).
This SIEM technology can now gather diverse logs from several sources and standardize
them before analyzing them. The tool scales its capacity up or down as necessary and
effectively identifies potential threats through correlation analysis, then generates appropriate
alerts. The tool is also capable of accurately identifying
security, encompassing the whole network. If the risk score associated with a potential threat is
high, the item is promptly and dynamically shown on the dashboard, calling for rapid remedial
measures. SIEM solutions have a versatile design that lets them detect attacks and handle data in
various forms. This architecture enables the tool to use threat intelligence feeds and pertinent
contextual information. Furthermore, the system is
Methodology
paradigm. The goal of the DevSecOps framework is to encourage collaboration between the
teams responsible for software development, system administration, and security. The security-
software development that builds safeguards and protocols from the ground up. With this
method, security procedures and checks were treated as a whole. Security best practices were
integrated into the CI/CD pipeline so that security is considered at every stage of the release
process, and security testing tools were used throughout development to spot flaws and
misconfigurations before the final product was released. The method also promoted cooperation
between security, development, and operations groups to ensure that all security measures are
taken throughout the implementation phase.
The goal of centralized security monitoring was accomplished. FinancialUSA now has a
more secure system free from attacks. Adopting this centralized perspective enables security
teams to gain a timely and accurate understanding of potential threats and vulnerabilities. Besides,
the objective of enhancing the detection and handling of threats was met. SIEM systems
provided FinancialUSA with a comprehensive perspective on its security status, facilitating the
can now monitor and document key occurrences essential to its functioning and success. It can
assess the potential for data breach occurrences inside any FinancialUSA operational
procedure. Besides, the occurrences within the FinancialUSA portfolio can be defined as the
However, the objective of economical resource utilization and cost reduction was not
achieved. Typically, SIEM solutions on the market are priced by the number of events per
second (EPS) or by the volume of data ingested in gigabytes per day (GB/day). The
fundamental idea is the same in both cases: data collection and analysis costs grow in
proportion to how indiscriminately data is collected. One of the additional
advantages of using NXLog to optimize log collection for individual use cases is the
reduction in the overall cost of owning and maintaining FinancialUSA's SIEM infrastructure.
Therefore, it is vital to understand the expenses associated with adopting and operating a SIEM
Project Timeline
The project's projected time for SIEM implementation experienced deviations due to
various circumstances, including internal and external influences. These deviations are commonly
known as project delays. Delays occurred due to modifications to the project scope, which was
adjustments to the timetable placed excessive demands on resources and caused the project to
exceed its projected duration. Insufficient or improperly allocated resources, such as human
capital, machinery, or materials, can impede a project's advancement. A shortage of resources
led to bottlenecks and increased the time required for completion. The project timetable was affected
chain delays. Besides, inaccurate early project assessments, including projections of both time
Unanticipated Requirements
after the installation of the SIEM system. Changes in threats, compliance rules, the nature
of the organization, and the nature of technology were all potential drivers of such needs. New
compliance obligations were introduced, and existing regulations may evolve. To fully comply
with these new regulations, FinancialUSA needed to modify its SIEM system in some way, such
as by adding new security controls or collecting and reporting on new kinds of data. The volume
of security data created rose as FinancialUSA developed its digital presence. Since more data and
analysis were needed, the FinancialUSA SIEM system needed to grow. Unanticipated
requirements for SIEM integration arose due to the widespread use of cutting-edge technologies
like cloud services, IoT devices, and containerized applications. These systems generated
unique log formats that required tailored SIEM connections and settings. New threats and attack
methods were overlooked during the earliest stages of SIEM installation. Therefore, threat
intelligence feeds, machine learning algorithms, and user and entity behavior analytics (UEBA)
technologies are just a few ways to improve FinancialUSA SIEM's threat detection capabilities
While the advantages of SIEM are obvious, implementing it presented challenges. SIEM
systems were challenging to implement and manage because of their complexity. Firewalls,
routers, web security appliances, IDS/IPS systems, UTMs, cloud access security brokers
(CASBs), and antivirus (AV) and advanced malware protection products are some of the many
network security solutions used in enterprise networks. All of these components produce a large
number of alerts and events. To successfully build a SIEM system that coordinates log
aggregation, analytics, and threat detection across a wide variety of security components, it was
necessary to perform extensive discovery, planning, policy review, and fine-tuning. Besides, there
was a compatibility challenge. A successful SIEM solution had to be compatible with all the
systems and software used on the network, including the OS, applications, databases, servers,
routers, switches, and security appliances. Therefore, this project integrated the SIEM smoothly
with preexisting network security and management capabilities, such as endpoint protection, to
get the most out of the system.
Conclusions
sector, has transformed its security posture by adopting a SIEM system. There is now a higher
level of security in place. FinancialUSA's security has tightened due to the SIEM system. With
its help, the company can monitor security-related events, investigate them for threats, and act
swiftly and decisively. The SIEM system's capacity to detect, rank, and streamline the
investigation of security issues has allowed FinancialUSA to improve its response time.
Real-time monitoring is one of the direct outcomes of a successful SIEM deployment. Now that
FinancialUSA can see its security environment in real time, it can respond more effectively to
security events and threats. FinancialUSA can now identify and prevent more sophisticated and
persistent security threats. Because of the SIEM system's flexibility, threats can always be
identified and dealt with. The project's goal of bolstering the company's security measures has
been successfully attained. Therefore, FinancialUSA's SIEM installation project succeeded since
it accomplished its goals, increased security, and prepared the company for future security
difficulties.
Project Deliverables
process will be well planned, executed, and documented to fulfill security and compliance
requirements and provide a road map for future operation and maintenance. The Requirements
Document specifies not only what the SIEM must be able to do, such as collect, correlate, and
report on logs, but also how well it must do these things in terms of performance,
scalability, and availability. It includes the General Data Protection Regulation (GDPR), the
Health Insurance Portability and Accountability Act (HIPAA), and other industry-specific rules
the SIEM must follow. Data Source Identification as a deliverable: all possible data sources that
might flow into the SIEM were identified and listed. Routers, switches, web
servers, database servers, intrusion detection and prevention systems (IDS/IPS), endpoints
(workstations, laptops), and applications (CRM systems, email servers) are all potential data
sources. The data sources used to evaluate vital assets are indicated.
Moreover, the deliverable of the Data Collection and Normalization Plan: Data
preparation, are all included in this strategy. It explains how various log formats, protocols,
and data normalization procedures are integrated into a unified whole. Information storage
and backup schedules, as well as archiving protocols, are outlined. Besides, Integration with
Existing Systems: the SIEM solution's integration with preexisting security technologies and IT
infrastructure is the focus of this deliverable. It details the protocols, configurations, and
integration points that allow uninterrupted data transfer across systems. It is a necessary step for
the SIEM to collect and analyze data from preexisting security measures.
In addition, Customization and Use Case Development: modifying a SIEM to fit unique
needs is what we mean by "customization." To successfully identify and react to security issues,
it is necessary to create custom rules, alerts, and correlation logic. Altering the SIEM's settings to
include threat intelligence feeds and anomaly detection methods is also part of the customization
process. Dashboards and reports tailored to their needs let security teams monitor and analyze
data graphically. Besides, the incident response plan details how the SIEM will identify and
respond to security problems: it establishes escalation methods, classifies events according to
severity, and offers specific workflows for handling various issues. The external and internal
contacts for the incident response team are also included in this deliverable. Besides, the
Incident Response Plan deliverable details the steps to be taken during a security incident,
including use of the SIEM system. Detailed incident processes, severity classification, and
defined escalation protocols are also provided. Information on contacting members of the
incident response team and other outside parties is also included in this deliverable. For instance,
the simplified flowchart (see Appendix A) depicts a SIEM-triggered alerting and incident
response procedure. Depending on factors like company size, sector, and required level of
security, actual designs might vary widely. Your organization's specific needs should be reflected
in the flowchart and associated procedures, and any relevant regulatory compliance requirements
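The pipeline described in the SIEM overview earlier (collect, normalize, correlate, score, surface on the dashboard) and the custom rules and threat-intelligence enrichment named in the use-case deliverable above, as an added Python example that is not part of the original report or of any SIEM product it mentions. The log lines, their three formats, the rule thresholds, the risk scores and the threat-intelligence entry are all constructed assumptions for illustration.

```python
import re
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in three formats: syslog sshd, JSON app log, Windows-style key=value.
RAW_LOGS = [
    "Jun 12 09:00:01 fw01 sshd[311]: Failed password for admin from 203.0.113.5 port 5011",
    '{"time": "2024-06-12T09:00:40Z", "app": "crm", "event": "login_failed", "user": "admin", "ip": "203.0.113.5"}',
    "ts=2024-06-12T09:01:10Z host=win-dc1 EventID=4625 TargetUserName=admin IpAddress=203.0.113.5",
    "Jun 12 09:02:05 fw01 sshd[311]: Accepted password for admin from 203.0.113.5 port 5020",
    "Jun 12 09:03:00 fw01 sshd[312]: Failed password for bob from 198.51.100.7 port 6000",
]
THREAT_INTEL = {"203.0.113.5"}  # constructed threat-intelligence feed of known-bad addresses

SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
KV = re.compile(r"(\w+)=(\S+)")

def normalize(line, year=2024):
    """Map one raw line onto a common schema: ts, host, user, src_ip, outcome (None if unknown format)."""
    m = SYSLOG.match(line)
    if m:  # syslog carries no year, so one is assumed
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m.group(2), "user": m.group(4), "src_ip": m.group(5),
                "outcome": "success" if m.group(3) == "Accepted" else "failure"}
    if line.startswith("{"):
        d = json.loads(line)
        ts = datetime.strptime(d["time"], "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "host": d["app"], "user": d["user"], "src_ip": d["ip"],
                "outcome": "success" if d["event"] == "login_ok" else "failure"}
    kv = dict(KV.findall(line))
    if "EventID" in kv:  # Windows logon events: 4624 = success, 4625 = failure
        ts = datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "host": kv["host"], "user": kv["TargetUserName"],
                "src_ip": kv["IpAddress"], "outcome": "success" if kv["EventID"] == "4624" else "failure"}
    return None  # unparsed line: a production pipeline would count these rather than silently drop them

def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Rule: >= threshold failures from one source, then a success within the window, across any host."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src_ip"]].append(e)
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            prior = [p for p in evs[:i] if p["outcome"] == "failure" and e["ts"] - p["ts"] <= window]
            if len(prior) < threshold:
                continue
            risk = 60 + 10 * min(len(prior) - threshold, 3)  # base score grows with the failure count
            if src in THREAT_INTEL:
                risk += 30  # contextual enrichment from the feed raises the score
            alerts.append({"rule": "brute_force_then_success", "src_ip": src, "user": e["user"],
                           "failures": len(prior), "hosts": sorted({p["host"] for p in prior}),
                           "risk": risk, "dashboard": risk >= 80})  # high risk is surfaced on the dashboard
    return alerts

def run(lines=RAW_LOGS):
    """Full pipeline: collect -> normalize (dropping unparsed lines) -> correlate."""
    return correlate([e for e in map(normalize, lines) if e])

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The same source address failing on three different hosts is only visible because the three formats were first mapped onto one schema; a per-host rule would miss it.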
The SIEM administrators and analysts will be trained using a thorough program
outlined in the User Training Plan. The program includes training materials, session times,
practical assignments, and assessment procedures for understanding the SIEM architecture (see
Appendix B). Certification at the end of the training program may guarantee that employees have
the skills to run the SIEM efficiently. Manuals and other forms of documentation: the SIEM's
user manual and administrative guide are included in this package. The SIEM has user guidelines
that walk employees through typical activities, troubleshooting guides that help FinancialUSA fix
common problems, and maintenance procedures that keep everything running correctly. Users will
be able to make full use of the SIEM's features and overcome operational hurdles with the help of
this documentation.
References
Al-Duwairi, B., Al-Kahla, W., AlRefai, M. A., Abedalqader, Y., Rawash, A., & Fahmawi, R.
https://doi.org/10.11591/ijece.v10i2.pp2182-2191
Botello, J. V., Mesa, A. P., Rodríguez, F. A., Díaz-López, D., Nespoli, P., & Mármol, F. G.
Hristov, M., Nenova, M., Iliev, G., & Avresky, D. (2021). Integration of Splunk Enterprise Siem
for DDoS attack detection in IOT. 2021 IEEE 20th International Symposium on Network
Mokalled, H., Catelli, R., Casola, V., Debertol, D., Meda, E., & Zunino, R. (2019). The
Mokalled, H., Catelli, R., Casola, V., Debertol, D., Meda, E., & Zunino, R. (2020). The
46–70. https://doi.org/10.4236/jis.2020.111003
Sizov, V. A., & Kirov, A. D. (2020). Problems of implementing SIEM systems in the practice of
https://doi.org/10.21686/1818-4243-2020-1-69-79
Vazao, A., Santos, L., Piedade, M. B., & Rabadao, C. (2019). Siem Open Source Solutions: A
Appendix A
Appendix B