
Running Head: POST SIEM IMPLEMENTATION 1

IT Capstone Written Project: Post SIEM Implementation

Author's Full Name



Table of Contents

Summary .... 3
Review of Other Work .... 4
Changes to the Project Environment .... 7
Methodology .... 8
Project Goals and Objectives .... 9
Project Timeline .... 10
Unanticipated Requirements .... 11
Conclusions .... 12
Project Deliverables .... 13
References .... 16
Appendix A .... 18
    Flowchart of Alerting and Incident Response by a SIEM .... 18
Appendix B .... 19
    Understanding the SIEM Architecture .... 19

Summary

The project took place at FinancialUSA, a cloud-based software-as-a-service (SaaS) provider serving the banking industry. The need for PCI compliance and for a Security Information and Event Management (SIEM) solution arose from the introduction of new functionality to the application. Logs and data from any system, application, or device may be sent to a monitoring and alerting system. A SIEM is an all-encompassing approach to managing security that combines the two formerly separate disciplines of security information management (SIM) and security event management (SEM). Phonetically, SIEM is pronounced "sim," with the 'e' dropped. All SIEM systems are built on the same foundational ideas: collecting relevant data from several sources, identifying deviations from norms, and responding appropriately. When a potential threat is detected, a SIEM may log supplemental data, generate an alert, and instruct other security controls to stop the progression of a specific action. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) was the first driver for SIEM adoption in large organizations. Since FinancialUSA is increasingly concerned about advanced, persistent attacks, the company is seriously exploring the benefits of a SIEM system. Centralizing security-related data into a single view improves the organization's capacity to spot unusual patterns.

During the deployment phase, which focused on incorporating the SIEM solution into the existing IT infrastructure, the goals were achieved by installing the SIEM system on the necessary devices and establishing any prerequisites, such as software, hardware, agents, or connections. To analyze and correlate events from several sources accurately, the project configured the system to ensure data harmonization and correlation. Safety regulations and operating procedures established guidelines for using the SIEM system, and the project implemented them, determining how alerts and incidents would be handled, including who would be notified and how. Complete tests of the SIEM platform's ability to detect threats, generate alerts, and provide valuable data for responding to incidents were essential to the evaluation process. The project then adjusted the system's settings, rules, and notifications to address issues discovered through testing and user input.

Review of Other Work

Botello et al. (2020) proposed BlockSIEM, a distributed, blockchain-based SIEM architecture for safeguarding smart city services. The proposed SIEM uses blockchain technology for trustworthy record-keeping and easy retrieval of security-related data (Botello et al., 2020). The security events are created by IoT sentinels, which protect networks of IoT devices. This article relates to the proposed development project because BlockSIEM also compiles security events from various IoT service providers and stores them in the immutable distributed ledger of a blockchain, making them impervious to unauthorized changes (Botello et al., 2020). The authors state that cyberattacks on smart city services and intelligent devices may be quickly identified and stopped with the help of their solution's internal and external threat intelligence, which also issues an immediate warning when an attack is in progress.

Mokalled et al. (2019) presented a method to help businesses choose the best SIEM software by outlining the technical and organizational needs that must be met and evaluating a SIEM's suitability against quantitative and qualitative factors. In recent years, SIEM systems have become more critical because of the increasing sophistication of cyberattacks, which may disrupt business operations, compromise sensitive information, and damage an organization's image (Mokalled et al., 2019). This article relates to the proposed implementation project because it recognizes data loss, system compromise, and other possible adverse outcomes of a cybersecurity breach. Using a SIEM system is only one component of the multilayered security strategy many businesses use to protect themselves against cyberattacks (Mokalled et al., 2019). However, installing a SIEM solution is not a one-size-fits-all process; the ideal SIEM platform for one company may not suit another (Mokalled et al., 2019). A company must go beyond the technical details when assessing a SIEM solution.

Vazao et al. (2019) compared several open-source SIEM solutions by conducting bibliographical research and putting various test scenarios into practice, aiming to develop and assess a prototype in a real-world setting. The prevalence and intricacy of computer attacks have increased, necessitating the use of SIEM technologies to manage the associated risks. This is crucial as organizations increasingly depend on computer systems to support their operations (Vazao et al., 2019). Like the proposed project, this article recognizes that malicious software (malware) has been on the rise, growing in both frequency and functional complexity, and that organizations must address it.

Hristov et al. (2021) proposed a solution for enhancing an organization's security posture through the implementation of a SIEM system. SIEM has become a prevalent component of the security infrastructure of large and medium-sized enterprises (Hristov et al., 2021). This article relates to the proposed project because it also recognizes that the SIEM is increasingly regarded as an integral component of defensive strategies, alongside firewalls, network Intrusion Prevention Systems / Intrusion Detection Systems (IPS/IDS), web/mail security appliances, and antivirus (AV) solutions. Monitoring many systems in real time is a potential difficulty for security analysts operating inside a Security Operation Center (SOC). Using Splunk, all pertinent logs are gathered and kept in a unified instance, facilitating the creation of a comprehensive, consolidated view known as a "single pane of glass" (Hristov et al., 2021). The proposed solution includes four distinct real-time alerts designed to identify various instances of potentially suspicious or malicious behavior in order to demonstrate the functionality of the SIEM system (Hristov et al., 2021). One of the alerts is specifically designed to flag a Mirai Internet-of-Things (IoT) malware infection inside the organization.

Al-Duwairi et al. (2019) put forward a method for detecting and mitigating Distributed Denial of Service (DDoS) attacks launched by Internet of Things (IoT) botnets using a Security Information and Event Management (SIEM) approach. The rapid proliferation of IoT devices, along with their integration into all facets of everyday life, has attracted malicious actors who want to exploit the computational and communication capacity of IoT devices to execute several forms of cyberattack. IoT devices contain several weaknesses that may be readily exploited, resulting in the formation of IoT botnets comprising millions of devices (Al-Duwairi et al., 2019). SIEM-based solutions can be configured to precisely identify and block malicious network traffic originating from compromised IoT devices.

Mokalled et al. (2020) presented a methodology for assisting organizations in choosing a suitable SIEM system. The first step systematically proposes the criteria to consider in a SIEM system. Subsequently, a methodology is put forward for assessing SIEM solutions, which evaluates the conformity and suitability of any given SIEM solution. The objective of this approach is to assist organizations interested in implementing SIEM systems in their operational settings; it proposes appropriate solutions to meet the requirements considered essential prerequisites for an effective SIEM system. Mokalled et al. (2020) also suggested a comprehensive evaluation process incorporating quantitative and qualitative methods to assess and compare different SIEM systems against specific criteria. In contrast to other methodologies, this approach is client-centric: customer demands are considered throughout the process (Mokalled et al., 2020), which is particularly evident during requirement definition and the subsequent evaluation of suppliers' solutions.

Sizov and Kirov (2020) worked on solving the problems associated with implementing SIEM systems in information security management. By removing unused parts of the system and reorganizing its design, their study aimed to streamline the SIEM. Sizov and Kirov (2020) suggested automating the SIEM system's installation and configuration by creating a technique and an associated software module. Finally, Sizov and Kirov (2020) developed an integrated strategy combining the two techniques, making the SIEM system more practical as a quickly deployable solution. These suggestions focused on developing and implementing automated processes to streamline installing and configuring the SIEM system (Sizov & Kirov, 2020). Incorporating these automated processes shortens SIEM deployment, makes the operations themselves easier to carry out, and produces a uniform solution for this class of SIEMs.

Changes to the Project Environment

SIEM system implementation altered the project landscape significantly. SIEM systems are built to track, analyze, and respond to network and infrastructure security issues in real time. FinancialUSA now has an improved security posture. SIEM technology gave FinancialUSA specific capabilities for identifying, monitoring, and analyzing security events, including possible threats and attacks. Consequently, security personnel can now identify and address security problems rapidly and efficiently, because they have a consolidated view of the organization's security status. SIEM technology now also serves to fulfill the compliance obligations stipulated by regulatory frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the General Data Protection Regulation (GDPR).

The SIEM technology can now gather diverse logs from several sources and standardize them before analysis. The tool scales its capacity up or down as necessary and identifies potential threats using correlation analysis, then generates appropriate alerts. The tool is also capable of accurately identifying incidents and preventing attacks. Dashboards present real-time insights about security across the whole network. If the risk score associated with a potential threat is deemed elevated, that item is promptly and dynamically shown on the dashboard, calling for rapid remedial measures. SIEM solutions have a versatile design that detects attacks and handles data in various forms; this architecture enables the tool to use threat intelligence feeds and pertinent contextual information. Furthermore, the system can be adapted to FinancialUSA's requirements regardless of its operational setting, whether cloud-based, on-premises, or a combination of both.

Methodology

The execution of this project at FinancialUSA followed the DevSecOps paradigm. The goal of the DevSecOps framework is to encourage collaboration between the teams responsible for software development, system administration, and security. The security-focused character of a SIEM implementation is mirrored in the methodology's incorporation of security measures at each step of software development. "Security as Code" is an approach to software development that builds safeguards and protocols in from the ground up. With this method, security procedures and checks were treated as a whole: security best practices were integrated into the CI/CD pipeline so that security is considered at every stage of the release process, and security testing tools were used throughout development to spot flaws and misconfigurations before releasing the final product. Additionally, the approach promoted cooperation between the security, development, and operations groups to ensure that all security measures were taken throughout the implementation phase.

Project Goals and Objectives

The goal of centralized security monitoring was accomplished. FinancialUSA now has a more secure system free from attacks. Adopting this centralized perspective enables security teams to get a timely and accurate understanding of potential threats and vulnerabilities. The objective of enhancing the detection and handling of threats was also met. The SIEM system provided FinancialUSA with a comprehensive view of its security status, facilitating the identification of potential threats, prompt incident response, and adherence to regulatory obligations. The objective of managing regulatory compliance was achieved: FinancialUSA can now monitor and document the key occurrences essential to its functioning and success, assess the potential for data breach occurrences inside any FinancialUSA operational procedure, and rank the occurrences within the FinancialUSA portfolio as the most significant threats based on their respective risk levels.

However, the objective of economic resource utilization and cost reduction was not achieved. SIEM solutions in the market typically use pricing structures based on the number of events per second (EPS) or the volume of data ingested in gigabytes per day (GB/day). The fundamental idea is the same in both cases: data collection and analysis costs rise in proportion to how indiscriminately data is collected. One of the additional advantages of using NXLog for log collection optimization tailored to individual use cases is the reduction in the overall cost of owning and maintaining the FinancialUSA SIEM infrastructure. Therefore, it is vital to understand the expenses associated with adopting and operating a SIEM solution before deciding on its implementation.
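The following is an added example, not code from the original report and not NXLog's own configuration or code. It mimics in Python the per-use-case filtering a collector can apply before forwarding to the SIEM (dropping debug chatter and load-balancer health checks, collapsing exact repeats into one event with a count) and then reports the events per second and gigabytes per day that EPS- or volume-based pricing keys off. The sample syslog lines and the 10-second capture window are constructed for the example.

```python
"""Collector-side log filtering and its effect on SIEM ingest volume.

Added example; not the report's or NXLog's code. The sample lines below are
constructed, and the capture window is assumed to be 10 seconds.
"""
import re
from collections import Counter

# Constructed sample: 12 syslog-style lines captured over a 10-second window.
SAMPLE_LOG = """\
<86>Apr 26 10:00:00 app01 sshd[412]: Accepted publickey for deploy from 10.0.1.8 port 5012
<30>Apr 26 10:00:01 app01 haproxy[77]: GET /healthz 200 from 10.0.0.5
<30>Apr 26 10:00:02 app01 haproxy[77]: GET /healthz 200 from 10.0.0.5
<30>Apr 26 10:00:03 app01 haproxy[77]: GET /healthz 200 from 10.0.0.5
<31>Apr 26 10:00:03 app01 payments[901]: DEBUG cache hit for account 4417
<31>Apr 26 10:00:04 app01 payments[901]: DEBUG cache hit for account 4418
<84>Apr 26 10:00:05 app01 sshd[415]: Failed password for root from 198.51.100.23 port 41022
<84>Apr 26 10:00:05 app01 sshd[415]: Failed password for root from 198.51.100.23 port 41022
<84>Apr 26 10:00:06 app01 sshd[416]: Failed password for root from 198.51.100.23 port 41023
<30>Apr 26 10:00:07 app01 haproxy[77]: GET /healthz 200 from 10.0.0.5
<29>Apr 26 10:00:08 app01 payments[901]: NOTICE settlement batch 88 completed
<84>Apr 26 10:00:09 app01 sshd[417]: Failed password for admin from 198.51.100.23 port 41024
"""
WINDOW_SECONDS = 10

PRI = re.compile(r"^<(\d+)>")
# <PRI> plus the RFC 3164 timestamp; stripped so message bodies can be compared.
HEADER = re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d ")


def severity(line):
    """Syslog severity is the low three bits of the <PRI> value (7 = debug)."""
    m = PRI.match(line)
    return int(m.group(1)) & 7 if m else 6


def keep(line):
    """Use-case filter: security-relevant lines pass, debug and health checks do not."""
    if severity(line) >= 7:
        return False
    if "GET /healthz 200" in line:
        return False
    return True


def collapse_repeats(lines):
    """Merge lines whose bodies are identical (ignoring the timestamp) into one
    event carrying a repeat count; the first occurrence is kept verbatim."""
    first_seen, counts = {}, Counter()
    for line in lines:
        key = HEADER.sub("", line, count=1)
        counts[key] += 1
        first_seen.setdefault(key, line)
    return [line if counts[k] == 1 else f"{line} (repeat={counts[k]})"
            for k, line in first_seen.items()]


def ingest_profile(lines, window_seconds):
    """Return (eps, gb_per_day) implied by `lines` over the capture window."""
    total_bytes = sum(len(line.encode()) + 1 for line in lines)  # +1 for the newline
    eps = len(lines) / window_seconds
    gb_per_day = total_bytes / window_seconds * 86400 / 1e9
    return eps, gb_per_day


def optimize(raw_text, window_seconds=WINDOW_SECONDS):
    """Apply the collector filter and report ingest before and after it."""
    lines = raw_text.splitlines()
    forwarded = collapse_repeats([line for line in lines if keep(line)])
    before_eps, before_gb = ingest_profile(lines, window_seconds)
    after_eps, after_gb = ingest_profile(forwarded, window_seconds)
    return {"forwarded": forwarded,
            "before_eps": before_eps, "after_eps": after_eps,
            "before_gb_day": before_gb, "after_gb_day": after_gb}


if __name__ == "__main__":
    r = optimize(SAMPLE_LOG)
    print(f"EPS {r['before_eps']:.2f} -> {r['after_eps']:.2f}; "
          f"GB/day {r['before_gb_day']:.5f} -> {r['after_gb_day']:.5f}")
    for line in r["forwarded"]:
        print("  ", line)
```

On the constructed sample the filter forwards 5 of 12 lines, so EPS falls from 1.2 to 0.5 and the daily volume falls in proportion; the failed-password lines that matter for detection are all retained, and the exact duplicate is forwarded once with its repeat count so no evidence is lost.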

Project Timeline

| Milestone or deliverable | Duration (hours or days) | Projected Start Date | Projected End Date | Actual End Date |
|---|---|---|---|---|
| Define the Requirements | 2 days | 3/26/2023 | 3/28/2023 | 3/28/2023 |
| Plan for Implementation | 3 days | 3/28/2023 | 4/01/2023 | 4/0/2023 |
| Documentation | 7 days | 4/01/2023 | 4/8/2023 | 4/8/2023 |
| Infrastructure Automation | 3 days | 4/8/2023 | 4/11/2023 | 4/11/2023 |
| Incident Response Automation | 4 days | 4/11/2023 | 4/15/2023 | 4/15/2023 |
| Execute Deployment and Conduct Review | 11 days | 4/15/2023 | 4/26/2023 | 4/26/2023 |
| Follow-up After Implementation | 90 days | 4/26/2023 | 7/26/2023 | 7/26/2023 |
| Continuous Learning and Improvement | 60 days | 4/26/2023 | 6/26/2023 | 6/26/2023 |
| Email employee instructional information | 2 days | 6/26/2023 | 6/28/2023 | 7/01/2023 |
| Meeting – Project End | 5 hours | 6/28/2023 | 6/28/2023 | 7/02/2023 |

The projected time for the SIEM implementation experienced deviations due to various circumstances, including internal and external influences; such deviations are commonly known as project delays. Delays occurred because of modifications to the project scope prompted by internal initiatives. Broadening the scope without corresponding adjustments to the timetable placed excessive demands on resources and caused the project to exceed its projected duration. Insufficient or improperly allocated resources, such as human capital, machinery, or materials, can impede a project's advancement, and a lack of resources led to bottlenecks and increased the time required for completion. The project timetable was also affected by unforeseen circumstances or hazards, such as economic fluctuations and supply chain delays. Finally, inaccurate early project assessments, including projections of both time and resources, produced impractical expectations and timetables.

Unanticipated Requirements

Because of the complexity involved, unanticipated requirements emerged during and after the installation of the SIEM system. Changes in threats, compliance rules, the nature of the organization, and the nature of technology were all potential drivers of such needs. New compliance obligations were introduced, and existing regulations may evolve. To comply fully with new regulations, FinancialUSA needed to modify its SIEM system in some way, such as by adding new security controls or by collecting and reporting on new kinds of data. The volume of security data created rose as FinancialUSA developed its digital presence; since more data and analysis were needed, the FinancialUSA SIEM system needed to grow. Unanticipated requirements for SIEM integration arose from the widespread use of technologies like cloud services, IoT devices, and containerized applications, which generated unique log formats requiring tailored SIEM connectors and settings. New threats and attack methods were overlooked during the earliest stages of the SIEM installation. Therefore, threat intelligence feeds, machine learning algorithms, and user and entity behavior analytics (UEBA) are just a few ways to improve the FinancialUSA SIEM's threat detection capabilities and remain one step ahead of attackers.

While the advantages of SIEM are obvious, implementing it presented challenges. SIEM systems were challenging to implement and manage because of their complexity. Firewalls, routers, web security appliances, IDS/IPS systems, UTMs, CASBs (cloud access security brokers), and AVs (advanced malware protection) are some of the many network security solutions used in enterprise networks, and all of these parts produce a large number of warnings and events. To build a SIEM system that successfully coordinates log aggregation, analytics, and threat detection across a wide variety of security components, extensive discovery, planning, policy review, and fine-tuning were necessary. Compatibility was another challenge: a successful SIEM solution had to be compatible with all the systems and software used on the network, including operating systems, applications, databases, servers, routers, switches, and security appliances. Therefore, this project integrated smoothly with preexisting network security and management capabilities, such as endpoint protection, to get the most out of the SIEM system.

Conclusions

FinancialUSA, a cloud-based Software as a Service (SaaS) provider for the banking sector, has transformed its security posture by adopting a SIEM system, and a higher level of security is now in place. With the SIEM's help, the company can keep track of security-related events, investigate them for threats, and act swiftly and decisively. The SIEM system's capacity to detect, rank, and streamline the investigation of security issues has allowed FinancialUSA to improve its response time. Real-time monitoring is one of the direct outcomes of a successful SIEM deployment: now that FinancialUSA can see its security environment in real time, it can respond more effectively to security events and threats, and it can identify and prevent more sophisticated and persistent security threats. Because of the SIEM system's flexibility, threats can always be identified and dealt with. The project's goal of bolstering the company's security measures has been successfully attained. Therefore, FinancialUSA's SIEM installation project succeeded, since it accomplished its goals, increased security, and prepared the company for future security difficulties.

Project Deliverables

The detailed explanation of each project deliverable for a SIEM implementation ensures that the implementation process is well planned, executed, and documented to fulfill security and compliance requirements and to provide a road map for future operation and maintenance. The Requirements Document specifies not only what the SIEM needs to be able to do, such as collect, correlate, and report on logs, but also how well it needs to do these things in terms of performance, scalability, and availability. It included the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and other industry-specific rules the SIEM must follow. Data Source Identification: all possible data sources that might flow into the SIEM were identified and listed for this deliverable. Routers, switches, web servers, database servers, intrusion detection and prevention systems (IDS/IPS), endpoints (workstations, laptops), and applications (CRM systems, email servers) are all potential data sources. The data sources used to evaluate vital assets are indicated.

Data Collection and Normalization Plan: this deliverable covers data collection, transformation, and normalization for consistency, as well as preparation for SIEM analysis. It has to explain how various log formats, protocols, and data normalization procedures may be integrated into a unified whole. Information storage and backup schedules, as well as archiving protocols, are outlined. Integration with Existing Systems: the SIEM solution's integration with preexisting security technologies and IT infrastructure is the focus of this deliverable. It details the protocols, configurations, and integration points that allow uninterrupted data transfer across systems. It is a necessary step for the SIEM to collect and analyze data from preexisting security measures.
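The following is an added example, not code from the original report and not any vendor's parser, illustrating the normalization step the Data Collection and Normalization Plan calls for. Three constructed lines in different formats (a Cisco-ASA-style syslog message, an Apache combined access-log entry, and a JSON event from a hypothetical endpoint agent) are parsed into one dictionary shape so that downstream correlation rules only ever see the same field names; the field names themselves, the assumed year for the year-less syslog timestamp, and the sample lines are this example's own choices.

```python
"""Normalizing heterogeneous log lines into one event schema.

Added example; not the report's or any vendor's code. Field names, sample
lines, and the assumed year for the RFC 3164 timestamp are this example's own.
"""
import json
import re
from datetime import datetime, timezone

# Common schema every parser fills; downstream rules key off these names only.
FIELDS = ("ts", "source", "src_ip", "dst_ip", "user", "action", "severity", "raw")

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}

# Constructed sample lines, one per format.
SAMPLE_LINES = [
    'Apr 26 10:00:05 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.23/41022 '
    'dst inside:10.0.1.8/22 by access-group "outside_in"',
    '10.0.0.5 - alice [26/Apr/2023:10:00:07 +0000] "GET /admin HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '{"time": "2023-04-26T10:00:09Z", "host": "wks-17", "event": "process_start", '
    '"user": "bob", "src": "10.0.2.41", "image": "cmd.exe", "level": "info"}',
]

ASA_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) %ASA-(?P<sev>\d)-\d+: "
    r"(?P<action>\w+) \S+ src \S+:(?P<src>[\d.]+)(?:/\d+)? dst \S+:(?P<dst>[\d.]+)"
)
APACHE_RE = re.compile(
    r'^(?P<src>[\d.]+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _event(**kw):
    """Build an event with every schema field present (None when unknown)."""
    ev = dict.fromkeys(FIELDS)
    ev.update(kw)
    return ev


def parse_asa(line, year=2023):
    """ASA-style syslog; RFC 3164 carries no year, so the year is an assumption."""
    m = ASA_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
    return _event(ts=ts.isoformat(), source=m["host"], src_ip=m["src"], dst_ip=m["dst"],
                  action=m["action"].lower(), severity=SEVERITY_NAMES[int(m["sev"])], raw=line)


def parse_apache(line):
    """Apache combined log; 4xx/5xx responses are normalized to 'warning'."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    status = int(m["status"])
    return _event(ts=ts.isoformat(), source="apache", src_ip=m["src"],
                  user=None if m["user"] == "-" else m["user"],
                  action=f"{m['method']} {m['path']} {status}",
                  severity="warning" if status >= 400 else "info", raw=line)


def parse_agent_json(line):
    """JSON event from a hypothetical endpoint agent (constructed key names)."""
    try:
        d = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(d, dict) or "event" not in d or "time" not in d:
        return None
    ts = datetime.fromisoformat(d["time"].replace("Z", "+00:00"))
    return _event(ts=ts.isoformat(), source=d.get("host"), src_ip=d.get("src"),
                  user=d.get("user"), action=d["event"],
                  severity=d.get("level", "info"), raw=line)


PARSERS = (parse_agent_json, parse_asa, parse_apache)


def normalize(line):
    """Return the first parser's event; unrecognized lines are kept as 'unparsed'
    so that a format change shows up in the data instead of being silently lost."""
    for parser in PARSERS:
        ev = parser(line)
        if ev is not None:
            return ev
    return _event(action="unparsed", severity="info", raw=line)


if __name__ == "__main__":
    for ev in map(normalize, SAMPLE_LINES):
        print(ev["ts"], ev["source"], ev["src_ip"], ev["action"], ev["severity"])
```

Every event carries the same eight keys and an ISO 8601 UTC timestamp, which is what makes correlation across a firewall, a web server, and an endpoint possible; the raw line is retained so analysts can always go back to the original text.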

Customization and Use Case Development: modifying a SIEM to fit unique needs is what is meant by "customization." To successfully identify and react to security issues, it is necessary to create custom rules, alerts, and correlation logic. Altering the SIEM's settings to include threat intelligence feeds and anomaly detection methods is also part of the customization process. Dashboards and reports tailored to their needs let security teams monitor and analyze data graphically. The Incident Response Plan details how the SIEM will identify and respond to security problems: it establishes escalation methods, classifies events according to severity, and offers specific workflows for handling various issues. It also details the steps to be taken during a security incident, including the use of the SIEM system, with detailed incident processes, severity classification, and defined escalation protocols, and it includes the internal and external contacts for the incident response team and other outside parties. For instance, the simplified flowchart (see Appendix A) depicts a SIEM-triggered alerting and incident response procedure. Depending on factors like company size, sector, and required level of security, actual designs might vary widely. An organization's specific needs should be reflected in the flowchart and associated procedures, and any relevant regulatory compliance requirements should also be incorporated.
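The following is an added example, not code from the original report or from any SIEM product. It implements one custom correlation rule of the kind the Customization and Use Case Development deliverable describes (repeated failed logins from one source address inside a time window, raised in severity when a success from the same address follows), classifies the resulting alert by severity, and routes it through an escalation table of the kind the Incident Response Plan and the Appendix A flowchart call for. The events, threshold, window, and escalation contacts are all constructed for the example, and the events are assumed to already be in a normalized shape.

```python
"""One custom correlation rule with severity classification and escalation.

Added example; not the report's or any SIEM vendor's code. Events, threshold,
window, and the escalation table are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    rule: str
    severity: str
    src_ip: str
    evidence: list               # the events that triggered the alert
    escalation: list = field(default_factory=list)


# Hypothetical escalation table: who is contacted, and how, per severity.
ESCALATION = {
    "critical": ["page on-call analyst", "notify incident manager", "open P1 ticket"],
    "high": ["page on-call analyst", "open P2 ticket"],
    "medium": ["open P3 ticket"],
    "low": ["dashboard only"],
}


class FailedLoginRule:
    """`threshold` or more failed logins from one source IP within `window`
    raise a medium alert; a later successful login from that IP while those
    failures are still inside the window raises a high alert."""
    name = "repeated_failed_logins"

    def __init__(self, threshold=3, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # src_ip -> deque of (ts, event)
        self.flagged = set()                 # src_ips already alerted at threshold

    def _prune(self, src, now):
        """Drop failures older than the window; an empty window clears the flag."""
        q = self.failures[src]
        while q and now - q[0][0] > self.window:
            q.popleft()
        if not q:
            self.flagged.discard(src)

    def _alert(self, severity, src, extra=None):
        evidence = [ev for _, ev in self.failures[src]]
        if extra is not None:
            evidence.append(extra)
        return Alert(self.name, severity, src, evidence, list(ESCALATION[severity]))

    def feed(self, ev):
        """Consume one normalized event; return an Alert or None."""
        ts, src = ev["ts"], ev["src_ip"]
        self._prune(src, ts)
        if ev["action"] == "login_failed":
            self.failures[src].append((ts, ev))
            if len(self.failures[src]) >= self.threshold and src not in self.flagged:
                self.flagged.add(src)          # alert once per burst, not per event
                return self._alert("medium", src)
        elif ev["action"] == "login_success" and src in self.flagged:
            alert = self._alert("high", src, extra=ev)
            self.flagged.discard(src)
            self.failures[src].clear()
            return alert
        return None


def run_rule(events, rule=None):
    """Replay events in time order through the rule; return the alerts raised."""
    rule = rule or FailedLoginRule()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alert = rule.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed, already-normalized events (the shape a normalization stage emits).
T0 = datetime(2023, 4, 26, 10, 0, 0)
EVENTS = [
    {"ts": T0, "src_ip": "198.51.100.23", "user": "root", "action": "login_failed"},
    {"ts": T0 + timedelta(seconds=5), "src_ip": "198.51.100.23", "user": "root", "action": "login_failed"},
    {"ts": T0 + timedelta(seconds=7), "src_ip": "10.0.1.8", "user": "deploy", "action": "login_success"},
    {"ts": T0 + timedelta(seconds=12), "src_ip": "198.51.100.23", "user": "admin", "action": "login_failed"},
    {"ts": T0 + timedelta(seconds=20), "src_ip": "198.51.100.23", "user": "admin", "action": "login_success"},
    {"ts": T0 + timedelta(seconds=300), "src_ip": "203.0.113.9", "user": "bob", "action": "login_failed"},
    {"ts": T0 + timedelta(seconds=301), "src_ip": "203.0.113.9", "user": "bob", "action": "login_failed"},
    {"ts": T0 + timedelta(seconds=400), "src_ip": "203.0.113.9", "user": "bob", "action": "login_failed"},
]

if __name__ == "__main__":
    for a in run_rule(EVENTS):
        print(f"[{a.severity}] {a.rule} from {a.src_ip}: "
              f"{len(a.evidence)} events -> {', '.join(a.escalation)}")
```

On the constructed events the rule raises two alerts for 198.51.100.23 (medium at the third failure, high when the success follows) and none for 203.0.113.9, whose third failure falls outside the 60-second window. Emitting the alert once per burst, carrying the evidence events, and looking up the escalation steps from a severity table is what keeps the analyst's queue short and the flowchart's "who is notified and how" decision mechanical.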

The SIEM administrators and analysts will be trained through a thorough program outlined in the User Training Plan. The program includes training materials, session times, practical assignments, and test procedures for understanding the SIEM architecture (see Appendix B). Certification at the end of the training program may guarantee that employees have the skills to run the SIEM efficiently. Manuals and other documentation: the SIEM's user manual and administrative guide are included in this package. The SIEM documentation includes user guidelines that walk employees through typical activities, troubleshooting guides that help FinancialUSA fix common problems, and maintenance procedures that keep everything running correctly. With this documentation, users will be able to make full use of the SIEM's features and overcome operational hurdles.

References

Al-Duwairi, B., Al-Kahla, W., AlRefai, M. A., Abedalqader, Y., Rawash, A., & Fahmawi, R. (2020). SIEM-based detection and mitigation of IoT-botnet DDoS attacks. International Journal of Electrical and Computer Engineering (IJECE), 10(2), 2182. https://doi.org/10.11591/ijece.v10i2.pp2182-2191

Botello, J. V., Mesa, A. P., Rodríguez, F. A., Díaz-López, D., Nespoli, P., & Mármol, F. G. (2020). BlockSIEM: Protecting smart city services through a blockchain-based and distributed SIEM. Sensors, 20(16), 4636. https://doi.org/10.3390/s20164636

Hristov, M., Nenova, M., Iliev, G., & Avresky, D. (2021). Integration of Splunk Enterprise SIEM for DDoS attack detection in IoT. 2021 IEEE 20th International Symposium on Network Computing and Applications (NCA). https://doi.org/10.1109/nca53618.2021.9685977

Mokalled, H., Catelli, R., Casola, V., Debertol, D., Meda, E., & Zunino, R. (2019). The applicability of a SIEM solution: Requirements and evaluation. 2019 IEEE 28th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE). https://doi.org/10.1109/wetice.2019.00036

Mokalled, H., Catelli, R., Casola, V., Debertol, D., Meda, E., & Zunino, R. (2020). The guidelines to adopt an applicable SIEM solution. Journal of Information Security, 11(01), 46–70. https://doi.org/10.4236/jis.2020.111003

Sizov, V. A., & Kirov, A. D. (2020). Problems of implementing SIEM systems in the practice of managing information security of economic entities. Open Education, 24(1), 69–79. https://doi.org/10.21686/1818-4243-2020-1-69-79

Vazao, A., Santos, L., Piedade, M. B., & Rabadao, C. (2019). SIEM open source solutions: A comparative study. 2019 14th Iberian Conference on Information Systems and Technologies (CISTI). https://doi.org/10.23919/cisti.2019.8760980



Appendix A

Flowchart of Alerting and Incident Response by a SIEM



Appendix B

Understanding the SIEM Architecture
