On 30 March 2012, SearchSecurity UK published an article, "SIEM deployment case study shows patience is required", which once again uses a real-world case to show that deploying a SIEM is no easy matter: it is a fairly long process of continuous improvement.
The customer in this case spent four months selecting a SIEM, and the deployment, which began last year, is still not finished. The project lead put it this way: "People think that by installing SIEM it will fix everything, but no, there is a lot of work involved to ensure it works effectively."
When discussing the challenges the project ran into, the project lead said that if logging on the log-source devices is not configured properly, the SIEM will be swamped by the log volume. He added that even though his Juniper perimeter firewall is now down to 80 EPS, he is still not satisfied and intends to keep tuning it. [Note: according to a document I have on hand, overseas the log volume of a perimeter FW is typically tuned down to a daily average of 30 EPS, and even the average while under attack is no more than 500 EPS. Compared with that, we in China still have some way to go.]
Operating a SIEM is also fairly demanding. The project lead said: "We have one guy who spends four or five hours a week tuning and tweaking the SIEM, getting rid of false positives." Furthermore, "You have to go through all the rules and make decisions about what you do and don't want to trigger an event, and that takes a lot of time," he said. "Then each rule has to be written into your policy, with the reasons for doing it, so someone else can see why a decision was made, especially if you get a breach."
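The two practical points above, measuring how much each log source and each message category actually sends, and then deciding which categories to turn down at the source, are easy to demonstrate with a small profiler. The following is an added example written for this post; it is not code from the SearchSecurity UK article or from the customer described in it. The log lines are constructed, and their layout (timestamp, host, process, message id, free text) is a simplified stand-in for Juniper's real syslog format; the hostnames, addresses and the 0.5 EPS budget are assumptions used only for illustration.

```python
"""Per-source / per-message-id EPS profiler for syslog samples.

Added example (not from the article): measure events per second for
each host and each message id in a log sample, flag sources that blow
their budget, and rank message ids as candidates for suppression at
the source. Python 3, standard library only.
"""
import re
from collections import Counter
from datetime import datetime

# Simplified line layout, constructed for this example:
#   <ISO timestamp> <host> <process>: <MSGID>: <free text>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msgid>[A-Z][A-Z0-9_]*): "
)

# Constructed sample covering 10 seconds; hosts and IPs are invented.
SAMPLE_LOGS = [
    "2012-03-30T10:00:00 fw-edge RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.5/51234->8.8.8.8/53 junos-dns-udp",
    "2012-03-30T10:00:00 fw-edge RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.7/40112->93.184.216.34/443 junos-https",
    "2012-03-30T10:00:01 fw-edge RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.8/40113->93.184.216.34/443 junos-https",
    "2012-03-30T10:00:02 fw-edge RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.9/40114->93.184.216.34/443 junos-https",
    "2012-03-30T10:00:03 fw-dmz RT_IDP: RT_IDP_ATTACK_LOG_EVENT: IDP: SIG Attack log <198.51.100.20/4455->10.2.0.10/80>",
    "2012-03-30T10:00:04 fw-edge RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.10/40115->93.184.216.34/443 junos-https",
    "2012-03-30T10:00:05 fw-edge RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.11/51235->8.8.8.8/53 junos-dns-udp",
    "2012-03-30T10:00:06 fw-edge RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: 10.1.1.5/51234->8.8.8.8/53 junos-dns-udp",
    "2012-03-30T10:00:07 fw-edge RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.12/40116->93.184.216.34/443 junos-https",
    "2012-03-30T10:00:08 fw-dmz RT_IDP: RT_IDP_ATTACK_LOG_EVENT: IDP: SIG Attack log <198.51.100.21/4456->10.2.0.10/80>",
    "2012-03-30T10:00:09 fw-edge RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.13/40117->93.184.216.34/443 junos-https",
    "2012-03-30T10:00:09 fw-edge RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.14/51236->8.8.8.8/53 junos-dns-udp",
    "this line is malformed on purpose and must be counted as skipped",
]


def parse_line(line):
    """Return (timestamp, host, msgid) for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("host"), m.group("msgid")


def profile(lines):
    """Compute EPS per host and per message id over the sampled window.

    The window runs from the first to the last timestamp, counted in
    whole seconds inclusive, so :00 to :09 is a 10-second window.
    """
    per_host, per_msgid = Counter(), Counter()
    first = last = None
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        ts, host, msgid = parsed
        per_host[host] += 1
        per_msgid[msgid] += 1
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    if first is None:
        return {"window_seconds": 0.0, "total_eps": 0.0,
                "per_host": {}, "per_msgid": {}, "skipped": skipped}
    window = (last - first).total_seconds() + 1.0
    return {
        "window_seconds": window,
        "total_eps": sum(per_host.values()) / window,
        "per_host": {h: n / window for h, n in per_host.items()},
        "per_msgid": {m: n / window for m, n in per_msgid.items()},
        "skipped": skipped,
    }


def over_budget(prof, budget_eps):
    """Hosts whose sustained EPS exceeds the per-source budget."""
    return sorted(h for h, eps in prof["per_host"].items() if eps > budget_eps)


def suppression_candidates(prof, target_eps):
    """Greedily pick the noisiest message ids to turn off at the source
    until the remaining rate fits the target. This only ranks volume;
    whether a category (e.g. session-close records) can be dropped
    without losing forensic value is a policy decision to be documented
    alongside the rule, exactly as the project lead describes."""
    remaining = prof["total_eps"]
    chosen = []
    for msgid, eps in sorted(prof["per_msgid"].items(), key=lambda kv: (-kv[1], kv[0])):
        if remaining <= target_eps + 1e-9:
            break
        chosen.append(msgid)
        remaining -= eps
    return chosen


if __name__ == "__main__":
    prof = profile(SAMPLE_LOGS)
    print(f"window {prof['window_seconds']:.0f}s, total {prof['total_eps']:.2f} EPS, "
          f"{prof['skipped']} unparsed line(s)")
    for host, eps in sorted(prof["per_host"].items()):
        print(f"  {host:8s} {eps:.2f} EPS")
    print("over budget (0.5 EPS):", over_budget(prof, 0.5))
    print("suppress at source to reach 0.5 EPS:", suppression_candidates(prof, 0.5))
```

Run against real exports, the same per-message-id breakdown is what tells you whether a firewall's 80 EPS is dominated by session-close noise or by the security events you actually want; the script deliberately stops at ranking, because the keep-or-drop decision and its justification belong in the written policy, not in a heuristic.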
A SIEM is undoubtedly useful. "Any good information security person will want to know what's going on in their network," he said. "SIEM can help provide the visibility you need. It is a very powerful and useful tool, but it's not a silver bullet. You still need to do the work." But a SIEM is only a tool; it is not a silver bullet for network security.
[Reference]