University of Exeter - Zero to SIEM in 8 weeks
Release Date: 06/01/20
Author: Baz Donoghue - Certified Splunk Consultant
The first and subsequent steps on any organisation’s IT Security journey can be difficult and uncertain at the best of times. To go from little or no security use cases and consolidated view of your security landscape, to a fully implemented SIEM solution is a challenging undertaking. Throw into the mix a compressed timeframe for planning and implementation, this makes an already precarious task all the more formidable.
This is exactly what University of Exeter (UoE) did with their Splunk Enterprise Security Implementation, along with expert support and services provided by Somerford Associates.
Picking up where we left off from the previous blog, we will be exploring how the above is maintained through a culture of Rationalise, Rectify and Reassess, as well as how to leverage data source analysis to identify potentially viable use cases.
Data Source Analysis: Art of the (currently) possible!
- As per our previous blogs we explained how it was essential for use cases to be aligned against user stories to fully understand the viability of our use cases.
- However, value can also be attained by gaining an understanding of how to further leverage the data sources already available to us. This can be carried out in several different ways, from in-depth bottom up data source modeling and threat mapping, to utilising tools like Splunk Security Essentials to gain some quick wins with data usability and utilisation.
Rationalise, Rectify and Reassess.
- A key activity in producing, realising and maintaining successful security use cases is ensuring that process is put in place to constantly revisit and review each user story in a bid to make sure that they are still relevant, required and appropriate.
- This means that there MUST be a review cycle in place to ensure that this content is revisited on a regular basis not only to ensure that the data is still relevant and available but that the use case is actually fit for purpose or still relevant.
- This review process could be something as simple as a weekly “Use case review” board, which looks at any required, extant and legacy use cases along with available data sources to see if new use cases can be realised, current use cases can be tuned or enriched with newly available data or if legacy use cases can be decommissioned or altered to be more relevant.
- The ultimate goal from a security context would be to work towards including such a review process into a more widely reaching “Target Operating Model” which outlines all of the process, people and technology relationships and interactions to better manage and maintain an ever adapting and improving security picture and supporting operations.
Not sure how to contact us?
Schedule a call with one of our certified engineers and pre sales team. Or drop us a line if you have any questions.