Implementing a SIEM can be a complex and costly process. Many organizations fail to realize the full potential of their SIEM because they fail to capture the right logs. Others get mired in voluminous logs of little significance. Most also miss out on what is potentially the most useful log source of all: individual endpoints. SIEM vendors are equally to blame for failing to deliver on their promises to interpret and correlate logs.
Two years ago we started on a SIEM implementation project with a lofty goal: to collect logs from every endpoint on our network. We have nearly reached our goal and learned a lot of lessons along the way. In this presentation we will share lessons learned, unique correlations we have devised, suggestions for vendors to improve their logging, and suggestions for SIEM vendors to improve their products, all without using the words "threat intelligence".
Aaron Beuhring has over 13 years of IT experience. He enjoys correcting configurations and occasionally misconfiguring things as well.
Kyle Salous has over 10 years of IT Security experience. He enjoys doing more with less while keeping the bad guys on their toes.