We hear from hundreds of people who don't have a SIEM. Some ask us where to start. They've heard about starting at the “risk vs. compliance” decision point. However, we think that may be a distraction, perhaps even disingenuous to people new to SIEM. Such a statement obscures a critical, core element of security information and event management that people new to the process need to know about.
SIEMs and the use-cases that drive their deployment are very complex. Their complexities often overshadow a hidden complexity until too late, when the budget is gone and the primary use-case is unresolved.
Security tools exist to secure something. SIEMs should monitor that something. What is it? Information. The OS, firewall, router tables—all that is a secondary, or perhaps even tertiary target. Organizations must secure and closely monitor information inside their applications. Therefore, any SIEM solution you propose to buy should include the middle-ware that all SIEMs need to monitor the information the bad guys want.
The last thing a CTO or CIO wants to hear, after exhausting the budget to get the SIEM running, is that the audit logs from mission critical apps like Exchange, SharePoint and SQL Server are missing from the story. At the end of the day, the most valuable bytes are the combined bytes of sensitive information stored in enterprise applications. The rest is just data.
So, if you are looking for a SIEM solution, where should you start?
Start by looking for the SIEMs that have integrations you can trust to get the application audit logs where they belong. Our suggestion: the only SIEMs to consider are the SIEMs with LOGbinder integration. Start there, and then start the evaluation process that suits your needs.
Technical features coming to Exchange auditing
Many of you may have attended or downloaded the Exchange mailbox auditing Ultimate Windows Security webinar last month. (Here's the link if you didn't.) We described how to configure Exchange auditing, and some of the complexities of the audit process. We also showed you a beta version of an upcoming LOGbinder EX 3.0 release. The update is still being tested, but thought we'd include a partial list of the new features.
- Mailbox Audit Policy Wizard. This is the big news of the new release. For any of you that have configured Exchange Mailbox Auditing via PowerShell, you know this can be very tedious and time consuming. It no longer has to be. Using the built in Mailbox Audit Policy wizard, LOGbinder will configure audit policy on mailboxes that are members of selected groups or organizational units. You may select groups, organizational units, or both. Keep in mind it is best to use a fewer number of groups/units, since the greater number of groups/units, the longer it will take LOGbinder to examine them.
- Mailbox Audit Policy Enforcement. Once a day, LOGbinder service will check audit policy on mailboxes that are members of selected groups or organizational units. If policy does not match, LOGbinder will set audit policy, afterward reporting on the results.
- Recipient for audit emails. Since Exchange will send audit logs via email, it must use a mailbox as an intermediate step to audit logs processing. In the past (and currently), the address had to be the default administrator mailbox. Now with LOGbinder EX 3.0, use any email address, provided it has permissions to receive audit logs and the LOGbinder service has access to the mailbox's items.
- Processing of new Exchange audit events. Added events 25661-25686, from Exchange service packs.
- Adjusted formatting of events. For events that list mail items, instead of including redundant XML, extract the subject lines of each item and present as a list.
Customers with current support and maintenance contracts will receive this update at no additional cost. Which is an incredible value.