SIEM’s Redline
I’m a car guy. I’ve always loved things that go fast. I saw pictures this week of the 2012 Boss Mustang and started drooling. It comes from the factory with 440 HP and a top speed of 155 MPH. This car is designed to drive fast, but I wonder… how long would it last if you were able to get on a track and keep it up over 130 MPH? How long would it be able to keep that pace before things started to fail, a day, a week, a month?
SIEM (used interchangeably for Security Information Event Management or Log Management for the purposes of this article) specs are like this as well. You look at the product literature and it says it can handle 6000 events per second when the hardware is spec’d a certain way. You really need to understand that in most cases, that’s a best case scenario and usually meant as a peak event rate, not a sustained event rate. This is a pain point on a current project where the product literature and actual real world statistics don’t match.
Even if you spec your system to be a Le Mans car; these are designed to run full speed for 24 hours, but they also cost several million dollars each and get rebuilt after each race. Do yourself a favor and always underestimate what the tool can handle and over estimate what your event rate is. It’s never a good practice to run anything near redline for long periods of time… Even a sports car.
What’s Needed?
Sizing the database is a key factor in SIEM success. We have created a tool to easily calculate the storage requirements for your SIEM/Novell Sentinel Deployment.
Click below for our SIEM Storage Requirement Calculator to help calculate database sizing.
Related Articles That Might Interest You
Free Whitepaper: Stop Wasting Money on Penetration Testing
Penetration Testing is most frequently performed to:
- Substantiate the net effectiveness of a mature control environment
- Prove to a third party that an environment is secure/trustworthy
- Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
- To validate that significant changes did not have unanticipated results
Best Practices for Firing A Network Security Administrator
Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.
Download: Information Security Attestation Guide
A Best-Practices Guide to Information Security Attestation
Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.
Free Download: ISO 27001 Implementation Roadmap
Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.
Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!
Free Whitepaper: Five Best Practices for SIEM
The promise of SIEM is the consolidation of all relevant Security Event Logs from disparate sources into a single unified and normalized data store.
Is ISO 27001 Right for (Y)our Organization?
Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar
- How to deal with increasing threats
- How to manage multiple regulatory requirements
- How to handle client requests for attestation
- To validate that significant changes did not have unanticipated results
Free Download: A Best Practices Guide to Database Security
Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.
Risky Business Blog
Simplified Blog
Techno Blog
In The News
RSS Feed
About the Author:
MIke Gargiullo - Senior Security Consultant