How would YOU architect a SIEM deployment for this FICTITIOUS (but real-world-inspired …) large corporate environment:
- About 30,000 events/second ongoing rate (this is NOT a peak rate, but a rate measured and then averaged over the course of 24 hours)
- 15 separate sites, most in US but some in Europe and Asia; a few datacenters and a few regional offices (large and small)
- Log source mix is a diverse blend of firewalls, network devices, NIPS, Windows servers, Unix/Linux servers, web proxies, and also web servers and select database servers
- Retention policy is 30 days for log data used for operational security analysis and 1 year for searchable full archives
- The use case is a combination of near-real-time monitoring (via correlation rules and whatever other analytic features the SIEM has) AND incident investigations (via searches, reports and whatever stored-data analytics the SIEM has), plus maybe some compliance reports to spice it up. The monitoring efforts will focus on outside attackers and malware as well as possible insider abuse.
- A few analysts will be using the tool simultaneously most of the time.
So, here is a mental exercise for you:
- How would you architect it?
- Where would you place the collectors? How many?
- How would you plan storage – single or distributed?
- Where will the main correlation system (or systems) be deployed?
- How will the system deal with outages in collection and maybe even storage?
- How will its performance be tracked over time?
- How will it scale with increasing volumes (logs tend to grow)?
- What OTHER information will you need to architect it?
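Before answering the storage, collector and scaling questions, most architects would put the numbers from the scenario into a capacity model. The following is an added example, not part of the original post: the 30,000 EPS, 30-day and 1-year retention tiers and the 15-site layout come from the post; the per-event size, peak-to-average ratio, compression ratios, per-collector capacity, outage window, growth rate and the per-site EPS split are assumptions a practitioner would have to confirm, which is exactly the "OTHER information" the last question asks for.

```python
"""Capacity model for the SIEM architecture exercise (added example).

Inputs taken from the scenario: 30,000 EPS averaged over 24h, 30 days of
hot (operational) retention, 1 year of searchable archive, 15 sites.
Everything in `Assumptions` is a constructed placeholder to be replaced
with measured values from the real environment.
"""
from dataclasses import dataclass
from math import ceil

GB = 1024 ** 3
TB = 1024 ** 4


@dataclass(frozen=True)
class Assumptions:
    avg_event_bytes: int = 500        # assumed raw size of one normalized event
    peak_factor: float = 3.0          # assumed peak/average ratio; a 24h average hides bursts
    hot_compression: float = 1.0      # assumed: indexes on the hot tier eat the compression gain
    archive_compression: float = 8.0  # assumed compression ratio for the cold/archive tier
    collector_eps: int = 5000         # assumed sustained EPS one collector can forward
    outage_hours: float = 24.0        # assumed WAN/storage outage a collector must buffer locally
    growth_per_year: float = 0.25     # assumed annual log-volume growth (logs tend to grow)


def daily_bytes(eps: float, avg_event_bytes: int) -> float:
    """Raw bytes ingested per day at a sustained event rate."""
    return eps * avg_event_bytes * 86400


def storage_plan(eps: float, hot_days: int, archive_days: int, a: Assumptions) -> dict:
    """Size the two retention tiers from the scenario (30-day hot, 1-year archive)."""
    raw_day = daily_bytes(eps, a.avg_event_bytes)
    return {
        "raw_gb_per_day": raw_day / GB,
        "hot_tb": raw_day * hot_days / a.hot_compression / TB,
        "archive_tb": raw_day * archive_days / a.archive_compression / TB,
    }


def collectors_for_site(site_eps: float, a: Assumptions) -> dict:
    """Collector count for one site, sized for peak load with an N+1 spare,
    plus the local disk buffer needed to ride out an outage without loss."""
    peak_eps = site_eps * a.peak_factor
    needed = ceil(peak_eps / a.collector_eps)
    buffer_bytes = site_eps * a.avg_event_bytes * 3600 * a.outage_hours
    return {"collectors": needed + 1, "buffer_gb": buffer_bytes / GB}


def plan_sites(site_eps: dict, a: Assumptions) -> dict:
    """Apply the per-site collector sizing to every site in the layout."""
    return {site: collectors_for_site(eps, a) for site, eps in site_eps.items()}


def projected_eps(eps: float, years: int, a: Assumptions) -> float:
    """Compound the assumed growth rate to see what the tiers must hold later."""
    return eps * (1 + a.growth_per_year) ** years


if __name__ == "__main__":
    a = Assumptions()
    total_eps = 30_000
    # Constructed split of the 30,000 EPS across the 15 sites: three datacenters
    # carry most of the volume, twelve regional offices carry the rest.
    sites = {"dc-us-east": 9000, "dc-us-west": 7000, "dc-eu": 5000}
    sites.update({f"office-{i:02d}": 750 for i in range(1, 13)})
    assert sum(sites.values()) == total_eps

    print("Storage today:", storage_plan(total_eps, 30, 365, a))
    for site, plan in plan_sites(sites, a).items():
        print(f"{site:12s} collectors={plan['collectors']} buffer={plan['buffer_gb']:.0f} GB")
    eps_3y = projected_eps(total_eps, 3, a)
    print(f"EPS in 3 years: {eps_3y:.0f}; storage then:", storage_plan(eps_3y, 30, 365, a))
```

The model separates the three things the questions ask about: the hot tier is sized on the 24-hour average, collectors are sized on the assumed peak with a spare, and the outage buffer is what makes "deal with outages in collection and storage" a disk-size decision rather than a hope. Re-running it with the projected EPS answers the scaling question with the same arithmetic.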
By the way, if you tell me that one appliance will handle the entire environment and no other software/hardware will be needed, a filter will be implemented to send further communication to /dev/null