Four Steps

TO SUPERCHARGE YOUR SIEM

It's Time to Adjust Expectations, Set New Goals

Getting the most from your SIEM takes more than mastering a new dashboard. Like a race car, a SIEM is a high-performance device that can't run itself. You need a management strategy that focuses on winning outcomes. Here are four things you can do to get your SIEM on the fast track.

Reduce Noisy Traffic

When you first deployed, you probably connected everything possible to your SIEM. Now you have an avalanche of data that's so overwhelming, you may not notice a sneaky threat buried in the ocean of noise.

Focus on the data that actually matters. Removing devices sounds counterintuitive, but when sources deliver data logs that never produce actionable results, your analysts are simply chasing their tails.

TIP 1: Plan a small project to test for sources of time-wasting red flags. If they're not evenly distributed, isolate the sources and reduce their volume or turn them off.

RESOURCE LINKS: Dark Reading, 3 Steps To Keep Down Security's False-Positive Workload; InfoSec Nirvana, What and How Much to Collect; High Log Volume – What to Filter and What to Keep?; Anton Chuvakin/Gartner Blog Network, On "Output-driven" SIEM

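One way to run the small project TIP 1 describes, as an added example that is not part of the original eBook or of any Infoblox product: take a sample of closed alerts with the analyst's disposition, measure how the false positives are spread across log sources, and flag the sources that carry far more than an even share (or that never produced an actionable alert). The alert sample, source names and thresholds are constructed for illustration.

```python
from collections import Counter

# Constructed sample of closed SIEM alerts: (log source, analyst disposition).
# "fp" = closed as false positive / no action, "tp" = confirmed and actionable.
CLOSED_ALERTS = (
    [("dev-build-server", "fp")] * 40
    + [("core-fw", "fp")] * 12 + [("core-fw", "tp")] * 8
    + [("edr", "fp")] * 6 + [("edr", "tp")] * 10
    + [("wifi-controller", "fp")] * 30 + [("wifi-controller", "tp")] * 1
    + [("vpn-gw", "fp")] * 5 + [("vpn-gw", "tp")] * 5
)


def triage_sources(alerts, skew_factor=1.5, min_alerts=10):
    """Return {source: (alert_count, fp_ratio, fp_share, recommendation)}.

    fp_share is the fraction of ALL false positives a source produced.
    With n sources, an even distribution gives each about 1/n; a source
    whose share exceeds skew_factor/n is the uneven hotspot TIP 1 means.
    skew_factor and min_alerts are assumed tuning knobs, not page values.
    """
    total, fps = Counter(), Counter()
    for source, disposition in alerts:
        total[source] += 1
        if disposition == "fp":
            fps[source] += 1
    all_fps = sum(fps.values())
    n = len(total)
    report = {}
    for source in total:
        fp_ratio = fps[source] / total[source]
        fp_share = fps[source] / all_fps if all_fps else 0.0
        if total[source] < min_alerts:
            action = "keep (too few alerts to judge)"
        elif fps[source] == total[source]:
            action = "turn off or re-scope (never actionable)"
        elif fp_share > skew_factor / n:
            action = "reduce volume (noise hotspot)"
        else:
            action = "keep"
        report[source] = (total[source], round(fp_ratio, 2), round(fp_share, 2), action)
    return report


if __name__ == "__main__":
    for src, row in sorted(triage_sources(CLOSED_ALERTS).items(), key=lambda r: -r[1][2]):
        print(f"{src:18} alerts={row[0]:3} fp_ratio={row[1]:.2f} fp_share={row[2]:.2f} -> {row[3]}")
```

The sources that land in the "turn off" and "reduce volume" buckets are the candidates to isolate; a source with a high ratio but a tiny share is noisy for itself, not for the whole SIEM.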
Automate Repetitive Tasks

Your SIEM creates alerts for things in your system you never could see before—that's the point of SIEM. But if your threat team is manually resolving every alert, the same way, over and over, you need to automate with intelligent scripts. When repetitive sequences are handled with scripts, your threat analysts are freed up for more high-value tasks.

TIP: Automate scripted responses for repetitive alerts such as:
• Block a URL
• Put on a watch list
• Initiate a work ticket to clean or restart machine
• Others as you identify them

RESOURCE LINKS: SANS Institute, Automation in the Incident Response Process: Creating an Effective Long-Term Plan; Ninth Log Management Survey Report, page 18; Mayo Clinic Security Team/RSA Conference, Modern Approach to Incident Response: Automated Response Architecture

Watch for Warnings

The yellow caution flag indicating an accident on the track is just as important as any red light on your dashboard. Ignoring external warnings can be dangerous.

Attempting to identify malicious behavior without correlating network activity to known threat indicators can be just as dangerous. Integrating threat intelligence feeds may be the easiest way to improve your SIEM's productivity. When you can associate inbound and outbound activity with a known malicious location, you're able to quickly curtail or stop an attack or breach.

Why would you ignore known threat intelligence? According to a February 2015 SANS survey, over two-thirds of respondents do not integrate cyberthreat intelligence into their SIEM for detection and response. If you are like most of those surveyed, seriously consider changing this soon.

RESOURCE LINKS: Anton Chuvakin/Gartner Blog Network, How to Use Threat Intelligence with Your SIEM; Dark Reading, 3 Steps to Keep Down…False-Positive Workload; SANS Institute, Who's Using Cyberthreat Intelligence and How?

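The correlation this section describes, as an added example that is not part of the original eBook or of any Infoblox product: each connection or DNS event has its external side (destination for outbound, source for inbound, the queried name for DNS) looked up against an indicator feed, and only indicators at or above a confidence floor raise a hit, which is the feed-quality lever the next section argues for. The indicators use reserved documentation addresses and the .invalid TLD, the internal ranges and confidence scores are assumed, and the events are constructed.

```python
import ipaddress

# Constructed indicator feed: value -> (type, confidence 0-100, category).
# Documentation-range IPs and a reserved TLD; not real IoCs.
INDICATORS = {
    "203.0.113.45": ("ip", 95, "c2"),
    "198.51.100.7": ("ip", 40, "scanner"),
    "bad-example.invalid": ("domain", 90, "phishing"),
}
# Assumed internal address space; adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed SIEM-normalised events: flows carry src/dst/dport, DNS carries query.
EVENTS = [
    {"src": "10.1.2.3", "dst": "203.0.113.45", "dport": 443},   # outbound to C2
    {"src": "198.51.100.7", "dst": "10.1.2.9", "dport": 22},    # inbound from scanner
    {"src": "10.1.2.3", "dst": "10.1.2.4", "dport": 445},       # internal only
    {"src": "10.1.2.7", "query": "bad-example.invalid."},       # DNS lookup of phishing domain
    {"src": "10.1.2.3", "dst": "192.0.2.10", "dport": 80},      # external, not in feed
]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def correlate(events, indicators, min_confidence=50):
    """Match each event's external side (or DNS query) against the feed.

    Returns a list of (direction, matched value, category, confidence).
    min_confidence drops low-confidence indicators so the noisy tail of an
    unvetted feed does not become a stream of false alarms.
    """
    hits = []
    for ev in events:
        if "query" in ev:
            candidates = [("dns", ev["query"].lower().rstrip("."))]
        else:
            candidates = []
            if not is_internal(ev["dst"]):
                candidates.append(("outbound", ev["dst"]))
            if not is_internal(ev["src"]):
                candidates.append(("inbound", ev["src"]))
        for direction, value in candidates:
            ind = indicators.get(value)
            if ind and ind[1] >= min_confidence:
                hits.append((direction, value, ind[2], ind[1]))
    return hits
```

Lowering min_confidence to 0 surfaces the inbound scanner hit as well, which shows how feed quality, not just feed size, decides how much of the resulting alert volume is worth an analyst's time.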
…and Up Your Octane

General feeds, provided by system manufacturers, and open-source feeds are a basic start, but they aren't nearly enough. You need to expand the number of threat indicators you are including while reducing false alarms and useless chatter generated in your system.

To do that, you need high-quality, vetted data feeds from a trusted source. Infoblox uses proven automated systems, with human review, to refine its threat indicator feeds before they hit your SIEM, allowing you to focus on observed and verified threats.

RESOURCE LINKS: Carnegie Mellon University, Full Study on Blacklists; Presentation at MAAWG; Infoblox

Take It Up a Notch (or Three)

Your SIEM deployment started with identifying three to five of your biggest security problems. Defining these use cases took time, and may not have been the most enjoyable step in deployment.

But now that you've been through a few cycles, it's time to review your scenarios. Are you effectively dealing with your top problems? What about the lower priority use cases you chose not to address in the first go-round? Are they still causing trouble? Should they be included now?

This is a good time to review and update your original use cases. If you're meeting your goals, bravo. If not, regroup and take another run at getting these important problems solved.

RESOURCE LINKS: INFOSEC Institute, Top 6 SIEM Use Cases; SIEM Use Cases for PCI DSS 3.0; Anton Chuvakin/Gartner Blog Network, Popular SIEM Starter Use Cases; InfoSec Nirvana, SIEM Use Cases – What You Need To Know; Tom Chmielarski/RSA, The Importance of Developing Detection Use Cases

Find Your Drive

Get the most out of your high-performance machine. When it comes to winning your daily cybersecurity race, your SIEM was designed to get you around the track fast. Use these best practices to stay out of the gravel traps, smoothly navigate the chicanes, and accelerate down the straightaway.

It's remarkable what you can accomplish with the right combination of machine, fuel, and driving.

Optimize Your SIEM with Infoblox Threat Indicator Feeds

Our threat indicator feeds are refined to give your SIEM the best performance. Infoblox's proprietary systems validate and verify indicators against known malicious activities and devious players. Our Threat Intelligence team reviews, rates, and categorizes anomalous threat indicators before data is injected into the feed. The resulting data is so highly refined, our false positive rate is less than 0.0001. Our verified, observed threat indicators provide accurate, actionable data that adds firepower, speed, and pinpoint reliability to your security.

Let Infoblox Help You Supercharge Your SIEM

To learn more about Infoblox ActiveTrust, visit our website at https://www.infoblox.com/products/activetrust/.

About Infoblox
Infoblox (NYSE:BLOX), headquartered in Santa Clara, California, delivers critical network services that protect Domain Name System (DNS) infrastructure,
automate cloud deployments, and increase the reliability of enterprise and service provider networks around the world. As the industry leader in DNS, DHCP, and
IP address management, the category known as DDI, Infoblox (www.infoblox.com) reduces the risk and complexity of networking.
Corporate Headquarters: +1.408.986.4000 1.866.463.6256 (toll-free, U.S. and Canada) info@infoblox.com www.infoblox.com

© 2016 Infoblox Inc. All rights reserved. Infoblox-EB-0202-00 1609
