Wednesday, February 10, 2010

Much Ado About Correlation

Mike Rothman at Securosis posted Network Security Fundamentals: Correlation yesterday and did a good job explaining some common issues with SIEM and "Correlation". If you're in the market for SIEM you should read it, and not just because it refers to some of my previous blogs :) (SIEM 101 and SIEM 201) but because it is very accurate. You have to do the real work PRIOR to deploying the SIEM. It's all in the requirements. If you can't define how you will use the output of the SIEM, stick with Log Management until your organization can mature into using SIEM properly.

I really enjoyed Adrian's follow-up post, where he describes in detail why SIEM is not the end-all be-all of Security Monitoring. It's a good tool designed to do the best it can with what it is given. Simply put, there is only so much you can do with crappy logs. Additional context is always required. For more on my thoughts about what works for Security Monitoring, see my Security Operations: Collection post.
