Implementation Guide
Executive Summary
The purpose of this document is to provide rollout and implementation guidelines for the successful deployment of the SIEMonster platform, all ancillary configurations and components as well as guidance on the process. Items covered by this document will be the following:
Preparation of the AWS account and services preceding deployment
Deployment of the SIEMonster stack in the AWS environment with the first tenant
Deployment of needed additional tenants
Deploying and configuring on-premises infrastructure including the log aggregator (hydra)
Deployment of agents where needed, applicable, and supported
Syslog, hardware and API based log sources integration for supported logs
Scope deficit documentation, such as missing decoders/rules/integration for specific log sources that may not be available and those that need modification due to log structure changes caused by specific firmware and/or software versions
Optimization for performance and cost
SIEMonster Rollout Plan
Phase 1 – Requirements and Preparation
This phase deals exclusively with the known aspects of the requirements. This includes all syslog sources, endpoints capable of receiving the agent where relevant, and API-based integrations such as Azure/Office365. Once the list of sources has been established, a priority classification needs to be requested based on the customer's business needs and requirements.
The following process will be followed for this phase:
Identification of all log sources
Receiving log samples of identified log sources if possible
Prioritization of all log sources
Defining all endpoints that will receive the agents and the mechanism that will be used to deploy them, such as SCCM
Estimating the initial hardware and service capacity deployment based on available information
Highlighting of anything discovered during a gap analysis of log sources requiring ingestion
Establishing hydra resource and capacity specifications based on estimated log volumes
Determining customer-side staff resourcing requirements (site champions) for successful deployments based on the system's requirements
Items that do not relate to the end customers but only to the MSSP are training and the configuration of access to the support portal. These items are not classified as milestones, as they should preferably precede deployment. If this cannot be done before deployment, it is recommended that the training takes place as soon as possible after the project commences.
Phase 2 – Preparation and Platform Build
Pre-requisites
The SIEMonster platform requires a few settings to be configured in AWS before deployment can take place. This includes the following items:
Opening of an AWS account with billing instated and active
Activation of AWS license manager
A domain registered and managed through Route53
This may be a delegated subdomain.
WARNING: Caution is advised with very long domains, as the DNS naming structure in Route53 has a 256-character limit. It is recommended to keep the top-level domain and tenant names as short as possible.
Sufficient quotas for both EC2 instances and IP ranges. The IP ranges are more important for MSSPs that will be hosting multiple tenants, and more so if the tenants will have more than one Kubernetes node allocated to process the volume of data. If these quotas are not correctly requested, system reliability will be impacted. In the case of available IPs, once the initial allocation is complete, no additional IPs can be added to Kubernetes. As such, all estimated elastic IPs need to be allocated to the platform from the start.
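As an added pre-flight check (not part of the SIEMonster documentation) for the two items above, the following script validates planned tenant host names against the quoted 256-character limit and standard DNS label rules, and totals the elastic IPs and EC2 instances to request up front, since the IP allocation cannot be grown later. The naming scheme (tenant as a subdomain of the Route53 domain), one elastic IP per Kubernetes node plus one per tenant bastion host, and the sample tenants and quotas are assumptions.

```python
import re
from dataclasses import dataclass

# Limits: the guide quotes a 256-character limit for the Route53 naming
# structure; 63 characters per label is the standard DNS label limit.
MAX_FQDN_CHARS = 256
MAX_LABEL_CHARS = 63
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")

@dataclass
class Tenant:
    name: str       # tenant name, used as a DNS label (assumed naming scheme)
    k8s_nodes: int  # Kubernetes nodes allocated to process the tenant's volume

def tenant_fqdn(base_domain: str, tenant_name: str) -> str:
    # Assumption: each tenant is a subdomain of the Route53-managed domain.
    return f"{tenant_name}.{base_domain}".strip(".").lower()

def check_dns_names(base_domain: str, tenants: list[Tenant]) -> list[str]:
    """Return one problem string per invalid label or over-long host name."""
    problems = []
    for t in tenants:
        fqdn = tenant_fqdn(base_domain, t.name)
        for label in fqdn.split("."):
            if len(label) > MAX_LABEL_CHARS or not LABEL_RE.match(label):
                problems.append(f"{fqdn}: invalid DNS label '{label}'")
        if len(fqdn) > MAX_FQDN_CHARS:
            problems.append(f"{fqdn}: {len(fqdn)} chars exceeds {MAX_FQDN_CHARS}")
    return problems

def required_elastic_ips(tenants: list[Tenant], bastion_per_tenant: bool = True) -> int:
    # Assumption: one elastic IP per Kubernetes node, plus one for the
    # tenant-specific bastion host that the Hydra VPN tunnel terminates on.
    extra = 1 if bastion_per_tenant else 0
    return sum(t.k8s_nodes + extra for t in tenants)

def quota_shortfall(tenants: list[Tenant], eip_quota: int, ec2_quota: int) -> dict:
    """Extra quota to request per resource before the first deployment (0 = enough).
    Assumption: every node and every bastion host is one EC2 instance."""
    eips = required_elastic_ips(tenants)
    instances = sum(t.k8s_nodes + 1 for t in tenants)
    return {"elastic_ips": max(0, eips - eip_quota),
            "ec2_instances": max(0, instances - ec2_quota)}

# Constructed sample plan: two tenants under a short MSSP domain (sample values).
PLAN = [Tenant("acme", 2), Tenant("globex", 1)]
```

Run the checks against the plan before opening the quota requests; any non-zero value in the shortfall result is the amount to request in addition to the current quota.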
For more information on the requirements please see the following URL
Deployment (Core System)
Deployment of the SIEMonster stack in AWS has been greatly simplified, with the entire process taking approximately 45 to 60 minutes for the base cluster and initial tenant. Every additional tenant takes approximately the same amount of time. The deployment consists of a collection of AWS automation and services that are deployed sequentially, after which the services are started. The full process for deployment can be found at the following URL
https://docs.siemonster.com/current/aws-ami-quick-start-guide
Deploying an additional tenant is a very simple process that requires very few steps to complete. For information on this process please see the following URL
Deployment (Hydra)
The Hydra log aggregator should be deployed on all primary customer sites. It serves multiple purposes, including risk mitigation and reduction of cloud-based processing costs. It also provides an on-premises access point for agent connections, simplifying firewall-based traffic control, and adds further layers of security through its implementation. When the Hydra is deployed it establishes a VPN tunnel to a bastion host that is specific to the tenant the Hydra is intended for.
Full deployment documentation for the Hydra can be found at the following URL.
https://docs.siemonster.com/current/universal-hydra
The above option is for the deployment of a VMware image in the OVA format. Should alternative methods be needed, please reach out to your allocated SIEMonster representative.
Deployment (Agents)
The first step after completing the deployment of the central platform and the Hydra is to deploy agents to all endpoints from which logs are needed and which are capable of receiving them. The agent installations are very straightforward and can be automated with tools such as SCCM to facilitate the deployments. The agents are designed to be compact and lightweight, with a minimal footprint on endpoints for resource conservation.
Full steps for deployment of agents can be found at the following URL
https://docs.siemonster.com/current/agent-installation
For operating systems not covered by the documentation, SIEMonster will assist with details on how to deploy the agents.
Deployment (Syslog Configuration)
The next step in deployment is configuring the Hydra to receive syslog traffic. To perform this activity please follow the steps outlined in the following URL
https://docs.siemonster.com/current/configure-the-hydra-syslog-receiver
Deployment (API based log sources)
There are a variety of API-based log sources that are supported in the solution, such as Office365, MSGraph, Cisco Umbrella, etc. These all require unique and specific configurations to function, and are also configured on the Hydra as needed. The log sources that fall under this category will have been defined as part of the scoping. It is recommended to reach out to the SIEMonster team to enrol these configurations for the client, or to provide documentation for the specific log sources that will be ingested by this means.
Phase 3 - Scope Deficit Documentation
Once the preceding steps are completed, it is important to create a scope deficit document that contains all outstanding items related to log ingestion. The scope deficit document will act as a checklist of outstanding work and any needed customization, such as:
Creating custom decoders and rules for new types of log sources
Creating modified decoders to accommodate shifts in log structure (which break the existing regex patterns) caused by special, custom or unique firmware on some firewalls and equipment
Creating custom integrations for unsupported log sources specific to the client needs
🔖 NOTE: The above work items fall under professional services and as such will be covered by agreements concluded with SIEMonster
Phase 4 - Performance and Cost Optimization
As every customer requirement is unique, the final step in a deployment is performance and cost optimization. These two aspects go hand in hand and include a review of the allocated cloud-based hardware and services to gauge over- or under-allocation, so that the most cost-effective options can be chosen based on the throughput baseline established when the log sources were ingested. Once the hardware review has been concluded and optimized, a review of AWS-based billing needs to be undertaken to facilitate further cost savings through configurations such as long-term reservations, which carry a significant discount in AWS.