Talent Pioneers

Thursday 23 August 2018

SIEM (Security Information and Event Management)

What is SIEM?

Security information and event management (SIEM) is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system.
A SIEM system collects logs and other security-related records for analysis. Most SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, and even specialized security equipment such as firewalls, antivirus or intrusion prevention systems.

Why is SIEM Necessary?

- Rise in data breaches caused by internal and external threats.
- Attackers are skilled, and traditional security tools alone are not enough.
- Mitigates sophisticated cyber-attacks.
- Manages large volumes of logs from multiple sources.
- Meets specific compliance requirements.

Why do organizations use it?

Threat Management:
The ability to detect risky scenarios and common attacks, as well as attack paths defined by the organization itself.

Compliance:
Consolidating the logs and reports of multiple systems within the organization, so that they can be accessed and analyzed easily through one built-in framework instead of system by system.

Forensic Support:
- The information available within a SIEM is very valuable from a forensic perspective and can greatly aid a forensic analyst in his or her investigation.
- A SIEM allows forensic analysts to search the logs of many systems in a centralized way, without needing to re-collect the log files from compromised systems.
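As an added illustration (not code from the original post), the collection, normalization and centralized search described above, in Python: each source gets a parser that maps its lines onto one common event schema, the events are stored centrally in time order, and a simple correlation rule runs over the whole store. The log lines, hostnames, formats and the assumed syslog year are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds as (source, collecting agent's host, raw lines); the formats are assumed.
SAMPLE_FEEDS = [
    ("syslog", "web01", [
        "Aug 23 10:01:02 web01 sshd[1200]: Failed password for root from 203.0.113.9 port 51000 ssh2",
        "Aug 23 10:01:05 web01 sshd[1200]: Failed password for root from 203.0.113.9 port 51002 ssh2",
        "Aug 23 10:01:09 web01 sshd[1200]: Accepted password for deploy from 198.51.100.7 port 40000 ssh2",
    ]),
    ("apache", "web01", ['203.0.113.9 - - [23/Aug/2018:10:01:20 +0000] "GET /wp-login.php HTTP/1.1" 401 512']),
    ("firewall", "fw01", ["2018-08-23T10:00:58Z fw01 DENY TCP 203.0.113.9:50999 -> 10.0.0.5:22"]),
]

# One parser per source: a regex plus a builder mapping the match onto the common schema (ts, host, src_ip, action, user).
PARSERS = {
    "syslog": (re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)"),
               lambda m: {"ts": datetime.strptime("2018 " + m[1], "%Y %b %d %H:%M:%S"), "host": m[2], "user": m[4],
                          "src_ip": m[5], "action": "auth_fail" if m[3] == "Failed" else "auth_ok"}),  # year assumed
    "apache": (re.compile(r'^(\S+) \S+ \S+ \[(\S+) [^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})'),
               lambda m: {"ts": datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S"), "user": None,
                          "src_ip": m[1], "action": "http_" + m[5], "path": m[4]}),
    "firewall": (re.compile(r"^(\S+)Z (\S+) (DENY|ALLOW) \w+ (\S+):\d+ -> (\S+):(\d+)"),
                 lambda m: {"ts": datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%S"), "host": m[2], "user": None,
                            "src_ip": m[4], "action": "fw_" + m[3].lower(), "dst": m[5] + ":" + m[6]}),
}

def collect(feeds):
    """Central store: parse every feed, tag each event with its origin, and keep time order."""
    events = []
    for source, agent_host, lines in feeds:
        regex, build = PARSERS[source]
        for m in filter(None, map(regex.match, lines)):  # unparsed lines are dropped here; a real SIEM keeps them raw
            events.append({"host": agent_host, **build(m), "source": source})  # agent host used unless the line names one
    return sorted(events, key=lambda e: e["ts"])

def search(events, **criteria):
    """Centralized search over all sources at once, e.g. search(events, src_ip="203.0.113.9")."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]

def detect_brute_force(events, threshold=2, window=timedelta(seconds=60)):
    """Correlation rule: at least `threshold` failed logins from one source IP to one host within `window`."""
    fails = defaultdict(list)
    for e in search(events, action="auth_fail"):
        fails[(e["src_ip"], e["host"])].append(e["ts"])
    peak = {key: max(sum(1 for t in times[i:] if t - start <= window) for i, start in enumerate(times))
            for key, times in fails.items()}
    return [(src, host, n) for (src, host), n in peak.items() if n >= threshold]
```

Searching the central store by `src_ip` returns the firewall deny, both SSH failures and the web login attempt from the same address in one query, which is the cross-system view the forensic analyst would otherwise have to rebuild by hand.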


Protection (What and How):


Implementation of SIEM:


Requirements:

- All Unix systems need a centralized logging system to be set up to feed the SIEM. Databases require a great many configuration steps.
- Each web server needs a new process installed to monitor the web logs. Taking logs from cloud resources on AWS involves another complex series of configuration procedures.
- A SIEM requires highly skilled IT personnel.
- Patching, hardware refreshes and overall change management have to be coordinated with the SIEM.

Use Cases:


SIEM Tools:
- Hewlett Packard Enterprise (HPE) ArcSight
- Splunk Enterprise Security (ES)
- IBM Security QRadar
- AlienVault Unified Security Management (USM)
- LogRhythm SIEM
- McAfee Enterprise Security Manager (ESM)
- Micro Focus Sentinel Enterprise
- SolarWinds Log & Event Manager
- Trustwave SIEM Enterprise and Log Management Enterprise
- RSA NetWitness Suite

"It takes time and effort to get things set up, and this is going to be a manpower initiative proportional to the complexity of organization"