SIEM

SIEM stands for Security Information and Event Management, which refers to a set of tools and services that gives security professionals a helicopter view of an organization's information security. SIEM combines two aspects of security:

  • Collection of data from multiple log files, analysis, and reporting on security threats and events – Security Information Management (SIM)
  • Real-time system monitoring, threat monitoring, event correlation and incident response – Security Event Management (SEM)

SIEM tools, which play an important role in an organization's information security ecosystem, collect security data from the organization's security infrastructure: host systems, applications, and network and security devices such as firewalls and antivirus filters.

SIEM Work Breakdown

The processes carried out by SIEM software can be observed in the following steps:

  • Collection of data from various sources

Security data from sources such as servers, operating systems, firewalls, antivirus software and domain controllers is collected by the SIEM. It is obtained either by configuring the systems to feed event data into the SIEM tool or by deploying agents.

  • Policies

The SIEM administrator creates a profile defining the behaviour of the enterprise system under both normal conditions and security incidents. SIEMs provide default rules, alerts, reports and dashboards that can be tuned and customized to fit specific security needs.

  • Normalize and aggregate collected data / Data analysis and correlation

SIEM solutions consolidate, parse and analyze log files. Events are categorized based on the raw data, and correlation rules are applied that combine individual events into meaningful security issues.

  • Notifications

As the final step, if an event or set of events triggers a SIEM rule, the security breach is pinpointed and the organization is enabled to investigate the alert.
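The four steps above, as one small added example written for this page (it is not code from any SIEM product): two constructed log formats (a Linux sshd syslog line and a Windows-style CSV export) are collected, normalized onto a common schema, run through one correlation rule, and turned into a notification. The event ids, addresses and the fixed year 2024 used for syslog lines are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in two source formats: Linux sshd syslog lines and a
# Windows-style CSV export (event 4624 = logon success, 4625 = logon failure).
# In a real deployment these arrive via agents or a syslog feed (step 1).
RAW_EVENTS = [
    "Mar  1 10:00:01 web01 sshd[812]: Failed password for admin from 203.0.113.7 port 51012 ssh2",
    "Mar  1 10:00:03 web01 sshd[812]: Failed password for admin from 203.0.113.7 port 51013 ssh2",
    "Mar  1 10:00:05 web01 sshd[812]: Failed password for admin from 203.0.113.7 port 51014 ssh2",
    "Mar  1 10:00:09 web01 sshd[812]: Accepted password for admin from 203.0.113.7 port 51015 ssh2",
    "2024-03-01 10:00:20,dc01,4625,bob,198.51.100.9",
    "2024-03-01 10:05:00,dc01,4624,alice,198.51.100.20",
    "Mar  1 10:06:00 web01 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG_AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def normalize(raw, year=2024):
    """Step 3 (normalize): map one raw line from either source onto a common schema.
    Syslog lines carry no year, so one is assumed. Returns None for lines the
    parser does not understand (a real SIEM would count those as parse errors)."""
    m = SYSLOG_AUTH_RE.match(raw)
    if m:
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
                "action": "login_failure" if m["outcome"] == "Failed" else "login_success"}
    fields = raw.split(",")
    if len(fields) == 5 and fields[2] in ("4624", "4625"):
        ts = datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "host": fields[1], "user": fields[3], "src": fields[4],
                "action": "login_success" if fields[2] == "4624" else "login_failure"}
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Step 2/3 (policy + correlation): the rule fires when one source address records
    at least `threshold` failed logins for a user and then a successful login for that
    user within `window`, i.e. a password-guessing attempt that may have succeeded."""
    alerts = []
    failures = defaultdict(list)   # (src, user) -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["action"] == "login_failure":
            failures[key].append(ev["ts"])
        elif ev["action"] == "login_success":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "src": ev["src"],
                               "user": ev["user"], "host": ev["host"],
                               "failures": len(recent), "at": ev["ts"]})
            failures[key].clear()   # a success resets the counter for this pair
    return alerts


def notify(alert):
    """Step 4 (notification): hand the alert to an analyst; here it is just printed."""
    print(f"ALERT {alert['rule']}: {alert['user']}@{alert['host']} from {alert['src']} "
          f"after {alert['failures']} failures at {alert['at']:%H:%M:%S}")


def run_pipeline(raw_lines):
    """Steps 1 to 4 end to end; returns the alerts so callers can inspect them."""
    events = [e for e in (normalize(line) for line in raw_lines) if e is not None]
    alerts = correlate(events)
    for alert in alerts:
        notify(alert)
    return alerts


if __name__ == "__main__":
    run_pipeline(RAW_EVENTS)
```

Only the admin login from 203.0.113.7 produces an alert: three failures followed by a success inside the window. Bob's single failure and Alice's clean login match no rule, and the cron line is dropped at normalization because no parser claims it.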

Security Information and Event Management Capabilities

Gartner identifies three critical SIEM capabilities:

  • Threat detection
  • Investigation
  • Time to respond

Further, there are other capabilities and features that are common among SIEM tools, such as:

  • Basic security monitoring
  • Advanced threat detection
  • Forensics & incident response
  • Log collection
  • Normalization
  • Notifications and alerts
  • Security incident detection
  • Threat response workflow

Apart from the above, SIEM tools can help organizations become compliant with PCI DSS (the Payment Card Industry Data Security Standard), a set of security standards an organization must comply with in order to protect credit and debit card transactions against data theft and fraud. PCI DSS requirements that are supported by SIEM include:

  • Detection of unauthorized network connections
  • Searching for insecure protocols
  • Inspection of traffic flows across the DMZ
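The three PCI DSS checks above, as an added example written for this page rather than code from any SIEM vendor: flow records of the kind a NetFlow/IPFIX exporter or firewall log provides are checked against a zone allowlist (unauthorized connections), a list of cleartext services (insecure protocols), and a DMZ-boundary filter (flows to inspect). The zone ranges, the allowlist and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One flow record as a NetFlow/IPFIX exporter or firewall log would describe it."""
    src: str
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"


# Constructed network zones (assumption for this example; real ranges differ per site).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "cde": ip_network("10.10.0.0/16"),    # cardholder data environment
    "corp": ip_network("10.20.0.0/16"),
}

# Cleartext services that should not be in use where card data travels.
INSECURE_SERVICES = {("tcp", 21): "ftp", ("tcp", 23): "telnet",
                     ("udp", 69): "tftp", ("tcp", 80): "http"}

# Permitted (source zone, destination zone, destination port) triples. Any other
# flow that crosses a zone boundary is reported as an unauthorized connection.
ALLOWED = {
    ("external", "dmz", 443),
    ("dmz", "cde", 443),
    ("corp", "cde", 22),
}


def zone_of(ip):
    """Name of the zone an address belongs to; anything outside ZONES is external."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def check_flow(flow):
    """Return the list of findings for one flow (an empty list means nothing to report)."""
    findings = []
    szone, dzone = zone_of(flow.src), zone_of(flow.dst)
    service = INSECURE_SERVICES.get((flow.proto, flow.dport))
    if service:
        findings.append(f"insecure_protocol:{service}")
    if szone != dzone and (szone, dzone, flow.dport) not in ALLOWED:
        findings.append(f"unauthorized_connection:{szone}->{dzone}:{flow.dport}")
    return findings


def report(flows):
    """Summary for a compliance report: findings per flow, plus every flow that crossed
    the DMZ boundary (one side in the DMZ, the other not) and therefore warrants inspection."""
    violations = {}
    dmz_crossings = []
    for flow in flows:
        found = check_flow(flow)
        if found:
            violations[flow] = found
        if (zone_of(flow.src) == "dmz") != (zone_of(flow.dst) == "dmz"):
            dmz_crossings.append(flow)
    return {"violations": violations, "dmz_crossings": dmz_crossings}


# Constructed sample flows.
FLOWS = [
    Flow("192.0.2.10", "10.10.1.5", 443, "tcp"),    # dmz -> cde over TLS: permitted
    Flow("192.0.2.10", "10.10.1.5", 23, "tcp"),     # dmz -> cde telnet: insecure and not allowed
    Flow("10.20.3.4", "10.10.1.5", 22, "tcp"),      # corp -> cde ssh: permitted
    Flow("203.0.113.5", "192.0.2.10", 80, "tcp"),   # internet -> dmz http: cleartext, not allowed
    Flow("10.20.3.4", "192.0.2.10", 3389, "tcp"),   # corp -> dmz rdp: not on the allowlist
    Flow("10.10.1.5", "10.10.1.6", 80, "tcp"),      # http inside the cde: insecure, same zone
]

if __name__ == "__main__":
    summary = report(FLOWS)
    for flow, found in summary["violations"].items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {', '.join(found)}")
    print(f"{len(summary['dmz_crossings'])} flows crossed the DMZ boundary")
```

The two checks are deliberately independent: the telnet flow into the cardholder environment is reported twice (insecure service and not on the allowlist), while http between two hosts inside the same zone is only an insecure-protocol finding. Four of the six flows touch the DMZ on exactly one side and land in the inspection list regardless of whether they violated anything.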

SIEM Tools

Among the many SIEM products available in the market, the following are a few of the popular tools.

Splunk

Splunk Enterprise Security, rated as a Leader in the space by Gartner, provides real-time threat monitoring and rapid investigations using visual correlations and investigative analysis to trace the dynamic activities associated with advanced security threats. It is available both as locally installed software and as a cloud service.

IBM QRadar

IBM QRadar, also rated as a Leader in the Gartner 2020 Magic Quadrant for SIEM, is deployable as a hardware appliance, a virtual appliance, or a software appliance. The SIEM collects log data from sources in an enterprise's information system, including network devices, operating systems, applications and user activities. It analyzes log data in real time, enabling users to quickly identify and stop attacks. QRadar can also collect log events and network flow data from cloud-based applications, and it supports threat intelligence feeds.

LogRhythm

LogRhythm, also in the Leaders quadrant of the Gartner 2020 Magic Quadrant for SIEM, is well suited to smaller organizations.

Comments

  1. Comprehensive writing, Pramodi. Learnt a lot of new things.

  2. Good article Pramodi.
    If SIEM provides a helicopter view of an organization's information security, then why do we need to use other tools like FIM?

    Replies
    1. FIM is a security control which monitors and records changes to the file system and other critical applications such as the OS, Prabod. FIM detects unauthorized modifications and determines if those have been tampered with or corrupted. It is a type of change auditing where it compares the files' latest versions with a known, trusted baseline. If the files have been altered, updated or compromised, FIM generates alerts to enforce necessary investigations.
      On the contrary, SIEM is a security technology utilized for security incident response and threat detection via real-time acquisition and historical analysis of security events from a wide spectrum of contextual data sources. This enables security professionals with a wider coverage of security aspects. And of course Prabod, in my opinion, FIM can be integrated with SIEM tools to achieve better grounds in cybersecurity. The use of both FIM and SIEM would grant an organization a better cybersecurity posture.
      Hope that clarifies your concern.

  3. This comment has been removed by the author.

  4. Very informative Pramodi. Can you please explain the technologies behind these SIEM tools?

    Replies
    1. Hi Dulanga. As I see it, SIEM itself is a technology. A SIEM server is a log management platform at its root. This involves collecting and managing data in order to enable analysis. For data collection, the underlying technologies used can be agent based, a direct network protocol or API, or maybe via an event streaming protocol like SNMP, NetFlow or IPFIX. For data storage, on-premise or cloud storage could have been used. This can be optimized with indexing. The next generation SIEMs are increasingly based on modern data lake technology such as Amazon S3, Hadoop or Elasticsearch, enabling practically unlimited data storage at low cost. For retention of large logs, syslog servers are integrated with deletion schedules, log filtering and summarization. Further, for better analysis apart from compliance and forensics conducted using historic logs, technologies like UEBA, which uses machine learning and behavioral profiling to intelligently identify anomalies or trends, can be integrated.
      I hope this provides you with a satisfactory clarification.

  5. Nicely written and very informative, Pramodi. Keep up the good work.

  6. Nice article, Pramodi. Just to clarify: in order to collect credit card details, is it mandatory for an organization to be PCI DSS compliant?

    Replies
    1. Yes Kawee. All businesses that store, process or transmit payment cardholder data must be PCI compliant.

  7. Good one Pramodi! But I am just wondering what the limitations of these SIEM applications are as a complete security solution?

    Replies
    1. Yes Ruvishka. Definitely, deploying a SIEM does not mean that an organization is completely secured. There are limitations of SIEM like misconfiguration, where changes to the secure configuration happen either accidentally or by oversight and might lead to vulnerabilities or undesirable features. Further, SIEM can be time consuming and costly. SIEM solutions usually rely on rules to parse all logged data, so there can be false positives. These kinds of limitations go hand in hand with SIEM. To get a broader insight, refer to the following link: https://www.hitachi-systems-security.com/blog/siem-benefits-and-limitations/
