Security information and event management (SIEM)
What is a SIEM?
Security Information and Event Management
Combination of Security Information Management (SIM) and Security Event Management (SEM)
Collect and centralize logs from systems and security solutions
Review
Data centralization
Integration with data sources
Automating data analysis
Event alerting
Threat prevention (in some SIEM solutions, not all)
Collecting and centralizing data
How does a SIEM collect and centralize data?
Integrating your SIEM with data sources allows it to pull system, database, web server, firewall and other types of logs
Benefits of collecting data with a SIEM
Centralization (as you know)
Aggregation
Correlation
Removal of duplicate events
Performing data analysis
Manual analysis
Simpler due to centralized data
Singular format for data/logs
Reduced number of events to review
Due to aggregation, correlation and removal of duplicates
Automated
Rules governing analysis
Easily scan through vast amounts of data
Event-based alerting and threat prevention
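A worked example, added here and not part of the original slides, of the pipeline the two sections above describe: logs in three different native formats (sshd, an Apache-style access log and an iptables-style firewall log) are normalized into one event schema, duplicate events are removed, events are aggregated per source IP, and one automated correlation rule raises an alert when several failed SSH logins are followed by a successful one from the same IP. All log lines, hostnames and IP addresses are constructed sample data; the schema, rule name and thresholds are this example's own choices, not those of any particular SIEM product.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in three native formats. IPs are RFC 5737 documentation
# addresses and hostnames are invented; nothing here comes from a real system.
RAW_LOGS = {
    "sshd": [
        "2024-05-01T10:00:01Z bastion sshd[812]: Failed password for root from 203.0.113.7 port 51000 ssh2",
        "2024-05-01T10:00:03Z bastion sshd[812]: Failed password for root from 203.0.113.7 port 51001 ssh2",
        "2024-05-01T10:00:03Z bastion sshd[812]: Failed password for root from 203.0.113.7 port 51001 ssh2",  # forwarded twice
        "2024-05-01T10:00:05Z bastion sshd[812]: Failed password for admin from 203.0.113.7 port 51002 ssh2",
        "2024-05-01T10:00:09Z bastion sshd[812]: Accepted password for deploy from 203.0.113.7 port 51003 ssh2",
        "2024-05-01T10:02:00Z bastion sshd[813]: Failed password for alice from 198.51.100.20 port 40000 ssh2",
    ],
    "apache": [
        '203.0.113.7 - - [01/May/2024:10:00:07 +0000] "GET /admin HTTP/1.1" 401 512',
        '198.51.100.20 - - [01/May/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
    ],
    "iptables": [
        "2024-05-01T09:59:58Z fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44000 DPT=23",
        "2024-05-01T10:00:30Z fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP SPT=44001 DPT=445",
    ],
}

SSHD_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
IPTABLES_RE = re.compile(r"^(?P<ts>\S+) \S+ kernel: DROP .*SRC=(?P<ip>\S+) .*DPT=(?P<port>\d+)")


def _iso(ts):
    # datetime.fromisoformat only accepts a trailing "Z" from Python 3.11 on, so spell out the offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


# Each parser turns one native line into the common schema: ts, src_ip, action (+ optional fields).
def parse_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": _iso(m["ts"]), "src_ip": m["ip"], "user": m["user"],
            "action": "auth_ok" if m["result"] == "Accepted" else "auth_fail"}


def parse_apache(line):
    m = APACHE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), "src_ip": m["ip"],
            "action": "http_request", "status": int(m["status"]), "request": m["req"]}


def parse_iptables(line):
    m = IPTABLES_RE.match(line)
    if not m:
        return None
    return {"ts": _iso(m["ts"]), "src_ip": m["ip"], "action": "fw_drop", "dst_port": int(m["port"])}


PARSERS = {"sshd": parse_sshd, "apache": parse_apache, "iptables": parse_iptables}


def normalize(raw_logs):
    """Centralize: parse every source into the single event format, keeping the raw line."""
    events = []
    for source, lines in raw_logs.items():
        for line in lines:
            ev = PARSERS[source](line)
            if ev is not None:  # unparseable lines are skipped here; a real SIEM would count them
                ev.update(source=source, raw=line)
                events.append(ev)
    return events


def deduplicate(events):
    """Drop events that reached the SIEM more than once (keyed on source + raw line here)."""
    seen, unique = set(), []
    for ev in events:
        key = (ev["source"], ev["raw"])
        if key not in seen:
            seen.add(key)
            unique.append(ev)
    return unique


def aggregate(events):
    """Aggregate: how many events of each action type came from each source IP."""
    return Counter((ev["src_ip"], ev["action"]) for ev in events)


def brute_force_rule(events, threshold=3, window=timedelta(minutes=5)):
    """Correlate: alert when >= threshold auth failures precede a success from the same IP within window."""
    fails = defaultdict(list)
    for ev in events:
        if ev["action"] == "auth_fail":
            fails[ev["src_ip"]].append(ev["ts"])
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "auth_ok":
            continue
        recent = [t for t in fails[ev["src_ip"]] if ev["ts"] - window <= t <= ev["ts"]]
        if len(recent) >= threshold:
            alerts.append({"rule": "ssh_bruteforce_then_success", "src_ip": ev["src_ip"],
                           "user": ev.get("user"), "failures": len(recent), "at": ev["ts"].isoformat()})
    return alerts


def run_pipeline(raw_logs=RAW_LOGS):
    events = normalize(raw_logs)
    unique = deduplicate(events)
    return {"collected": len(events), "after_dedup": len(unique),
            "per_source_ip": aggregate(unique), "alerts": brute_force_rule(unique)}


if __name__ == "__main__":
    result = run_pipeline()
    print(f"collected {result['collected']} events, {result['after_dedup']} after de-duplication")
    for alert in result["alerts"]:
        print("ALERT", alert)
```

Note that de-duplication runs before the rule: without it the forwarded-twice line would count as a fourth failure, so thresholds tuned against clean data would fire early on noisy data. The rule also works only because every source was first mapped to the same src_ip and action fields; that single format is what lets one rule span sshd, web and firewall events.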
Commercial SIEM solutions
Advantages of using a commercial SIEM
Pay-to-use, which typically buys:
Additional features (over the free version)
Dedicated support personnel
More frequent updates/patches
Popular commercial SIEM solutions
Splunk Enterprise Security (ES)
AlienVault Unified Security Management (USM)
McAfee Enterprise Security Manager (ESM)
IBM Security QRadar
Open-Source SIEM solutions
Advantages of using an open-source SIEM
Free
Generally, greater visibility into threat-intelligence data and into the tool's own detection logic
Less vendor support
But you can often inspect and contribute to the tool
Popular open-source SIEM solutions
AlienVault Open-Source SIEM (OSSIM)
ELK/Elastic Stack: Elasticsearch, Logstash and Kibana
SIEMonster
Securing your SIEM
Why should you secure/monitor your SIEM?
The SIEM holds a copy of every log it collects
If compromised, an attacker gains:
Sensitive data (credentials, hostnames, user activity and anything else that ends up in logs)
Near-complete visibility of the network and security infrastructure, plus the ability to blind defenders by deleting events or disabling rules
How can you secure/monitor your SIEM?
System hardening
Updates and patches
Monitoring the monitor: treat the SIEM like any other sensitive server (audit admin logins and configuration changes, and alert when a log source goes quiet)
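Two concrete "monitoring the monitor" checks, added here as an example and not taken from the original slides: (1) a log source that stops reporting beyond its expected interval, since an attacker who stops a forwarder or blocks the collector port produces silence rather than events; (2) the SIEM's own audit trail, flagging administrative actions from outside the management network and high-risk changes such as disabling a rule or shortening retention. The source names, timestamps, audit-event format, management network and the "high-risk action" set are all constructed for this example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: when each log source last delivered an event, and how often it is expected to report.
LAST_SEEN = {
    "bastion/sshd": "2024-05-01T10:05:00+00:00",
    "www1/apache": "2024-05-01T10:04:30+00:00",
    "fw/iptables": "2024-05-01T08:50:00+00:00",   # quiet for over an hour
    "dc1/winevent": "2024-05-01T10:04:55+00:00",
}
EXPECTED_INTERVAL = {
    "bastion/sshd": timedelta(minutes=15),
    "www1/apache": timedelta(minutes=5),
    "fw/iptables": timedelta(minutes=5),
    "dc1/winevent": timedelta(minutes=5),
}
NOW = datetime.fromisoformat("2024-05-01T10:06:00+00:00")  # fixed "now" so the example is reproducible


def silent_sources(last_seen=LAST_SEEN, expected=EXPECTED_INTERVAL, now=NOW):
    """Return (source, minutes_silent) for every source overdue by more than its expected interval."""
    silent = []
    for source, ts in last_seen.items():
        gap = now - datetime.fromisoformat(ts)
        if gap > expected[source]:
            silent.append((source, int(gap.total_seconds() // 60)))
    return silent


# Constructed: the SIEM's own audit log (who did what to the SIEM, from where).
MGMT_NET = ip_network("10.10.0.0/24")  # assumed management network; admin access should come only from here
SIEM_AUDIT = [
    {"ts": "2024-05-01T09:30:00+00:00", "user": "soc-admin", "src_ip": "10.10.0.5", "action": "login"},
    {"ts": "2024-05-01T09:31:10+00:00", "user": "soc-admin", "src_ip": "10.10.0.5", "action": "rule_update",
     "detail": "ssh_bruteforce threshold 3 -> 5"},
    {"ts": "2024-05-01T10:02:00+00:00", "user": "svc-backup", "src_ip": "203.0.113.9", "action": "login"},
    {"ts": "2024-05-01T10:02:40+00:00", "user": "svc-backup", "src_ip": "203.0.113.9", "action": "rule_disable",
     "detail": "ssh_bruteforce"},
    {"ts": "2024-05-01T10:03:00+00:00", "user": "svc-backup", "src_ip": "203.0.113.9", "action": "retention_change",
     "detail": "90d -> 1d"},
]
# Actions that reduce what the SIEM can see or retain; chosen for this example.
HIGH_RISK_ACTIONS = {"rule_disable", "retention_change", "user_create", "forwarder_delete"}


def suspicious_admin_activity(audit=SIEM_AUDIT, mgmt_net=MGMT_NET):
    """Flag audit events from outside the management network or that perform a high-risk action."""
    findings = []
    for ev in audit:
        reasons = []
        if ip_address(ev["src_ip"]) not in mgmt_net:
            reasons.append("admin activity from outside the management network")
        if ev["action"] in HIGH_RISK_ACTIONS:
            reasons.append(f"high-risk action {ev['action']}: {ev.get('detail', '')}")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "src_ip": ev["src_ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for source, minutes in silent_sources():
        print(f"SILENT SOURCE {source}: no events for {minutes} minutes")
    for f in suspicious_admin_activity():
        print("SIEM AUDIT", f["ts"], f["user"], f["src_ip"], "; ".join(f["reasons"]))
```

Both checks should alert somewhere other than the SIEM itself (for example to a separate mail or paging system), because a SIEM that has been tampered with cannot be trusted to report its own tampering.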