search

Security information and event management (SIEM)

hashtag
What is a SIEM?

hashtag
Security Information and Event Management

  • Combination of Security Information Management (SIM) and Security Event Management (SEM)

  • Collect and centralize logs from systems and security solutions

hashtag
Review

hashtag
Data centralization

Integration with data sources

hashtag
Automating data analysis

Event alerting

For some SIEM solutions, threat prevention!

hashtag
Collecting and centralizing data

hashtag
How does a SIEM collect and centralize data?

Integrating your SIEM with data sources allows it to pull system, database, web server, firewall and other types of logs

hashtag
Benefits of collecting data with a SIEM

  • Centralization (as you know)

  • Aggregation

  • Correlation

  • Removal of duplicate events

hashtag
Performing data analysis

hashtag
Manual analysis

  • Simpler due to centralized data

  • Singular format for data/logs

  • Reduced number of events to review

    • Due to aggregation, correlation and removal of duplicated

hashtag
Automated

  • Rules governing analysis

  • Easily scan through vast amounts of data

  • Event-based alerting and threat prevention

hashtag
Commercial SIEM solutions

hashtag
Advantages of using a commercial SIEM

  • Pay-to-use

  • Additional features (over the free version)

  • Dedicated help personnel

  • More-frequent updates/patches

hashtag
Popular commercial SIEM solutions

  • Splunk Enterprise Security (ES)

  • AlienVault Unified Security Management (USM)

  • McAfee Enterprise Security Manager (ESM)

  • IBM Security QRadar

hashtag
Open-Source SIEM solutions

hashtag
Advantages of using an open-source SIEM

  • Free

  • Generally, greater visibility into threat intelligence data

  • Less support

  • But you can often contribute to the tool

hashtag
Popular open-source SIEM solutions

  • AlienVault Open-Source SIEM (OSSIM)

  • ELK/Elastic Stak - Elasticsearch, Logstash and Kibana

  • SIEMonster

hashtag
Securing your SIEM

hashtag
Why should you secure/monitor your SIEM?

SIEM controls all data from logs

If compromised, attacker gains:

  • Sensitive data

  • Extreme visibility of network/security infrastructure

hashtag
How can you secure/monitor your SIEM?

  • System hardening

  • Updates and patches

  • Monitoring the monitor - similar to other sensitive servers

PreviousEndpoint dataNextThreat intelligence platforms

Last updated