Notes

  • SIEM - Security information and event management.
  • A security solution that helps organizations detect threats and vulnerabilities early, before they can cause harm.
  • Key activity in Security Operation Centers (SOCs).
  • Leverages AI and machine learning.
  • Useful for responding to compliance and audit questions.
  • Good guy’s (SOC team’s) secret weapon.

SIEM Inputs

  • Logs
  • Threat intel
  • Vulnerability feeds
  • Network detection and response (NDR) tools
  • Endpoint

SIEM Processor

  • Artificial Intelligence (AI)
  • Machine Learning (ML)
  • Analytics

SIEM output

  • High fidelity alerts
  • Actionable alerts

Benefits

  • Real-time threat recognition - strengthens security posture.
  • Helps to meet compliance reporting standards.
  • Ability to adopt AI and use powerful Security Orchestration, Automation and Response (SOAR) capabilities.
  • Essential driver of improving interdepartmental efficiencies.
  • Supports forensic investigations.
  • Centralized visibility.

Key Capabilities

Gartner evaluates SIEM tools based on these three capabilities.

  • threat detection
  • investigation
  • time to respond

Some tools, components and vendors (in no particular order)

  • Splunk
  • IBM QRadar
  • LogRhythm
  • AlienVault
  • OpenSearch
  • ELK Stack (Elasticsearch, Logstash and Kibana)
  • OSSEC - open-source host-based intrusion detection system (HIDS).
  • Snort - open-source network intrusion detection system and packet sniffer that inspects traffic for signs of network threats.
  • Apache Metron

SIEM Process

  1. Collect data from various sources
  2. Normalize and aggregate collected data
  3. Analyze the data to discover and detect threats
  4. Pinpoint security breaches and enable organizations to investigate alerts
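The four steps above, together with the SIEM inputs listed earlier (logs plus a threat-intel feed), are shown end to end in the following toy pipeline. This is an added example, not code from the page or from any of the referenced vendors. The log lines, the threat-intel entry and the IP addresses (taken from the documentation-only ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed; the brute-force threshold, the one-minute window and the severity scheme are assumptions chosen for illustration.

```python
"""Toy SIEM pipeline: collect -> normalize/aggregate -> analyze -> alert.

All sample data below is constructed for the example; it is not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inputs: an sshd auth log and a web server access log.
AUTH_LOG = """\
Mar 10 12:00:01 host1 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 10 12:00:03 host1 sshd[1002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar 10 12:00:05 host1 sshd[1003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 12:00:09 host1 sshd[1004]: Accepted password for alice from 198.51.100.20 port 52000 ssh2
Mar 10 12:00:10 host1 sshd[1005]: Failed password for root from 203.0.113.7 port 51003 ssh2
"""
WEB_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 401 512
198.51.100.20 - - [10/Mar/2024:12:00:08 +0000] "GET /index.html HTTP/1.1" 200 2048
"""
# Constructed threat-intel feed (another SIEM input): indicator -> context.
THREAT_INTEL = {"203.0.113.7": "constructed-feed: reported brute-force source"}

AUTH_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample


def normalize_auth(line):
    """Step 2 (normalize): map an sshd line onto a common event schema."""
    m = AUTH_RE.match(line)
    if not m:
        return None  # unparsed lines are dropped here; a real SIEM would count them
    ts_s, host, result, user, ip = m.groups()
    ts = datetime.strptime(f"{YEAR} {ts_s}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": host, "src_ip": ip, "user": user, "source": "sshd",
            "event": "auth_failure" if result == "Failed" else "auth_success", "raw": line}


def normalize_web(line):
    """Step 2 (normalize): map an access-log line onto the same schema."""
    m = WEB_RE.match(line)
    if not m:
        return None
    ip, ts_s, method, path, status = m.groups()
    ts = datetime.strptime(ts_s, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {"ts": ts, "host": "web1", "src_ip": ip, "user": None, "source": "httpd",
            "event": "http_request", "status": int(status), "path": path, "raw": line}


def collect(auth_text, web_text):
    """Step 1 (collect) + step 2 (aggregate): one time-ordered event list."""
    events = [e for e in map(normalize_auth, auth_text.splitlines()) if e]
    events += [e for e in map(normalize_web, web_text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=3, window=timedelta(minutes=1)):
    """Step 3 (analyze): >= threshold auth failures from one IP inside a sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "auth_failure":
            by_ip[e["src_ip"]].append(e["ts"])
    alerts = []
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "ssh_bruteforce", "src_ip": ip, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break  # one alert per source, not one per additional failure
    return alerts


def enrich(alert, events, intel):
    """Step 4 (pinpoint/investigate): attach the context an analyst needs to act."""
    related = [e for e in events if e["src_ip"] == alert["src_ip"]]
    alert["intel"] = intel.get(alert["src_ip"])
    alert["related_events"] = len(related)
    alert["other_sources"] = sorted({e["source"] for e in related})
    alert["success_after"] = any(e["event"] == "auth_success" and e["ts"] >= alert["first"]
                                 for e in related)
    # Assumed severity scheme: intel match or a later successful login raises priority.
    alert["severity"] = "high" if alert["intel"] or alert["success_after"] else "medium"
    return alert


def run_pipeline(auth_text=AUTH_LOG, web_text=WEB_LOG, intel=THREAT_INTEL):
    events = collect(auth_text, web_text)
    return [enrich(a, events, intel) for a in detect_bruteforce(events)]


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

The enrichment step is what turns a raw count into an actionable alert: the same rule fires on the same four failures either way, but the analyst also sees that the source is listed in the intel feed, that it touched the web server, and that no login from it succeeded. Raising `threshold` or shrinking `window` in `detect_bruteforce` is the usual tuning lever against the false-alarm fatigue listed under Challenges.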

Challenges

  • Unstructured data.
  • Frustration of chasing false alarms.
  • Lack of clarity and context on the log events.

Best practice for implementing

  • Define the scope.
  • Document the insights the solution is expected to provide, framed as questions.
  • Deploy the incident responders.
  • Make use of the application portfolio (inventory of digital assets).
  • Apply automation as soon as possible.
  • Integrate with process and/or ITSM tools.

References:

  1. https://www.ibm.com/topics/siem
  2. https://en.wikipedia.org/wiki/Security_information_and_event_management
  3. https://www.servicenow.com/products/security-operations/what-is-siem.html