Security Information and Event Management (SIEM) Overview
Starting from the top of a cybersecurity organization, a Security Operations Center (SOC) is in charge of proactively keeping company assets safe, such as data stored on the company's network. One tool the SOC uses to do that job is a Security Information and Event Management (SIEM) platform. A SIEM collects data from 1) a wide variety of sources in 2) a wide variety of formats, to enable both a real-time view and broad analysis of past data. SIEM is more about collecting, indexing, tagging and contextual mining than about security per se; that is why Splunk (a log collection and analytics platform) is a leader in the Gartner SIEM Magic Quadrant (MQ).
Sources of data fed to a SIEM:
- Endpoint (EP) Security : As the agent that protects laptops, tablets, and phones at the edge of enterprise control, the endpoint agent needs to prevent threats, protect data, secure the network, ensure compliance, and respond to incidents. What it records while doing so (logons, process starts, policy violations) is what it forwards to the SIEM.
- Firewall (FW) Security : A firewall acts as a barrier between an internal network and external networks by controlling incoming and outgoing traffic according to predetermined security rules. Packet filtering and stateful packet inspection are among the techniques used. Its allow/deny decisions are the log lines the SIEM ingests.
- Intrusion Detection System (IDS) & Intrusion Prevention System (IPS) : An IDS monitors network traffic for suspicious activity and potential threats and alerts administrators when it finds them. An IPS takes this a step further and acts (for example by dropping or blocking the traffic) to prevent or mitigate further damage.
Types of data sent to or accessible by a SIEM:
- events : a simple record of what happened in the network; it can be just a timestamp, source identifiers, and a code
- messages : a bigger, more verbose record of what happened in the network, usually carrying contextual information to help with forensic investigation
- logs : a record of what a system did, made up of events and messages
Types of actions from a SIEM:
- alert : a rule or saved search fires on the incoming data and notifies the SOC
- analysis : an analyst (or an automated playbook) investigates the alert against the indexed data to decide whether it is a real incident
- reporting : starts from the alerts and, after analysis, summarizes what was found for the SOC and management
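To make the whole chain concrete (collect from several sources in several formats, normalize, tag, index, correlate, alert, report), here is a toy SIEM pipeline. It is an added example written for this post, not Splunk's or any vendor's code. The log lines are constructed samples; the firewall and IDS line formats, the JSON field names of the endpoint agent, the year supplied for syslog timestamps, the 10.0.0.0/8 internal range and the "three failures then a success within five minutes" rule are all assumptions of the example, not anything a real product defines.

```python
"""Toy SIEM pipeline: collect heterogeneous log lines, normalize them into one
event record, tag and index them, run a correlation rule, report the hits.
Illustration added to this post; not Splunk's or any vendor's code."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input: syslog-style firewall lines, JSON endpoint-agent
# events and one IDS alert. All line formats are assumptions of this example.
RAW_LOGS = [
    "Mar 10 10:00:01 fw01 kernel: DENY TCP 203.0.113.7:51234 -> 10.0.0.5:22",
    "Mar 10 10:00:02 fw01 kernel: DENY TCP 203.0.113.7:51235 -> 10.0.0.5:22",
    '{"ts":"2024-03-10T10:00:03Z","host":"lt-042","event":"login_failed","user":"alice","src":"203.0.113.7"}',
    '{"ts":"2024-03-10T10:00:04Z","host":"lt-042","event":"login_failed","user":"alice","src":"203.0.113.7"}',
    '{"ts":"2024-03-10T10:00:05Z","host":"lt-042","event":"login_failed","user":"alice","src":"203.0.113.7"}',
    '{"ts":"2024-03-10T10:00:06Z","host":"lt-042","event":"login_ok","user":"alice","src":"203.0.113.7"}',
    "Mar 10 10:00:07 ids01 snort[123]: [1:2000:1] SSH brute force attempt {TCP} 203.0.113.7 -> 10.0.0.5",
    "Mar 10 10:05:00 fw01 kernel: ALLOW TCP 198.51.100.2:40000 -> 10.0.0.8:443",
]

SYSLOG_YEAR = 2024            # assumption: syslog timestamps carry no year
INTERNAL_PREFIX = "10."       # assumption: 10.0.0.0/8 is the internal range
FAIL_THRESHOLD = 3            # rule tuning chosen for this example
WINDOW = timedelta(minutes=5)

FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>ALLOW|DENY) \w+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
IDS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[\d+\]: "
    r"\[(?P<sid>[\d:]+)\] (?P<msg>.+?) \{\w+\} (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")

def _syslog_ts(text):
    """Syslog has no year, so supply one and treat the time as UTC."""
    return datetime.strptime(f"{SYSLOG_YEAR} {text}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)

def normalize(raw):
    """Parse one raw line from any supported source into the common event record
    (timestamp, source type, host, source address, code) described above."""
    if raw.startswith("{"):                                  # endpoint agent: JSON
        j = json.loads(raw)
        return {"ts": datetime.fromisoformat(j["ts"].replace("Z", "+00:00")), "source": "endpoint",
                "host": j["host"], "src": j.get("src"), "code": j["event"], "user": j.get("user"), "raw": raw}
    m = FW_RE.match(raw)                                     # firewall: syslog text
    if m:
        return {"ts": _syslog_ts(m["ts"]), "source": "firewall", "host": m["host"],
                "src": m["src"], "dst": m["dst"], "code": m["action"], "raw": raw}
    m = IDS_RE.match(raw)                                    # IDS: syslog text, Snort-like
    if m:
        return {"ts": _syslog_ts(m["ts"]), "source": "ids", "host": m["host"], "src": m["src"],
                "dst": m["dst"], "code": m["sid"], "msg": m["msg"], "raw": raw}
    raise ValueError(f"unrecognised log format: {raw!r}")

def tag(ev):
    """Attach the tags that searches and rules key on (the tagging step)."""
    tags = set()
    if ev["source"] == "firewall" and ev["code"] == "DENY":
        tags.add("fw:deny")
    if ev["source"] == "ids":
        tags.add("ids:alert")
    if ev["code"] in ("login_failed", "login_ok"):
        tags.add("auth")
    if ev.get("src") and not ev["src"].startswith(INTERNAL_PREFIX):
        tags.add("external_src")
    ev["tags"] = tags
    return ev

def ingest(lines):
    """Collect: normalize and tag every line, ordered by time."""
    return sorted((tag(normalize(line)) for line in lines), key=lambda e: e["ts"])

def index_by(events, key):
    """Index: group events by a field so rules can pivot on it cheaply."""
    idx = defaultdict(list)
    for ev in events:
        if ev.get(key) is not None:
            idx[ev[key]].append(ev)
    return idx

def correlate(events):
    """Analysis rule: FAIL_THRESHOLD or more failed logins for a user followed by a
    success from the same source within WINDOW. Each hit is enriched with what
    else that source was doing across all feeds (the contextual mining)."""
    alerts = []
    for src, evs in index_by(events, "src").items():
        fails = [e for e in evs if e["code"] == "login_failed"]
        for ok in (e for e in evs if e["code"] == "login_ok"):
            recent = [f for f in fails
                      if f["user"] == ok["user"] and ok["ts"] - WINDOW <= f["ts"] < ok["ts"]]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force_then_success", "ts": ok["ts"], "src": src,
                               "user": ok["user"], "host": ok["host"], "failures": len(recent),
                               "fw_denies": sum("fw:deny" in e["tags"] for e in evs),
                               "ids_hits": [e["msg"] for e in evs if "ids:alert" in e["tags"]]})
    return alerts

def report(alerts):
    """Reporting: one line per alert, carrying the context gathered during analysis."""
    return "\n".join(
        f"[{a['ts']:%Y-%m-%d %H:%M:%S}] {a['rule']} src={a['src']} user={a['user']} host={a['host']} "
        f"failures={a['failures']} fw_denies={a['fw_denies']} ids_hits={a['ids_hits']}"
        for a in alerts)

if __name__ == "__main__":
    print(report(correlate(ingest(RAW_LOGS))))
```

Running it produces one alert for 203.0.113.7: three failed logons for alice followed by a success, with the two firewall denies and the IDS "SSH brute force attempt" hit from the same address attached as context. The point of the enrichment is the one the post makes: none of the three feeds is conclusive on its own, but once they are indexed on a shared field (here the source address) the correlation is a cheap lookup rather than a manual hunt through three consoles.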