SlideShare a Scribd company logo

SIEM for Beginners

BAKOTECH
BAKOTECH

SIEM (Correlate and analyze security event data from across your network; Log Management; Event Correlation; Incident Response; Reporting and Alarms).

Business
1 of 18
Download to read offline
Everything You Wanted to Know About Log Management But were Afraid to Ask SIEM FOR BEGINNERS www.alienvault.com
Although the industry has settled on the term ‘SIEM’ as the catch-all term for this type of security software, it evolved from several different (but complementary) technologies that came before it. • LMS “Log Management System” – a system that collects and stores log files (from Operating Systems, Applications, etc) from multiple hosts and systems into a single location, allowing centralized access to logs instead of accessing them from each system individually. • SLM /SEM “Security Log/Event Management” – an LMS, but marketed towards security analysts instead of system administrators. SEM is about highlighting log entries as more significant to security than others. • SIM “Security Information Management” – an Asset Management system, but with features to incorporate security information too. Hosts may have vulnerability reports listed in their summaries, Intrusion Detection and AntiVirus alerts may be shown mapped to the systems involved. • SEC “Security Event Correlation” – To a particular piece of software, three failed login attempts to the same user account from three different clients, are just three lines in their logfile. To an analyst, that is a peculiar sequence of events worthy of investigation, and Log Correlation (looking for patterns in log files) is a way to raise alerts when these things happen. • SIEM “Security Information and Event Management” – SIEM is the “All of the Above” option, and as the above technologies become merged into single products, became the generalized term for managing information generated from security controls and infrastructure. We’ll use the term SIEM for the rest of this presentation. A Rose By Any Other Name SLM/LMS, SIM, SEM, SEC, SIEM
The information you need to answer “Who’s attacking us today?” and “How did they get access to all our corporate secrets?” We may think of Security Controls as containing all the information we need to be secure, but often they only contain the things they have detected – there is no ‘before and after the event’ context within them. This context is usually vital to separate the false positive from true detection, the actual attack from a merely misconfigured system. Successful attacks on computer systems rarely look like real attacks except in hindsight – if this were not the case, we could automate ALL security defenses without ever needing to employ human analysts. Attackers will try to remove and falsify log entries to cover their tracks – having a source of log information that can be trusted is vital to any legal proceeding from computer misuse. What’s in the Logs? What’s In the Logs?!!Q: A:
SIEM is about looking at what’s happening on your network through a larger lens than can be provided via any one security control or information source. None of these by themselves, can tell you what is happening to your business in terms of securing the continuity of your business processes… But together, they can. • Your Intrusion Detection only understands Packets, Protocols & IP Addresses • Your Endpoint Security sees files, usernames & hosts • Your Service Logs show user logins, service activity & configuration changes. • Your Asset Management system sees apps, business processes & owners The Blind Men and the Security Information Elephant
SIEM is essentially nothing more than a management layer above your existing systems and security controls. It connects and unifies the information contained in your existing systems, allowing them to be analyzed and cross-referenced from a single interface. SIEM is a perfect example of the ‘Garbage In, Garbage Out’ principle of computing: SIEM is only as useful as the information you put into it. The more valid information depicting your network, systems, and behavior the SIEM has, the more effective it will be in helping you make effective detections, analyses, and responses in your security operations. SIEM A Single View of Your IT Security
Bob’s Machine was compromised by asbss.exe which originated from a malicious website, this malware then used Bob’s account to try and infect DAVEPC3, but antivirus caught it. Bob’s machine “BOBPC1” is likely still compromised, however. We should block the malicious domain and sanitize Bob’s workspace, ASAP External Website 4.4.4.4 DMZ Firewall 10.90.0.1 Web Proxy 10.90.0.50 BOBPC1 10.100.23.53 DAVEPC3 10.10123.18 Domain Controller DHCP Server Antivirus Controller Router A A B C D D E E F F B C Connection to TCP port 80 - src:10.90.0.50 dst: 4.4.4.4 state: ACCEPTED HTTP Client GET - http://somebadwebsite.org/878732/asbss.exe %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 10.100.23.53(38231) > 10.90.0.50(3129), 1 packet Lease for 10.100.23.53 Assigned to BOBPC1 - MAC:AE:00:AE:10:F8:D6 Authentication Package: Microsoft_Authentication_Package_V1_0 Logon Account: BRoberts Source Workstation: BOBPC1 Error Code: 0x00000064 Client: DAVEPC3 - Successfully Removed - C:WindowsTempasbss.dll - Reason: Win32/RatProxyDLL18 105
• Log Collection is the heart and soul of a SIEM – the more log sources that send logs to the SIEM, the more that can be accomplished with the SIEM. • Logs on their own rarely contain the information needed to understand their contents within the context of your business. • Security Analysts have limited bandwidth to be familiar with every last system that your IT operation depends on. • With only the logs, all an analyst sees is “Connection from Host A to Host B” • Yet, to the administrator of that system, this becomes “Daily Activity Transfer from Point of Sales to Accounts Receivable”. • The Analyst needs this information to make reasoned assessment of any security alert involving this connection. • True value of logs is in correlation to get actionable information. Half a Pound of Logs, A Cup of Asset Records….
Security Controls • Intrusion Detection • Endpoint Security (Antivirus, etc) • Data Loss Prevention • VPN Concentrators • Web Filters • Honeypots • Firewalls Infrastructure • Routers • Switches • Domain Controllers • Wireless Access Points • Application Servers • Databases • Intranet Applications Infrastructure Information • Configuration • Locations • Owners • Network Maps • Vulnerability Reports • Software Inventory Business Information • Business Process Mappings • Points of Contact • Partner Information LOGS AND ALERTS: KNOWLEDGE: SIEM Recipes - A list of ingredients you’ll need for a good SIEM Deployment
Business Locations Network MapsBusiness Units Configuration and Asset Information System Logs and Security Controls Alerts Software Inventory Software Inventory 10.100.20.0.18 10.88.6.12 10.100.20.0/24 10.88.5.0/16 Pennsylvania Boston Business Processes Accounts Receivable Accounting IT USSaleSyncAcct 10.100.20.18 Initiated Database Copy using credentials USSalesSyncAcct to remote Host 10.88.6.12 - Status Code 0x44F8 How a Log File is Generated in Your Network SIEM
Behold: The Power of Correlation Correlation is the process of matching events from systems (hosts, network devices, security controls, anything that sends logs to the SIEM.) Events from different sources can be combined and compared against each other to identify patterns of behavior invisible to individual devices… They can also be matched against the information specific to your business. Correlation allows you to automate detection for the things that should not occur on your network.
The beauty of log correlation “14:10 7/4/20110 User BRoberts Successful Auth to 10.100.52.105 from 10.10.8.22” An Account belonging to Marketing connected to an Engineering System from an office desktop, on a day when nobody should be in the office” Log Correlation is the difference between: and...
Your network generates vast amounts of log data – a Fortune 500 enterprise’s infrastructure can generate 10 terabytes of plain-text log data per month, without breaking a sweat. You can’t hire enough people to read every line of those logs looking for bad stuff. I’m serious, don’t even try this. Even if you succeeded, they’d be so bored they’d never actually spot anything even if it was right in front of their face.. Which it would be. Log Correlation lets you locate the interesting places in your logs – that’s where the analysts start investigating… And they’re going to find pieces of information that lead to other pieces of information as the trail of evidence warms up. Being able to search through the rest of those logs for that one thing they suspect resides there is one of the other key functions of a SIEM. It’s a good thing that a SIEM is fundamentally a… Slow Cook for 8 Hours Serve to Hungry Analysts…
…Giant Database of Logs. It would be amazingly useful if every operating system and every application in the world, recorded their log events in the same format – they don’t. Most logs are written to be readable by humans, not computers. That makes using regular search tools over logs from different sources… a little difficult. These two logs say the same thing to a human being, but are very different from the machine’s point of view. “User Broberts Successfully Authenticated to 10.100.52.105 from client 10.10.8.22” “100.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success” Long story short – we’re going to need to break down every known log message out there, into a normalized format. “User [USERNAME] [STATUS] Authenticated to [DESTIP] from client [SOURCEIP]” “100.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success” So when you see a SIEM Product that talks about “how many devices it supports” – it’s talking about how many devices it can parse the logs from.
Breaking those log entries down into their components – normalizing them, is what allows us to search across logs from multiple devices and correlate events between them. Once we’ve normalized logs into a database table, we can do database style searches, such as: This is what allows us to do automated correlation as well, matching fields between log events, across time periods, across device types. Just as with any database, event normalization allows the creation of report summarizations of our log information Show [All Logs] From [All Devices] from the [last two weeks], where the [username] is [Broberts] If A single Host fails to log in to three separate servers using the same credentials, within a 6-second time window, raise an alert What User Accounts have accessed the highest number of distinct hosts in the last month? What Subnet generate the highest number of failed login attempts per day, averaged out over 6 months?” Searches, Pivoting, and Cross-Correlation
But Wait, There’s More! • So you’ve now seen that SIEM is a recording device for the systems that form your information infrastructure. • SIEM allows you to give analysts access to information from these systems, without giving them access to the systems themselves. • Event Correlation allows you to encode security knowledge into automated searches across events and asset information to alert on things happening within your infrastructure, and create a starting point for human analysis into a sea of log data. • But to keep up with today’s threat landscape, you need more that just SIEM – you need relevant data, a unified approach and integrated threat intelligence to truly get a holistic view of your security posture.
AlienVault® USM™ Brings it all together ASSET DISCOVERY & INVENTORY Find all assets on your network before a bad actor does with active and passive network discovery. SIEM & LOG MANAGEMENT Quickly correlate & analyze security event data from across your network with built-in SIEM & log management INTRUSION DETECTION Detect & respond to threats faster with our built-in network IDS, host- based IDS & file integrity monitoring VULNERABILITY ASSESSMENT Identify systems that are vulnerable to exploits with active network scanning & continuous vulnerability monitoring BEHAVIORAL MONITORING Instantly spot suspicious behavior with NetFlow analysis, service monitoring & full packet capture. powered by AV Labs Threat Intelligence
Trouble Ticketing Asset Discovery Log Management Event Management Event Correlation Reporting Features: AlienVault USM Traditional SIEM Built-in $$ (3rd-party product that requires integration) Security Monitoring Technologies Network IDS Host IDS Netflow Full Packet Capture File Integrity Monitoring Vulnerability Assessment Additional Capabilities: Built-in $$ (3rd-party product that requires integration) Built-in $$ (3rd-party product that requires integration) Built-in $$ (3rd-party product that requires integration) Built-in $$ (3rd-party product that requires integration) Built-in $$ (3rd-party product that requires integration) Built-in $$ (3rd-party product that requires integration) Built-in $$ (3rd-party product that requires integration) Continuous Threat Intelligence Built-in Not available Unified Management Console for security monitoring technologies Built-in Not available Management
Next Steps: Play, share, enjoy! www.alienvault.com • Watch our 3-minute overview video • Play in our product sandbox • Start detecting threats today with a free trial • Go Beyond SIEM with Unified Security Management • Join the Open Threat Exchange Try it Free BAKOTECH Group is an official distributor of AlienVault in the Baltic States, Ukraine, Kazakhstan, the Eastern Europe and the CIS countries. If you have any questions about AlienVault, please, write us at alienvault@bakotech.com

Recommended

Use Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyUse Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiency
JonathanPritchard12
 
Maceo Wattley Contributor Infosec
Maceo Wattley Contributor InfosecMaceo Wattley Contributor Infosec
Maceo Wattley Contributor InfosecDr. Maceo D. Wattley
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
ManageEngine EventLog Analyzer
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
CoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Whitepaper: Application Whitelisting And Energy SystemsCoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Corporation
 
Event mgt feb09
Event mgt feb09Event mgt feb09
Event mgt feb09pladott11
 
Siem Overview 2009
Siem Overview 2009Siem Overview 2009
Siem Overview 2009
johndyson1
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
hashnees
 

Recommended

Use Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyUse Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiency
JonathanPritchard12
 
Maceo Wattley Contributor Infosec
Maceo Wattley Contributor InfosecMaceo Wattley Contributor Infosec
Maceo Wattley Contributor InfosecDr. Maceo D. Wattley
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
ManageEngine EventLog Analyzer
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
CoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Whitepaper: Application Whitelisting And Energy SystemsCoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Corporation
 
Event mgt feb09
Event mgt feb09Event mgt feb09
Event mgt feb09pladott11
 
Siem Overview 2009
Siem Overview 2009Siem Overview 2009
Siem Overview 2009
johndyson1
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
hashnees
 
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
rver21
 
Ijetr042329
Ijetr042329Ijetr042329
Ijetr042329
Engineering Research Publication
 
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Whitepaper: Whitelisting And Control SystemsCoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Corporation
 
CISCO SECURITY INTELLIGENCE OPERATIONS SIO
CISCO SECURITY INTELLIGENCE OPERATIONS SIOCISCO SECURITY INTELLIGENCE OPERATIONS SIO
CISCO SECURITY INTELLIGENCE OPERATIONS SIO
Happy Sad
 
SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0Rasmi Swain
 
Leveraging Log Management to provide business value
Leveraging Log Management to provide business valueLeveraging Log Management to provide business value
Leveraging Log Management to provide business valueEnterprise Technology Management (ETM)
 
Siem solutions R&E
Siem solutions R&ESiem solutions R&E
Siem solutions R&E
Owais Ahmad
 
2005 issa journal-simsevaluation
2005 issa journal-simsevaluation2005 issa journal-simsevaluation
2005 issa journal-simsevaluationasundaram1
 
The ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertThe ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expert
Chapter247 Infotech
 
Session Auditor - Transparent Network Behavior Recorder
Session Auditor - Transparent Network Behavior RecorderSession Auditor - Transparent Network Behavior Recorder
Session Auditor - Transparent Network Behavior Recorder
BMST
 
Cyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.comCyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.com
amaranthbeg55
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptx
Piyush Jain
 
Stop the Evil, Protect the Endpoint
Stop the Evil, Protect the EndpointStop the Evil, Protect the Endpoint
Stop the Evil, Protect the Endpoint
BeyondTrust
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.com
PrescottLunt384
 
Redefining siem to real time security intelligence
Redefining siem to real time security intelligenceRedefining siem to real time security intelligence
Redefining siem to real time security intelligenceBrendaly Marcano
 
1. security management practices
1. security management practices1. security management practices
1. security management practices7wounders
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security BackgroundNicholas Davis
 
Secure architecture-industrial-control-systems-36327
Secure architecture-industrial-control-systems-36327Secure architecture-industrial-control-systems-36327
Secure architecture-industrial-control-systems-36327
vimal Kumar Gupta
 
presentacion Demo McAfee SIEM
presentacion Demo McAfee SIEMpresentacion Demo McAfee SIEM
presentacion Demo McAfee SIEMvictor bueno
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
AlienVault
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
AlienVault
 

More Related Content

What's hot

LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
rver21
 
Ijetr042329
Ijetr042329Ijetr042329
Ijetr042329
Engineering Research Publication
 
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Whitepaper: Whitelisting And Control SystemsCoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Corporation
 
CISCO SECURITY INTELLIGENCE OPERATIONS SIO
CISCO SECURITY INTELLIGENCE OPERATIONS SIOCISCO SECURITY INTELLIGENCE OPERATIONS SIO
CISCO SECURITY INTELLIGENCE OPERATIONS SIO
Happy Sad
 
SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0Rasmi Swain
 
Siem solutions R&E
Siem solutions R&ESiem solutions R&E
Siem solutions R&E
Owais Ahmad
 
2005 issa journal-simsevaluation
2005 issa journal-simsevaluation2005 issa journal-simsevaluation
2005 issa journal-simsevaluationasundaram1
 
The ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertThe ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expert
Chapter247 Infotech
 
Session Auditor - Transparent Network Behavior Recorder
Session Auditor - Transparent Network Behavior RecorderSession Auditor - Transparent Network Behavior Recorder
Session Auditor - Transparent Network Behavior Recorder
BMST
 
Cyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.comCyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.com
amaranthbeg55
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptx
Piyush Jain
 
Stop the Evil, Protect the Endpoint
Stop the Evil, Protect the EndpointStop the Evil, Protect the Endpoint
Stop the Evil, Protect the Endpoint
BeyondTrust
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.com
PrescottLunt384
 
Redefining siem to real time security intelligence
Redefining siem to real time security intelligenceRedefining siem to real time security intelligence
Redefining siem to real time security intelligenceBrendaly Marcano
 
1. security management practices
1. security management practices1. security management practices
1. security management practices7wounders
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security BackgroundNicholas Davis
 
Secure architecture-industrial-control-systems-36327
Secure architecture-industrial-control-systems-36327Secure architecture-industrial-control-systems-36327
Secure architecture-industrial-control-systems-36327
vimal Kumar Gupta
 
presentacion Demo McAfee SIEM
presentacion Demo McAfee SIEMpresentacion Demo McAfee SIEM
presentacion Demo McAfee SIEMvictor bueno
 

What's hot (20)

LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
 
Ijetr042329
Ijetr042329Ijetr042329
Ijetr042329
 
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Whitepaper: Whitelisting And Control SystemsCoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Whitepaper: Whitelisting And Control Systems
 
CISCO SECURITY INTELLIGENCE OPERATIONS SIO
CISCO SECURITY INTELLIGENCE OPERATIONS SIOCISCO SECURITY INTELLIGENCE OPERATIONS SIO
CISCO SECURITY INTELLIGENCE OPERATIONS SIO
 
SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0
 
Leveraging Log Management to provide business value
Leveraging Log Management to provide business valueLeveraging Log Management to provide business value
Leveraging Log Management to provide business value
 
Siem solutions R&E
Siem solutions R&ESiem solutions R&E
Siem solutions R&E
 
2005 issa journal-simsevaluation
2005 issa journal-simsevaluation2005 issa journal-simsevaluation
2005 issa journal-simsevaluation
 
The ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertThe ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expert
 
Session Auditor - Transparent Network Behavior Recorder
Session Auditor - Transparent Network Behavior RecorderSession Auditor - Transparent Network Behavior Recorder
Session Auditor - Transparent Network Behavior Recorder
 
Cyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.comCyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.com
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptx
 
Stop the Evil, Protect the Endpoint
Stop the Evil, Protect the EndpointStop the Evil, Protect the Endpoint
Stop the Evil, Protect the Endpoint
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.com
 
Redefining siem to real time security intelligence
Redefining siem to real time security intelligenceRedefining siem to real time security intelligence
Redefining siem to real time security intelligence
 
1. security management practices
1. security management practices1. security management practices
1. security management practices
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security Background
 
Secure architecture-industrial-control-systems-36327
Secure architecture-industrial-control-systems-36327Secure architecture-industrial-control-systems-36327
Secure architecture-industrial-control-systems-36327
 
presentacion Demo McAfee SIEM
presentacion Demo McAfee SIEMpresentacion Demo McAfee SIEM
presentacion Demo McAfee SIEM
 

Similar to SIEM for Beginners

SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
AlienVault
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
AlienVault
 
Crypto sim_cryptolog_cryptospot_v3
Crypto sim_cryptolog_cryptospot_v3Crypto sim_cryptolog_cryptospot_v3
Crypto sim_cryptolog_cryptospot_v3
Mustafa Kuğu
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
OWASP Delhi
 
Audit logs for Security and Compliance
Audit logs for Security and ComplianceAudit logs for Security and Compliance
Audit logs for Security and Compliance
Anton Chuvakin
 
Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptx
neoalt
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
karlhennesey
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
k33a
 
University of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docxUniversity of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docx
DustiBuckner14
 
System Z Mainframe Security For An Enterprise
System Z Mainframe Security For An EnterpriseSystem Z Mainframe Security For An Enterprise
System Z Mainframe Security For An Enterprise
Jim Porell
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber security
Sandip Juthani
 
School of Computer & Information SciencesISOL-536 - Se.docx
School of Computer & Information SciencesISOL-536 - Se.docxSchool of Computer & Information SciencesISOL-536 - Se.docx
School of Computer & Information SciencesISOL-536 - Se.docx
jeffsrosalyn
 
InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011
Xavier Mertens
 
Siem tools-monitor-your-network
Siem tools-monitor-your-networkSiem tools-monitor-your-network
Siem tools-monitor-your-network
hardik soni
 
SEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptxSEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptx
AmrMousa51
 
Security Information Event Management Security Information Event Management
Security Information Event Management Security Information Event ManagementSecurity Information Event Management Security Information Event Management
Security Information Event Management Security Information Event Management
karthikvcyber
 
Anomali Product Brochure
Anomali Product BrochureAnomali Product Brochure
Anomali Product BrochureTodd Helfrich
 
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
EMC
 

Similar to SIEM for Beginners (20)

SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
Crypto sim_cryptolog_cryptospot_v3
Crypto sim_cryptolog_cryptospot_v3Crypto sim_cryptolog_cryptospot_v3
Crypto sim_cryptolog_cryptospot_v3
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
 
Audit logs for Security and Compliance
Audit logs for Security and ComplianceAudit logs for Security and Compliance
Audit logs for Security and Compliance
 
Ch11 system administration
Ch11 system administration Ch11 system administration
Ch11 system administration
 
Ch11
Ch11Ch11
Ch11
 
Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptx
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
University of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docxUniversity of the CumberlandsSchool of Computer & Information .docx
University of the CumberlandsSchool of Computer & Information .docx
 
System Z Mainframe Security For An Enterprise
System Z Mainframe Security For An EnterpriseSystem Z Mainframe Security For An Enterprise
System Z Mainframe Security For An Enterprise
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber security
 
School of Computer & Information SciencesISOL-536 - Se.docx
School of Computer & Information SciencesISOL-536 - Se.docxSchool of Computer & Information SciencesISOL-536 - Se.docx
School of Computer & Information SciencesISOL-536 - Se.docx
 
InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011
 
Siem tools-monitor-your-network
Siem tools-monitor-your-networkSiem tools-monitor-your-network
Siem tools-monitor-your-network
 
SEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptxSEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptx
 
Security Information Event Management Security Information Event Management
Security Information Event Management Security Information Event ManagementSecurity Information Event Management Security Information Event Management
Security Information Event Management Security Information Event Management
 
Anomali Product Brochure
Anomali Product BrochureAnomali Product Brochure
Anomali Product Brochure
 
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
 

More from BAKOTECH

SOAR
SOARSOAR
SOAR
BAKOTECH
 
Upd pci compliance
Upd pci compliance Upd pci compliance
Upd pci compliance
BAKOTECH
 
Threat Detection & Response
Threat Detection & ResponseThreat Detection & Response
Threat Detection & Response
BAKOTECH
 
WatchGuard SD-WAN
WatchGuard SD-WAN WatchGuard SD-WAN
WatchGuard SD-WAN
BAKOTECH
 
WatchGuard WIPS
WatchGuard WIPSWatchGuard WIPS
WatchGuard WIPS
BAKOTECH
 
WatchGuard Authpoint
WatchGuard Authpoint WatchGuard Authpoint
WatchGuard Authpoint
BAKOTECH
 
McAfee Labs Threats Report, August 2019
McAfee Labs Threats Report, August 2019 McAfee Labs Threats Report, August 2019
McAfee Labs Threats Report, August 2019
BAKOTECH
 
F5 labs 2018. Отчет по защите веб-приложений
F5 labs 2018. Отчет по защите веб-приложенийF5 labs 2018. Отчет по защите веб-приложений
F5 labs 2018. Отчет по защите веб-приложений
BAKOTECH
 
Miercom Unified Threat Management Report - WatchGuard M270
Miercom Unified Threat Management Report - WatchGuard M270Miercom Unified Threat Management Report - WatchGuard M270
Miercom Unified Threat Management Report - WatchGuard M270
BAKOTECH
 
WatchGuard Internet Security Report
WatchGuard Internet Security ReportWatchGuard Internet Security Report
WatchGuard Internet Security Report
BAKOTECH
 
BreakingPoint от Ixia
BreakingPoint от IxiaBreakingPoint от Ixia
BreakingPoint от Ixia
BAKOTECH
 
Cloud Visibility for Dummies от IXIA
Cloud Visibility for Dummies от IXIACloud Visibility for Dummies от IXIA
Cloud Visibility for Dummies от IXIA
BAKOTECH
 
Network Visibility for Dummies
Network Visibility for DummiesNetwork Visibility for Dummies
Network Visibility for Dummies
BAKOTECH
 
SIEM для чайников
SIEM для чайниковSIEM для чайников
SIEM для чайников
BAKOTECH
 
Обеспечение безопасности активов современного бизнеса с помощью криптографии
Обеспечение безопасности активов современного бизнеса с помощью криптографии Обеспечение безопасности активов современного бизнеса с помощью криптографии
Обеспечение безопасности активов современного бизнеса с помощью криптографии
BAKOTECH
 
Надежная защита от утечек информации в условиях современных тенденций ИТ
Надежная защита от утечек информации в условиях современных тенденций ИТНадежная защита от утечек информации в условиях современных тенденций ИТ
Надежная защита от утечек информации в условиях современных тенденций ИТ
BAKOTECH
 
Проблематика безопасности баз данных. Выявление уязвимостей, контроль транзак...
Проблематика безопасности баз данных. Выявление уязвимостей, контроль транзак...Проблематика безопасности баз данных. Выявление уязвимостей, контроль транзак...
Проблематика безопасности баз данных. Выявление уязвимостей, контроль транзак...
BAKOTECH
 
Внутренняя угроза: выявление и защита с помощью ObserveIT
Внутренняя угроза: выявление и защита с помощью ObserveITВнутренняя угроза: выявление и защита с помощью ObserveIT
Внутренняя угроза: выявление и защита с помощью ObserveIT
BAKOTECH
 
Обзор инструментов Toad для администраторов Oracle
Обзор инструментов Toad для администраторов OracleОбзор инструментов Toad для администраторов Oracle
Обзор инструментов Toad для администраторов Oracle
BAKOTECH
 
Toad for Oracle для разработчиков – обзор, советы и скрытые возможности
Toad for Oracle для разработчиков – обзор, советы и скрытые возможностиToad for Oracle для разработчиков – обзор, советы и скрытые возможности
Toad for Oracle для разработчиков – обзор, советы и скрытые возможности
BAKOTECH
 

More from BAKOTECH (20)

SOAR
SOARSOAR
SOAR
 
Upd pci compliance
Upd pci compliance Upd pci compliance
Upd pci compliance
 
Threat Detection & Response
Threat Detection & ResponseThreat Detection & Response
Threat Detection & Response
 
WatchGuard SD-WAN
WatchGuard SD-WAN WatchGuard SD-WAN
WatchGuard SD-WAN
 
WatchGuard WIPS
WatchGuard WIPSWatchGuard WIPS
WatchGuard WIPS
 
WatchGuard Authpoint
WatchGuard Authpoint WatchGuard Authpoint
WatchGuard Authpoint
 
McAfee Labs Threats Report, August 2019
McAfee Labs Threats Report, August 2019 McAfee Labs Threats Report, August 2019
McAfee Labs Threats Report, August 2019
 
F5 labs 2018. Отчет по защите веб-приложений
F5 labs 2018. Отчет по защите веб-приложенийF5 labs 2018. Отчет по защите веб-приложений
F5 labs 2018. Отчет по защите веб-приложений
 
Miercom Unified Threat Management Report - WatchGuard M270
Miercom Unified Threat Management Report - WatchGuard M270Miercom Unified Threat Management Report - WatchGuard M270
Miercom Unified Threat Management Report - WatchGuard M270
 
WatchGuard Internet Security Report
WatchGuard Internet Security ReportWatchGuard Internet Security Report
WatchGuard Internet Security Report
 
BreakingPoint от Ixia
BreakingPoint от IxiaBreakingPoint от Ixia
BreakingPoint от Ixia
 
Cloud Visibility for Dummies от IXIA
Cloud Visibility for Dummies от IXIACloud Visibility for Dummies от IXIA
Cloud Visibility for Dummies от IXIA
 
Network Visibility for Dummies
Network Visibility for DummiesNetwork Visibility for Dummies
Network Visibility for Dummies
 
SIEM для чайников
SIEM для чайниковSIEM для чайников
SIEM для чайников
 
Обеспечение безопасности активов современного бизнеса с помощью криптографии
Обеспечение безопасности активов современного бизнеса с помощью криптографии Обеспечение безопасности активов современного бизнеса с помощью криптографии
Обеспечение безопасности активов современного бизнеса с помощью криптографии
 
Надежная защита от утечек информации в условиях современных тенденций ИТ
Надежная защита от утечек информации в условиях современных тенденций ИТНадежная защита от утечек информации в условиях современных тенденций ИТ
Надежная защита от утечек информации в условиях современных тенденций ИТ
 
Проблематика безопасности баз данных. Выявление уязвимостей, контроль транзак...
Проблематика безопасности баз данных. Выявление уязвимостей, контроль транзак...Проблематика безопасности баз данных. Выявление уязвимостей, контроль транзак...
Проблематика безопасности баз данных. Выявление уязвимостей, контроль транзак...
 
Внутренняя угроза: выявление и защита с помощью ObserveIT
Внутренняя угроза: выявление и защита с помощью ObserveITВнутренняя угроза: выявление и защита с помощью ObserveIT
Внутренняя угроза: выявление и защита с помощью ObserveIT
 
Обзор инструментов Toad для администраторов Oracle
Обзор инструментов Toad для администраторов OracleОбзор инструментов Toad для администраторов Oracle
Обзор инструментов Toad для администраторов Oracle
 
Toad for Oracle для разработчиков – обзор, советы и скрытые возможности
Toad for Oracle для разработчиков – обзор, советы и скрытые возможностиToad for Oracle для разработчиков – обзор, советы и скрытые возможности
Toad for Oracle для разработчиков – обзор, советы и скрытые возможности
 

Recently uploaded

An introduction to the cryptocurrency investment platform Binance Savings.
An introduction to the cryptocurrency investment platform Binance Savings.An introduction to the cryptocurrency investment platform Binance Savings.
An introduction to the cryptocurrency investment platform Binance Savings.
Any kyc Account
 
Buy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star ReviewsBuy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star Reviews
usawebmarket
 
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challengesEvent Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Holger Mueller
 
The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...
balatucanapplelovely
 
The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...
Adam Smith
 
Recruiting in the Digital Age: A Social Media Masterclass
Recruiting in the Digital Age: A Social Media MasterclassRecruiting in the Digital Age: A Social Media Masterclass
Recruiting in the Digital Age: A Social Media Masterclass
LuanWise
 
Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024
FelixPerez547899
 
Kseniya Leshchenko: Shared development support service model as the way to ma...
Kseniya Leshchenko: Shared development support service model as the way to ma...Kseniya Leshchenko: Shared development support service model as the way to ma...
Kseniya Leshchenko: Shared development support service model as the way to ma...
Lviv Startup Club
 
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
SOFTTECHHUB
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
SynapseIndia
 
Auditing study material for b.com final year students
Auditing study material for b.com final year studentsAuditing study material for b.com final year students
Auditing study material for b.com final year students
narasimhamurthyh4
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
Cynthia Clay
 
Understanding User Needs and Satisfying Them
Understanding User Needs and Satisfying ThemUnderstanding User Needs and Satisfying Them
Understanding User Needs and Satisfying Them
Aggregage
 
LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024
Lital Barkan
 
Authentically Social Presented by Corey Perlman
Authentically Social Presented by Corey PerlmanAuthentically Social Presented by Corey Perlman
Authentically Social Presented by Corey Perlman
Corey Perlman, Social Media Speaker and Consultant
 
Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...
Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...
Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...
bosssp10
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
sarahvanessa51503
 
Training my puppy and implementation in this story
Training my puppy and implementation in this storyTraining my puppy and implementation in this story
Training my puppy and implementation in this story
WilliamRodrigues148
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
dylandmeas
 
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.docBài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc
daothibichhang1
 

Recently uploaded (20)

An introduction to the cryptocurrency investment platform Binance Savings.
An introduction to the cryptocurrency investment platform Binance Savings.An introduction to the cryptocurrency investment platform Binance Savings.
An introduction to the cryptocurrency investment platform Binance Savings.
 
Buy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star ReviewsBuy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star Reviews
 
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challengesEvent Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
 
The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...
 
The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...The Influence of Marketing Strategy and Market Competition on Business Perfor...
The Influence of Marketing Strategy and Market Competition on Business Perfor...
 
Recruiting in the Digital Age: A Social Media Masterclass
Recruiting in the Digital Age: A Social Media MasterclassRecruiting in the Digital Age: A Social Media Masterclass
Recruiting in the Digital Age: A Social Media Masterclass
 
Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024
 
Kseniya Leshchenko: Shared development support service model as the way to ma...
Kseniya Leshchenko: Shared development support service model as the way to ma...Kseniya Leshchenko: Shared development support service model as the way to ma...
Kseniya Leshchenko: Shared development support service model as the way to ma...
 
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
 
Auditing study material for b.com final year students
Auditing study material for b.com final year studentsAuditing study material for b.com final year students
Auditing study material for b.com final year students
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
 
Understanding User Needs and Satisfying Them
Understanding User Needs and Satisfying ThemUnderstanding User Needs and Satisfying Them
Understanding User Needs and Satisfying Them
 
LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024
 
Authentically Social Presented by Corey Perlman
Authentically Social Presented by Corey PerlmanAuthentically Social Presented by Corey Perlman
Authentically Social Presented by Corey Perlman
 
Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...
Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...
Call 8867766396 Satta Matka Dpboss Matka Guessing Satta batta Matka 420 Satta...
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
 
Training my puppy and implementation in this story
Training my puppy and implementation in this storyTraining my puppy and implementation in this story
Training my puppy and implementation in this story
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
 
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.docBài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc
 

SIEM for Beginners

  • 1. Everything You Wanted to Know About Log Management But were Afraid to Ask SIEM FOR BEGINNERS www.alienvault.com
  • 2. Although the industry has settled on the term ‘SIEM’ as the catch-all term for this type of security software, it evolved from several different (but complementary) technologies that came before it. • LMS “Log Management System” – a system that collects and stores log files (from Operating Systems, Applications, etc) from multiple hosts and systems into a single location, allowing centralized access to logs instead of accessing them from each system individually. • SLM /SEM “Security Log/Event Management” – an LMS, but marketed towards security analysts instead of system administrators. SEM is about highlighting log entries as more significant to security than others. • SIM “Security Information Management” – an Asset Management system, but with features to incorporate security information too. Hosts may have vulnerability reports listed in their summaries, Intrusion Detection and AntiVirus alerts may be shown mapped to the systems involved. • SEC “Security Event Correlation” – To a particular piece of software, three failed login attempts to the same user account from three different clients, are just three lines in their logfile. To an analyst, that is a peculiar sequence of events worthy of investigation, and Log Correlation (looking for patterns in log files) is a way to raise alerts when these things happen. • SIEM “Security Information and Event Management” – SIEM is the “All of the Above” option, and as the above technologies become merged into single products, became the generalized term for managing information generated from security controls and infrastructure. We’ll use the term SIEM for the rest of this presentation. A Rose By Any Other Name SLM/LMS, SIM, SEM, SEC, SIEM
  • 3. The information you need to answer “Who’s attacking us today?” and “How did they get access to all our corporate secrets?” We may think of Security Controls as containing all the information we need to be secure, but often they only contain the things they have detected – there is no ‘before and after the event’ context within them. This context is usually vital to separate the false positive from true detection, the actual attack from a merely misconfigured system. Successful attacks on computer systems rarely look like real attacks except in hindsight – if this were not the case, we could automate ALL security defenses without ever needing to employ human analysts. Attackers will try to remove and falsify log entries to cover their tracks – having a source of log information that can be trusted is vital to any legal proceeding from computer misuse. What’s in the Logs? What’s In the Logs?!!Q: A:
  • 4. SIEM is about looking at what’s happening on your network through a larger lens than can be provided via any one security control or information source. None of these by themselves, can tell you what is happening to your business in terms of securing the continuity of your business processes… But together, they can. • Your Intrusion Detection only understands Packets, Protocols & IP Addresses • Your Endpoint Security sees files, usernames & hosts • Your Service Logs show user logins, service activity & configuration changes. • Your Asset Management system sees apps, business processes & owners The Blind Men and the Security Information Elephant
  • 5. SIEM is essentially nothing more than a management layer above your existing systems and security controls. It connects and unifies the information contained in your existing systems, allowing them to be analyzed and cross-referenced from a single interface. SIEM is a perfect example of the ‘Garbage In, Garbage Out’ principle of computing: SIEM is only as useful as the information you put into it. The more valid information depicting your network, systems, and behavior the SIEM has, the more effective it will be in helping you make effective detections, analyses, and responses in your security operations. SIEM A Single View of Your IT Security
  • 6. Bob’s Machine was compromised by asbss.exe which originated from a malicious website, this malware then used Bob’s account to try and infect DAVEPC3, but antivirus caught it. Bob’s machine “BOBPC1” is likely still compromised, however. We should block the malicious domain and sanitize Bob’s workspace, ASAP External Website 4.4.4.4 DMZ Firewall 10.90.0.1 Web Proxy 10.90.0.50 BOBPC1 10.100.23.53 DAVEPC3 10.10123.18 Domain Controller DHCP Server Antivirus Controller Router A A B C D D E E F F B C Connection to TCP port 80 - src:10.90.0.50 dst: 4.4.4.4 state: ACCEPTED HTTP Client GET - http://somebadwebsite.org/878732/asbss.exe %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 10.100.23.53(38231) > 10.90.0.50(3129), 1 packet Lease for 10.100.23.53 Assigned to BOBPC1 - MAC:AE:00:AE:10:F8:D6 Authentication Package: Microsoft_Authentication_Package_V1_0 Logon Account: BRoberts Source Workstation: BOBPC1 Error Code: 0x00000064 Client: DAVEPC3 - Successfully Removed - C:WindowsTempasbss.dll - Reason: Win32/RatProxyDLL18 105
  • 7. • Log Collection is the heart and soul of a SIEM – the more log sources that send logs to the SIEM, the more that can be accomplished with the SIEM. • Logs on their own rarely contain the information needed to understand their contents within the context of your business. • Security Analysts have limited bandwidth to be familiar with every last system that your IT operation depends on. • With only the logs, all an analyst sees is “Connection from Host A to Host B” • Yet, to the administrator of that system, this becomes “Daily Activity Transfer from Point of Sales to Accounts Receivable”. • The Analyst needs this information to make reasoned assessment of any security alert involving this connection. • True value of logs is in correlation to get actionable information. Half a Pound of Logs, A Cup of Asset Records….
  • 8. Security Controls • Intrusion Detection • Endpoint Security (Antivirus, etc) • Data Loss Prevention • VPN Concentrators • Web Filters • Honeypots • Firewalls Infrastructure • Routers • Switches • Domain Controllers • Wireless Access Points • Application Servers • Databases • Intranet Applications Infrastructure Information • Configuration • Locations • Owners • Network Maps • Vulnerability Reports • Software Inventory Business Information • Business Process Mappings • Points of Contact • Partner Information LOGS AND ALERTS: KNOWLEDGE: SIEM Recipes - A list of ingredients you’ll need for a good SIEM Deployment
  • 9. Business Locations Network MapsBusiness Units Configuration and Asset Information System Logs and Security Controls Alerts Software Inventory Software Inventory 10.100.20.0.18 10.88.6.12 10.100.20.0/24 10.88.5.0/16 Pennsylvania Boston Business Processes Accounts Receivable Accounting IT USSaleSyncAcct 10.100.20.18 Initiated Database Copy using credentials USSalesSyncAcct to remote Host 10.88.6.12 - Status Code 0x44F8 How a Log File is Generated in Your Network SIEM
  • 10. Behold: The Power of Correlation Correlation is the process of matching events from systems (hosts, network devices, security controls, anything that sends logs to the SIEM.) Events from different sources can be combined and compared against each other to identify patterns of behavior invisible to individual devices… They can also be matched against the information specific to your business. Correlation allows you to automate detection for the things that should not occur on your network.
  • 11. The beauty of log correlation “14:10 7/4/20110 User BRoberts Successful Auth to 10.100.52.105 from 10.10.8.22” An Account belonging to Marketing connected to an Engineering System from an office desktop, on a day when nobody should be in the office” Log Correlation is the difference between: and...
  • 12. Your network generates vast amounts of log data – a Fortune 500 enterprise’s infrastructure can generate 10 terabytes of plain-text log data per month, without breaking a sweat. You can’t hire enough people to read every line of those logs looking for bad stuff. I’m serious, don’t even try this. Even if you succeeded, they’d be so bored they’d never actually spot anything even if it was right in front of their face.. Which it would be. Log Correlation lets you locate the interesting places in your logs – that’s where the analysts start investigating… And they’re going to find pieces of information that lead to other pieces of information as the trail of evidence warms up. Being able to search through the rest of those logs for that one thing they suspect resides there is one of the other key functions of a SIEM. It’s a good thing that a SIEM is fundamentally a… Slow Cook for 8 Hours Serve to Hungry Analysts…
  • 13. …Giant Database of Logs. It would be amazingly useful if every operating system and every application in the world, recorded their log events in the same format – they don’t. Most logs are written to be readable by humans, not computers. That makes using regular search tools over logs from different sources… a little difficult. These two logs say the same thing to a human being, but are very different from the machine’s point of view. “User Broberts Successfully Authenticated to 10.100.52.105 from client 10.10.8.22” “100.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success” Long story short – we’re going to need to break down every known log message out there, into a normalized format. “User [USERNAME] [STATUS] Authenticated to [DESTIP] from client [SOURCEIP]” “100.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success” So when you see a SIEM Product that talks about “how many devices it supports” – it’s talking about how many devices it can parse the logs from.
  • 14. Breaking those log entries down into their components – normalizing them, is what allows us to search across logs from multiple devices and correlate events between them. Once we’ve normalized logs into a database table, we can do database style searches, such as: This is what allows us to do automated correlation as well, matching fields between log events, across time periods, across device types. Just as with any database, event normalization allows the creation of report summarizations of our log information Show [All Logs] From [All Devices] from the [last two weeks], where the [username] is [Broberts] If A single Host fails to log in to three separate servers using the same credentials, within a 6-second time window, raise an alert What User Accounts have accessed the highest number of distinct hosts in the last month? What Subnet generate the highest number of failed login attempts per day, averaged out over 6 months?” Searches, Pivoting, and Cross-Correlation
  • 15. But Wait, There’s More! • So you’ve now seen that SIEM is a recording device for the systems that form your information infrastructure. • SIEM allows you to give analysts access to information from these systems, without giving them access to the systems themselves. • Event Correlation allows you to encode security knowledge into automated searches across events and asset information to alert on things happening within your infrastructure, and create a starting point for human analysis into a sea of log data. • But to keep up with today’s threat landscape, you need more that just SIEM – you need relevant data, a unified approach and integrated threat intelligence to truly get a holistic view of your security posture.
  • 16. AlienVault® USM™ Brings it all together ASSET DISCOVERY & INVENTORY Find all assets on your network before a bad actor does with active and passive network discovery. SIEM & LOG MANAGEMENT Quickly correlate & analyze security event data from across your network with built-in SIEM & log management INTRUSION DETECTION Detect & respond to threats faster with our built-in network IDS, host- based IDS & file integrity monitoring VULNERABILITY ASSESSMENT Identify systems that are vulnerable to exploits with active network scanning & continuous vulnerability monitoring BEHAVIORAL MONITORING Instantly spot suspicious behavior with NetFlow analysis, service monitoring & full packet capture. powered by AV Labs Threat Intelligence
  • 17. Trouble Ticketing Asset Discovery Log Management Event Management Event Correlation Reporting Features: AlienVault USM Traditional SIEM Built-in $$ (3rd-party product that requires integration) Security Monitoring Technologies Network IDS Host IDS Netflow Full Packet Capture File Integrity Monitoring Vulnerability Assessment Additional Capabilities: Built-in $$ (3rd-party product that requires integration) Built-in $$ (3rd-party product that requires integration) Built-in $$ (3rd-party product that requires integration) Built-in $$ (3rd-party product that requires integration) Built-in $$ (3rd-party product that requires integration) Built-in $$ (3rd-party product that requires integration) Built-in $$ (3rd-party product that requires integration) Continuous Threat Intelligence Built-in Not available Unified Management Console for security monitoring technologies Built-in Not available Management
  • 18. Next Steps: Play, share, enjoy! www.alienvault.com • Watch our 3-minute overview video • Play in our product sandbox • Start detecting threats today with a free trial • Go Beyond SIEM with Unified Security Management • Join the Open Threat Exchange Try it Free BAKOTECH Group is an official distributor of AlienVault in the Baltic States, Ukraine, Kazakhstan, the Eastern Europe and the CIS countries. If you have any questions about AlienVault, please, write us at alienvault@bakotech.com