SIEM
Your Complete IT Security Arsenal
8 Things You Should Know About Choosing an SIEM Solution
Joel Fernandes
Sr. Product Marketing Analyst
SIEM Solutions
ManageEngine
joeljohn.f@manageengine.com
Speaker
Webinar “Housekeeping” Tips
• Use the “question” box in the lower right corner to
submit your questions
• Questions will be answered during the Q&A session
at the end of the webinar
• We will do our best to answer as many questions as
possible in the allotted time
• This webinar is getting recorded and will be shared
to you via email
Agenda
• About ManageEngine
• Log management challenges
• What is SIEM?
• Why is SIEM necessary?
• 2012 Data Breach Analysis
• Typical working of an SIEM solution
• 8 critical things you should know about choosing an SIEM solution
• Business benefits of SIEM solutions
• ManageEngine SIEM product offering – Overview
• Quick Demo - ManageEngine SIEM product offering
• Conclusion
• Q&A
About ManageEngine
– IT Management Software division of Zoho
Corporation
– Established in 2002
– ManageEngine covers the complete gamut of
IT solutions
• 21 Products | 20 Free tools | 2 SaaS
offerings
– Trusted by over 72,000 customers across
200+ countries
– 3 out of every 5 Fortune 500 companies are
ManageEngine customers
Log Management Challenges
• Analyzing Logs for Relevant Security
Intelligence
• Centralizing Log Collection
• Meeting IT Compliance
Requirements
• Conducting Effective Root Cause
Analysis
• Making Log Data More Meaningful
• Tracking Suspicious User Behavior
What is SIEM?
• The term 'SIEM' was coined by Mark Nicolett
and Amrit Williams (Gartner analysts) in 2005
• In simple words, SIEM is a combination of
two different types of technologies:
– SIM (Security Information Management), which
focuses on log collection, storage and report generation
– SEM (Security Event Management), which analyzes
events in real time using event correlation and
alerting mechanisms
• SIEM technology provides network security
intelligence and real-time monitoring for
network devices, systems, and applications
Typical Working of an SIEM Solution
Why is SIEM necessary?
• Rise in data breaches due to internal and external threats
• Attackers are smart and traditional security tools just don't suffice
• Mitigate sophisticated cyber-attacks
• Manage increasing volumes of logs from multiple sources
• Meet stringent compliance requirements
Biggest Data Breaches in 2013
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
2012 Data Breach Analysis
Source: Verizon 2013 Data Breach Investigations Report
Figure panels: Threat categories over time; Victims
8 Things You Should Know About
Choosing an SIEM Solution
#1. Log Collection
• Universal Log Collection to collect logs from
heterogeneous sources (Windows systems, Unix/Linux
systems, applications, databases, routers, switches, and
other devices)
• Log collection method - agent-based or
agentless
– Support for both is recommended: agentless
collection for network devices and syslog
sources, agents where the host has to buffer,
filter or securely forward its logs
• Centralized log collection
• Events Per Second (EPS) – the rate at which
your IT infrastructure sends events.
– Size for the measured peak, not the average:
if the licensed or provisioned EPS is below
the real rate, the SIEM drops events before
they are stored in the database, and every
report, search result, alert and correlation
built on that data is incomplete.
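The EPS point is the one most often got wrong in sizing, because vendors quote a sustained figure while collectors drop on bursts. The following is an added example, not code from the deck or from ManageEngine: it measures average and peak EPS from a batch of constructed syslog-style lines, compares the peak against a licence figure with an assumed headroom multiplier, and turns the average into a rough raw-storage estimate for a retention period. The sample lines, the burst factor and the 200 bytes/event figure are all assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample syslog-style lines (not captured from a real network).
# Each line starts with an ISO-8601 UTC timestamp, which is all the estimate needs.
SAMPLE_LOGS = [
    "2013-11-05T09:00:00Z fw01 kernel: DROP SRC=198.51.100.7 DST=10.0.0.5 DPT=22",
    "2013-11-05T09:00:01Z dc01 Security: 4624 user=alice src=10.0.1.20",
    "2013-11-05T09:00:01Z web01 sshd: Accepted publickey for deploy from 10.0.1.30",
    "2013-11-05T09:00:02Z fw01 kernel: DROP SRC=198.51.100.7 DST=10.0.0.5 DPT=23",
    "2013-11-05T09:00:02Z fw01 kernel: DROP SRC=198.51.100.7 DST=10.0.0.5 DPT=25",
    "2013-11-05T09:00:02Z fw01 kernel: DROP SRC=198.51.100.7 DST=10.0.0.5 DPT=80",
    "2013-11-05T09:00:02Z fw01 kernel: DROP SRC=198.51.100.7 DST=10.0.0.5 DPT=443",
    "2013-11-05T09:00:02Z dc01 Security: 4625 user=bob src=10.0.1.21",
    "2013-11-05T09:00:03Z web01 nginx: 10.0.1.30 GET /health 200",
    "2013-11-05T09:00:04Z web01 nginx: 10.0.1.31 GET /login 200",
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\b")


def parse_timestamp(line):
    """Return the leading timestamp as an aware UTC datetime, or None if absent."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def eps_profile(lines):
    """Bucket events per second and report average and peak EPS.

    Average = events over the observed window (first to last second, inclusive),
    which is what naive sizing uses. Peak = the busiest single second, which is
    what decides whether the collector actually drops events.
    """
    per_second = Counter()
    for line in lines:
        ts = parse_timestamp(line)
        if ts is not None:
            per_second[ts] += 1
    if not per_second:
        return {"events": 0, "window_seconds": 0, "average_eps": 0.0,
                "peak_eps": 0, "peak_second": None}
    first, last = min(per_second), max(per_second)
    window = int((last - first).total_seconds()) + 1
    peak_second, peak = per_second.most_common(1)[0]
    total = sum(per_second.values())
    return {"events": total, "window_seconds": window, "average_eps": total / window,
            "peak_eps": peak, "peak_second": peak_second}


def capacity_check(profile, licensed_eps, burst_factor=2.0):
    """Compare the measured peak against the EPS you intend to license.

    Returns (ok, required_eps). burst_factor is an assumed headroom multiplier;
    derive it from your own busiest hours (patch windows, scans, outages).
    """
    required = int(profile["peak_eps"] * burst_factor)
    return licensed_eps >= required, required


def storage_estimate_bytes(profile, avg_event_bytes, retention_days):
    """Rough raw storage for the retention period, before compression and indexing."""
    return int(profile["average_eps"] * avg_event_bytes * 86400 * retention_days)


if __name__ == "__main__":
    p = eps_profile(SAMPLE_LOGS)
    print(f"events={p['events']} window={p['window_seconds']}s "
          f"avg={p['average_eps']:.2f} EPS peak={p['peak_eps']} EPS at {p['peak_second']}")
    ok, need = capacity_check(p, licensed_eps=4)
    print("4 EPS licence:", "sufficient" if ok else f"too low, plan for about {need} EPS")
    print("90-day raw storage at 200 bytes/event:",
          storage_estimate_bytes(p, 200, 90) // 1_000_000, "MB")
```

Run it against a day or a week of real exports from each source type rather than ten lines: the average on the sample is 2 EPS, but the firewall burst at 09:00:02 gives a peak of 5, and it is the peak that a licence or collector queue has to absorb.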
#2. User Activity Monitoring
• SIEM solutions should have Out-of-the-box
user activity monitoring, Privileged user
monitoring and audit (PUMA) reporting
feature
• Ensure that the SIEM solution gives the
‘Complete audit trail’
– Know which user performed the action,
what was the result of the action, on
what server it happened, and user
workstation/device from where the
action was triggered.
#3. Real Time Event Correlation
• Real-time event correlation is all about
proactively dealing with threats
• Correlation boosts network security by
processing millions of events simultaneously
to detect anomalous events on the network
• Correlation can be based on log search,
rules and alerts
– Predefined rules and alerts are not
sufficient. Custom rule and alert builder
is a must for every SIEM solution.
– Ensure that the process of correlating
events is easy.
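The audit-trail questions in #2 (which user, what result, on which server, from which workstation) and the correlation requirement in #3 are the same problem seen from two sides: a correlation rule is only as good as the normalised fields it can key on. The following is an added example, not code from the deck or from ManageEngine. It normalises constructed key=value audit records (a stand-in for whatever a collector produces from Windows 4624/4625 or Unix auth events), runs one custom rule, five failed logons for a (user, source) pair inside 60 seconds followed by a success, and then pulls the complete trail of what that user did from that workstation afterwards. The record format, hosts, users and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed audit records in a simple key=value form, standing in for whatever
# the collector normalises Windows 4624/4625 or Unix auth events into.
SAMPLE_EVENTS = [
    "2013-11-05T09:00:00Z host=dc01 user=alice action=logon result=success src=10.0.1.20",
    "2013-11-05T09:00:05Z host=dc01 user=bob action=logon result=failure src=10.0.1.99",
    "2013-11-05T09:00:07Z host=dc01 user=bob action=logon result=failure src=10.0.1.99",
    "2013-11-05T09:00:09Z host=dc01 user=bob action=logon result=failure src=10.0.1.99",
    "2013-11-05T09:00:11Z host=dc01 user=bob action=logon result=failure src=10.0.1.99",
    "2013-11-05T09:00:12Z host=dc01 user=bob action=logon result=failure src=10.0.1.99",
    "2013-11-05T09:00:14Z host=dc01 user=bob action=logon result=success src=10.0.1.99",
    "2013-11-05T09:02:00Z host=fs01 user=bob action=file_read result=success src=10.0.1.99 object=/srv/finance/payroll.xlsx",
    "2013-11-05T09:10:00Z host=dc01 user=carol action=logon result=failure src=10.0.1.22",
    "2013-11-05T09:10:30Z host=dc01 user=carol action=logon result=success src=10.0.1.22",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
AUDIT_FIELDS = ("host", "user", "action", "result", "src")  # where, who, what, outcome, from where


def parse_record(line):
    """Normalise one line into an audit-trail record with the fields the deck asks for."""
    ts_text, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    rec.update(KV_RE.findall(rest))
    for field in AUDIT_FIELDS:
        rec.setdefault(field, None)  # a record missing any of these is an incomplete trail
    return rec


def brute_force_then_success(records, threshold=5, window=timedelta(seconds=60)):
    """Correlation rule: at least `threshold` failed logons for the same (user, src)
    inside `window`, followed by a successful logon from that same pair."""
    failures = defaultdict(deque)
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["action"] != "logon":
            continue
        key = (rec["user"], rec["src"])
        recent = failures[key]
        while recent and rec["ts"] - recent[0] > window:
            recent.popleft()  # expire failures that fell out of the window
        if rec["result"] == "failure":
            recent.append(rec["ts"])
        elif rec["result"] == "success" and len(recent) >= threshold:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "src": rec["src"],
                           "host": rec["host"], "failures": len(recent)})
            recent.clear()
    return alerts


def audit_trail(records, user, src, since, horizon=timedelta(minutes=10)):
    """Everything that user did from that workstation after the alert fired."""
    return [r for r in sorted(records, key=lambda r: r["ts"])
            if r["user"] == user and r["src"] == src and since <= r["ts"] <= since + horizon]


if __name__ == "__main__":
    records = [parse_record(line) for line in SAMPLE_EVENTS]
    for alert in brute_force_then_success(records):
        print(f"ALERT {alert['ts'].isoformat()}: {alert['failures']} failed logons for "
              f"{alert['user']} from {alert['src']} then success on {alert['host']}")
        for r in audit_trail(records, alert["user"], alert["src"], alert["ts"]):
            print(f"  {r['ts'].time()} {r['host']} {r['action']} {r['result']} {r.get('object', '')}")
```

Carol's single typo followed by a correct password does not fire; bob's five failures and then a success from the same workstation do, and the trail immediately shows the payroll file read on fs01 two minutes later. That follow-on step is only possible because every record carries host, user and source, which is the concrete test to apply to a vendor's "complete audit trail" claim.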
#4. Log Retention
• SIEM solutions should automatically
archive all log data from systems,
devices & applications to a
'centralized' repository
• Ensure that the archive is tamper-evident:
records should be hashed or signed and
time-stamped so that any later alteration
or deletion can be detected, and encrypted
at rest so archived data stays confidential.
Encryption alone does not prove integrity;
both properties matter for compliance and
forensics purposes
• Ease of retrieving and analyzing
archived log data
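What "tamper-evident" has to mean in practice: an auditor or investigator must be able to show that an archived record was not edited, reordered or quietly removed after the fact. The following is an added example, not code from the deck or from ManageEngine. It chains archived lines with SHA-256 so each record commits to its predecessor, time-stamps the batch, and seals the chain head with an HMAC whose key is assumed to live off the SIEM host; verification reports the index of the first bad record, or the chain length when the chain is internally consistent but no longer matches the seal (tail truncation, or a full rewrite by someone with write access to the archive). Encryption at rest is a separate layer and is not shown. The key and log lines are constructed.

```python
import hashlib
import hmac
import json

# Assumption: in production the seal key is kept off the SIEM host (HSM, KMS,
# or a separately controlled secret store). A constant here only so this runs offline.
SEAL_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64


def record_digest(prev, seq, archived_at, line):
    """SHA-256 over position, archive time, content and the previous digest."""
    material = json.dumps([prev, seq, archived_at, line], separators=(",", ":")).encode()
    return hashlib.sha256(material).hexdigest()


def archive(lines, archived_at):
    """Chain raw log lines: every record commits to the one before it."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        digest = record_digest(prev, seq, archived_at, line)
        records.append({"seq": seq, "archived_at": archived_at, "line": line,
                        "prev": prev, "digest": digest})
        prev = digest
    return records


def seal(records, key=SEAL_KEY):
    """HMAC over the chain head. Stored apart from the archive, it catches someone
    who edits a record and then recomputes every digest after it, and tail truncation."""
    head = records[-1]["digest"] if records else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify(records, tag, key=SEAL_KEY):
    """Return (True, None) if intact, else (False, index of the first bad record).
    An index equal to len(records) means the chain is self-consistent but does not
    match the seal: the tail was cut or the chain was rewritten."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = record_digest(prev, rec["seq"], rec["archived_at"], rec["line"])
        if rec["seq"] != i or rec["prev"] != prev or rec["digest"] != expected:
            return False, i
        prev = rec["digest"]
    if not hmac.compare_digest(seal(records, key), tag):
        return False, len(records)
    return True, None


if __name__ == "__main__":
    # Constructed log lines, not from a real system.
    lines = [
        "2013-11-05T09:00:00Z fw01 kernel: DROP SRC=198.51.100.7 DST=10.0.0.5 DPT=22",
        "2013-11-05T09:00:01Z dc01 Security: 4625 user=bob src=10.0.1.99",
        "2013-11-05T09:00:02Z dc01 Security: 4624 user=bob src=10.0.1.99",
    ]
    chain = archive(lines, archived_at="2013-11-06T00:00:00Z")
    tag = seal(chain)
    print("intact:", verify(chain, tag))
    edited = [dict(r) for r in chain]
    edited[1]["line"] = edited[1]["line"].replace("4625", "4624")  # hide the failed logon
    print("edited record:", verify(edited, tag))
    print("tail removed:", verify(chain[:-1], tag))
```

The seal is the part worth asking a vendor about: a hash chain stored next to the data only protects against edits by someone who does not know how to recompute it, while a signature or keyed MAC held elsewhere (and ideally a third-party time-stamp) protects against the administrator of the archive itself.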
#5. IT Compliance Reports
• Compliance reporting is a core use case of
every SIEM solution
• Ensure that the SIEM solution has out-
of-the-box regulatory compliance
reports such as PCI DSS, FISMA,
GLBA, SOX, HIPAA, etc.
• SIEM solutions should also have the
capability to customize and build new
compliance reports to comply with
future regulatory acts
#6. File Integrity Monitoring
• File integrity monitoring helps security
professionals in monitoring business
critical files and folders.
• Ensure that the SIEM solution tracks and
reports on every change to those paths:
files and folders being created, accessed,
deleted, modified, renamed, or having their
permissions and ownership changed.
• The SIEM solution should also send real-
time alerts when unauthorized users
access critical files and folders
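Create, modify, delete and rename can all be detected from content hashes; "accessed" or "viewed" cannot, since reading a file changes nothing on disk, and needs the OS audit subsystem (auditd, Windows object-access auditing) feeding the SIEM instead. The following is an added example, not code from the deck or from ManageEngine, of the hash-based half: it snapshots a directory tree, diffs two snapshots into created/modified/deleted/renamed (a rename is recognised as a deleted path whose exact hash reappears under a new name), and turns changes under critical paths into alert candidates. The demo tree written to a temporary directory and the critical-path list are constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a swapped symlink target is a separate check; hash real files only
            result[os.path.relpath(full, root)] = file_sha256(full)
    return result


def diff_snapshots(baseline, current):
    """Classify changes between two snapshots as created/modified/deleted/renamed.

    A path that vanished while its exact hash appeared under a new path is
    reported as a rename. Identical contents (e.g. several empty files) can
    make that pairing ambiguous, so renames are matched in sorted path order.
    """
    created = {p for p in current if p not in baseline}
    deleted = {p for p in baseline if p not in current}
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    gone_by_hash = {}
    for p in sorted(deleted):
        gone_by_hash.setdefault(baseline[p], []).append(p)
    renamed = []
    for new_path in sorted(created):
        old_paths = gone_by_hash.get(current[new_path])
        if old_paths:
            renamed.append((old_paths.pop(0), new_path))
    renamed_old = {o for o, _ in renamed}
    renamed_new = {n for _, n in renamed}
    return {"created": sorted(created - renamed_new),
            "deleted": sorted(deleted - renamed_old),
            "modified": modified,
            "renamed": renamed}


def alerts_for(changes, critical_prefixes):
    """Alert candidates: any change that touches a critical file or directory."""
    def critical(p):
        return any(p == c or p.startswith(c.rstrip("/") + "/") for c in critical_prefixes)
    out = [f"{kind}: {p}" for kind in ("created", "modified", "deleted")
           for p in changes[kind] if critical(p)]
    out += [f"renamed: {o} -> {n}" for o, n in changes["renamed"] if critical(o) or critical(n)]
    return out


if __name__ == "__main__":
    # Constructed demo tree in a temp directory; nothing here is a real system path.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        for name, body in (("etc/passwd", b"root:x:0:0\n"), ("etc/hosts", b"127.0.0.1 localhost\n"),
                           ("etc/old.conf", b"keep=1\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = snapshot(root)
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"backdoor:x:0:0\n")  # the kind of edit FIM exists to catch
        os.rename(os.path.join(root, "etc/old.conf"), os.path.join(root, "etc/new.conf"))
        os.remove(os.path.join(root, "etc/hosts"))
        changes = diff_snapshots(baseline, snapshot(root))
        for line in alerts_for(changes, ["etc"]):
            print("ALERT", line)
```

A polling snapshot like this gives "what changed since the last run", which is enough for configuration drift but not for the real-time alert the slide asks for; for that, the agent has to subscribe to filesystem notifications or the OS audit log and attribute each event to the user and process that caused it.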
#7. Log Forensics
• SIEM solutions should allow users to
track down an intruder or reconstruct event
activity using log search capability
• The log search capability should be
intuitive and user-friendly, allowing IT
administrators to search through the raw
log data quickly
#8. Dashboards
• Dashboards drive SIEM solutions and
help IT administrators take timely action
and make the right decisions during
network anomalies.
• Security data must be presented in a
very intuitive and user-friendly manner.
• The dashboard must be fully
customizable so that IT administrators
can configure the security information
they wish to see.
8 Critical Things – At a glance
Business Benefits of SIEM Solutions
• Real-time Monitoring
– For operational efficiency
and IT security purposes
• Cost Saving
• Compliance
• Reporting
• Rapid ROI
ManageEngine's SIEM Offering
– Easy to deploy
– Cost-effective
– Customizable dashboard
with drag and drop
widgets
– Uses both agent-based and
agentless log collection
mechanisms
Universal Log Collection
– Supports heterogeneous
log sources
– Universal log collection
capability helps index any
type of log regardless of
the format and source
– Allows you to index log
data and generate reports
for custom in-
house/proprietary
applications
Real Time Event Correlation and Log Forensics
– Correlation using Search: Correlate
events using log search with Wild-
cards, Phrases and Boolean operators
– Correlation using Alerts: Correlate
events using custom and predefined
alerts to mitigate threats in real-time
– Notifications are sent in real time via
Email and SMS
– Conduct root cause analysis by diving
into raw logs and generate forensic
reports in minutes!
5,000+ customers across 110+ countries
Get your 30 Day Free Trial Now!
www.eventloganalyzer.com
Quick Glance
Conclusion
• A SIEM solution can provide enormous security benefits to the company by
protecting the network with real-time log analysis.
• Most organizations think that SIEM solutions have a steep learning curve
and are expensive, complex, and hard to deploy.
• This claim may be true about many SIEM vendors. However, the right
SIEM solution is one that can be easily deployed, is cost-effective, and
meets all your IT security needs with a single tool.
Q&A
