This document discusses key considerations for choosing a SIEM (security information and event management) solution. It begins with an overview of ManageEngine, a provider of IT management software. It then discusses the importance of log management and security event monitoring. The document outlines 8 critical factors to consider when selecting a SIEM solution: log collection capabilities, user activity monitoring, real-time event correlation, log retention, compliance reporting, file integrity monitoring, log forensics, and dashboards. It presents ManageEngine's SIEM offering and highlights its ease of deployment, cost-effectiveness, customizable dashboards, and universal log collection. The presentation concludes with a Q&A.

1. SIEM
Your Complete IT Security Arsenal
8 Things You Should Know About Choosing an SIEM Solution
Joel Fernandes
Sr. Product Marketing Analyst
SIEM Solutions
ManageEngine
joeljohn.f@manageengine.com
Speaker

2. Webinar “Housekeeping” Tips
• Use the “question” box in the lower right corner to
submit your questions
• Questions will be answered during the Q&A session
at the end of the webinar
• We will do our best to answer as many questions as
possible in the allotted time
• This webinar is getting recorded and will be shared
to you via email

3. Agenda
• About ManageEngine
• Log management challenges
• What is SIEM?
• Why is SIEM necessary?
• 2012 Data Breach Analysis
• Typical working of an SIEM solution
• 8 critical things you should know about choosing an SIEM solution
• Business benefits of SIEM solutions
• ManageEngine SIEM product offering – Overview
• Quick Demo - ManageEngine SIEM product offering
• Conclusion
• Q&A

4. About ManageEngine
– IT Management Software division of Zoho
Corporation
– Established in 2002
– ManageEngine covers the complete gamut of
IT solutions
• 21 Products | 20 Free tools | 2 SAAS
offerings
– Trusted by over 72,000 customers across
200+ countries
– 3 out of every 5 Fortune 500 companies are
ManageEngine customers

5. Log Management Challenges
• Analyzing Logs for Relevant Security
Intelligence
• Centralizing Log Collection
• Meeting IT Compliance
Requirements
• Conducting Effective Root Cause
Analysis
• Making Log Data More Meaningful
• Tracking Suspicious User Behavior

6. What is SIEM?
• The term „SIEM‟ was coined by Mark Nicolett
and Amrit Williams (Gartner Analysts) in 2005
• In simple words, SIEM is a combination of
two different types of technologies:
– SIM (Security Information Management) that
focuses on log collection and report generation
– SEM (Security Event Manager) that analyzes
events in real-time using event correlation and
alerting mechanism
• SIEM technology provides network security
intelligence and real-time monitoring for
network devices, systems, and applications

7. Typical Working of an SIEM Solution

8. Why is SIEM necessary?
 Rise in data breaches due to internal and external threats
 Attackers are smart and traditional security tools just don‟t suffice
 Mitigate sophisticated cyber-attacks
 Manage increasing volumes of logs from multiple sources
 Meet stringent compliance requirements
Biggest Data Breaches in 2013
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

9. 2012 Data Breach Analysis
Source: Verizon 2013 Data Breach Investigations Report
Threat categories over timeVictims

10. 8 Things You Should Know About
Choosing an SIEM Solution

11. #1. Log Collection
• Universal Log Collection to collect logs from
heterogeneous sources (Windows systems, Unix/Linux
systems, applications, databases, routers, switches, and
other devices)
• Log collection method - agent-based or
agentless
– Both Recommended
• Centralized log collection
• Events Per Second (EPS) – Rate at which
your IT infrastructure sends events.
– If not calculated properly the SIEM solution will start
dropping events before they are stored in the
database leading to incorrect reports, search results,
alerts, and correlation.

12. #2. User Activity Monitoring
• SIEM solutions should have Out-of-the-box
user activity monitoring, Privileged user
monitoring and audit (PUMA) reporting
feature
• Ensure that the SIEM solution gives the
‘Complete audit trail’
– Know which user performed the action,
what was the result of the action, on
what server it happened, and user
workstation/device from where the
action was triggered.

13. #3. Real Time Event Correlation
• Real-time event correlation is all about
proactively dealing with threats
• Correlation boosts network security by
processing millions of events simultaneously
to detect anomalous events on the network
• Correlation can be based on log search,
rules and alerts
– Predefined rules and alerts are not
sufficient. Custom rule and alert builder
is a must for every SIEM solution.
– Ensure that the process of correlating
events is easy.

14. #4. Log Retention
• SIEM solutions should automatically
archive all log data from systems,
devices & applications to a
„centralized’ repository
• Ensure that the SIEM solution has
‘Tamper Proof’ feature which
„encrypts’ and „time stamps’ them
for compliance and forensics
purposes
• Ease of retrieving and analyzing
archived log data

15. #5. IT Compliance Reports
• IT compliance is the core of every SIEM
solution
• Ensure that the SIEM solution has out-
of-the-box regulatory compliance
reports such as PCI DSS, FISMA,
GLBA, SOX, HIPAA, etc.
• SIEM solutions should also have the
capability to customize and build new
compliance reports to comply with
future regulatory acts

16. #6. File Integrity Monitoring
• File integrity monitoring helps security
professionals in monitoring business
critical files and folders.
• Ensure that the SIEM solution tracks and
reports on all changes happening such as
when files and folders are created,
accessed, viewed, deleted, modified,
renamed and much more.
• The SIEM solution should also send real-
time alerts when unauthorized users
access critical files and folders

17. #7. Log Forensics
• SIEM solutions should allow users to
track down a intruder or the event
activity using log search capability
• The log search capability should be very
intuitive and user-friendly, allowing IT
administrators to search through the raw
log data quickly

18. #8. Dashboards
• Dashboards drive SIEM solutions and
help IT administrators take timely action
and make the right decisions during
network anomalies.
• Security data must be presented in a
very intuitive and user-friendly manner.
• The dashboard must be fully
customizable so that IT administrators
can configure the security information
they wish to see.

19. 8 Critical Things – At a glance

20. Business Benefits of SIEM Solutions
• Real-time Monitoring
– For operational efficiency
and IT security purposes
• Cost Saving
• Compliance
• Reporting
• Rapid ROI

21. ManageEngine‟s SIEM Offering
– Easy of deploy
– Cost-effective
– Customizable dashboard
with drag and drop
widgets
– Uses both Agent and
Agentless log collection
mechanism

22. Universal Log Collection
– Supports heterogeneous
log sources
– Universal log collection
capability helps index any
type of log regardless of
the format and source
– Allows you to index log
data and generate reports
for custom in-
house/proprietary
applications

23. Real Time Event Correlation and Log Forensics
– Correlation using Search: Correlate
events using log search with Wild-
cards, Phrases and Boolean operators
– Correlation using Alerts: Correlate
events using custom and predefined
alerts to mitigate threats in real-time
– Notifications are send in real-time via
Email and SMS
– Conduct root cause analysis by diving
into raw logs and generate forensic
reports in minutes!

24. 5,000+ customers across 110+ countries

25. Get your 30 Day Free Trial Now!
www.eventloganalyzer.com

26. Quick Glance

27. Conclusion
• A SIEM solution can provide enormous security benefits to the company by
protecting the network with real-time log analysis.
• Most organizations think that SIEM solutions have a steep learning curve
and are expensive, complex, and hard to deploy.
• This claim may be true about many SIEM vendors. However, the right
SIEM solution is one that can be easily deployed, is cost-effective, and
meets all your IT security needs with a single tool.

28. Q&A