SlideShare a Scribd company logo
Security Information &
Event Management
Background on Network Components
 Router
 IPS/IDS

 Firewall
 Switch (L2 & L3)

 Servers (Application, Database, etc.)
 Demilitarized Zone (DMZ)

 Virtual Private Network

2
Defense in Depth

3
Typical Corporate Environment

4
Log Management

5

 Log management (LM) comprises an approach to
dealing with large volumes of computer-generated log
messages (also known as audit records, audit trails,
event-logs, etc.).
 LM covers log collection, centralized aggregation, longterm retention, log analysis (in real-time and in bulk
after storage) as well as log search and reporting.
Log Management

6
Log Management Challenges
 Analyzing Logs for Relevant Security Intelligence
 Centralizing Log Collection
 Meeting IT Compliance Requirements
 Conducting Effective Root Cause Analysis
 Making Log Data More Meaningful
 Tracking Suspicious User Behavior

7
Introduction to SIEM

8

 The term Security Information Event Management
(SIEM), coined by Mark Nicolett and Amrit Williams of
Gartner in 2005.
 Describes the product capabilities of gathering,
analyzing and presenting information from network and
security devices; identity and access management
applications; vulnerability management and policy
compliance tools; operating system, database and
application logs; and external threat data.
Introduction to SIEM

9

 Security Information and Event Management (SIEM) is a term
for software and products services combining security
information management (SIM) and security event manager
(SEM).
 The acronyms SEM, SIM and SIEM have been sometimes used
interchangeably.
 The segment of security management that deals with real-time
monitoring, correlation of events, notifications and console views
is commonly known as Security Event Management (SEM).
 The second area provides long-term storage, analysis and
reporting of log data and is known as Security Information
Management (SIM).
Key Objectives




Identify threats and possible breaches
Collect audit logs for security and compliance
Conduct investigations and provide evidence

10
SIEM vs LM

11

Functionality

Security Information and Event
Management (SIEM)

Log Management (LM)

Log collection

Collect security relevant logs + context
data
Parsing, normalization, categorization,
enrichment

Collect all logs

Indexing, parsing or
none

Log retention

Retail parsed and normalized data

Retain raw log data

Reporting
Analysis

Security focused reporting
Correlation, threat scoring, event
prioritization

Broad use reporting
Full text analysis,
tagging

Alerting and
notification

Advanced security focused reporting

Simple alerting on all
logs

Other features

Incident management, analyst workflow,
context analysis, etc.

High scalability of
collection and storage

Log pre-processing
Why is SIEM Necessary?
 Rise in data breaches due to internal and external
threats
 Attackers are smart and traditional security tools
just don’t suffice
 Mitigate sophisticated cyber-attacks
 Manage increasing volumes of logs from multiple
sources
 Meet stringent compliance requirements

12
Elements of SIEM
Monitored Events

Event Collection

Core Engine

User Interface

13
Typical Features of SIEM

14
BIG 3 for SIEM

15

Compliance

SIEM

Security

Operations
SIEM Process Flow

Data
Collection

Extract
Intelligent
Information

16

Add Value

Presentation
Dashboards
& Reports
Typical Working of an SIEM Solution

17
SIEM Architecture
18

System Inputs

Event Data
Operating Systems
Applications
Devices
Databases

Data
Collection
Normalization

Contextual Data
Vulnerability Scans
User Information
Asset Information
Threat Intelligence

SIEM

System Outputs
Analysis
Reports
Real Time Monitoring

Correlation
Logic/Rules
Aggregation
Context

19
Adding Context
Examples of context
 Add geo-location information
 Get information from DNS servers
 Get User details (Full Name, Job Title & Description)

Add context aids in identifying
 Access from foreign locations
 Suspect data transfer

20
21

8 Critical Features of SIEM
#1. Log Collection

22

 Universal Log Collection
 To collect logs from heterogeneous sources
(Windows systems, Unix/Linux systems,
applications, databases, routers, switches, and
other devices).

 Log collection method - agent-based
or agentless
 Both Recommended

 Centralized log collection
 Events Per Second (EPS) – Rate at
which your IT infrastructure sends
events
 If not calculated properly the SIEM solution will
start dropping events before they are stored in
the database leading to incorrect reports,
search results, alerts, and correlation.
#2. User Activity Monitoring

23

 SIEM solutions should have Out-ofthe-box user activity monitoring,
Privileged user monitoring and audit
(PUMA) reporting feature.
 Ensure that the SIEM solution gives
the „Complete audit trail‟
 Know which user performed the action, what
was the result of the action, on what server it
happened, and user workstation/device from
where the action was triggered.
#3. Real Time Event Correlation

A
D

B
C

24

 Real-time event correlation is all
about proactively dealing with
threats.
 Correlation boosts network security
by processing millions of events
simultaneously to detect anomalous
events on the network.
 Correlation can be based on log
search, rules and alerts
 Predefined rules and alerts are not sufficient.
Custom rule and alert builder is a must for
every SIEM solution.
 Ensure that the process of correlating
events is easy.
#4. Log Retention

25

 SIEM solutions should automatically
archive all log data from systems,
devices & applications to a
‘centralized‟ repository.
 Ensure that the SIEM solution has
„Tamper Proof‟ feature which
‘encrypts‟ and ‘time stamps‟ them
for
compliance
and
forensics
purposes.
 Ease of retrieving and analyzing
archived log data.
#5. IT Compliance Reports

26

 IT compliance is the core of every
SIEM solution.
 Ensure that the SIEM solution has
out-of-the-box regulatory compliance
reports such as PCI DSS, FISMA,
GLBA, SOX, HIPAA, etc.
 SIEM solutions should also have the
capability to customize and build new
compliance reports to comply with
future regulatory acts.
#6. File Integrity Monitoring

27

 File integrity monitoring helps security
professionals in monitoring business
critical files and folders.
 Ensure that the SIEM solution tracks
and reports on all changes happening
such as when files and folders are
created, accessed, viewed, deleted,
modified, renamed and much more.
 The SIEM solution should also send
real-time alerts when unauthorized
users access critical files and folders.
#7. Log Forensics

28

 SIEM solutions should allow users to
track down a intruder or the event
activity using log search capability.
 The log search capability should be
very intuitive and user-friendly,
allowing IT administrators to search
through the raw log data quickly.
#8. Dashboards

29

 Dashboards drive SIEM solutions
and help IT administrators take
timely action and make the right
decisions during network anomalies.
 Security data must be presented in a
very intuitive and user-friendly
manner.
 The dashboard must be fully
customizable
so
that
IT
administrators can configure the
security information they wish to see.
30

Deployment Options
Self-Hosted, Self-Managed

31
Self-Hosted, MSSP-Managed

32
Self-Hosted, Jointly-Managed

33
Cloud, MSSP-Managed

34
Cloud, Jointly-Managed

35
Cloud, Self-Managed

36
Hybrid-Model, Jointly-Managed

37
Why SIEM implementation fails?
 Lack of Planning


No defined scope

 Faulty Deployment Strategies



Incoherent log management data collection
High volume of irrelevant data can overload the system

 Operational



Lack of management oversight
Assume plug and play

“Security is a process, not a product”

38
Business Benefits

39

 Real-time Monitoring
 For operational efficiency and IT
security purposes

 Cost Saving
 Compliance
 Reporting
 Rapid ROI
Q&A

40
41

THANK YOU

More Related Content

What's hot

An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
Rizwan S
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
Priyanka Aash
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
M sharifi
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the Basics
Sagar Joshi
 
SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)
Osama Ellahi
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
AlienVault
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
hardik soni
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
Amir Hossein Zargaran
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
PencilData
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
SandeshUprety4
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
Ajit Wadhawan
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
IBM Security
 
Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptx
neoalt
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
ManageEngine EventLog Analyzer
 
QRadar Architecture.pdf
QRadar Architecture.pdfQRadar Architecture.pdf
QRadar Architecture.pdf
PencilData
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
hashnees
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
Muhammad Sahputra
 

What's hot (20)

An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the Basics
 
SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
 
Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptx
 
SIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security ArsenalSIEM - Your Complete IT Security Arsenal
SIEM - Your Complete IT Security Arsenal
 
QRadar Architecture.pdf
QRadar Architecture.pdfQRadar Architecture.pdf
QRadar Architecture.pdf
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 

Similar to Security Information and Event Management (SIEM)

Security Information Event Management Security Information Event Management
Security Information Event Management Security Information Event ManagementSecurity Information Event Management Security Information Event Management
Security Information Event Management Security Information Event Management
karthikvcyber
 
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
 LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
rver21
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
OWASP Delhi
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityA Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
Tripwire
 
EventLog Analyzer - Product overview
EventLog Analyzer - Product overviewEventLog Analyzer - Product overview
EventLog Analyzer - Product overview
ManageEngine EventLog Analyzer
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
karlhennesey
 
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
EMC
 
Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Report: Study and Implementation of Advance Intrusion Detection and Preventio...Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Deepak Mishra
 
SIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEBSIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEB
Merlin Govender
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
IBM Security
 
Siem solutions R&E
Siem solutions R&ESiem solutions R&E
Siem solutions R&E
Owais Ahmad
 
IBM i Security: Identifying the Events That Matter Most
IBM i Security: Identifying the Events That Matter MostIBM i Security: Identifying the Events That Matter Most
IBM i Security: Identifying the Events That Matter Most
Precisely
 
IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,
Information Security Awareness Group
 
LTS Secure SIEM Features
LTS Secure SIEM Features LTS Secure SIEM Features
LTS Secure SIEM Features
rver21
 
Siem pdf
Siem pdfSiem pdf
Siem pdf
kmehul
 
LTS Secure intelligence driven security operation center
LTS Secure intelligence driven security operation centerLTS Secure intelligence driven security operation center
LTS Secure intelligence driven security operation center
rver21
 
Intelligence driven SOC as a Service
Intelligence driven SOC as a ServiceIntelligence driven SOC as a Service
Intelligence driven SOC as a Service
rver21
 
LTS Secure SOC as a Service
LTS Secure SOC as a ServiceLTS Secure SOC as a Service
LTS Secure SOC as a Service
rver21
 
Siem tools-monitor-your-network
Siem tools-monitor-your-networkSiem tools-monitor-your-network
Siem tools-monitor-your-network
hardik soni
 
PKI.pptx
PKI.pptxPKI.pptx
PKI.pptx
Ajit Wadhawan
 

Similar to Security Information and Event Management (SIEM) (20)

Security Information Event Management Security Information Event Management
Security Information Event Management Security Information Event ManagementSecurity Information Event Management Security Information Event Management
Security Information Event Management Security Information Event Management
 
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
 LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityA Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
 
EventLog Analyzer - Product overview
EventLog Analyzer - Product overviewEventLog Analyzer - Product overview
EventLog Analyzer - Product overview
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
 
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
 
Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Report: Study and Implementation of Advance Intrusion Detection and Preventio...Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Report: Study and Implementation of Advance Intrusion Detection and Preventio...
 
SIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEBSIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEB
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
 
Siem solutions R&E
Siem solutions R&ESiem solutions R&E
Siem solutions R&E
 
IBM i Security: Identifying the Events That Matter Most
IBM i Security: Identifying the Events That Matter MostIBM i Security: Identifying the Events That Matter Most
IBM i Security: Identifying the Events That Matter Most
 
IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,
 
LTS Secure SIEM Features
LTS Secure SIEM Features LTS Secure SIEM Features
LTS Secure SIEM Features
 
Siem pdf
Siem pdfSiem pdf
Siem pdf
 
LTS Secure intelligence driven security operation center
LTS Secure intelligence driven security operation centerLTS Secure intelligence driven security operation center
LTS Secure intelligence driven security operation center
 
Intelligence driven SOC as a Service
Intelligence driven SOC as a ServiceIntelligence driven SOC as a Service
Intelligence driven SOC as a Service
 
LTS Secure SOC as a Service
LTS Secure SOC as a ServiceLTS Secure SOC as a Service
LTS Secure SOC as a Service
 
Siem tools-monitor-your-network
Siem tools-monitor-your-networkSiem tools-monitor-your-network
Siem tools-monitor-your-network
 
PKI.pptx
PKI.pptxPKI.pptx
PKI.pptx
 

More from k33a

Audit Principles
Audit PrinciplesAudit Principles
Audit Principles
k33a
 
An Overview of Consumer Privacy Regulations for TSPs in India
An Overview of Consumer Privacy Regulations for TSPs in IndiaAn Overview of Consumer Privacy Regulations for TSPs in India
An Overview of Consumer Privacy Regulations for TSPs in India
k33a
 
Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)
k33a
 
Trusted Platform Module (TPM)
Trusted Platform Module (TPM)Trusted Platform Module (TPM)
Trusted Platform Module (TPM)
k33a
 
Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD)Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD)
k33a
 
Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)
k33a
 
The Communist Manifesto
The Communist ManifestoThe Communist Manifesto
The Communist Manifesto
k33a
 

More from k33a (7)

Audit Principles
Audit PrinciplesAudit Principles
Audit Principles
 
An Overview of Consumer Privacy Regulations for TSPs in India
An Overview of Consumer Privacy Regulations for TSPs in IndiaAn Overview of Consumer Privacy Regulations for TSPs in India
An Overview of Consumer Privacy Regulations for TSPs in India
 
Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP)
 
Trusted Platform Module (TPM)
Trusted Platform Module (TPM)Trusted Platform Module (TPM)
Trusted Platform Module (TPM)
 
Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD)Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD)
 
Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)
 
The Communist Manifesto
The Communist ManifestoThe Communist Manifesto
The Communist Manifesto
 

Security Information and Event Management (SIEM)

  • 2. Background on Network Components  Router  IPS/IDS  Firewall  Switch (L2 & L3)  Servers (Application, Database, etc.)  Demilitarized Zone (DMZ)  Virtual Private Network 2
  • 5. Log Management 5  Log management (LM) comprises an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, event-logs, etc.).  LM covers log collection, centralized aggregation, longterm retention, log analysis (in real-time and in bulk after storage) as well as log search and reporting.
  • 7. Log Management Challenges  Analyzing Logs for Relevant Security Intelligence  Centralizing Log Collection  Meeting IT Compliance Requirements  Conducting Effective Root Cause Analysis  Making Log Data More Meaningful  Tracking Suspicious User Behavior 7
  • 8. Introduction to SIEM 8  The term Security Information Event Management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005.  Describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data.
  • 9. Introduction to SIEM 9  Security Information and Event Management (SIEM) is a term for software and products services combining security information management (SIM) and security event manager (SEM).  The acronyms SEM, SIM and SIEM have been sometimes used interchangeably.  The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as Security Event Management (SEM).  The second area provides long-term storage, analysis and reporting of log data and is known as Security Information Management (SIM).
  • 10. Key Objectives    Identify threats and possible breaches Collect audit logs for security and compliance Conduct investigations and provide evidence 10
  • 11. SIEM vs LM 11 Functionality Security Information and Event Management (SIEM) Log Management (LM) Log collection Collect security relevant logs + context data Parsing, normalization, categorization, enrichment Collect all logs Indexing, parsing or none Log retention Retail parsed and normalized data Retain raw log data Reporting Analysis Security focused reporting Correlation, threat scoring, event prioritization Broad use reporting Full text analysis, tagging Alerting and notification Advanced security focused reporting Simple alerting on all logs Other features Incident management, analyst workflow, context analysis, etc. High scalability of collection and storage Log pre-processing
  • 12. Why is SIEM Necessary?  Rise in data breaches due to internal and external threats  Attackers are smart and traditional security tools just don’t suffice  Mitigate sophisticated cyber-attacks  Manage increasing volumes of logs from multiple sources  Meet stringent compliance requirements 12
  • 13. Elements of SIEM Monitored Events Event Collection Core Engine User Interface 13
  • 15. BIG 3 for SIEM 15 Compliance SIEM Security Operations
  • 17. Typical Working of an SIEM Solution 17
  • 18. SIEM Architecture 18 System Inputs Event Data Operating Systems Applications Devices Databases Data Collection Normalization Contextual Data Vulnerability Scans User Information Asset Information Threat Intelligence SIEM System Outputs Analysis Reports Real Time Monitoring Correlation Logic/Rules Aggregation
  • 20. Adding Context Examples of context  Add geo-location information  Get information from DNS servers  Get User details (Full Name, Job Title & Description) Add context aids in identifying  Access from foreign locations  Suspect data transfer 20
  • 22. #1. Log Collection 22  Universal Log Collection  To collect logs from heterogeneous sources (Windows systems, Unix/Linux systems, applications, databases, routers, switches, and other devices).  Log collection method - agent-based or agentless  Both Recommended  Centralized log collection  Events Per Second (EPS) – Rate at which your IT infrastructure sends events  If not calculated properly the SIEM solution will start dropping events before they are stored in the database leading to incorrect reports, search results, alerts, and correlation.
  • 23. #2. User Activity Monitoring 23  SIEM solutions should have Out-ofthe-box user activity monitoring, Privileged user monitoring and audit (PUMA) reporting feature.  Ensure that the SIEM solution gives the „Complete audit trail‟  Know which user performed the action, what was the result of the action, on what server it happened, and user workstation/device from where the action was triggered.
  • 24. #3. Real Time Event Correlation A D B C 24  Real-time event correlation is all about proactively dealing with threats.  Correlation boosts network security by processing millions of events simultaneously to detect anomalous events on the network.  Correlation can be based on log search, rules and alerts  Predefined rules and alerts are not sufficient. Custom rule and alert builder is a must for every SIEM solution.  Ensure that the process of correlating events is easy.
  • 25. #4. Log Retention 25  SIEM solutions should automatically archive all log data from systems, devices & applications to a ‘centralized‟ repository.  Ensure that the SIEM solution has „Tamper Proof‟ feature which ‘encrypts‟ and ‘time stamps‟ them for compliance and forensics purposes.  Ease of retrieving and analyzing archived log data.
  • 26. #5. IT Compliance Reports 26  IT compliance is the core of every SIEM solution.  Ensure that the SIEM solution has out-of-the-box regulatory compliance reports such as PCI DSS, FISMA, GLBA, SOX, HIPAA, etc.  SIEM solutions should also have the capability to customize and build new compliance reports to comply with future regulatory acts.
  • 27. #6. File Integrity Monitoring 27  File integrity monitoring helps security professionals in monitoring business critical files and folders.  Ensure that the SIEM solution tracks and reports on all changes happening such as when files and folders are created, accessed, viewed, deleted, modified, renamed and much more.  The SIEM solution should also send real-time alerts when unauthorized users access critical files and folders.
  • 28. #7. Log Forensics 28  SIEM solutions should allow users to track down a intruder or the event activity using log search capability.  The log search capability should be very intuitive and user-friendly, allowing IT administrators to search through the raw log data quickly.
  • 29. #8. Dashboards 29  Dashboards drive SIEM solutions and help IT administrators take timely action and make the right decisions during network anomalies.  Security data must be presented in a very intuitive and user-friendly manner.  The dashboard must be fully customizable so that IT administrators can configure the security information they wish to see.
  • 38. Why SIEM implementation fails?  Lack of Planning  No defined scope  Faulty Deployment Strategies   Incoherent log management data collection High volume of irrelevant data can overload the system  Operational   Lack of management oversight Assume plug and play “Security is a process, not a product” 38
  • 39. Business Benefits 39  Real-time Monitoring  For operational efficiency and IT security purposes  Cost Saving  Compliance  Reporting  Rapid ROI