SIEM systems provide security event monitoring and log management by collecting security data from across an organization's network and systems. The first SIEM was developed in 1996 and major players today include IBM QRadar, HP ArcSight, and McAfee Nitro. SIEMs aggregate logs from various sources, use correlation engines to identify related security events, and generate alerts when multiple events indicate a higher risk threat. They provide visibility across an organization's security infrastructure and help with compliance, operations, and forensic investigations. SIEM is important for threat detection, compliance, and gaining insights from security event data.

1. SIEM

2. Brief history of SIEM!!!
 1996 – Birth of SIEM
 2000 – SIEM winner: ArcSight launches
 Big players in the market
ArcSight-HP
QRadar-IBM
Nitro-McAfee
SecureVue–EiQ
Splunk, RSA envision and so on….

3. What is a SIEM??
 SIEM - Security Information Event Management
 Logging and Event Aggregation
 Network (Routers, Switches, Firewall ,etc.)
 System (Server ,workstation ,etc.)
 Application (Web, DB, etc.)
 Correlation Engine
 2+ related events = higher alarm

4. SIEM Advantages
 Correlation of data from multiple systems
 Prioritization based on risk of threat to assets
 Alerting and monitoring on events of interest to escalate
priority
 Monitor and log the access and use of sensitive data
 Limits exposure to breach
 Allows organizations to demonstrate adherence to polices
and controls

5. Present world !!!
 Attackers are more sophisticated in their attacks.
 Defenders need systems which help provide visibility and
altering across numerous security systems.
 SIEM adoption driven by compliance
 Gartner says “more than 80%”
 Put “Security” back into SIEM using real world examples.

6. 5 reasons why SIEM is important…
 Compliance
 Operations Support
 Zero-day & APT
 Forensics

7. FIM

8. What does it do
 Directory Policy
 File Policy
 Registry Policy
 USB Policy

9. SIEM – It’s usage
How is SIEM helpful in the following Security concerns??
 Countermeasures to detect attempts to infect internal
system
 Identification of infected systems
 Mitigation of risk for infected systems
 Detection of outbound sensitive information ( DLP)

10. "Sep 01 2015 01:52:37: %ASA-4-402119:
IPSEC: Received an ESP packet (SPI=
0x8C623E78, sequence number= 0x193D)
from xxx.xxx.xxx.xxx (user= ezvpn2) to
xxx.xxx.xxx.xxx that failed anti-replay
checking. "
uid=asa1.int.xnxx.edu ip=10.1.9.55
extip=10.1.9.55 sev=local6.warn
ec=402119 et=3 sip=
xxx.xxx.xxx.xxx dip=xxx.xxx.xxx.xxx npri=4
dir=1 sgrp=Extranet dgrp=Extranet
proto=IPSEC act=1 family=Others
user=ezvpn2 cnt=1 msg="Invalid
sequence number in the recvd. IPSEC packet."
seq=0x193D ecat=System
ecatsubcat=Error ecatresult=Attemp
RAW log  Parsed logRAW log

11. Architecture

13. Screens 

14. Dashboard

15. Creating Alert

16. Triggered Alerts

17. Forensic Search

18. Asset Configuration

19. Alarms

20. Generated Events

21. Ticketing System for Customers

22. Reports