The document outlines the architecture and functionality of Security Incident Event Management (SIEM) systems, highlighting the importance of event collection, correlation, and reporting in security management. It discusses common challenges in SIEM implementation, such as inadequate planning and deployment strategies. The document also emphasizes the need for effective log management and compliance with security regulations.

1. SIEM Architecture
By
Nishanth Kumar Pathi

2. Nishanth Kumar Pathi
• Information Security Consultant
• null – moderator
• OWASP Contributor
• @nishanthkumarp
• http://nishanth.co.in

3. Typical Corporate Environment

4. Defense in Depth

5. Problem Statement
• Which events should be gathered ?
• How we manage the vast amount of logs and
information
• What and How should we parse, normalize and
time-correction ?
• How should the events be stored ?
• Identify data breach internal or external
• Mitigate cyber attacks.
• Meet Compliance Requirements.

6. What is SIEM
• Security Incident Event Management
• Real time monitoring of Servers, Network
Devices.
• Correlation of Events
• Analysis and reporting of Security Incidents.
• Threat Intelligence
• Long term storage

7. Evolution
• SIM – System* Information Management
• SEM - Security Event Management
• NBA – Network Based Analysis
• Log Management – Log file capture & Storage
• SIEM - SIM & SEM

8. Features of SIEM

9. What it can collect ?

10. Work Flow
Collect data
form log
sources
Correlates
Events
Alerts Security
incidents
Generates IT
security &
compliance
reports
Archive Logs
for Forensic
Analysis

11. SIEM Architecture

12. Dashboard

13. Implementation

14. Self Hosted , Self Managed

15. Cloud Hosted , Self Managed

16. Hybrid Model , Jointly Managed

17. Why SIEM Implementation Fails ?
• Lack of Planning
• Faulty Deployment Strategies.
• Operational Knowledge

18. Any Questions ?

19. Nishanth Kumar Pathi
• Information Security Consultant
• null – moderator
• OWASP Contributor
• @nishanthkumarp
• http://nishanth.co.in