Typical Hybrid Approach for SIEM
In the field of IT, Security Information and Event Management (SIEM) solutions are a combination of the formerly disparate product categories of SIM (security information management) and SEM (security event manager). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes.
The acronyms SEM, SIM and SIEM have been used interchangeably, though there are differences in meaning and product capabilities. The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as Security Event Management (SEM). The second area provides long-term storage, analysis and reporting of log data and is known as Security Information Management (SIM). As with many meanings and definitions of capabilities evolving requirements continually shape derivatives of SIEM product categories. The need for voice centric visibility or vSIEM (voice security information and event management) is a recent example of this evolution.
The term Security Information Event Management (SIEM), in general, describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. A key focus is to monitor and help manage user and service privileges, directory services and other system configuration changes; as well as providing log auditing and review and incident response.
To be truly SIEM solution, need to meet the following criteria:
- Data Aggregation: SIEM/LM (log management) solutions aggregate data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
- Correlation: looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the Security Event Management portion of a full SIEM solution
- Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues. Alerting can be to a dashboard, or sent via third party channels such as email.
- Dashboards: SIEM/LM tools take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.
- Compliance: SIEM applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.
- Retention: SIEM/SIM solutions employ long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements. Long term log data retention is critical in forensic investigations as it is unlikely that discovery of a network breach will be at the time of the breach occurring. Pure SIEM approach, typical SIEM Dashboard
For the enterprise, corporate and government context, as the numbers of network device, security device, server, critical system and business critical applications growing, so do the need for the centralise security event log monitoring and archive is always there for the minimum. Some client will go for low cost point solution, end up with lot of manual work to get the reporting and incident investigation or auditing work to be done, while other will go for the systematic approach to get the things done in the way simplify their time and allow them to focus on get the real intrusion and act on it, as well as for other department user to get their things done (i.e. typical team work and multi user system).
For the coming technology session, E-SPIN will arrange series of related solution to use as the hand on and to look into the common Security Event Log Management, from set up to automatically collect, store, archive, back-up, analyse and report on Syslog, Windows events logs, or W3C logs generated by said Web Application Servers, Load Balancers, Firewalls, Proxy Servers or Content Security appliances. Add Event Log Monitoring to secure network and protect key information.
We will look into how to reduce exposure to security breaches, malware, loss or damage, and protect your organisation against costly financial penalties and legal liabilities.
In specific, we look into “how-to” aspect to run Security Operation Center (SOC) context:
- automatically collect, store, archive and backup all log files with the intent for multi year data storage, cryptographic hashing
- monitor windows event and syslog data in real-time to receive alerts and notification at the first sign of trouble
- filter, analyse and report on log data to verify the success of internal security policies, and demonstrate regulatory compliance
- generate compliance-centric reports for IT personnel, security and compliance officers, and even law enforcement agencies
- spot check and review log files much faster to quickly respond to an emergency incident, and
the practical matter that most vendor want to hide from you regard the following matter – how to do about it:
- integration and share the data with Network Operation Center (NOC) / Security Command Center or other 3rd party Network Management System (NMS) / Intrusion Detection and Prevention System (IDS/IPS/IDP) System integration / Passive Real time vulnerability detection and Active Vulnerability Scan / Regulatory Compliance
Please stay tune to our newsletter and how to register for the series of events. If you have yet subscribe for E-SPIN newsletter, it is the good time to subscriber for. Non-sense and truly value added newsletter with practical information and came with event with the specific theme or area of focus your may involve and participate.
If you have any inquiry or questions, feel free to contact E-SPIN for solution, product and project requirements.