Tuesday, June 26, 2018

SIEM

Security Information and Event Management

Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization's information technology.

It is the practice of collecting, monitoring, analyzing and correlating security logs from security devices for event management.

Logs can be collected from sources like antivirus, IPS/IDS,
firewalls, Active Directory (AD), routers, switches, mail and web gateways,
proxies, etc.



What is SIEM?

A SIEM deployment generally consists of a software agent running on each of the security
devices that are to be monitored. The agent sends security logs to a centralized server, the log collector, where the SOC team monitors the logs for correlation and incident management.

The SIEM presents a console which typically includes reports,
charts and real-time information.



How does SIEM work?

Devices and computer applications generally create events,
which can be application events, security events or even
hardware events. These are kept in event logs: ordered lists
that record everything that happened, one entry per line.

The SIEM agent uses protocols like Syslog or SNMP to transport
these events to the SIEM log collector.

The logs are then stored on the SIEM log collector.
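To make the transport step concrete, here is an added example (not code from the original post) of the classic BSD syslog framing an agent puts on the wire and the decoding a collector does on receipt: the facility and severity of an event are packed into the numeric `<PRI>` prefix as `facility * 8 + severity`, and the collector unpacks them to decide how urgent a record is. Hostnames, program names and message bodies are constructed samples; `LogCollector` is a minimal in-memory stand-in for the real collector, not a product API.

```python
"""Syslog framing between a SIEM agent and its log collector (RFC 3164 style).

Added example, not code from the original post: the agent packs facility and
severity into the <PRI> prefix, the collector decodes it and stores the record.
Hostnames, program names and messages below are constructed samples.
"""
import re
from datetime import datetime

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG  -- the classic BSD syslog layout
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def build_syslog_message(facility, severity, hostname, tag, msg, when=None):
    """Agent side: frame one event as it would be sent to the collector (port 514)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity                     # PRI = facility * 8 + severity
    when = when or datetime(2018, 6, 26, 10, 15, 0)   # fixed stamp keeps output reproducible
    ts = f"{when:%b} {when.day:>2} {when:%H:%M:%S}"   # BSD syslog pads the day with a space
    return f"<{pri}>{ts} {hostname} {tag}: {msg}"


def parse_syslog_message(raw):
    """Collector side: decode PRI into facility/severity and split the header."""
    m = SYSLOG_RE.match(raw)
    if not m or int(m.group("pri")) > 191:            # 191 = local7 * 8 + debug
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    return {
        "facility": FACILITY_NAMES[facility],
        "severity": SEVERITY_NAMES[severity],
        "severity_num": severity,                     # 0 is most severe
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


class LogCollector:
    """In-memory stand-in for the SIEM log collector that the agents send to."""

    def __init__(self):
        self.records = []
        self.malformed = []

    def receive(self, raw):
        parsed = parse_syslog_message(raw)
        if parsed is None:
            self.malformed.append(raw)                # keep unparseable input, never drop it
        else:
            self.records.append(parsed)
        return parsed

    def at_least(self, severity_num):
        """Records at this severity or worse (lower number = more severe)."""
        return [r for r in self.records if r["severity_num"] <= severity_num]


if __name__ == "__main__":
    collector = LogCollector()
    # Constructed traffic from two "agents": a firewall and a domain controller.
    collector.receive(build_syslog_message(4, 2, "fw01", "kernel",
                      "DROP IN=eth0 SRC=203.0.113.9 DST=10.0.5.10 DPT=445"))
    collector.receive(build_syslog_message(10, 6, "dc01", "winlogon[2211]",
                      "EventID=4625 user=jsmith src=10.0.0.25 status=failure"))
    collector.receive("garbage without a PRI header")
    for r in collector.at_least(3):                   # err or worse
        print(r["timestamp"], r["host"], r["facility"], r["severity"], r["message"])
    print(f"{len(collector.records)} stored, {len(collector.malformed)} malformed")
```

Two points a practitioner takes from this: the collector must keep input it cannot parse (a malformed line is itself a signal, and dropping it silently creates a blind spot), and plain UDP syslog carries no authentication or integrity protection, so the hostname in the header is a claim by the sender, not a verified fact; the collector should record the sending IP alongside it.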





The SOC/SIEM team sitting behind the log collector then analyses and correlates the logs with the help of the event manager, a device with its own intelligence.



Each event the SIEM creates should carry at least the following fields:

1. Event ID.
2. Brief summary of the event.
3. Priority of the event (High/Medium/Low).
4. Time the event occurred.
5. Source IP / mail ID / hash, etc.
6. Destination IP / mail ID / system.
7. Action/recommendation for the event.





Important features of SIEM:


Data Aggregation:
SIEM aggregates security events, in the form of logs, from various security and non-security devices for monitoring and event management.


Correlation:
SIEM looks for common links between events to build a meaningful event. Logs from different sources are correlated into a single event.


Alerting:
Alerting is the main feature of SIEM. Once the collected logs have been correlated into a security event, alerting is the next step: the operations team has to be alerted to the incoming threat.


Dashboards:
SIEM also provides informational charts and diagrams in dashboard form, which makes the data easy to understand.
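The following added example (not code from the original post) ties together the seven event fields listed earlier and the aggregation, correlation, alerting and dashboard features just described. Constructed log lines from a domain controller and a firewall are normalized into one event schema, a correlation rule turns a burst of failed logons followed by a success into a single High-priority alert with the firewall's denies from the same source attached as evidence, and a small aggregation produces the counts a dashboard would chart. Hostnames, users and addresses are constructed; the rule id `CORR-001` is a hypothetical name; Windows event IDs 4625 (failed logon) and 4624 (successful logon) are real.

```python
"""Normalize multi-source logs into one event schema, correlate, and alert.

Added example, not from the original post. Log lines, hosts and addresses are
constructed; "CORR-001" is a hypothetical correlation-rule id.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from an AD domain controller (dc01) and a firewall
# (fw01), already in "timestamp host key=value ..." form as stored by a collector.
RAW_LOGS = [
    "2018-06-26T10:15:01 dc01 EventID=4625 user=jsmith src=10.0.0.25 status=failure",
    "2018-06-26T10:15:04 dc01 EventID=4625 user=jsmith src=10.0.0.25 status=failure",
    "2018-06-26T10:15:06 fw01 action=deny src=10.0.0.25 dst=10.0.5.10 dport=445",
    "2018-06-26T10:15:07 dc01 EventID=4625 user=jsmith src=10.0.0.25 status=failure",
    "2018-06-26T10:15:09 dc01 EventID=4624 user=jsmith src=10.0.0.25 status=success",
    "2018-06-26T10:16:30 dc01 EventID=4625 user=amiller src=10.0.0.40 status=failure",
    "2018-06-26T10:16:31 fw01 action=allow src=10.0.0.40 dst=10.0.5.20 dport=443",
]


def parse_kv_line(line):
    """Split 'timestamp host k=v k=v ...' into a flat dict."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(pair.split("=", 1) for pair in rest.split())
    fields["time"] = datetime.fromisoformat(ts)
    fields["host"] = host
    return fields


def normalize(fields):
    """Map a parsed record onto the seven event fields (plus a private kind tag)."""
    if "EventID" in fields:                                  # AD logon audit
        failed = fields["EventID"] == "4625"
        return {"event_id": f"AD-{fields['EventID']}",
                "summary": f"Logon {'failure' if failed else 'success'} for {fields['user']}",
                "priority": "Low", "time": fields["time"], "source": fields["src"],
                "destination": fields["host"], "action": "None",
                "_kind": "logon_failure" if failed else "logon_success"}
    if "action" in fields:                                   # firewall verdict
        return {"event_id": f"FW-{fields['action'].upper()}",
                "summary": f"Firewall {fields['action']} {fields['src']} -> "
                           f"{fields['dst']}:{fields['dport']}",
                "priority": "Low", "time": fields["time"], "source": fields["src"],
                "destination": fields["dst"], "action": "None",
                "_kind": "fw_" + fields["action"]}
    raise ValueError(f"unknown event shape: {fields}")


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Rule: >= threshold logon failures from one source inside the window, then a
    success from that source -> one High alert. Firewall denies from the same
    source in the window are attached as supporting evidence (cross-source link)."""
    failures, denies, alerts = defaultdict(list), defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["time"]):
        src = ev["source"]
        if ev["_kind"] == "logon_failure":
            failures[src].append(ev)
        elif ev["_kind"] == "fw_deny":
            denies[src].append(ev)
        elif ev["_kind"] == "logon_success":
            recent = [f for f in failures[src] if ev["time"] - f["time"] <= window]
            if len(recent) >= threshold:
                related = [d for d in denies[src] if ev["time"] - d["time"] <= window]
                alerts.append({
                    "event_id": "CORR-001",                  # hypothetical rule id
                    "summary": f"{len(recent)} failed logons then success from {src} "
                               f"({len(related)} firewall denies in window)",
                    "priority": "High",
                    "time": ev["time"],
                    "source": src,
                    "destination": ev["destination"],
                    "action": f"Verify with user, reset credential, review host {src}",
                })
                failures[src].clear()                        # one alert per burst
    return alerts


def dashboard_counts(events, alerts):
    """Aggregation for the dashboard: events per source, alerts per priority."""
    per_source, per_priority = defaultdict(int), defaultdict(int)
    for ev in events:
        per_source[ev["source"]] += 1
    for a in alerts:
        per_priority[a["priority"]] += 1
    return dict(per_source), dict(per_priority)


def run_pipeline(lines=RAW_LOGS):
    events = [normalize(parse_kv_line(line)) for line in lines]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_pipeline()
    for a in alerts:
        print(f"[{a['priority']}] {a['event_id']} {a['time']:%H:%M:%S} {a['summary']}")
        print(f"   action: {a['action']}")
    print(dashboard_counts(events, alerts))
```

The design point is that raw logs stay Low priority individually; priority is assigned by the correlation rule, which is where the SIEM's "intelligence" lives. The single failure from 10.0.0.40 never reaches the threshold and produces no alert, which is the behaviour you want from a rule meant to surface brute-force activity rather than every mistyped password.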



