Evolution of SIEM

SIEM tool is the heart of the modern SOC. For most of the security processes SIEM tool lays the foundation and saves the effort of all security analysts. SIEM brings in a huge amount of log data from many different assets which belongs to the organization.

SIEM Security is nothing but the integration of all security tools, monitoring tools, servers, cloud workloads and endpoints to SIEM solution. A SIEM tool collects log data and event data from all the systems, analyze and generate alerts when there are any suspicious activities identified which can lead to a security incident.

All SIEM solutions have three main stages:

1. Data Collection - Collecting log and event data from all the assets of organization - systems, devices, endpoints, apps, security tools, network devices, etc.

2. Data Consolidation - Normalizing and categorizing the collected raw data which can be used by soc analysts to perform analysis. Categorizing data can be done by using origin of the user, systems accessed, credentials, performance and more.

3. Data Analysis - Normalized and categorized data is analyzed and is checked for abnormal or suspicious events which raises an alert on SIEM tool.

Evolution of SIEM:

First Gen SIEM - Introduced in 2005, combination of SIM and SEM. It can process only limited scale of data and generate sophisticated alerts and visualizations.

  • LMS - Log Management Systems: Collection and storage of log data.
  • SIM - Security Information Management: Automation tools used to collect log data. Long-term log data storage, analysis and reporting on collected log data.
  • SEM - Security Event Management: Real-time monitoring and correlation of systems and events with dashboard view and notifications.

Second Gen SIEM - They can consume large volumes of data and can handle big data of historical logs. These second generation SIEMs can correlate historical log data with real time events and data from threat intelligence feeds.  

Third Gen SIEM / Next Gen SIEM - Proposed by Gartner in 2017. Two new technologies are integrated with these SIEMs - UEBA and SOAR. User and Entity Behavior Analytics (UEBA) uses Machine Learning (ML) in establishing behavioral baselines of all users, systems, endpoints, apps, tools which helps in identifying any anomalies. Security Automation, Orchestration and Response (SOAR) helps analysts in quickly investigating incidents and automate response in case of a event.

Importance of SIEM:

SIEM tool importance in organizations:

  1. Log management, case management.
  2. Compliance regulations - PCI DSS, PII, HIPAA, SOX, etc. and policy enforcement.
  3. Security monitoring, incident response.
  4. Threat Intelligence
  5. Data Intelligence
  6. Disaster Recovery
  7. Normalization and Categorization of log data.
  8. Analyzing, alerting and reporting.

Next Gen SIEM Features:

Third Gen SIEM solutions offers some new features:

  1. UEBA - Advanced users / entity behavior analytics which can detect anomalies by monitoring behaviors of users and entities in organization. SIEMs with UEBA use cases:
    • Compromised Insider
    • Malicious Insider
    • Data Loss Prevention
    • Alert Triage
  2. SOAR - Automation and orchestration of incident response.
  3. Dashboards and Visualizations.
  4. Long term data retention and unlimited scalability.
  5. Flexible searching, querying, reporting, and data exploration.
  6. Threat hunting interface.
  7. Forensic Analysis

Comments

Post a Comment

Popular posts from this blog

SOC Types and Roles

Image
  Types of SOC Models Each organization has its own requirements and budget allocated to SOC. So, there are several types of SOC based on those requirements and budget: In-House SOC – Organization builds their own cybersecurity team. But such organization should have a budget to support the survival of the SOC team. Virtual SOC – SOC team does not have their own facility and works often from remote locations. Co-Managed SOC – Organization’s internal SOC team works with an external Managed Security Service Provider (MSSP). In this model, communication and coordination between internal and external teams is important. Command SOC – Senior and experienced SOC team overseeing the smaller SOCs in a large region. Major telecom providers and defense agencies operate on this model. SOC – People, Processes, and Technology A strong coordination between people, processes, and technologies is required to build a strong, capable and successful SOC. People – SOC needs highly trained employees who
Read more

SOC L1, L2 & L3 Analyst Responsibilities

Image
 What is SOC? - Go to Introduction to SOC SOC L1 Analyst Responsibilities: Monitoring SIEM tool and detecting incidents. Monitoring resources and assets, analyzing log data to identify any anomalies. Identifying true positives and false positives. Report incident to SOC and any other relevant teams. Escalating the incidents when SLA's are not met. Assisting SOC L2 & L3 Analysts in incident detection, workflow, remediations and resolutions. Communicate with the external teams for proper incident resolution. Monitoring SIEM health status. Follow up on escalated incidents. SOC L2 Analyst Responsibilities: Validating the incidents escalated by L1 Analysts. In depth investigation on the incidents. Recommending mitigation strategies to resolve the incident. Manage SIEM tool and updating the log baselines. Generating and delivering daily, weekly, and monthly reports on time. Incident knowledge base. Communicating with external entities to resolve any queries on the raised incidents. O
Read more

Introduction to SOC

Image
What is SOC? SOC is an abbreviation for Security Operations Center, a SOC improves any organization’s threat detection, incident response, threat prevention by unifying and coordinating all cybersecurity technologies and operations. A SOC is a team of IT security professionals who monitors 24×7 organization’s IT infrastructure to detect cybersecurity events in real time and respond to them effectively within a shortest period of time possible. SOC Activities and Responsibilities Preparation, planning and prevention Monitoring, detection and response Recovery, refinement and compliance 1. Preparation, planning and prevention Asset Inventory – SOC has a responsibility to maintain an inventory of the assets to identify which of them needs to be protected, assets can be inside or outside of datacenter. They can be databases, cloud services, applications, endpoints, servers or they can be tools used to protect the assets like firewalls, antivirus, antimalware, monitoring applications etc.
Read more