What is SIEM? - Overview

SIEM - Security Information and Event Management, a security solution to address security threats and vulnerabilities which can interfere with organization's business operations. SIEM tool helps the organization's security team to detect any anomalies in its network and alerts the SOC team. Most recent SIEM tools have incorporated artificial intelligence (AI) which can help in automating most of the manual processes related to threat detection and incident response increasing productivity.

SIEM = SIM + SEM

SIM - Security Information Management

SEM - Security Event Management

SIEM is the combination of SIM and SEM, enabling the real-time monitoring and analysis of security events along with tracking and logging of security data for compliance / auditing. 

SIEM has evolved over the years and embedded UEBA - User & Entity Behavior Analytics along with many other security analytics and features like AI and machine learning to identify any abnormal or anomalous user behaviors which can indicate to advanced threats.

Key Features of a SIEM:

Log Management:

Event data is collected and feed to SIEM from a multiple sources of organization's whole IT infrastructure which may be from on-prem or cloud workloads, user logs from different endpoints, data sources, apps and network devices and also from antiviruses, anti-malwares, firewalls. Once event data is collected, SIM correlates the data and analyzes the data in real-time.

SIEM tools may also integrate threat intelligences from any third party to correlate their organization's internal security data against threat signatures and profiles which are previously identified. Real-time threat feed integration helps the security team to detect and block new types of attack signatures.

Event Correlation and Analytics:

Event Correlation is a key feature of SIEM which can provide insights that can help the security team to locate the potential threat and mitigate it before it can cause any damage to business. SIEM uses advanced analytics and understand the data patterns to identify the threats. By offloading the manual procedures related to deep analysis of events, SIEM improves the Mean Time to Detect - MTTD and Mean Time to Respond - MTTR.

Incident Monitoring and Security Alerts:

SIEM is a centralized solution which can consolidate all its analysis done into a single centralized dashboard where all the security team members can monitor activities, triaging security alerts, threat identification and incident response along with remediations. Security analysts can detect any spikes and trends in suspicious activities by Including real-time data visualization in SIEM dashboards. SIEM can alert administrators immediately by using customizable and predefined correlation rules which helps in mitigating the threats by taking appropriate actions before they can escalate to major security issues.

Compliance Management and Reporting:

Most of the organizations are subjected to different security regulatory compliances, for such organizations SIEM solutions are desired products. SIEM is considered a valuable tool for its automated data collection capabilities and for providing the analysis on the collected data. It is used for gathering and verifying compliance data across the business infrastructure. SIEM can generate real-time compliance reports for different compliance standards like HIPPA, SOX, PCI DSS, GDPR, etc. Modern-day SIEM have pre-built or third party integrated add-ons that can generate automated reports designed to meet compliance requirements.



Comments

Post a Comment

Popular posts from this blog

My Blog Posts - Navigate with URLs

Fundamentals of SOC Introduction to SOC - Click Here SOC Types and Roles - Click Here SOC Analyst Responsibilities - Click Here What is SIEM? - Overview - Click Here Evolution of SIEM - Click Here This post will be continuously updating with every new relevant post.
Read more

SOC L1, L2 & L3 Analyst Responsibilities

Image
 What is SOC? - Go to Introduction to SOC SOC L1 Analyst Responsibilities: Monitoring SIEM tool and detecting incidents. Monitoring resources and assets, analyzing log data to identify any anomalies. Identifying true positives and false positives. Report incident to SOC and any other relevant teams. Escalating the incidents when SLA's are not met. Assisting SOC L2 & L3 Analysts in incident detection, workflow, remediations and resolutions. Communicate with the external teams for proper incident resolution. Monitoring SIEM health status. Follow up on escalated incidents. SOC L2 Analyst Responsibilities: Validating the incidents escalated by L1 Analysts. In depth investigation on the incidents. Recommending mitigation strategies to resolve the incident. Manage SIEM tool and updating the log baselines. Generating and delivering daily, weekly, and monthly reports on time. Incident knowledge base. Communicating with external entities to resolve any queries on the raised incidents. O
Read more

SOC Types and Roles

Image
  Types of SOC Models Each organization has its own requirements and budget allocated to SOC. So, there are several types of SOC based on those requirements and budget: In-House SOC – Organization builds their own cybersecurity team. But such organization should have a budget to support the survival of the SOC team. Virtual SOC – SOC team does not have their own facility and works often from remote locations. Co-Managed SOC – Organization’s internal SOC team works with an external Managed Security Service Provider (MSSP). In this model, communication and coordination between internal and external teams is important. Command SOC – Senior and experienced SOC team overseeing the smaller SOCs in a large region. Major telecom providers and defense agencies operate on this model. SOC – People, Processes, and Technology A strong coordination between people, processes, and technologies is required to build a strong, capable and successful SOC. People – SOC needs highly trained employees who
Read more