SIEM

¡Supera tus tareas y exámenes ahora con Quizwiz!

soc Automation

Integrates with other security solutions using APIs, and lets security staff define automated playbooks and workflows that should be executed in response to specific incidents

Network Time Protocol (NTP)

Protocol that gives the current time.; systems subscribe to it to make syslog make more sense.

Incident Response

Provides case management, collaboration and knowledge sharing around security incidents, allowing security teams to quickly synchronize on the essential data and respond to a threat

Log Management

SIEM typically provides log storage, organization, retrieval and archival services to satisfy the log management that business require

SIEM

Security Information and Event Management

Goals of a security program/security team

Protect CIA - confidentiality, integrity and availability.

SIEM Use Cases

-detect zero-days or polymorphic code -automate Parsing, log normalization and categorization -Visualization -using pattern detection, alerting, baseline and dashboards to detect security issue -detect malicious communications detecting cyberwarfare

What are SIEMs used for?

1. Security Monitoring, advanced threat detection, 3. Forensics and Incident Response, compliance auditing and reporting

Threat Hunting

Allows security staff to run queries on SIEM data, filter and pivot the data, to proactively uncover threats or vulnerabilities

Alerting

Analyses events and sends out alerts to notify security staff of immediate issues, either by email, other types of messaging, or via security dashboards

Compliance

Automates the gathering of compliance data, producing reports that adapt to security, governance and auditing processes for standards like HIPAA, PCI/DSS, HITECH, SOX and GDPR

Losses

Automation of monitoring, alerting, analysis, correlation, and reporting functions.(more work done in less time), Identify and correct non compliant systems and processes (helps avoid compliance related fines) Reduce the organizations attack surface - reducing the likelihood of a security breach drastically.

ROI

By providing a more complete vision of IT ops/security/protection of valuable information assets within the organization, having a SIEM, provides fewer 'losses' Loss avoidance in terms on compliance (fines, etc)

Manufacturing/Production (CIA Importance)

C-High I-Low A-Medium

Banking (CIA Importance)

C-High I-Medium A-Low

Retail (CIA importance)

C-Medium I-Low A-High

Threat Intelligence Feeds

Combines internal data with threat intelligence feeds containing data on vulnerabilities, threat actors and attack patterns

Dashboards/reporting

Creates visualizations to allow staff to review event data, see patterns and identify activity that does not conform to standard patterns

Capabilities/components

Data aggregation, Threat intelligence feeds, correlating, Analytics, alerting, dashboards, retention, compliance, Retention, threat hunting and Incident Response, SOC Automation

How SIEM Works

Data collection, data storage, policies and rules, data consolidation and correlation

Correlation

Links events and related data into meaningful bundles which represent a real security incident, threat, vulnerability or forensic findings

How can SIEM help with Compliance?

Log management and archival (event collection) system maintenance and monitoring validation of monitoring incident detection proof of all the above

SIEM services (5)

Log management, IT regulatory Compliance, Event Correlation, Active Response, Endpoint Security.

Retention

Stores long-term historical data to enable analysis, tracking, and data for compliance requirements. Especially important in forensic investigations, which happen after the fact

Log

System and application events

IT Regulatory Compliance

Taking events that have been logged and building filters or rules based on those logs to audit

Event Correlation

The analysis of multievent patterns - teaches the system to consider various conditions before triggering an alarm.

Analytics

Uses statistical models and machine learning to identify deeper relationships between data elements, and anomalies compared to known trends, and tie them to security concerns

Endpoint Security

Validate the security 'health' of s system.

Endpoint Security examples

Whether the firewall is running on the PC, if AV definitions were updated, when devices become infected

Active Response

a response generated in real time (automated)

syslog

a service that records log events in common format

Data aggregation

bundles data from network, security, servers, databases, applications, and other security systems like firewalls, anti-virus and Intrusion Detection Systems (IDS)

Nodes/Devices SIEM collects logs from

computers on various OS, network infrastructure systems - such as routers, switches, firewalls, proxy servers, IDS, remote access systems, and other network devices

Rules that get checked against the logs (examples)

frequency of password changes, identifying OS, frequency of AV, antispyware, IDS Updates

Audit

monitor against a standard

SIEM Focus

provides real-time analysis of security alerts generated by network hardware and applications


Conjuntos de estudio relacionados

Musculoskeletal Disorders (Exam 3)

View Set

Mod 1-Week 3 -Chapter 26. The Medical Record, Documentation, and Filing

View Set

(Pharm) Gastrointestinal 2 {TERM 3}

View Set

Chp. 15 Disorders of Motor Function

View Set

Chapter 23, Nursing Management: Integumentary Problems: Integ. Problems

View Set