SIEM
SOC Automation
Integrates with other security solutions using APIs, and lets security staff define automated playbooks and workflows that should be executed in response to specific incidents
Network Time Protocol (NTP)
Protocol that provides the current time; systems synchronize to it so that syslog timestamps are consistent and make sense across systems.
Incident Response
Provides case management, collaboration and knowledge sharing around security incidents, allowing security teams to quickly synchronize on the essential data and respond to a threat
Log Management
SIEM typically provides log storage, organization, retrieval and archival services to satisfy the log management requirements that businesses have.
SIEM
Security Information and Event Management
Goals of a security program/security team
Protect CIA - confidentiality, integrity and availability.
SIEM Use Cases
- Detect zero-days or polymorphic code
- Automate parsing, log normalization and categorization
- Visualization
- Use pattern detection, alerting, baselines and dashboards to detect security issues
- Detect malicious communications; detect cyberwarfare
What are SIEMs used for?
1. Security monitoring, 2. Advanced threat detection, 3. Forensics and incident response, 4. Compliance auditing and reporting
Threat Hunting
Allows security staff to run queries on SIEM data, filter and pivot the data, to proactively uncover threats or vulnerabilities
Alerting
Analyses events and sends out alerts to notify security staff of immediate issues, either by email, other types of messaging, or via security dashboards
Compliance
Automates the gathering of compliance data, producing reports that adapt to security, governance and auditing processes for standards like HIPAA, PCI/DSS, HITECH, SOX and GDPR
Losses
Automation of monitoring, alerting, analysis, correlation, and reporting functions (more work done in less time); identify and correct non-compliant systems and processes (helps avoid compliance-related fines); reduce the organization's attack surface, drastically reducing the likelihood of a security breach.
ROI
By providing a more complete view of IT operations, security, and the protection of valuable information assets within the organization, having a SIEM results in fewer 'losses', including loss avoidance in terms of compliance (fines, etc.).
Manufacturing/Production (CIA Importance)
C-High I-Low A-Medium
Banking (CIA Importance)
C-High I-Medium A-Low
Retail (CIA importance)
C-Medium I-Low A-High
Threat Intelligence Feeds
Combines internal data with threat intelligence feeds containing data on vulnerabilities, threat actors and attack patterns
Dashboards/reporting
Creates visualizations to allow staff to review event data, see patterns and identify activity that does not conform to standard patterns
Capabilities/components
Data aggregation, threat intelligence feeds, correlation, analytics, alerting, dashboards, retention, compliance, threat hunting, incident response, SOC automation
How SIEM Works
Data collection, data storage, policies and rules, data consolidation and correlation
Correlation
Links events and related data into meaningful bundles which represent a real security incident, threat, vulnerability or forensic findings
How can SIEM help with Compliance?
Log management and archival (event collection); system maintenance and monitoring; validation of monitoring; incident detection; proof of all the above
SIEM services (5)
Log management, IT regulatory compliance, event correlation, active response, endpoint security.
Retention
Stores long-term historical data to enable analysis, tracking, and data for compliance requirements. Especially important in forensic investigations, which happen after the fact
Log
System and application events
IT Regulatory Compliance
Taking events that have been logged and building filters or rules based on those logs to audit
Event Correlation
The analysis of multi-event patterns; teaches the system to consider various conditions before triggering an alarm.
Analytics
Uses statistical models and machine learning to identify deeper relationships between data elements, and anomalies compared to known trends, and tie them to security concerns
Endpoint Security
Validate the security 'health' of a system.
Endpoint Security examples
Whether the firewall is running on the PC, if AV definitions were updated, when devices become infected
Active Response
A response generated in real time (automated)
syslog
A service that records log events in a common format
Data aggregation
Bundles data from network, security, servers, databases, applications, and other security systems such as firewalls, anti-virus and Intrusion Detection Systems (IDS)
Nodes/Devices SIEM collects logs from
Computers running various operating systems; network infrastructure systems such as routers, switches, firewalls, proxy servers, IDS, remote access systems, and other network devices
Rules that get checked against the logs (examples)
Frequency of password changes, identifying the OS, frequency of AV, anti-spyware and IDS updates
Audit
Monitor against a standard
SIEM Focus
Provides real-time analysis of security alerts generated by network hardware and applications