NEED OF A SIEM TOOL FOR AN ORGANIZATION



What is SIEM?

SIEM stands for Security Information and Event Management; it is pronounced "sim" (the E is silent). A SIEM is a system that collects log files, security alerts and events from across the environment into one place, so that security teams can analyse the data more easily. Put another way, you can think of a SIEM as a log management system specialised for security.

How does SIEM work?

A SIEM collects information from other security systems, such as endpoint security products, firewalls and intrusion detection systems. The logs and alerts from these systems need to be stored centrally, so that analysts do not have to go to each individual security product to conduct an investigation.

[Image: Security Information and Event Management (SIEM) overview]
The image above shows the tasks a SIEM tool performs. A SIEM offers powerful log search features, the ability to trigger alerts using rules, and reports that organizations can provide to auditors to demonstrate compliance with various regulations. Modern SIEMs add two newer technologies:

  1.  UEBA
  2.  SOAR

UEBA stands for User and Entity Behaviour Analytics. It is an analytical layer that learns what normal and abnormal behaviour looks like for users and for entities such as databases, servers and devices. It helps analysts spot abnormal behaviour such as a login from an unusual location, or a machine uploading a large amount of data for the first time. In short, UEBA helps the analyst by surfacing suspicious activity that deserves attention.

SOAR stands for Security Orchestration, Automation and Response. SOAR automates the steps a security analyst would otherwise perform by hand to respond to a security incident, so much of that manual work is removed. As an example, suppose malware is found on a laptop. The analyst would normally go to the endpoint security system and quarantine the computer, then perhaps search an IDS (Intrusion Detection System) or IPS (Intrusion Prevention System) for the source of the malware to make sure nobody else is affected. With SOAR, the analyst can trigger the quarantine action directly from the SIEM, without logging into the endpoint security system. Combined with UEBA, the system may also determine that the malware came from a phishing link in an email, so the analyst's next step is to block that link in other emails.
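The following Python sketch is an added example, not code from the original post or from any SIEM product. It ties together the three ideas above in one runnable pipeline: the central collection, normalisation and rule-based alerting described in "How does SIEM work?", the UEBA comparison against a per-user and per-host baseline, and a SOAR-style playbook that maps alerts to response actions such as the laptop quarantine. All log lines, user names, hosts, IP addresses and baselines are constructed for the example, "location" is approximated by source IP, and the response actions are returned as tuples standing in for calls to real EDR, firewall or ticketing APIs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines from three sources, each in its native format.
# Hosts, users and addresses are invented for this example.
RAW_LOGS = [
    "auth 2024-05-01T09:00:01Z sshd: Failed password for alice from 203.0.113.9",
    "auth 2024-05-01T09:00:03Z sshd: Failed password for alice from 203.0.113.9",
    "auth 2024-05-01T09:00:05Z sshd: Failed password for alice from 203.0.113.9",
    "auth 2024-05-01T09:00:07Z sshd: Accepted password for alice from 203.0.113.9",
    "fw 2024-05-01T09:05:00Z ALLOW src=10.0.0.5 dst=198.51.100.7 bytes_out=524288000",
    "fw 2024-05-01T09:05:10Z ALLOW src=10.0.0.6 dst=198.51.100.7 bytes_out=40960",
    "edr 2024-05-01T09:06:00Z host=LAPTOP-42 user=bob verdict=malware file=invoice.pdf.exe",
]

# Assumed UEBA baselines. A real system learns these from weeks of history;
# here they are hard-coded so the example runs offline.
BASELINE_LOGIN_IPS = {"alice": {"10.0.0.5", "10.0.0.6"}, "bob": {"10.0.0.7"}}
BASELINE_BYTES_OUT = {"10.0.0.5": 5_000_000, "10.0.0.6": 50_000}  # usual bytes per flow

AUTH_RE = re.compile(r"^auth (\S+) sshd: (Failed|Accepted) password for (\w+) from ([\d.]+)$")
FW_RE = re.compile(r"^fw (\S+) ALLOW src=([\d.]+) dst=([\d.]+) bytes_out=(\d+)$")
EDR_RE = re.compile(r"^edr (\S+) host=(\S+) user=(\w+) verdict=(\w+) file=(\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalise(line):
    """Collection step: map a raw line from any source onto one common event schema."""
    if m := AUTH_RE.match(line):
        ts, result, user, ip = m.groups()
        kind = "login_success" if result == "Accepted" else "login_failure"
        return {"ts": parse_ts(ts), "source": "auth", "type": kind, "user": user, "src_ip": ip}
    if m := FW_RE.match(line):
        ts, src, dst, nbytes = m.groups()
        return {"ts": parse_ts(ts), "source": "fw", "type": "egress",
                "src_ip": src, "dst_ip": dst, "bytes_out": int(nbytes)}
    if m := EDR_RE.match(line):
        ts, host, user, verdict, path = m.groups()
        kind = "malware_detected" if verdict == "malware" else "edr_event"
        return {"ts": parse_ts(ts), "source": "edr", "type": kind,
                "host": host, "user": user, "file": path}
    return None  # unparseable line; a production SIEM would count and surface these


def rule_bruteforce_then_success(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: one failed login is noise, but >= threshold failures followed
    by a success for the same user and source IP inside the window is a signal."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "login_failure":
            failures[(ev["user"], ev["src_ip"])].append(ev["ts"])
        elif ev["type"] == "login_success":
            recent = [t for t in failures[(ev["user"], ev["src_ip"])] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "user": ev["user"],
                               "src_ip": ev["src_ip"], "failures": len(recent)})
    return alerts


def ueba_anomalies(events, volume_factor=10):
    """UEBA-style checks: compare each event with the entity's own baseline rather
    than with a fixed signature. 'Location' is approximated by source IP here."""
    anomalies = []
    for ev in events:
        if ev["type"] == "login_success" and ev["src_ip"] not in BASELINE_LOGIN_IPS.get(ev["user"], set()):
            anomalies.append({"rule": "login_from_unusual_source", "user": ev["user"], "src_ip": ev["src_ip"]})
        elif ev["type"] == "egress":
            usual = BASELINE_BYTES_OUT.get(ev["src_ip"])
            if usual and ev["bytes_out"] > volume_factor * usual:
                anomalies.append({"rule": "unusual_upload_volume", "host": ev["src_ip"], "bytes_out": ev["bytes_out"]})
    return anomalies


def soar_playbook(alerts):
    """SOAR-style playbook: map each alert type to a response action. Actions are
    returned as tuples standing in for calls to the EDR, firewall or ticketing APIs."""
    actions = []
    for a in alerts:
        if a["rule"] == "malware_detected":
            actions.append(("quarantine_host", a["host"]))  # the laptop case from the text
        elif a["rule"] == "bruteforce_then_success":
            actions.append(("block_ip", a["src_ip"]))
            actions.append(("force_password_reset", a["user"]))
        elif a["rule"] == "unusual_upload_volume":
            actions.append(("open_ticket", a["host"]))  # anomaly only: triage, don't auto-block
    return actions


def run_pipeline(raw_lines=RAW_LOGS):
    """Collect -> normalise -> correlate/UEBA -> automated response."""
    events = [e for e in map(normalise, raw_lines) if e]
    alerts = rule_bruteforce_then_success(events)
    alerts += [{"rule": "malware_detected", "host": e["host"], "user": e["user"]}
               for e in events if e["type"] == "malware_detected"]
    alerts += ueba_anomalies(events)
    return events, alerts, soar_playbook(alerts)


if __name__ == "__main__":
    for item in run_pipeline()[1:]:
        print(item)
```

Running it produces four alerts (the brute-force sequence, the malware verdict, the login from a source outside alice's baseline, and the oversized upload from 10.0.0.5) and four actions. Note the design choice in the playbook: signature-quality alerts (malware verdict, brute force followed by success) are auto-remediated, while a pure UEBA anomaly only opens a ticket, because baseline deviations are hints for an analyst rather than proof of compromise.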

SOC and SIEM

A Security Operations Center (SOC) can use the SIEM simply to demonstrate compliance with regulations such as SOX, HIPAA and GDPR. A more advanced use is zero-day detection, where unusual behaviour rather than a known signature gives the attack away. Some organizations use the SIEM for insider threat detection or for threat hunting, a proactive search for unusual activity inside the organization. In practice, a SIEM helps automate the SOC from detection through investigation and response, and many SOCs are looking to automate in order to make their operations more efficient and reduce their overall risk.

No matter how large or small your organization is, a SIEM is necessary to protect it from unknown attackers. It helps catch malicious activity that could damage your whole business.


References:

  • https://www.youtube.com/watch?v=IeN-wjHetfA
  • https://digitalguardian.com/blog/what-security-operations-center-soc
  • https://searchsecurity.techtarget.com/definition/security-information-and-event-management-SIEM
  • https://www.csoonline.com/article/2124604/what-is-siem-software-how-it-works-and-how-to-choose-the-right-tool.html
  • https://digitalguardian.com/blog/what-user-and-entity-behavior-analytics-definition-ueba-benefits-how-it-works-and-more
  • https://www.fireeye.com/products/helix/what-is-soar.html
  • https://www.youtube.com/watch?v=GbFtSDnPZBQ



Comments

  1. Good article. Can you suggest some popular SIEM tools used in the industry?

    Replies
    1. Appreciate your comment. SolarWinds Security Event Manager, Datadog Security Monitoring, ManageEngine EventLog Analyzer, Splunk Enterprise Security, and OSSEC are the top 5 SIEM tools in 2020.

    2. Nice flow Rajitha. But I'm wondering what the factors are that we should consider when acquiring a good SIEM tool for an organization, and approximately how much will it cost?

    3. The cost can be divided into the following parts, Ruvishka.

      Hardware - SIEM appliance costs or server costs for installation of SIEM software
      Software - Costs of SIEM software or agents for data collection
      Support - Annual costs of maintenance of software and appliance
      Professional Services - Professional services for installation and ongoing tuning
      Intelligence Feeds - Threat intelligence feeds that provide information on adversaries
      Personnel - Cost of personnel to manage and monitor a SIEM implementation
      Personnel Annual Training - Cost of training the personnel annually on security certifications or other security-related training courses

      The cost of a SIEM tool is very high.
  2. Replies
    1. Really appreciate your comments. It motivates me to write more articles.
  3. Informative article Rajitha. Can you explain the important facts to consider when choosing a commercial SIEM tool for an organization?

    Replies
    1. Thank you Dilesha. When selecting a SIEM for an organization we should check whether the following are included:

      Threat Intelligence and Analytics Capabilities.
      Ability to Manage Logs.
      Correlate Security Incidents.
      Timeliness.
      Reporting.
      Forensics Capabilities.
      Going for a POC.
      The Ability to Ingest and Process Network Logs.
  4. SIEM is an integral component in modern Cyber Security Operations Centers. An informative article which covers broad aspects of SIEM.

  5. Educative post Rajitha. Keep up the good work.
