Skip to main content

5 unique reasons why SIEM more important-Cyber Security


WHAT IS SIEM?

Security information and event management (SIEM) is an approach to Cybersecurity management that combines SIM (security information management) and SEM (security event management) functions into one security management system.

The term security information event management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005,
  • the product capabilities of gathering, analyzing and presenting information from network and security devices
  • identity and access-management applications
  • vulnerability management and policy-compliance tools
  • operating-system, database and application logs
  • external threat data

A key focus is to monitor and help manage user and service privileges, directory services and other[clarification needed] system-configuration changes; as well as providing log auditing and review and incident response.

WHY WE NEED?


IT environments are growing ever more distributed, complex and difficult to manage, making the role of security information and event management (SIEM) technology more important than ever. Here's why.

Compliance 

Almost every business is bound by some sort of regulation, such as PCI-DSS, HIPAA and Sarbanes-Oxley (SOX). Attaining and maintaining compliance with these regulations is a daunting task. SIEM technologies can address compliance requirements both directly and indirectly.

Operations support

 The size and complexity of today's enterprises is growing exponentially, along with the number of IT personnel to support them. Operations are often split among different groups such as the Network Operations Center (NOC), the Security Operations Center (SOC), the server team, desktop team, etc., each with their own tools to monitor and respond to events. This makes information sharing and collaboration difficult when problems occur. A SIEM can pull data from disparate systems into a single pane of glass, allowing for efficient cross-team collaboration in extremely large enterprises.

Zero-day threat detection

 New attack vectors and vulnerabilities are discovered every day. Firewalls, IDS/IPS, and AV solutions all look for malicious activity at various points within the IT infrastructure, from the perimeter to endpoints. However, many of these solutions are not equipped to detect zero-day attacks. A SIEM can detect activity associated with an attack rather than the attack itself. For instance, a well-crafted spear-phishing attack using a zero-day exploit has a high likelihood of making it through spam filters, firewalls and antivirus software, and being opened by a target user.

A SIEM can be configured to detect activity surrounding such an attack. For example, a PDF exploit generally causes the Adobe Reader process to crash. Shortly thereafter, a new process will launch that either listens for an incoming network connection or initiates an outbound connection to the attacker. Many SIEMs offer enhanced endpoint monitoring capabilities that keep track of processes starting and stopping and network connections opening and closing. By correlating process activity and network connections from host machines a SIEM can detect attacks, without ever having to inspect packets or payloads. While IDS/IPS and AV do what they do well, a SIEM provides a safety net that can catch malicious activities that slip through traditional defenses.

Advanced persistent threats 

APTs have been in the news a lot, with many experts claiming they were responsible for the high-profile breaches at RSA, Lockheed Martin, and others. An APT is generally defined as a sophisticated attack that targets a specific piece of data or infrastructure, using a combination of attack vectors and methods, simple or advanced, to elude detection. In response, many organizations have implemented a defense in depth strategy around their critical assets using firewalls and IDS/IPS at the perimeter, two-factor authentication, internal firewalls, network segmentation, HIDS, AV, etc.

All of these devices generate a huge amount of data, which is difficult to monitor. A security team cannot realistically have eight dashboards open and correlate events among several components fast enough to keep up with the packets traversing the network. SIEM technologies bring all of these controls together into a single engine, capable of continuous real-time monitoring and correlation across the breadth and depth of the enterprise.


Forensics

 A forensic investigation can be a long, drawn-out process. Not only must a forensics analyst interpret log data to determine what actually happened, the analyst must preserve the data in a way that makes it admissible in a court of law. By storing and protecting historical logs, and providing tools to quickly navigate and correlate the data, SIEM technologies allow for rapid, thorough and court-admissible forensics investigations.


Source: Networkworld and Wiki


Labels:

Comments

Post a Comment

Popular posts from this blog

My Life as Information security engineer Chapter 1: Tools

  Hi folks, here I am going to share the tools list that I am using in my daily life cycle. NMAP  Nmap (“Network Mapper”) is a free and open-source (license) utility for network discovery and security auditing. Basically, I will use it to discover the open ports and closed ports where I did Port Mapping in firewalls. We can use this in the local network as well as in the WAN network. Also with help of the NSE script, we do multiple things like vulnerability check, exploitation, etc., Ref: http://www.piratesshield.com/2017/11/nmap-network-mapper-securtiy-scanner.html CURL and WGET curl   is a tool to transfer data from or to a server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE). Normally using this tool to analyze the website headers when my web security device blocking some dynamic content websites and to create the Application signature in IPS. Wget   using to download files directly instead of opening and surfing the brow
Post a Comment
Read more

AquaSec Container Security Solution ( DevSecOps ) - A quickView

  What is AquaSec?      The Aqua Platform is the leading Cloud Native Application Protection Platform (CNAPP) and provides prevention, detection, and response automation across the entire application lifecycle to secure the supply chain, secure cloud infrastructure, and secure running workloads wherever they are deployed.    Solutions : Cloud Native Security Platform CSPM Cloud Security Container Security Kubernetes Security Serverless Security Cloud VM Security Dynamic Threat Analysis (DTA) Container Vulnerability Scanning Aquasec offers a 14days trial to learn the container security / Automated DevSecOps. Use this link to get free trail  Sign In | Aqua (aquasec.com)   How to start with AquaSec? Once login into the portal click the nine dots in the left-side top > Aqua Hub  Then click the "Integrations" The Integration page has a lot of options to connect your container Platform Choosing your platform provides the required key to integrate. (follow the OEM documents ) The
Post a Comment
Read more

What is IP Obfuscation ? How it's working ? how to use Cuteit tool ?

  What is IP  Obfuscation?     Which is a method to hide or convert a doted format IP address  (e.g. 192.168.192.2)   into an Integer or Hexadecimal value or Octal form by using some mathematical formula. It’s a kind of method to spoof the human eyes and web security services. dot format to Decimal Conversion   piratesshield.com 👉  [172.67.129.3] to translate (172 x256 3 )+(67×256 2 )+(129×256 1 )+(3×256 0 ) =  2890105091 Now you can use  https://2890105091  to access piratesshield.com This is one of the ways to do IP  Obfuscation.  The tool  ‘ Cuteit ‘ is  A simple python tool to help you to social engineer, bypass whitelisting firewalls, potentially break regex rules for command-line logging looking for IP addresses and obfuscate cleartext strings to C2 locations within the payload. HOW TO USE CUTEIT ? Download & Install Cuteit from the below link git :   git clone https://github.com/D4Vinci/Cuteit.git Direct link: https://github.com/D4Vinci/Cuteit/archive/master.zip usage: Cu
Post a Comment
Read more