Scribd Logo
Upload

Welcome to Scribd!

  • Higher Diploma in Cybersecurity Risk & Compliance

    Uploaded by

    Daniel Leary
    6 views8 pages
    SIEM tools collect log and event data from systems and security devices. They analyze the data to identify anomalies and security threats, such as brute force login attempts. SIEM software generates alerts when potential issues are found. It provides benefits like shortening threat detection time, giving a holistic security view, and supporting forensic analysis during breaches. However, SIEM tools also have drawbacks like high implementation costs, needing expert configuration, and producing many irrelevant alerts.

    Original Description:

    Original Title

    Week#2-Intro

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    SIEM tools collect log and event data from systems and security devices. They analyze the data to identify anomalies and security threats, such as brute force login attempts. SIEM software generates alerts when potential issues are found. It provides benefits like shortening threat detection time, giving a holistic security view, and supporting forensic analysis during breaches. However, SIEM tools also have drawbacks like high implementation costs, needing expert configuration, and producing many irrelevant alerts.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    6 views8 pages

    Higher Diploma in Cybersecurity Risk & Compliance

    Uploaded by

    Daniel Leary
    SIEM tools collect log and event data from systems and security devices. They analyze the data to identify anomalies and security threats, such as brute force login attempts. SIEM software generates alerts when potential issues are found. It provides benefits like shortening threat detection time, giving a holistic security view, and supporting forensic analysis during breaches. However, SIEM tools also have drawbacks like high implementation costs, needing expert configuration, and producing many irrelevant alerts.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 8

    SIEM

    Higher Diploma in Cybersecurity Risk & Compliance


    SIEM: Secure Information and Event Management
    • Collect Data, Identify Anomalies & Patterns, Do Something
    • SIEM is all about Inputs and Outputs
    Example:

    • SIEM tools gather event and log data created by host systems, applications and security devices, such as
    antivirus filters and firewalls, throughout a company's infrastructure and bringing that data together on a
    centralized platform.

    • The SIEM tools identify and sort the data into such categories as successful and failed logins, malware activity
    and other likely malicious activity.

    • The SIEM software then generates security alerts when it identifies potential security issues.

    • A user account that generates 25 failed login attempts in 25 minutes could be flagged as suspicious but were
    probably made by the user who had probably forgotten his login information.

    • A user account that generates 130 failed login attempts in five minutes would be flagged as a high-priority event
    because it's most likely a brute-force attack in progress.
    Benefits of SIEM
    • Shortens the time it takes to identify threats significantly, minimizing the damage from
    those threats

    • Offers a holistic view of an organization's information security environment, making it


    easier to gather and analyze security information to keep systems safe -- all of an
    organization's data goes into a centralized repository where it is stored and easily
    accessible

    • Can be used by companies for a variety of use cases that revolve around data or logs,
    including security programs, audit and compliance reporting, help desk and network
    troubleshooting

    • Supports large amounts of data so organizations can continue to scale out and increase
    their data

    • Provides threat detection and security alerts

    • Can perform detailed forensic analysis in the event of major security breaches.
    Great, Lets do it !!!!
    Usually, it takes a long time to implement because it requires support to ensure successful integration with an
    organization's security controls and the many hosts in its infrastructure. It typically takes 90 days or longer to
    install SIEM before it starts to work.

    It's expensive. The initial investment in SIEM can be in the hundreds of thousands of dollars. And the associated
    costs can also add up, including the costs of personnel to manage and monitor a SIEM implementation, annual
    support, and software or agents to collect data.

    Analysing, configuring and integrating reports require the talent of experts. That's why some SIEM systems are
    managed directly within a security operations centre (SOC), a centralized unit staffed by an information
    security team that deals with an organization's security issues.

    SIEM tools usually depend on rules to analyse all the recorded data. The problem is that a company's network
    generates a large number of alerts -- usually, 10,000 per day -- which may or may not be positive. Consequently,
    it's difficult to identify potential attacks because of the number of irrelevant logs.

    A misconfigured SIEM tool may miss important security events, making information risk management less
    effective.
    SIEM: Secure Information and Event Management
    • Risk Assessment (RA), Risk Management (RM)
    Risk management is the process of identifying, assessing and
    controlling threats to an organization's capital and earnings. These
    threats, or risks, could stem from a wide variety of sources,
    including financial uncertainty, legal liabilities, strategic
    management errors, accidents and natural disasters.
    IT security threats and data-related risks, and the risk management
    strategies to alleviate them, have become a top priority
    for digitized companies.
    SIEM: Secure Information and Event Management

    • Threat Intelligence is organized, analysed and refined information about


    potential or current attacks that threaten an organization. The primary purpose
    of threat intelligence is helping organizations understand the risks of the most
    common and severe external threats, such as zero-day threats, advanced
    persistent threats (APTs) and exploits
    • Threat Management (TM) Incident response is an organized approach to
    addressing and managing the aftermath of a security breach or cyberattack, also
    known as an IT incident, computer incident or security incident. The goal is to
    handle the situation in a way that limits damage and reduces recovery time and
    costs.
    SIEM: Inputs and Outputs

    SIEM System
    Compliance

    Aggregation
    Correlation
    Threats
    Threat Actors Incident
    APT
    Inputs Outputs Response
    Data
    Analytics

    Data Sources Machine


    Logs, EP/Host Learning Reports,
    Edge Alerts,
    Zero-Day

    Threat Threat
    Management Management
    SIEM: Secure Information and Event Management

    • Sources of data
    • Threat types
    • IDR

    • Frameworks
    S Nov/Dec
    I
    E Jan • Log sources
    M • Honeypots
    Feb • HIDS, IDS, SASE
    S
    y Mar
    s • Threat Management
    t
    Apr • Incident Response
    e
    m
    s May • Output & Reports, Alerts
    • Compliance

    • Data Aggregation
    • Machine Learning

    You might also like