Introduction to SIEM

October 18, 2016 | Views: 14979


Hi Readers,

This post is a brief introduction to Security Information and Event Management (SIEM).

What is a SIEM?

A SIEM is a tool that helps us monitor our network and provides real-time analysis of the security alerts produced by our applications. A SIEM is also a log management tool: it gathers logs from many different sources, such as workstations, firewalls, servers and so on.

Why do we need a SIEM?

Case 1: Imagine that our website was attacked a few weeks ago. We realize that a security breach occurred, but we still need to do a forensic analysis of what data was accessed or compromised during that attack, so we need to reconstruct the activity during that particular week. A SIEM helps here, for example:

  • To find the IP address of the attacker based on the different anomalies in the logs.
  • To list the files accessed or downloaded by that particular IP address.
  • To check whether files were transferred to the outside world from that IP address, and so on.

Case 2: We receive repeated scripted attacks or DoS attempts against our web server. In that case, we can set a rule (based on the attack signature) in the SIEM to block further attacks. The match is also shown as an alert on the SIEM dashboard.

(Image: SIEM 1.png)
How SIEM works:
Applications generate logs for every event that occurs. For example, if your system shuts down because of a software installation, that event appears in the syslog. If your firewall raises a security alert, it writes a log entry. In the same way, every application generates logs for the events it sees. We need to push the logs generated by each application to the centralized SIEM, as shown in the image. To do that, we install collectors on the systems that need to be monitored and configure them to forward the logs from the applications to the SIEM. Raw logs are hard to read on their own, so we need a tool that can parse them and display only the information we actually need.
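To make the collect, parse and query steps concrete, here is an added example in Python (not code from the original post or from any SIEM product). It parses a few constructed web-server access-log lines into normalized events, runs the Case 1 forensic query (files fetched by a given IP) and a Case 2 style threshold rule that raises an alert when one IP sends a burst of requests. All addresses, paths and timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample web-server access log (Common Log Format); not real traffic.
RAW_LOGS = """\
203.0.113.7 - - [12/Oct/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [12/Oct/2016:10:00:02 +0000] "GET /admin.php HTTP/1.1" 403 128
203.0.113.7 - - [12/Oct/2016:10:00:02 +0000] "GET /backup.zip HTTP/1.1" 200 90210
203.0.113.7 - - [12/Oct/2016:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 128
203.0.113.7 - - [12/Oct/2016:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 128
198.51.100.4 - - [12/Oct/2016:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.4 - - [12/Oct/2016:10:05:00 +0000] "GET /about.html HTTP/1.1" 200 700
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$')

def parse(raw):
    """Collector/parser step: turn raw lines into normalized event dicts."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production SIEM would count unparsed lines instead of dropping them
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"], e["size"] = int(e["status"]), int(e["size"])
        events.append(e)
    return events

def files_accessed_by(events, ip):
    """Case 1 (forensics): which paths did a given IP fetch successfully (HTTP 200)?"""
    return sorted({e["path"] for e in events if e["ip"] == ip and e["status"] == 200})

def burst_rule(events, threshold=5, window=timedelta(seconds=10)):
    """Case 2 (detection): alert on any IP with >= threshold requests inside a sliding window."""
    stamps_by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        stamps_by_ip[e["ip"]].append(e["ts"])
    alerts = set()
    for ip, stamps in stamps_by_ip.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(ip)
    return sorted(alerts)
```

Calling `burst_rule(parse(RAW_LOGS))` flags only 203.0.113.7, whose five requests arrive within two seconds, while the second host's two requests five minutes apart never fill the window.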
 
(Image: SIEM 2.jpg)
SIEM collecting logs from different applications and managing them as a centralized log store.
The volume of logs usually depends on the company's network traffic rate, so Big Data analytics also plays a vital role in a SIEM. Please refer to my previous post for an introduction to Big Data concepts (link).
In a nutshell, a SIEM collects the logs from the different applications (log sources) and processes them according to the rules configured by the SIEM users. Some commonly used SIEM tools are listed below.
  • Splunk
  • Sumo Logic
  • EventLog Analyzer
  • HP ArcSight, etc.

This post is just a heads-up on the concept of SIEM. The concept is best understood with an example, so in the upcoming post we'll see a SIEM in action with an example tool. Let me know if you have any suggestions.

Thanks and Regards,

Vinoth Kumar

16 Comments
  1. Nicely explained

  2. Thank you for this brief about SIEM
    but I would like to SIEM tools that I believe LogRhythm will be better and a top in these tools
    1-LogRhythm
    2-Splunk
    3-Sumo logic
    4-Eventlog analyzer
    5-HP ArcSight etc.,

  3. I am trying to gain a good, firm knowledge of any SIEM to add to my CV. Does anyone have a full tutorial? I know different companies use different types; I just want to know one such as LogRhythm, ArcSight, etc.

    thanks

  4. Great article

  5. Nice introduction article!

    For anyone who is maybe wondering, SIEM stands for “Security Information Event Management”.
    Some other common and less common SIEM tools are AlienVault’s OSSIM, QRadar (IBM), SolarWinds and Trustwave both have a SIEM product, and the EMC RSA Security Analytics product.
