Introduction to SIEM
We'll see a brief introduction to Security Information and Event Management (SIEM).
What is a SIEM?
A SIEM is a tool that collects log and event data from across our environment and provides real-time analysis of the security alerts raised by applications and network devices. It is also a log management tool: it gathers logs from many different sources (workstations, firewalls, servers, etc.) into one centralized store, normalizes them, and lets us search and correlate across all of them from one place.
Why do we need a SIEM?
Case 1: Imagine that an attack on our website happened a few weeks ago. We have realized that a breach occurred, but we now need to do a forensic analysis to determine what data was compromised during that attack. To do that we need to track the activity during that particular week, and this is where a SIEM is helpful, because the logs from every source are already in one searchable place. For example:
- Find the attacker's IP address from the anomalies in the logs (for example, a burst of failed requests or requests for pages that do not exist).
- List the files accessed or downloaded by that IP address.
- Determine whether files were transferred out to the outside world from that IP address, and so on.
Case 2: We receive multiple scripted attacks or DoS attempts against our web server. In that case we can set a rule in the SIEM (based on the attack signature, or on a request-rate threshold) so that further attacks are detected and shown as an alert on the SIEM dashboard. Note that the SIEM itself only detects and alerts; actually blocking the traffic is done by the firewall, IPS or web server, which the SIEM can trigger through an integration or a response playbook.
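To make both cases concrete, here is an added example (not code from the original post or from any SIEM product) of the kind of correlation a SIEM runs over collected logs. It parses a few constructed web server access log lines in the Apache combined format, then answers the Case 1 questions (which client looks anomalous, which files it retrieved, which transfers were large enough to suggest data leaving the server) and implements two Case 2 rules: a signature match on the request path and a request-rate threshold. The IP addresses, paths, thresholds and signature patterns are all illustrative assumptions.

```python
"""Minimal SIEM-style correlation over web-server access logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in Apache combined log format: one normal visitor (10.0.0.5)
# and one noisy client (198.51.100.23) that probes for admin pages, tries a
# path-traversal request and then pulls two large files. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2016:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.23 - - [10/Mar/2016:12:00:02 +0000] "GET /admin.php HTTP/1.1" 404 512
198.51.100.23 - - [10/Mar/2016:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 512
198.51.100.23 - - [10/Mar/2016:12:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512
198.51.100.23 - - [10/Mar/2016:12:00:03 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0
198.51.100.23 - - [10/Mar/2016:12:00:04 +0000] "GET /backup/customers.sql HTTP/1.1" 200 52428800
10.0.0.5 - - [10/Mar/2016:12:00:05 +0000] "GET /about.html HTTP/1.1" 200 2210
198.51.100.23 - - [10/Mar/2016:12:00:05 +0000] "GET /backup/site.tar.gz HTTP/1.1" 200 104857600
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed attack signatures for the Case 2 rule; a real deployment would use
# vendor or community rule sets instead of two hand-written patterns.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "admin-probe": re.compile(r"^/(admin|wp-login|phpmyadmin)", re.IGNORECASE),
}


def parse(text):
    """Normalize combined-format lines into dicts; skip lines that do not parse."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
        events.append(e)
    return events


def suspicious_ips(events, min_errors=3):
    """Case 1, step 1: clients with many 4xx responses (probing anomaly).
    The threshold of 3 errors is an assumption; tune it to the real baseline."""
    errors = Counter(e["ip"] for e in events if 400 <= e["status"] < 500)
    return [ip for ip, n in errors.most_common() if n >= min_errors]


def files_accessed(events, ip):
    """Case 1, step 2: paths this client successfully retrieved (2xx), in order."""
    return [e["path"] for e in events if e["ip"] == ip and 200 <= e["status"] < 300]


def large_transfers(events, ip, min_bytes=10 * 1024 * 1024):
    """Case 1, step 3: successful downloads above an assumed 10 MiB size,
    the simplest indicator that bulk data left the server toward that client."""
    return [(e["path"], e["bytes"]) for e in events
            if e["ip"] == ip and e["status"] == 200 and e["bytes"] >= min_bytes]


def signature_alerts(events):
    """Case 2, rule A: match each request path against the known signatures."""
    hits = defaultdict(list)
    for e in events:
        for name, pat in SIGNATURES.items():
            if pat.search(e["path"]):
                hits[name].append((e["ip"], e["path"]))
    return dict(hits)


def rate_alerts(events, max_requests=5, window_seconds=10):
    """Case 2, rule B: flag any client with more than max_requests in a sliding
    window of window_seconds. Returns {ip: peak request count in a window}."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e["ts"])
    alerts = {}
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # drop timestamps that fell out of the window
            count = end - start + 1
            if count > max_requests:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for ip in suspicious_ips(evts):
        print("suspicious client:", ip)
        print("  files retrieved:", files_accessed(evts, ip))
        print("  large transfers:", large_transfers(evts, ip))
    print("signature alerts:", signature_alerts(evts))
    print("rate alerts:", rate_alerts(evts))
```

Every function here is a query over the same normalized event list, which is the point of the centralized store: once the logs are parsed into a common schema, the forensic questions of Case 1 and the live detection rules of Case 2 are just different correlations over the same data.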
[Figure: a SIEM collecting logs from different applications and managing them as a centralized log store.]
Some commonly used SIEM tools are:
- Sumo Logic
- EventLog Analyzer
- HP ArcSight, etc.
This post is just a heads-up on the concept of SIEM, which is best understood with an example. In the upcoming post, we'll see SIEM in action with an example tool. Let me know if you have any suggestions.
Thanks and Regards,