October 18, 2016
Introduction to SIEM
We'll see a brief introduction to Security Information and Event Management (SIEM).

What is a SIEM?
A SIEM is a tool that helps us monitor our network traffic and provides real-time analysis of the security alerts produced by our applications. A SIEM is also a log management tool: it gathers logs from different sources such as workstations, firewalls and servers.

Why do we need a SIEM?
Case 1: Imagine that an attack on our website happened a few weeks back. We realized that a security breach had occurred, but we need to do forensic analysis to find out what data was breached or compromised during that attack. Hence, we need to track the activities during that particular week, and that is where a SIEM can help. For example:
- To find the IP address of the attacker based on the different anomalies.
- To list the files accessed or downloaded by that particular IP address.
- To check whether files were transferred to the outside world from that IP address.
Case 2: We receive multiple scripted attacks or DoS attempts against our web server. In that case, we can set a rule in the SIEM (based on the attack signature) to block further attacks. The rule match can also be seen as an alert on the SIEM dashboard.
How SIEM works:
Applications generate logs for every event that occurs. For example, if your system shuts down during a software installation, it will be recorded in the syslog. If your firewall is seeing security alerts, it will generate a log. Similarly, all applications generate logs for the events they see. We need to push the logs generated by each application to the centralized SIEM, as shown in the image. We install collectors on the different systems that need to be monitored and configure those collectors to push the logs from the applications to the SIEM tool. Raw logs on their own are not much use; we need a tool that can analyze them and display only the required information.
|SIEM collecting logs from different applications and managing them as a centralized log store.|
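As an added example (not code from the original post, and not any particular SIEM product), here is a minimal Python version of the pipeline just described, covering both cases above: raw access-log lines are parsed into structured events, a Case 2 style rate rule raises an alert for a source IP that sends too many requests in a short window, and a Case 1 style query lists the files that IP actually retrieved. The log format, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of raw web-server access-log lines, as a collector would forward them (not real traffic).
RAW_LOGS = """\
2016-10-18T10:00:01 10.0.0.5 GET /index.html 200
2016-10-18T10:00:02 203.0.113.9 GET /admin.php 403
2016-10-18T10:00:02 203.0.113.9 GET /wp-login.php 403
2016-10-18T10:00:03 203.0.113.9 GET /reports/q3.pdf 200
2016-10-18T10:00:03 203.0.113.9 GET /backup.zip 200
2016-10-18T10:00:04 203.0.113.9 GET /etc/passwd 404
2016-10-18T10:00:09 10.0.0.7 GET /about.html 200
2016-10-18T10:00:40 203.0.113.9 GET /robots.txt 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse(raw):
    """Normalization stage: turn raw text lines into structured events."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real SIEM would count unparseable lines rather than drop them silently
        ts, ip, method, path, status = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "method": method, "path": path, "status": int(status)})
    return events


def rate_rule(events, window_seconds=10, threshold=5):
    """Case 2 rule: alert on any source IP sending >= threshold requests within one window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(ip)
                break
    return sorted(alerts)


def files_accessed(events, ip):
    """Case 1 query: files a given IP actually retrieved (HTTP 200), for forensic follow-up."""
    return sorted({e["path"] for e in events if e["ip"] == ip and e["status"] == 200})
```

In a real deployment the rule would be written in the SIEM's own query language and the parsed events would live in its central store, but the stages (collect, normalize, correlate, alert) are the same.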
Usually, the volume of logs depends on the company's network traffic rate. Hence, Big Data analytics also plays a vital role in SIEM. Please refer to my previous post for some introductory concepts on Big Data - Link
In a nutshell, a SIEM collects all the logs from the different applications (log sources) and processes those logs according to the rules configured by the SIEM users. Some commonly used SIEM tools are listed below.
- Sumo Logic
- EventLog Analyzer
- HP ArcSight
This post is just a heads-up on the concept of SIEM, which is best understood with an example. In the upcoming post, we'll see SIEM in action with an example tool. Let me know if you have any suggestions.
Thanks and Regards,