System Information and Event Management (SIEM)

Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
>> The System Information and Event Management tool, SIEM, is one of those critical security monitoring tools for Cloud environments. In this lesson, we're going to go over the role of the SIEM in Cloud security, describe the strengths of monitoring and incident response provided by the SIEM, and then also talk about some of the pitfalls/challenges for implementing and monitoring a SIEM.

The SIEM. This really is the centralized point for logging within your Cloud environment. It gathers all the data that's related to the capabilities of your Cloud environment, your network, all the devices that they're reporting back, all the logs related to both performance and access. It could also potentially provide information related to policy violations, misconfigurations in the operating systems, databases, the applications themselves, and it detects internal threats.

But unless you really have appropriate asset management to understand what needs to be monitored, what are its baselines for logging activities, it can be difficult to really get as much value out of the SIEM as possible. That's why the things we've talked about in the past, such as the business impact analysis and system baselining, are really critical for a system to function properly. Only when the analysts or administrator, whoever is looking at the SIEM, knows what are the most important things to look at and consider can it be used effectively to diagnose issues. Understanding that baseline also enhances the amount of analysis when looking at the SIEM or considering things like anomalous login from IP addresses or geographic ranges that are outside of our known business case or the location where our employees are working from.

One of the other important things is understanding the business needs, and the appropriate log volume and information is very important for optimizing the alerts that can be configured using the SIEM solution. It's very important to configure alerts properly because there's so much information, especially if you're in a multi-Cloud environment or have various different applications out there, that you understand what are the most important things that you're looking for regarding strange login patterns or, as I said before, different geographic locations or activity that might constitute an attack, particularly high volumes or external traffic that could be damaging, a denial-of-service attack in progress. Understanding your environment, understanding what's normal and what's not, is really critical for creating effective alerts that come out of the SIEM to focus your attention and flag all incidents early so that the incident response process can be initiated to mitigate any harm to your Cloud-based environment.

One of the other advantages of the SIEM is that with all of this aggregation of data, you can really do effective dashboards and visualizations to synthesize the information and provide actual insights regarding what's going on.

Quiz question: which of the following is the most important for effective SIEM operations? Is it Asset Management, Alert optimization or Incident response? Although you might think it's alert optimization, that is critical to understand the baseline of your network of the logs and create appropriate alerts related to anomalies, without Asset Management, without really clearly understanding the importance of as well as what's out there and needs to be monitored and configuring it appropriately so that those logs are going to the SIEM, you really won't have the visibility necessary to identify security issues in your Cloud environments. Then incident response is critical after an incident has been identified. It can't necessarily be known to be kicked off at the right time unless proper asset monitoring is in place within the SIEM.

In summary, we've talked about the importance of SIEM. It really provides visibility into the Cloud-based environment, and then also we've talked about the benefits of a SIEM solution. We've got one, monitoring, advanced analytics, proper alerting. It also facilitates the improvement of performance potentially if unusual log volumes are noticed. It also facilitates incident response if unusual behavior or anomalous activities are detected and need to be addressed. Some of the challenges we've talked about, that was related to making sure that all the assets that need to be monitored are properly in the SIEM and that whoever is doing the monitoring has appropriate understanding of the system baselines and what constitutes abnormal behavior and what should be investigated.

All right, see you in the next lesson.
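As an added example (not part of the lesson or of Cybrary's course materials), the following Python script shows the baseline-driven alerting the lecture describes, run over a few constructed log lines: a per-account baseline of known office networks and countries flags logins outside the business case (and accounts with no baseline at all, which is the asset-management gap the quiz answer points at), and a per-source request-rate threshold flags the kind of high-volume traffic the lecture associates with a denial-of-service in progress. The log format, account names, IP ranges, countries and threshold values are all constructed assumptions, not any product's real schema.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed baseline: where each account normally logs in from (office
# networks and countries). A real SIEM derives this from asset management
# and historical log data; every value here is made up for the example.
BASELINE = {
    "alice": {"networks": ["203.0.113.0/24"], "countries": {"US"}},
    "bob": {"networks": ["198.51.100.0/24"], "countries": {"US", "CA"}},
}

# Constructed sample log lines in a simple key=value format (not real data).
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z event=login user=alice src=203.0.113.45 geo=US result=success
2024-05-01T09:02:13Z event=login user=bob src=198.51.100.7 geo=CA result=success
2024-05-01T09:05:40Z event=login user=alice src=192.0.2.99 geo=RU result=success
2024-05-01T09:07:02Z event=login user=carol src=203.0.113.50 geo=US result=success
2024-05-01T09:10:00Z event=request src=192.0.2.10 path=/api/login
2024-05-01T09:10:04Z event=request src=192.0.2.10 path=/api/login
2024-05-01T09:10:05Z event=request src=203.0.113.45 path=/api/report
2024-05-01T09:10:09Z event=request src=192.0.2.10 path=/api/login
2024-05-01T09:10:14Z event=request src=192.0.2.10 path=/api/login
2024-05-01T09:10:20Z event=request src=192.0.2.10 path=/api/login
"""


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; 'ts' becomes an aware datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def login_outside_baseline(event):
    """Return a reason string if a login is outside the account's baseline, else None."""
    base = BASELINE.get(event["user"])
    if base is None:
        # An account with no baseline is an asset-management gap, not just noise.
        return "no baseline on file for this account"
    ip = ipaddress.ip_address(event["src"])
    in_net = any(ip in ipaddress.ip_network(n) for n in base["networks"])
    in_geo = event.get("geo") in base["countries"]
    if not in_net and not in_geo:
        return f"login from {event['src']} in {event.get('geo')}: outside known networks and countries"
    if not in_geo:
        return f"login from unexpected country {event.get('geo')}"
    return None  # in-country, possibly from home: within the business case


def volume_alerts(events, threshold, window_seconds=60):
    """Return (src, window_start, count) for sources exceeding threshold requests per window."""
    counts = defaultdict(int)
    for ev in events:
        if ev["event"] != "request":
            continue
        # Bucket each request into a fixed window so bursts are counted per source.
        window_start = int(ev["ts"].timestamp()) // window_seconds * window_seconds
        counts[(ev["src"], window_start)] += 1
    return sorted(
        (src, datetime.fromtimestamp(start, tz=timezone.utc).isoformat(), n)
        for (src, start), n in counts.items()
        if n > threshold
    )


def analyze(log_text, request_threshold=3):
    """Run both baseline-driven checks over raw log text and return the alerts."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    login_alerts = []
    for ev in events:
        if ev["event"] == "login":
            reason = login_outside_baseline(ev)
            if reason:
                login_alerts.append((ev["user"], reason))
    return {
        "login_alerts": login_alerts,
        "volume_alerts": volume_alerts(events, request_threshold),
    }


if __name__ == "__main__":
    for kind, alerts in analyze(SAMPLE_LOGS).items():
        print(kind)
        for alert in alerts:
            print("  ", alert)
```

The point of the design is that neither check is meaningful without the baseline: the same login from 192.0.2.99 would be invisible if alice's expected networks and countries were unknown, and the request threshold only separates an attack from a busy day if it was set from the environment's normal volume. Raising `request_threshold` above the observed burst makes the volume alert disappear, which is the alert-optimization trade-off the lecture describes.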