SIEM (Security Information and Event Management)

The necessary big data management tool to continuously protect your organization
August 4, 2023 by CYSECITC, LLC, Benjamin Mendoza
The ubiquitous presence of technology in all facets of daily life requires trust in every transaction in every area of modern society. Imagine military weapons or automated defense systems failing because of the software that delivers them, critical infrastructure control systems such as energy and water going down, a doctor's visit ending in a wrong diagnosis because a hacked Electronic Health Record database was altered, or checking your bank transactions online and finding that all your money is gone. SIEM helps defend our dependency on technology against internal and external threats, creating trust assurance as part of the continuous cybersecurity process.

Security Information and Event Management (SIEM) is an extraordinary cybersecurity tool set for any organization. SIEM gives insight into activities within the IT enterprise while maintaining an accountability record of internal and external interactions. The technology combines Security Information Management, which collects, processes, and analyzes log and event data, with Security Event Management, which provides real-time threat analysis and threat response for security operations. SIEM tools evolved from log management solutions, which kept data repositories but produced little actionable intelligence for prevention, into the SIEM used today in Security Operations Centers (SOC) designated to protect the information system assets of many types of organizations.

SIEM systems collect log data from the different areas of the organizational infrastructure, such as data sources, security solutions, platform interfaces, networks, appliances, end users, and interactions with the outside Internet. The main cybersecurity features provided by a SIEM solution are collection, storage, and analysis, producing reports on security incidents as well as traffic-related events. A SIEM records successful and failed logins, user access to application resources, endpoint network connections, and malware activity, and it tracks a predetermined benchmark of normal operational traffic while identifying any variation that might require an incident response to protect the organization.
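The two detection patterns just described, counting failed logins and comparing traffic against a predetermined baseline, are the core of what a SIEM correlation rule does. The following Python script is an added example written for this post; it is not code from any SIEM product named here. The log lines, the simplified "timestamp host event user src" format, the thresholds, and the per-host baseline counts are all constructed for the illustration.

```python
"""Toy SIEM-style correlation over constructed log lines (example code, not from any product)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp host event user src" format.
# 203.0.113.7 (a documentation-range address) fails five times and then succeeds.
SAMPLE_LOGS = """\
2023-08-04T09:00:01 web01 LOGIN_FAIL user=admin src=203.0.113.7
2023-08-04T09:00:04 web01 LOGIN_FAIL user=admin src=203.0.113.7
2023-08-04T09:00:07 web01 LOGIN_FAIL user=root src=203.0.113.7
2023-08-04T09:00:09 web01 LOGIN_FAIL user=admin src=203.0.113.7
2023-08-04T09:00:12 web01 LOGIN_FAIL user=admin src=203.0.113.7
2023-08-04T09:00:15 web01 LOGIN_OK user=admin src=203.0.113.7
2023-08-04T09:01:00 db01 LOGIN_OK user=svc_backup src=10.0.0.5
2023-08-04T09:05:30 web01 LOGIN_FAIL user=alice src=10.0.0.21
2023-08-04T09:15:00 web01 LOGIN_OK user=alice src=10.0.0.21
2023-08-04T09:40:00 db01 LOGIN_OK user=bob src=10.0.0.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed "normal" hourly event counts per host; a real SIEM learns these from history.
BASELINE_PER_HOUR = {"web01": 3, "db01": 4}


def parse_events(text):
    """Normalize raw lines into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: a production SIEM would route it to a parse-failure queue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag a source once it produces `threshold` LOGIN_FAIL events inside a sliding
    `window`, and record whether a LOGIN_OK from that source follows the burst."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = {}
    for e in events:
        src = e["src"]
        if e["event"] == "LOGIN_FAIL":
            q = recent[src]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = {
                    "host": e["host"],
                    "first_seen": q[0].isoformat(),
                    "fails": len(q),
                    "success_after": False,
                }
        elif e["event"] == "LOGIN_OK" and src in flagged:
            flagged[src]["success_after"] = True  # burst followed by success: escalate
    return flagged


def detect_volume_anomalies(events, baseline=BASELINE_PER_HOUR, factor=2.0):
    """Report hosts whose event volume exceeds `factor` times their baseline count."""
    counts = defaultdict(int)
    for e in events:
        counts[e["host"]] += 1
    return {h: c for h, c in counts.items() if c > baseline.get(h, 0) * factor}


def run_detections(text=SAMPLE_LOGS):
    """Run both correlation rules and return their findings as one report."""
    events = parse_events(text)
    return {
        "bruteforce": detect_bruteforce(events),
        "volume": detect_volume_anomalies(events),
    }


if __name__ == "__main__":
    for rule, findings in run_detections().items():
        print(rule, findings)
```

Running the script flags `203.0.113.7` after its fifth failure within the window, marks the finding `success_after` because a successful login followed, and reports `web01` as exceeding twice its baseline volume; the single failed login from `10.0.0.21` stays below the threshold and produces no alert, which is the kind of tuning that keeps a SIEM from flooding analysts with noise.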

All vendors will pitch their differentiation marketing speech, but every SIEM captures some kind of action within the enterprise network, stores the logs, takes blocking action, and sends notifications based on predefined policies to protect the organization.

The big SIEM differentiator today is the interweaving of log collection capacity with big data, as performed by the latest open source SIEM newcomer, Apache Metron, which by default works with the Hadoop big data framework. Metron is being deployed in the biggest governmental and private enterprises because its Hadoop big data capacity can engineer actionable cybersecurity intelligence to protect those organizations. Metron evolved into an open source project from Cisco's OpenSOC platform and has the ability to tie multiple open source solutions together into one centralized platform. For example, mature cybersecurity tools such as the Security Onion network security monitoring distribution and the Kali Linux suite can be added via modules to Metron's Hadoop big data intake, with the collected IT traffic presented in one centralized platform.

SolarWinds SEM is a service deployed in many small to large organizations that want to exploit Windows event logs to actively manage the business IT network infrastructure against future threats. This SIEM has a very user-friendly dashboard, and the company provides 24/7 support. The operating system for this SIEM solution is Windows, and it takes advantage of the great quantity of logging information produced by systems running Windows.

AlienVault OSSIM is another open source SIEM with outstanding core capabilities, including threat intelligence, asset discovery, SIEM log management, endpoint protection, security response automation, and vulnerability assessment. AlienVault was recently acquired by AT&T, adding huge capabilities to the threat behavior collection and network security monitoring within the SIEM solution. AlienVault OSSIM is a mature SIEM solution and is used by large enterprises that need to ensure compliance with frameworks such as FISMA, GLBA, ISO 27001, PCI DSS, HIPAA, GDPR, and SOC 2.

The assurance provided by the proper use of a SIEM includes defending against malicious actions or compromise of IT, ensuring IT policies are adhered to, significantly automating the collection of logged data, ensuring compliance with laws, and overall protecting the personnel and organizational assets while ensuring that value-adding, wealth-creating activities are properly performed.

SIEM technology helps remove inefficiencies through automation and minimizes losses due to compliance penalties, unnecessary infrastructure expansions made without data analysis, and even system outages, since a SIEM displays in real time an actionable overview of the data flows and event logs captured across all enterprise nodes.

A SIEM, as a cybersecurity technological tool, is a big asset to any organization when properly managed. Problems arise when IT personnel are not properly trained to respond to the alarms delivered by the SIEM. The old GIGO (garbage in, garbage out) geek saying applies to any SIEM implementation, and an organization using such a tool must ensure that the personnel delivering these services are properly trained and kept up to date on a continuous basis. The return on investment of implementing a SIEM, through data collection, processing rationalization, and summary delivery of possible actions, makes it a necessary part of daily operations within any company.

My preferred SIEM implementation is the Apache Metron SIEM, since it utilizes the Hadoop big data framework to provide big data analysis for decision-making. Additionally, adding data feeds from other tools such as Kali Linux, pfSense, Security Onion, and SANS DFIR to the big data engine generates actionable data in one single-screen summary location.
