SIEM Deck - Blog


  • 7/23/2019 SIEM Deck - Blog

    Slide 1/12: Security Information & Event Management (SIEM)

  • Slide 2/12: Introducing SIEM

    Security Information & Event Management (SIEM) = Security Event Management (SEM) + Security Information Management (SIM)

    SEM primarily provides:
    Event Management
    Real-time Threat Analysis
    Incident Detection & Response
    Basic Ticketing capabilities & Security Operations

    SIM primarily provides:
    Centralized Log Collection
    Long-term Log Storage
    Log Search & Reporting

    Security Information & Event Management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization's information technology (IT) security. SIEM combines SIM (security information management) and SEM (security event management) functions into one security management system.

  • Slide 3/12: Why SIEM?

    Security Requirement:
    Security Information & Event Management (SIEM) is the core of a Defense in Depth strategy.
    Every attacker leaves behind a trace: Logs, Logs, Logs!!!
    Security events provide insight into:
    When did the event happen? Attack timestamp
    What happened? Was a vulnerability exploited? Was a privilege misused?
    Why did it happen? Assists infrastructure gap identification & remediation

    Compliance Requirement:
    Policies, standards, regulations etc. require security monitoring, alerting, reporting & management: PCI, SOX, HIPAA, TRMG, ISO27K1 etc.

  • Slide 4/12: Anatomy of a Basic Attack

    1. Attacker scans the perimeter defenses to find a hole in the network
    2. Attacker bypasses the defenses and compromises the Web servers using a vulnerability exploit
    3. From the Web Server, the attacker pivots to the DB server which holds confidential data
    4. Attacker installs malicious software which will open a backdoor for the attacker to steal data

  • Slide 5/12: How do you detect this attack?

    1. Firewall logs will have events for recon, scanning etc.
    2. IDS/IPS logs will have exploit signatures triggering (both behavior & anomaly)
    3. Web/Application Server logs (access, inbound/outbound traffic)
    4. Database logs

    Yes, you can detect the attacks, if you have a SIEM solution.

  • Slide 6/12: SIEM provides a Holistic View

    Insight into all the IT components
    Centrally collect, store & analyze logs from perimeter to endpoints
    Monitor for security threats in real time
    Quick attack detection, containment & response
    Holistic security reporting and compliance management

  • Slide 7/12: What capabilities does a SIEM have?

    Log Collection: using an agent-based or agentless approach, with out-of-the-box log collection support for 3rd-party commercial IT products
    Parsing & Normalization: collected logs are parsed and normalized to a standard format for easy storage, analysis & reporting
    Correlation: between events of different types, thereby helping in threat identification. Example: if Event A is followed or matched by Event B, take an action
    Real-time Notification & Alerting: real-time alerts on security threats in the IT environment based on analysis of collected logs
    Security Incident Detection & Response Workflow: operations workflow for handling detected security incidents & threats
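    The following is an added example, not part of the deck, showing the parsing/normalization and "Event A followed by Event B" correlation capabilities applied to the attack chain on slides 4 and 5: firewall, IDS/IPS and database lines are normalized into one schema, then a rule fires when a port scan from a source is followed by an IDS alert from the same source, and escalates when the exploited host then opens a database connection. All log formats, hosts, signature names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from the log sources the detection slide names
# (firewall, IDS/IPS, database); formats, hosts and signature names are made up.
RAW_LOGS = [
    "2019-07-23T10:00:01 fw DENY src=203.0.113.5 dst=198.51.100.10 dport=22",
    "2019-07-23T10:00:02 fw DENY src=203.0.113.5 dst=198.51.100.10 dport=445",
    "2019-07-23T10:00:03 fw DENY src=203.0.113.5 dst=198.51.100.10 dport=3306",
    "2019-07-23T10:05:11 ids ALERT sig=WEB_EXPLOIT src=203.0.113.5 dst=198.51.100.10",
    "2019-07-23T10:09:30 db CONNECT user=app host=198.51.100.10 db=customers",
]

# Parsing & normalization: one regex per source, all mapped onto the same field names.
PATTERNS = {
    "fw": re.compile(r"^(?P<ts>\S+) fw (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$"),
    "ids": re.compile(r"^(?P<ts>\S+) ids ALERT sig=(?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"),
    "db": re.compile(r"^(?P<ts>\S+) db (?P<action>\S+) user=(?P<user>\S+) host=(?P<src>\S+) db=(?P<dst>\S+)$"),
}

def normalize(line):
    """Parse one raw line into a standard event dict; None if no parser matches."""
    for source, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            ev = {**m.groupdict(), "source": source}
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            return ev
    return None

def correlate(events, scan_ports=3, window=timedelta(minutes=10)):
    """Event A (>= scan_ports distinct denied ports from one src) followed within `window`
    by Event B (IDS alert from the same src) raises an 'exploit' alert; a DB connection
    from the exploited host inside the window escalates it to 'pivot'."""
    denied, first_seen, alerts = defaultdict(set), {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] == "fw" and ev["action"] == "DENY":
            denied[ev["src"]].add(ev["port"])
            first_seen.setdefault(ev["src"], ev["ts"])
        elif (ev["source"] == "ids" and len(denied[ev["src"]]) >= scan_ports
              and ev["ts"] - first_seen[ev["src"]] <= window):
            alerts.append({"src": ev["src"], "host": ev["dst"], "stage": "exploit", "ts": ev["ts"]})
        elif ev["source"] == "db":
            for a in alerts:
                if a["host"] == ev["src"] and ev["ts"] - a["ts"] <= window:
                    a["stage"] = "pivot"
    return alerts

def run(lines=RAW_LOGS):
    return correlate([e for e in map(normalize, lines) if e])
```

    A real deployment would replace the regexes with the SIEM's parsers and tune `scan_ports` and `window` to the environment; the point here is that no single source shows the attack, only the correlated sequence does.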

  • Slide 8/12: SIEM Technology Space

    SIEM market analysis of the last 3 years suggests:
    Market consolidation of SIEM players (25 vendors in 2011 to 16 vendors in 2013); only products with technology maturity and a strong road map have featured in the leaders quadrant.
    HP ArcSight & IBM Q1 Labs have maintained leadership in the SIEM industry with continued technology upgrades.
    McAfee Nitro has strong product features & a road map to challenge HP & IBM for leadership.

  • Slide 9/12: HP ArcSight

    Strengths:
    Extensive log collection support for commercial IT products & applications
    Advanced support for Threat Management, Fraud Management & Behavior Analysis
    Mature event correlation, categorization & reporting
    Tight integration with big data analytics platforms like Hadoop
    Highly customizable based on the organization's requirements
    Highly available & scalable architecture supporting multi-tier & multi-tenancy

    Weaknesses:
    Complex deployment & configuration
    Mostly suited for medium to large scale deployment
    Requires skilled resources to manage the solution
    Steep learning curve for analysts & operators

    The ArcSight Enterprise Threat and Risk Management (ETRM) Platform is an integrated set of products for collecting, analysing, and managing enterprise security event information.
    ArcSight Enterprise Security Manager (ESM): correlation and analysis engine used to identify security threats in real time
    ArcSight Logger: log storage and search solution
    ArcSight IdentityView: user identity tracking / user activity monitoring
    ArcSight Connectors: data collection from a variety of data sources
    ArcSight Auditor Applications: automated continuous controls monitoring for both mobile & virtual environments

  • Slide 10/12: IBM QRadar

    Strengths:
    Very simple deployment & configuration
    Integrated view of the threat environment using NetFlow data, IDS/IPS data & event logs from the environment
    Behavior & anomaly detection capabilities for both NetFlow & log data
    Suited for small, medium & large enterprises
    Highly scalable & available architecture

    Weaknesses:
    Limited customization capabilities
    Limited multi-tenancy support
    Limited capability to perform advanced use case development & analytics

    The QRadar Integrated Security Solutions (QRadar) Platform is an integrated set of products for collecting, analysing, and managing enterprise security event information.
    QRadar Log Manager: turnkey log management solution for event log collection & storage
    QRadar SIEM: integrated log, threat & risk management solution
    QRadar Risk Manager: predictive threat & risk modelling, impact analysis & simulation
    QRadar QFlow: network behaviour analysis & anomaly detection using network flow data
    QRadar vFlow: application layer monitoring for both physical & virtual environments

  • Slide 11/12: McAfee Nitro

    The McAfee Enterprise Security Management (formerly NitroSecurity) Platform is an integrated set of products for collecting, analysing, and managing enterprise security event information.
    McAfee Enterprise Log Manager: turnkey log management solution for event log collection & storage
    McAfee Event Receiver: collecting log data & native flow data
    McAfee Database Event Monitor: database transaction & log monitoring
    McAfee Application Data Monitor: application layer event monitoring
    McAfee Advanced Correlation Engine: advanced correlation engine for correlating events, both historical & real time

    Strengths:
    Integrated application data monitoring & deep packet inspection
    Integrated database monitoring without dependence on native audit functions
    High event collection rate suited for very large scale deployment
    Efficient query performance in spite of high event collection rate

    Weaknesses:
    Very basic correlation capabilities when compared with HP & IBM
    Limitations in user interface when it concerns navigation
    Requires a lot of agent installs for application & database monitoring, thereby increasing management complexity
    No analytics capability, both big data & risk based
    Limited customization capabilities
    Limited support for multi-tier & multi-tenancy architecture

  • Slide 12/12: Comparison Overview

    In essence, the decision to choose a SIEM product depends on the following key factors:

    * Based on data from publicly available sources