Security Information and Event Management (SIEM) is performed in four stages. Data is accumulated in the form of logs and threat intelligence. Collectors gather and aggregate the data. It is then centrally normalized by a processing engine. Finally, it is added to a database (EC-Council, 2019).
The data comes from network systems and devices (e.g., routers, printers, workstations), security systems (e.g., firewalls, IPS/IDS systems, antimalware utilities), workstations, servers, software, and services (e.g., mail servers, web servers, operating systems, applications) (EC-Council, 2019).
Collectors gather the data from the various sources by various means, normalize each type of data to make it compatible with the other log messages and data being collected, and forward it to the central engine (EC-Council, 2019).
The central engine aggregates the data, correlates it by timestamp, normalizes it, and analyzes it to look for patterns that may indicate events of interest. It “uses rule-based correlation, statistical or algorithmic correlation, and other methods” to match log messages and find events. The data analysis then uses these patterns and anomalies to identify possible intrusion attempts or policy violations. Reporting may happen in multiple ways, such as alerts to the administrator, email, or entry of tickets in the tracking system (EC-Council, 2019).
Databases for SIEM systems must be capable of storing and processing a huge volume of data. Logs are retained for as long as policy requires them and are then cleared, again according to policy (EC-Council, 2019).
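As an added illustration (not code from EC-Council or any other source cited here), the following Python sketch runs the collection, normalization and correlation stages described above over constructed log lines in two formats (sshd and an Apache-style access log) and a constructed threat-intelligence indicator. The regexes, the common event schema, and the burst rule's threshold and window are my own assumptions, not any product's.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs from two sources with different formats (not real data).
SSH_LOG = [
    "2024-03-01T10:00:01Z sshd[812]: Failed password for root from 203.0.113.7 port 51122",
    "2024-03-01T10:00:05Z sshd[812]: Failed password for root from 203.0.113.7 port 51130",
    "2024-03-01T10:00:09Z sshd[812]: Failed password for admin from 203.0.113.7 port 51144",
    "2024-03-01T10:05:00Z sshd[812]: Accepted publickey for deploy from 198.51.100.4 port 40022",
]
WEB_LOG = [
    '192.0.2.9 - - [01/Mar/2024:10:01:00 +0000] "GET /login HTTP/1.1" 401 512',
    '192.0.2.9 - - [01/Mar/2024:10:01:02 +0000] "POST /login HTTP/1.1" 401 512',
]
THREAT_INTEL = {"203.0.113.7": "constructed indicator: brute-force source"}  # constructed feed
SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+)")  # assumed format
WEB_RE = re.compile(r'^(\S+) .*\[([^\]]+)\] "\w+ \S+ [^"]*" (\d{3})')  # assumed format

def normalize(lines):
    """Collector stage: map raw lines of either format onto one common schema (assumed here)."""
    events = []
    for line in lines:
        if m := SSH_RE.match(line):
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            outcome = "fail" if m.group(2) == "Failed" else "success"
            events.append({"ts": ts, "src": m.group(4), "user": m.group(3), "outcome": outcome, "source": "sshd"})
        elif m := WEB_RE.match(line):
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            outcome = "fail" if m.group(3) == "401" else "success"
            events.append({"ts": ts, "src": m.group(1), "user": None, "outcome": outcome, "source": "web"})
    return events

def correlate(events, threshold=3, window_s=60):
    """Engine stage: time-order events; alert on a burst of >= threshold auth failures from
    one source within window_s seconds, and once per source that appears in threat intel."""
    alerts, fails, seen_intel = [], defaultdict(list), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] in THREAT_INTEL and ev["src"] not in seen_intel:
            seen_intel.add(ev["src"])
            alerts.append(("threat-intel-match", ev["src"]))
        if ev["outcome"] == "fail":
            q = fails[ev["src"]]
            q.append(ev["ts"])
            while (q[-1] - q[0]).total_seconds() > window_s:  # slide the window forward
                q.pop(0)
            if len(q) >= threshold:
                alerts.append(("auth-failure-burst", ev["src"]))
                q.clear()
    return alerts
```

Calling `correlate(normalize(SSH_LOG + WEB_LOG))` yields a threat-intelligence match and a failure-burst alert for 203.0.113.7 only; the two web failures from 192.0.2.9 stay below the threshold.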
Another way of looking at SIEM system architecture is by considering the capabilities and processes. Two of the best articulations come from Piggeé Sr (2018) and Exabeam (n.d.).
Perhaps the most important part of the SIEM system is the detection and reporting. Setting it up requires human input, but once the system has been configured, it can synthesize the correlated data and threat intelligence to provide timely, actionable intelligence to cybersecurity personnel, who can then escalate the response as needed.
As Bruce Schneier (2000) wrote, “Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products.” The components and capabilities of SIEM systems are part of this process of security.
References
EC-Council. (2020). Certified Ethical Hacker (CEH) Version 11 eBook w/ iLabs (Volumes 1 through 4). [VitalSource Bookshelf 9.2.1]. Retrieved from vbk://9781635675160
EC-Council. (2019). Certified SOC Analyst (CSA) eBook w/ iLabs. [VitalSource Bookshelf 9.2.1]. Retrieved from vbk://9781635673845
EC-Council. (2021). Computer Hacking Forensics Investigator (CHFI) Version 10, 10th Edition. [VitalSource Bookshelf 9.2.1]. Retrieved from vbk://9781635676969
Exabeam. (n.d.). SIEM architecture: Technology, process, and data. https://www.exabeam.com/siem-guide/siem-architecture/
Kim, D. (2016). Fundamentals of Information Systems Security, 3rd Edition. [VitalSource Bookshelf 9.2.1]. Retrieved from vbk://9781284128567
Piggeé Sr., J. (2016, January 10). What is a SIEM (Security information and event management)? Tripwire: The State of Security. https://www.tripwire.com/state-of-security/incident-detection/log-management-siem/what-is-a-siem/
Schneier, B. (2000, April). Essays: The process of security. Schneier on Security. https://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html