Software Information And Event Management

SIEM:

Security information and event management(SIEM) system provides a centralized solution for collecting, analyzing, and managing data from multiple sources. Then combine the services of security event management(SEM) and security information management(SIM) solutions. A SEM provides real-time monitoring, analysis, and notification of security events, such as suspected security incidents.

Why SIEM?
SIEMs are very useful in large enterprises that have massive amounts of data and activity to monitor. Consider an organization with over 1,000 servers. When an incident occurs on just one of those servers, administrators need to know about it as quickly as possible. The SIEM provides continuous monitoring and provides real-time reporting.

Aggregation:
Aggregation refers to combining several dissimilar items. Into a single item. A SIEM can collect data from multiple sources, such as firewalls, IPS, proxy servers, and more and aggregate this data and store it in such a way that it is easy to analyze and search.

Correlation Engine:
A Correlation Engine is a software component used to collect and analyze event log data from various systems within the network. It aggregates data looking for common attributes. It then uses an advanced analytic tool to detect patterns of potential security events and raises alerts. System administrators can then investigate the alert.

Automated Alerting:
A SIEM typically comes with predefined alerts, which provide notifications of suspicious events.

Automated triggers:
Triggers cause an action in response to a predefined number of repeated events.

Time synchronization:
All servers sending data to the SIEM should be synchronized at the same time. This becomes most important when investigating an incident so that security investigators know when events occurred.

Event deduplication:
Deduplication is the process of removing duplicate entries because NIDS collects data from a firewall and a SIEM collects data from NIDS and the firewall. So SIEM stores only a single copy of any duplicate log entries, but ensures that the entries are associated with both devices.

Comments

Post a Comment

Popular posts from this blog

Analyzing Spear Phishing Email

Image
Phishing is the technique of fraudulent attempt by the attacker to obtain sensitive and confidential information i.e. Credentials, PII information, credit card, bank details. It can also be targeted attack to focus on the specific organization of individual. The attacker often tailors an email to speak directory to targeted user. There are many types of phishing as follow. I wouldn't explain the types. You can read Here . In this article you'll learn how to analyze the sophisticated phishing email. So, Let's start the case study to explain.  Spearphising :  Spearphising is the technique in which attacker aims at one person and lures him/her into providing confidential data. Attacker compile the email according to the specific user. The email would consist some of the target's email, username, designation.  Case Study: User receive the spearphising email containing the PDF attachment with double extension. Email body contains the unprofessional statement "Kindly m
Read more

Cyber Threat Intel

Image
What is Cyber Threat Intel? Threat intel is the information about the threats. Cyber threat intel is used to better understand, predict and adopt to the behavior of malicious actors. It plays an important role in preventing the zero-day attacks. " Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes " (NIST). Threat Intel life Cycle: Intelligence lifecycle is the process of developing raw information into finished intelligence for policymaker to use in decision making and action. CTI Life Cycle Planning and Direction Planning and direction helps in setting up the goals for the threat intel program. Priorities and requirements are defined in this phase. Collection: Collection means gathering of data to produce the finished intelligence. Data includes logs(Firewall, IPS/IDS, Endpoints), threat feeds and OSINT(reports, social media, public forums). Collection Types of Collectio
Read more

Authentication Services

Image
  Authentication Services: In this section we will discuss the authentication services. The main goal of these services are to ensure that unencrypted credentials are not sent across the network. In other words they ensure that credentials are not sent in clear text. Kerberos: It is a network authentication mechanism mostly used in both windows active directory domain and some Unix environments. Kerberos provides mutual authentication that can help prevent MITM attacks and uses tickets to help prevent replay attacks. Working of Kerberos: The KDC(key distribution center) uses a complex process of issuing TGTs(Ticket granting tickets) and other tickets. The KDC packages user credentials within the ticket. Tickets provide authentication for users when they access resources such as files on the file server. These tickets are sometimes referred to as tokens. NTLM: New Technology LAN Manager is a suite of protocols that provide authentication, integrity, and confidentiality within windows sy
Read more