What is SIEM and how does it work?
A SIEM (Security Information and Event Management) system is a security log management platform that collects log files, security alerts, and security events into one centralized location, so that security analysts and teams can analyze the data efficiently. SIEM technology thus supports security incident and event management by logging both real-time and historical security event data. In addition, a SIEM generally produces reports through a central dashboard.
2 Types of SIEM Technologies
Gartner, in 2017, updated the definition of a SIEM to include two other technologies:
- UEBA: User and Entity Behavior Analytics is an analytics layer that tracks normal and abnormal behavior for users and for entities such as servers, databases, and devices. UEBA helps identify abnormal device behavior, such as a computer uploading a huge amount of data for the first time or logins from unusual points in the network. Such incidents are flagged for further investigation.
- SOAR: Security Orchestration, Automation and Response automates the procedures security analysts follow during incident response, improving SOC efficiency and reducing overall risk.
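As an added illustration of the UEBA idea (this is example code, not from the original article or from any vendor product): a toy per-user baseline that learns which /24 subnets a user normally logs in from and how large that user's uploads normally are, then flags a login from a never-seen subnet or an upload far above the user's prior maximum. The user names, events and thresholds are constructed for the example.

```python
"""Toy UEBA baseline: per-user learning of normal login subnets and upload sizes.

Added example; the events, users and thresholds below are constructed, not taken
from any product or real environment.
"""
from collections import defaultdict
from ipaddress import ip_network

UPLOAD_RATIO = 10.0  # flag an upload larger than 10x the user's previous maximum
MIN_OBS = 3          # do not score a user until this many prior events have been seen

# Constructed events: (user, event type, source IP, bytes uploaded)
EVENTS = [
    ("alice", "login",  "10.1.20.15", 0),
    ("alice", "upload", "10.1.20.15", 2_000_000),
    ("alice", "login",  "10.1.20.15", 0),
    ("alice", "upload", "10.1.20.15", 3_500_000),
    ("alice", "login",  "10.1.20.17", 0),
    ("alice", "upload", "10.1.20.17", 1_800_000),
    ("bob",   "login",  "10.1.30.40", 0),
    ("bob",   "upload", "10.1.30.40", 500_000),
    ("bob",   "login",  "10.1.30.41", 0),
    ("bob",   "upload", "10.1.30.41", 400_000),
    ("bob",   "login",  "10.1.30.40", 0),
    ("bob",   "upload", "10.1.30.40", 600_000),
    # Deviations once a baseline exists: a login from a subnet alice has never used,
    # followed by an upload roughly 250x her previous largest transfer.
    ("alice", "login",  "172.16.9.200", 0),
    ("alice", "upload", "172.16.9.200", 900_000_000),
    ("bob",   "login",  "10.1.30.42", 0),
    ("bob",   "upload", "10.1.30.42", 550_000),
]


class UserBaseline:
    """What 'normal' looks like for one user so far."""

    def __init__(self):
        self.subnets = set()   # /24 networks the user has been seen from
        self.max_upload = 0    # largest upload observed so far, in bytes
        self.count = 0         # number of events folded into the baseline


def subnet_of(ip):
    """Collapse an address to its /24 so neighbouring workstations look alike."""
    return str(ip_network(f"{ip}/24", strict=False))


def score_events(events, ratio=UPLOAD_RATIO, min_obs=MIN_OBS):
    """Replay events in order; score each against the baseline built from the
    user's earlier events, then fold it into that baseline. Returns alerts as
    (event index, user, reason) tuples."""
    baselines = defaultdict(UserBaseline)
    alerts = []
    for index, (user, kind, ip, nbytes) in enumerate(events):
        base = baselines[user]
        net = subnet_of(ip)
        if base.count >= min_obs:  # only score once the user has some history
            if kind == "login" and net not in base.subnets:
                alerts.append((index, user, f"login from never-seen subnet {net}"))
            if kind == "upload" and base.max_upload and nbytes > ratio * base.max_upload:
                alerts.append((index, user,
                               f"upload of {nbytes} bytes exceeds {ratio:g}x prior max of {base.max_upload}"))
        # Learn from every event, including flagged ones, so a repeat is not re-alerted.
        base.subnets.add(net)
        if kind == "upload":
            base.max_upload = max(base.max_upload, nbytes)
        base.count += 1
    return alerts


if __name__ == "__main__":
    for index, user, reason in score_events(EVENTS):
        print(f"event {index}: {user}: {reason}")
```

Two design choices worth noting: a user is not scored until a few events have been seen, otherwise every first login would be "abnormal"; and flagged events are still folded into the baseline, which keeps the alert volume down but means a real product would want an analyst's verdict before letting an anomaly redefine "normal".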
What is the Benefit of a SIEM in a SOC?
The central collection of incident data from all devices on the network gives security analysts a single dataset for their investigation instead of having to go through each individual system. In the event of a security incident, the SIEM is a foundational component of the Security Operations Center (SOC) for conducting forensic analysis. A SOC complements the SIEM by providing the resources needed, such as security operations analysts who perform forensic investigations: analyzing real-time network events, investigating security incidents, responding to security events, and carrying out prevention and updates after a cybersecurity incident.
When logging data from network devices, it is important to synchronize the clocks on all devices, since an investigation may need to establish exactly when an event occurred. For instance, a forensic investigation of the events that occurred between the router and the web server during a specific period can give accurate insight into how an attack was carried out, but only if both devices agree on the time. The Network Time Protocol (NTP) is a widely used standardized protocol that synchronizes all devices on the network to a single clock source, providing accurate time synchronization as well as flexibility.
Once log data has been generated, a SIEM needs a way to transfer it from the devices and a way to store it. The most common way of transferring log data to a SIEM is the Syslog standard. The SIEM uses a central receiver to collect the logs and store them; consequently, SIEMs also need large storage capacity.
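The two paragraphs above describe the ingestion side: logs arrive over Syslog, and they are only useful for correlation if every device's clock agrees. As an added example (not code from the article or from any SIEM product), the following parses RFC 5424 syslog messages, converts each device's timestamp to UTC so events from a router and a web server can be placed on one timeline, pulls out the events that mention a single source address, and measures how far a device's own clock is from the receiver's. The host names, addresses and log lines are constructed for the example.

```python
"""Parse RFC 5424 syslog lines from several devices and place them on one UTC timeline.

Added example; the host names, addresses and log lines are constructed, not captured
from real equipment.
"""
import re
from datetime import datetime, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$"
)

# Constructed sample: the router stamps in UTC ('Z'), the web server in local time (+02:00),
# so the raw strings cannot be compared until both are normalized.
SAMPLE_LOGS = [
    '<134>1 2024-03-05T09:15:02.000Z rtr-edge acl 1120 ID47 - denied tcp 203.0.113.9 -> 10.0.5.20:22',
    '<134>1 2024-03-05T11:15:04.000+02:00 web01 nginx 2210 - - 203.0.113.9 GET /login 200',
    '<132>1 2024-03-05T11:15:05.000+02:00 web01 nginx 2210 - - 203.0.113.9 POST /login 401',
    '<134>1 2024-03-05T09:15:06.000Z rtr-edge acl 1120 ID47 [acl@0 rule="out-443"] permitted tcp 203.0.113.9 -> 10.0.5.20:443',
    '<132>1 2024-03-05T11:15:07.000+02:00 web01 nginx 2210 - - 203.0.113.9 POST /login 401',
    '<134>1 2024-03-05T11:15:08.000+02:00 web01 nginx 2210 - - 203.0.113.9 POST /login 302',
]


def parse_timestamp(ts):
    """RFC 5424 timestamps are RFC 3339; fold any offset into UTC. A trailing 'Z' is
    rewritten because datetime.fromisoformat only accepts it from Python 3.11."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def parse_syslog(line):
    """Split one RFC 5424 message into its header fields; PRI encodes facility*8 + severity."""
    match = SYSLOG_RE.match(line)
    if not match:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(match["pri"])
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "ts": parse_timestamp(match["ts"]),
        "host": match["host"],
        "app": match["app"],
        "sd": match["sd"],
        "msg": match["msg"],
    }


def timeline(lines):
    """Parse every line and order the events by their UTC timestamp, whatever device
    or timezone they came from."""
    return sorted((parse_syslog(line) for line in lines), key=lambda e: e["ts"])


def correlate_ip(events, ip, window_seconds):
    """Events mentioning ip, restricted to those within window_seconds of the first
    such event; returned as (host, UTC ISO timestamp, message) tuples."""
    hits = [e for e in events if ip in e["msg"]]
    if not hits:
        return []
    start = hits[0]["ts"]
    return [(e["host"], e["ts"].isoformat(), e["msg"]) for e in hits
            if (e["ts"] - start).total_seconds() <= window_seconds]


def clock_skew_seconds(event, received_at_iso):
    """Gap between the device's own timestamp and the receiver's arrival time. A large
    value on a low-latency LAN means the device is not keeping NTP time."""
    received = parse_timestamp(received_at_iso)
    return abs((received - event["ts"]).total_seconds())


if __name__ == "__main__":
    events = timeline(SAMPLE_LOGS)
    for host, when, msg in correlate_ip(events, "203.0.113.9", 10):
        print(f"{when} {host:9} {msg}")
    # Constructed arrival time 12 minutes after the router's own stamp.
    print("router skew (s):", clock_skew_seconds(events[0], "2024-03-05T09:27:02Z"))
```

Because RFC 5424 timestamps carry a UTC offset, the receiver can normalize them; the older BSD syslog format (RFC 3164) has no year and no timezone in its timestamp, which is one more reason the NTP synchronization described above matters. The skew check is what a central receiver can do on its own when it cannot enforce NTP on every device: a device whose messages consistently arrive minutes away from their own timestamps should be fixed before its logs are trusted in a timeline.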
SolarWinds is an example of a SIEM tool that strengthens an organization's security posture by providing automated incident response and threat detection. It provides an easy-to-use dashboard that visualizes event data for analysis and pattern recognition. SolarWinds also provides active response actions such as blocking untrustworthy IPs, automatically logging off users, and terminating inactive sessions. It also provides customizable reporting templates that make it easier to demonstrate compliance with standards and regulations such as ISO 27001 and SOX.
How to Become a SOC Analyst
Being a SOC analyst can be an intense job, but it is certainly a very rewarding career. Imagine being in a SOC at a healthcare organization and you start to see indicators that an attack is happening on the network. You follow the proper procedure and eventually thwart the attack. After an analysis, you find that the attack you thwarted would have caused enough damage to cripple the entire hospital. Some might call that being a modern-day hero; others might call it just doing their job. Either way, getting the EC-Council CSA Certification is the first step to take.