SIEM overview
SIEM stands for Security Information and Event Management. A SIEM collects logs from a variety of sources on the network so that you can analyze them and get a big-picture view of your company's network status. It provides both historical and real-time information about what is happening on the network and allows you to generate extensive reports.
Sensors
A SIEM can collect data from a variety of sources; you can call them sensors. You can collect the log files of a particular operating system, such as Windows or Linux, and have them forwarded to a central SIEM database. Common IT assets, such as switches, routers, firewalls, and similar devices, are pretty much plug and play. You can also use third-party sensors that follow standards such as NetFlow, which provides information about traffic flows across the network.
Sensitivity
Compiling and categorizing all of this information is critical; otherwise it will be hard to make use of the data you collect. You need to design a structured database beforehand and then add extra metadata tags incrementally. For security, it is important to know how to use the SIEM to parse the data and put the information into different categories (such as information, warning, urgent, etc.). A SIEM also has intelligence capabilities that interpret the collected data and can be programmed to look for specific patterns. You can also configure the SIEM to raise proactive alarms and send alerts to specific people and devices. Once again, these rules have to be fine-tuned to keep the false positive and false negative rates low.
You will see the data change constantly over time, and you will be able to see a spike whenever a particular security event occurs or network utilization is higher than normal. It's a great way to identify trends and detect behaviors. You can also correlate different data types into a standard set of information. For example, you can view the relationship between source and destination IP addresses, users, source types, and other information gathered from the log files.
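The three ideas above (sensors feeding a central store, parsing events into severity categories, and correlating them by fields such as source IP or flagging volume spikes) can be shown end to end in one small pipeline. The following Python is an added example written for this page, not code from any SIEM product; the log lines are constructed, the sensor formats are simplified, and the thresholds (three warnings from two or more sensor types to raise an urgent alert, twice the baseline volume to call a spike) are illustrative assumptions a real deployment would tune.

```python
"""Toy SIEM pipeline: normalize logs from several sensors into one schema,
categorize them, correlate warnings by source IP, and flag volume spikes.
Added example; every log line below is constructed, not captured."""
import re
from collections import Counter, defaultdict

# Constructed sample events from three sensor types, as "<sensor>|<raw message>".
# The last line is deliberately unparsable to show how the pipeline handles it.
SAMPLE_LOGS = [
    "linux|Jan 10 09:01:02 host1 sshd[201]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "linux|Jan 10 09:01:05 host1 sshd[202]: Failed password for admin from 203.0.113.7 port 5002 ssh2",
    "windows|2024-01-10T09:01:09 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7",
    "firewall|2024-01-10T09:01:12 action=deny src=203.0.113.7 dst=10.0.0.5 dport=445",
    "firewall|2024-01-10T09:01:15 action=allow src=10.0.0.8 dst=10.0.0.5 dport=443",
    "linux|Jan 10 09:02:00 host2 sshd[310]: Accepted password for bob from 10.0.0.9 port 6000 ssh2",
    "windows|2024-01-10T09:02:10 EventID=4624 TargetUserName=bob IpAddress=10.0.0.9",
    "linux|Jan 10 09:02:30 host2 CRON[400]: (root) CMD (run-parts /etc/cron.hourly)",
]

# One regex per sensor type; each maps its raw format onto the common schema.
PARSERS = {
    "linux": re.compile(
        r"\w{3} +\d+ (?P<time>\d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
        r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)"),
    "windows": re.compile(
        r"\d{4}-\d\d-\d\dT(?P<time>\d\d:\d\d):\d\d EventID=(?P<eid>\d+) "
        r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>[\d.]+)"),
    "firewall": re.compile(
        r"\d{4}-\d\d-\d\dT(?P<time>\d\d:\d\d):\d\d action=(?P<action>\w+) "
        r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"),
}

def normalize(line):
    """Parse one '<sensor>|<message>' line into the common schema, or None."""
    sensor, _, msg = line.partition("|")
    pattern = PARSERS.get(sensor)
    m = pattern.search(msg) if pattern else None
    if not m:
        return None  # unknown sensor or unparsable message: excluded, but counted by the caller
    f = m.groupdict()
    if sensor == "linux":
        action = "logon_failure" if f["result"] == "Failed" else "logon_success"
    elif sensor == "windows":
        # 4625 is the Windows failed-logon event, 4624 the successful one.
        action = "logon_failure" if f["eid"] == "4625" else "logon_success"
    else:
        action = "deny" if f["action"] == "deny" else "allow"
    severity = "warning" if action in ("logon_failure", "deny") else "information"
    return {"sensor": sensor, "minute": f["time"], "action": action,
            "user": f.get("user"), "src_ip": f["src"], "dst_ip": f.get("dst"),
            "severity": severity}

def correlate_by_source(events, min_events=3, min_sensors=2):
    """Raise an 'urgent' alert for any source IP that several sensor types
    have each reported warnings about (a single noisy sensor is not enough)."""
    by_src = defaultdict(list)
    for e in events:
        if e["severity"] == "warning":
            by_src[e["src_ip"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        sensors = {e["sensor"] for e in evs}
        if len(evs) >= min_events and len(sensors) >= min_sensors:
            alerts.append({"severity": "urgent", "src_ip": src, "count": len(evs),
                           "sensors": sorted(sensors),
                           "users": sorted({e["user"] for e in evs if e["user"]})})
    return alerts

def detect_spikes(events, baseline_per_minute, factor=2.0):
    """Return the minutes whose event volume is at least `factor` times the
    (assumed, externally measured) baseline volume per minute."""
    per_minute = Counter(e["minute"] for e in events)
    return sorted(m for m, n in per_minute.items() if n >= factor * baseline_per_minute)

def run_pipeline(lines, baseline_per_minute=2.0):
    """Normalize, categorize, correlate and spike-check a batch of raw lines."""
    parsed = [normalize(l) for l in lines]
    events = [e for e in parsed if e]
    return {"events": events,
            "dropped": len(parsed) - len(events),  # lines no parser understood
            "by_severity": dict(Counter(e["severity"] for e in events)),
            "alerts": correlate_by_source(events),
            "spikes": detect_spikes(events, baseline_per_minute)}

if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LOGS)
    print("severity counts:", result["by_severity"], "dropped:", result["dropped"])
    for alert in result["alerts"]:
        print("ALERT", alert)
    print("spike minutes:", result["spikes"])
```

The point of the correlation rule is the one the text makes about false positives: a burst of failed SSH logins alone stays a warning, but the same source IP showing up in Linux, Windows and firewall logs within the same window is promoted to urgent because the evidence comes from independent sensors. The dropped-line counter matters in practice too; a parser that silently discards what it cannot read will hide exactly the log formats nobody has written a rule for yet.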