SIEM stands for security information and event management. A SIEM tool provides a proactive security capability: it aggregates data from multiple sources and provides analytics for threat detection. There are numerous widely used SIEM products, such as SolarWinds, Graylog, Datadog, Elastic, and Splunk. SIEM combines security information management with security event management: the information management portion collects log files, while the event management portion conducts real-time monitoring.
SIEM collects data from numerous endpoints such as servers, computers, and firewalls. It uses agents to collect the logs from these endpoints and stores and processes them in a single database for analysis. Once you deploy the agents from your SIEM tool, it starts collecting logs and you can begin viewing the data. The agents conduct the network packet capture, and the SIEM dashboard lets you view what they collect. On the dashboard you can expand, visualize, search, and filter the captured packets.
SIEM lets you create a baseline, or profile, that defines normal working conditions: what normal traffic looks like and how the data correlates with other baseline factors, such as the average number of URLs blocked in a given day. From a big-picture perspective, you can view the organization's network health, including compliance requirements and vulnerable areas that should be fixed. Best practice for implementation is to define the requirements, do a test run, gather a live baseline data set, create an incident response plan, and maintain a continuous improvement plan.
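As an added example that is not part of the original article, the following Python script models the pipeline described in the two paragraphs above: agent-forwarded log lines from a firewall and a server are normalized into one store, that store is searched and filtered the way a dashboard would, and a baseline of blocked URLs per day is built and then used to flag a day that deviates from it. All log lines, host names and addresses are constructed sample data; the parsers, field names and the three-standard-deviation threshold are assumptions made for this example, not the log format or detection logic of any particular SIEM product.

```python
"""Miniature SIEM pipeline (added example, constructed data only)."""
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Event:
    """Normalized record: every source type is mapped onto the same fields."""
    day: date
    source_type: str  # "firewall" or "server" (assumed labels)
    host: str         # endpoint the agent runs on
    action: str       # BLOCK/ALLOW for the firewall, Failed/Accepted for sshd
    subject: str      # URL for the firewall, user name for sshd
    client: str       # source IP address


# Assumed log formats for the two endpoint types (not a real product's format).
PARSERS = {
    "firewall": re.compile(
        r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ (?P<action>BLOCK|ALLOW) "
        r"url=(?P<subject>\S+) src=(?P<client>\S+)$"
    ),
    "server": re.compile(
        r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ sshd\[\d+\]: (?P<action>Failed|Accepted) "
        r"password for (?P<subject>\S+) from (?P<client>\S+)"
    ),
}


def normalize(source_type, host, line):
    """Parse one raw line into an Event, or None if it does not match its format."""
    match = PARSERS[source_type].match(line)
    if match is None:
        return None  # a real SIEM keeps the raw line and counts parse failures
    return Event(date.fromisoformat(match["day"]), source_type, host,
                 match["action"], match["subject"], match["client"])


def ingest(raw_logs):
    """Central store: lines from every agent end up in one list of Events."""
    events = []
    for source_type, host, line in raw_logs:
        event = normalize(source_type, host, line)
        if event is not None:
            events.append(event)
    return events


def search(events, **criteria):
    """Dashboard-style filter: keep events whose fields equal every criterion."""
    return [e for e in events
            if all(getattr(e, field) == value for field, value in criteria.items())]


def blocked_urls_per_day(events):
    """Daily count of firewall BLOCK events, oldest day first."""
    counts = Counter(e.day for e in events
                     if e.source_type == "firewall" and e.action == "BLOCK")
    return dict(sorted(counts.items()))


def build_baseline(daily_counts):
    """Profile of 'normal': mean and population std-dev of the daily counts."""
    values = list(daily_counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def flag_anomalous_days(daily_counts, mean, stdev, k=3.0):
    """Days whose count exceeds mean + k*stdev. With a flat baseline stdev is 0,
    so any day above the mean is flagged; tune k or add a floor in practice."""
    threshold = mean + k * stdev
    return [d for d, n in daily_counts.items() if n > threshold]


def _constructed_firewall_lines(day, blocks):
    """Build `blocks` constructed BLOCK lines for one day of March 2024."""
    return [f"2024-03-{day} 09:{i:02d}:00 BLOCK url=http://bad{i}.example/x "
            f"src=10.0.0.{10 + i}" for i in range(blocks)]


def build_sample_logs():
    """Constructed sample feed: four quiet days, then a noisy fifth day."""
    logs = []
    for day, blocks in {"01": 2, "02": 3, "03": 2, "04": 3, "05": 9}.items():
        logs += [("firewall", "fw-edge-1", line)
                 for line in _constructed_firewall_lines(day, blocks)]
    logs += [
        ("firewall", "fw-edge-1",
         "2024-03-05 10:00:00 ALLOW url=https://intranet.example/ src=10.0.0.5"),
        ("server", "web-01",
         "2024-03-05 10:01:13 sshd[4242]: Failed password for root from 198.51.100.7 port 50122 ssh2"),
        ("server", "web-01",
         "2024-03-05 10:01:20 sshd[4243]: Accepted password for alice from 10.0.0.5 port 50130 ssh2"),
        ("server", "web-01", "garbage line the parser cannot read"),
    ]
    return logs


if __name__ == "__main__":
    events = ingest(build_sample_logs())
    daily = blocked_urls_per_day(events)
    # Baseline from the historical window (days 1-4), then evaluate every day.
    baseline = {d: n for d, n in daily.items() if d < date(2024, 3, 5)}
    mean, stdev = build_baseline(baseline)
    print(f"ingested {len(events)} events, baseline mean={mean} stdev={stdev}")
    print("anomalous days:", flag_anomalous_days(daily, mean, stdev))
    print("failed logins:", search(events, source_type="server", action="Failed"))
```

The baseline is built only from the historical window and then applied to the whole series, which is the distinction between gathering a live baseline data set and monitoring against it; the unparseable line is dropped here, whereas a production deployment would retain it and alert on rising parse-failure rates, since a silently broken parser is itself a detection gap.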