Lec 08

The document discusses Security Information and Event Management (SIEM), including its basics and capabilities, different types of SIEM solutions, deployment challenges, and recommendations for successful deployment. SIEM is a solution that helps security operations centers correlate and analyze security events and identify unusual activity across an organization's IT infrastructure to improve security.

Security Information and Event Management (SIEM)

Dr. Lamiaa Basyoni
Module Objective

• Security Information and Event Management (SIEM) Basics and Capabilities
• Different Types of SIEM Solutions
• Deployment of SIEM
• Application-Level Incident Detection
• Insider Incident Detection
• Network Level Incident Detection
• Host Level Incident Detection
• Handling Alert Triaging and Analysis
Security Information and Event Management (SIEM) Basics

• The SIEM solution is at the heart of the SOC; it helps SOC analysts correlate and analyze network security events and identify unusual or suspicious activity on the organization's IT infrastructure.
• SIEM helps the SOC fulfill its main objective of providing a single-point, comprehensive view of an organization's IT infrastructure security.
• SIEM has two main components:
o a base layer of log management functionality, for efficient log management;
o an additional layer of security analytics, for detecting security incidents in real time.

Security Analytics in SIEM

• Responsible for SEM (Security Event Management), log analysis, and reporting.
• SEM functions:
o Real-time monitoring and incident management.
o Identifying patterns and anomalies in correlated log data.
o Signaling intrusion attempts or policy violations.
The Need for SIEM

• Increased Visibility over the Network:
o SIEM implementation enables organizations to have a clear view of network activities.
o Monitoring user actions, data access, login attempts, new user additions, application installations, and network performance enhances overall visibility.
o Enhanced visibility allows for closer observation of malicious behaviors and alert-triggering incidents, thereby boosting network security.
• Incident Management:
o With numerous devices and applications generating extensive log data, identifying malicious incidents becomes challenging.
o SIEM employs various techniques to detect and manage alert-triggering incidents, improving network efficiency.
• Forensics:
o SIEM aids in forensic investigations by analyzing past records to identify the source of an attack.
o Upon detecting similar incidents, SIEM alerts intrusion detection systems and firewalls to reconfigure rules and mitigate ongoing attacks.
o Automatic defensive measures help prevent malicious attacks without requiring human intervention and support regulatory compliance efforts.
SIEM Capabilities

SIEM Architecture and Its Components

• Data: Various devices and applications in an organization generate logs by default, including network devices, security tools, servers, and applications.
• Collectors/Agents/Connectors: receive event information generated by devices in the network and normalize it.
• Central Engine: performs data correlation and log analysis.
o Data correlation matches normalized log data to determine related events based on predefined rules.
o Log analysis identifies patterns and anomalies indicating intrusion attempts or policy violations.
o The central engine also handles reporting, monitoring, and alerting administrators through email, ticketing systems, or other preferred methods.
• Database: Logs are stored in central repositories or databases based on retention policies.
SIEM Solutions

SIEM Solutions: In-House

If SIEM is implemented in an organization or a company without the involvement of external sources, then it is known as in-house SIEM. In this kind of SIEM, the organization has to buy and install the required SIEM software and hardware and manage them on its own premises.

Advantages
• It provides full control over the system.
• Rules can be updated whenever the user prefers.
• SIEM can be customized as per the organization's security needs.

Disadvantages
• It is expensive to set up and operate.
• It takes time to train the staff and make them understand the working of SIEM.
• It is hard to provide all of the necessary tools.
SIEM Solutions: Cloud-Based

The cloud-based SIEM is the kind in which a third-party vendor supplies the required features of the SIEM, and the organization does not have to be involved with them. In this kind of SIEM, the organization has to subscribe to a plan which exists for a particular amount of time with specific features.

Advantages
• The SIEM platform is updated constantly.
• Operational support is provided when needed.
• It provides a lot of features, such as unlimited data storage.
• No further installation of hardware equipment is needed.

Disadvantages
• Customers may fail to realize the complete SIEM functionality.
• For the full benefits of SIEM, the customer has to pay a high amount of money; it can be expensive.
SIEM Solutions: Managed

This type of SIEM can be implemented either on premises or in the cloud. It includes all the technology features that are required for a do-it-yourself implementation as well as to satisfy security objectives. Managed SIEM can be equipped with the necessary elements which help the organization get a particular task done.

Advantages
• It removes the load of hiring, training, and keeping special personnel, as it comes with advanced technology and skilled people.
• It costs less when compared to other kinds of SIEMs.
• Implementation cost and maintenance cost are included, and no additional costs are required.
• It takes less space compared to the in-house mechanism.
• It provides continuous compliance support and data security assistance.

Disadvantages
• As a third party manages data security, if the wrong company is selected, then there is a chance of more risks or unwanted hassles.
• As the SIEM system is fed with raw data, the chance of getting false positives increases. Analyzing a false positive consumes the same amount of time as analyzing a real incident.
SIEM Solutions: Micro Focus ArcSight Enterprise Security Manager
SIEM Solutions: Splunk Enterprise Security (ES)
SIEM Solutions: IBM Security QRadar
SIEM Deployment

Challenges in SIEM Deployment

Cost Considerations:
• SIEM implementation involves various costs including licensing, installation, optimization, management, renewal, and staff training.
• Expansion of the SIEM deployment can incur high costs for the organization.

False Positives:
• Prioritizing false-positive incidents can consume significant analysis time, similar to real incidents.

Lack of Trained Personnel:
• Unavailability of trained personnel can pose challenges even with a fully equipped SIEM, leading to wasted resources until suitable professionals are recruited.

Complexity of Data Sources:
• Configuring all data sources at once can complicate the work of monitoring and analyzing teams, necessitating phased integration and tuning to reduce system noise.

Deployment Architecture:
• Selecting an appropriate SIEM deployment architecture is crucial, as a misconfigured rule-based process can lead to the loss of relevant data and hinder incident detection.

Understanding SIEM Functionality:
• Users may fail to realize the full functionality of SIEM, resulting in wasted resources and money for the organization.
Recommendations for Successful SIEM Deployment

• Phased Deployment Approach: Implement SIEM deployment in phases to enhance efficiency and effectiveness gradually.
• Skilled Staff or Training: Ensure the team possesses the necessary skills by either hiring skilled staff or providing training on product and security expertise.
• Define Scope and Use Cases: Determine the scope, use cases, and associated requirements essential for successful execution.
• Deployment Architecture: Select a deployment architecture suitable for the organization's network to optimize SIEM effectiveness.
• Proactive Security Monitoring: Implement proactive security monitoring practices to detect and respond to potential threats promptly.
• Implement Security Controls: Modify and implement security controls, including event categorization, to detect unauthorized device connections, software installations, and configuration changes.
1. Implementing Phased SIEM Deployment

To get the most out of the SIEM, it has to follow a phased approach. If the SIEM is implemented using a phased approach, keeping the organization's network in mind, then organizations can decrease the inherent complexity of the SIEM deployment.

Phased SIEM deployment includes two approaches:
• Deploying the Log Management Component First and then the SIEM Component
• Use-Case-by-Use-Case (Output-Driven) Approach
Deploying the Log Management Component First and then the SIEM Component

Implementing the log management component first, followed by the SIEM component, is a recommended deployment technique. The organization deploys the log management architecture initially, focusing on collecting and managing logs effectively. Organizations may opt for a separate central log management solution or utilize the log management capability within the SIEM platform.

Advantages
• Easy to deploy and greater visibility into user and resource access activities
• Improved scalability and performance
• Already collected data can be used to perform functions related to security analytics
• Data can be used for the fulfillment of non-security requirements
Use-Case-by-Use-Case (Output-Driven) Approach

An output-driven approach is introduced to ensure effective SIEM deployment. Use cases are implemented sequentially, addressing each component such as data sources, logs, flows, and context individually. Log management and SIEM components are deployed to support each specific use case, ensuring comprehensive coverage and functionality.

Advantages
• Possible to build more complex use cases with greater scope
• As one particular incident is taken care of at a time, the efficiency of the SIEM is increased
• Automated threat intel along with traditional monitoring can be done
2. Determining the Scope, Use Cases, and Associated Requirements

SIEM Scope

Scope Drives SIEM Implementation:
• Proper scope is crucial for successful SIEM implementation.
• Drivers for SIEM implementation include compliance, security, and operations.

Audit and Compliance:
• Compliance-driven SIEM focuses on log collection, retention, and review processes.
• Compliance entails adherence to rules to ensure organizational security.
• SIEM provides regulatory compliance reports (e.g., PCI DSS, FISMA) and can customize reports for future regulations.

Security:
• Security-driven SIEM involves continuous real-time monitoring and log analysis.
• Log data includes various information such as syslog events, user IDs, system activities, access attempts, etc.
• Analysis aims to identify suspicious activities or indicators of compromise with minimal human interaction.

Operations:
• Operations-driven SIEM focuses on device management, maintenance, and troubleshooting.
• Various network devices and applications produce logs, making analysis and monitoring challenging.
• Relevant logs need to be surfaced while irrelevant data is ignored.
SIEM Use Cases

Definition of Use Cases:
• Use cases are actions such as rules, reports, alerts, or dashboards that fulfill specific needs or requirements.
• They are the goals behind SIEM implementation for successful integration into the IT infrastructure.

Primary Goals of SIEM Implementation:
• Detecting insider abuse and unauthorized access.
• Performing forensic analysis and correlation of log data.
• Monitoring user activity for suspicious behavior.
• Increasing efficiency by facilitating communication between devices and initiating preventive measures.
• Ensuring compliance with IT regulations and standards.

Types of SIEM Use Cases:
• Generic: Suitable for large groups of companies with distributed infrastructures, providing centralized log management across connected organizations.
• Specific: Implemented for organizations operating on a single network without external connections, focusing on their specific systems.
SIEM Use Cases Stages

• Scope Development: Use cases are developed based on the scope of SIEM implementation, focusing on compliance, security, and operational needs. Understanding the network environment is crucial for use case development.
• Monitoring Requirements: Monitoring requirements are determined based on the IT infrastructure that needs to be monitored and protected. This includes ensuring the security of data such as credit card and personal details transmitted through websites and e-commerce sections.
• Event Sources Mapping: Mapping of secured information in monitoring requirements to SIEM use cases is performed. Each task in the monitoring requirements is listed according to SIEM use cases.
• Event Validation: Event sources identified are validated against monitoring requirements. Event validation adds an additional layer of security to data transmitted over postback requests, especially in web applications.
• Use Case Logic: Use case logic involves defining conditions or rules for alerts to detect specific attack vectors. Constructing logic for use cases provides detailed data on specific actions and enhances detection capabilities.
• Implementation and Testing: Configuring and testing the SIEM implementation for specific use cases and desired outputs such as reports, real-time notifications, and historical notifications. Testing is crucial to avoid false positives and is initially done in a sandbox environment before deployment in real-time systems.
• Use Case Response: Defines actions to be taken to contain, eradicate, and mitigate incidents. This includes incident handling and response steps based on the final report generated from studying the data collected by the SIEM.
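The following is an added worked example, not code from the lecture or from any SIEM vendor. It ties together two passages: the SIEM architecture slide (collectors normalize raw events into one schema; the central engine correlates them against predefined rules) and the "Use Case Logic" and "Implementation and Testing" stages above (a rule is written for one attack vector and checked against benign sandbox data before it goes live). The log line formats, the normalized field names, the failure threshold and the time window are all assumptions chosen for illustration; the log samples are constructed.

```python
"""Added example: collector normalization + one correlation rule, with a
sandbox check for false positives. Formats and thresholds are assumed."""
from __future__ import annotations
import re
from datetime import datetime, timedelta

# Constructed sample logs from two sources: an SSH-style auth log and a firewall.
AUTH_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:05 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:09 sshd: Accepted password for admin from 203.0.113.7
2024-05-01T10:05:00 sshd: Failed password for alice from 198.51.100.4
2024-05-01T10:30:00 sshd: Accepted password for alice from 198.51.100.4
"""
FW_LOG = """\
2024-05-01T09:59:58 fw: DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T10:00:00 fw: ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22
"""
# Constructed benign sandbox data: one typo-style failure, then success, plus noise.
BENIGN_LOG = """\
2024-05-01T11:00:00 sshd: Accepted password for alice from 198.51.100.4
2024-05-01T11:00:05 sshd: Failed password for alice from 198.51.100.4
2024-05-01T11:00:10 sshd: Accepted password for alice from 198.51.100.4
2024-05-01T11:01:00 cron: job ran
"""

AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) fw: (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")

def normalize(line: str) -> dict | None:
    """Collector step: map a raw line from either source onto one assumed schema
    {ts, source, action, user, src_ip, dst_ip}. Lines no parser knows are dropped."""
    m = AUTH_RE.match(line)
    if m:
        ts, outcome, user, ip = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "auth",
                "action": "login_failure" if outcome == "Failed" else "login_success",
                "user": user, "src_ip": ip, "dst_ip": None}
    m = FW_RE.match(line)
    if m:
        ts, verdict, src, dst, _port = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "firewall",
                "action": "fw_allow" if verdict == "ALLOW" else "fw_deny",
                "user": None, "src_ip": src, "dst_ip": dst}
    return None

def collect(*logs: str) -> list[dict]:
    """Normalize every line of every source and order the events by time."""
    events = [e for log in logs for e in map(normalize, log.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])

def brute_force_rule(events: list[dict], failures: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Use-case logic: at least `failures` login failures from one source IP
    followed by a login success from the same IP within `window` -> one alert."""
    alerts = []
    fails: dict[str, list[datetime]] = {}  # src_ip -> failure timestamps
    for e in events:
        if e["action"] == "login_failure":
            fails.setdefault(e["src_ip"], []).append(e["ts"])
        elif e["action"] == "login_success":
            recent = [t for t in fails.get(e["src_ip"], []) if e["ts"] - t <= window]
            if len(recent) >= failures:
                alerts.append({"rule": "brute_force_then_success", "src_ip": e["src_ip"],
                               "user": e["user"], "failures": len(recent), "ts": e["ts"]})
                fails[e["src_ip"]] = []  # one campaign yields one alert, not one per login
    return alerts

def run_rule(*logs: str) -> list[dict]:
    """Central-engine step: run the rule over the normalized, merged event stream."""
    return brute_force_rule(collect(*logs))

if __name__ == "__main__":
    print("production sample:", run_rule(AUTH_LOG, FW_LOG))
    print("sandbox (expect no alerts):", run_rule(BENIGN_LOG))
```

The sandbox run is the "Implementation and Testing" stage in miniature: the same rule is executed over data that is known to be benign, and any alert it raises there is a false positive to tune out (by raising the threshold or shortening the window) before the rule is enabled on live feeds.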
Associated Requirements

Requirements state what is required for the successful execution of the use case. Use cases should determine their associated requirements.

• Log Data Requirement
• Contextual Data Requirement
• Traffic Flow Data Requirement
• Hardware Requirement
Log Data Requirements
• Not all log source types will be relevant to desired use cases.
• Only collect log sources that support the desired use case.
• Log source integrations into SIEM should be based on their importance and feasibility.
• Typical Sources of Log Data:
o Network firewalls
o IDS/IPS devices
o Network and host data loss prevention (DLP) solutions
o Web proxy logs
o Authentication server logs (e.g., Windows Active Directory, VPN access logs)
o Internal DNS server logs
o Server activity logs (e.g., UNIX, Windows)
o Web server and web application logs
o Database logs
o Application logs
Contextual Requirements

SIEM requires context data to enhance situational awareness and monitor specific use cases. Contextual information aids analysts in monitoring, analyzing, and determining the nature of events, whether malicious or not.

• User Context: Includes information about new and departed employees within the organization, sourced from HR systems.
• Asset Context: Contains details about network devices (e.g., routers, switches), systems, desktops, files, and other organizational assets.
• Vulnerability Context: Obtained from vulnerability scanning tools, providing insights into system weaknesses.
• Threat Context: Comprises information on potential threats to the network, gathered from threat intelligence sources.
• Configuration Context: Involves configuration details of events, often sourced from vulnerability assessment tools.
• Data Context: Derived from data loss prevention tools and other software managing organizational data.
• External Context: Includes threat intelligence from various mediums and feeds provided by third-party sources.
• Application Context: Derived from network applications and dynamic/static application security testing tools.
• Business Context: Obtained from business management tools and integrated applications used in business development.
• Location and Physical Context: Utilizes global positioning sensors to determine the location of data production and transmission rates, contributing to physical context awareness.
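An added example (not from the lecture) of how the context types above change the reading of an event: a raw alert carrying only a user, a source IP and a destination IP is enriched with user context (HR status), asset context (criticality), vulnerability context (open scanner findings) and threat context (a source listed by a feed), and a priority is derived from the enriched record. All four context tables are constructed stand-ins for HR, inventory, scanner and threat-feed exports, the finding identifiers are placeholders, and the scoring weights and tier cut-offs are assumptions rather than any product's algorithm.

```python
"""Added example: alert enrichment with user/asset/vulnerability/threat context.
Context tables, finding IDs and scoring weights are constructed assumptions."""
from __future__ import annotations

# Constructed context data; real deployments pull these from HR, the asset
# inventory, the vulnerability scanner and threat-intelligence integrations.
USER_CONTEXT = {
    "admin": {"department": "IT", "status": "active"},
    "bob":   {"department": "Finance", "status": "departed"},  # account should be dormant
}
ASSET_CONTEXT = {
    "10.0.0.5": {"hostname": "db01", "criticality": "high", "owner": "dba-team"},
    "10.0.0.9": {"hostname": "kiosk3", "criticality": "low", "owner": "facilities"},
}
VULN_CONTEXT = {  # destination IP -> open findings from the last scan (placeholder IDs)
    "10.0.0.5": ["FINDING-PLACEHOLDER-1", "FINDING-PLACEHOLDER-2"],
}
THREAT_CONTEXT = {"203.0.113.7"}  # source IPs listed by a constructed threat feed

CRITICALITY_SCORE = {"low": 1, "medium": 2, "high": 3}

def enrich(alert: dict) -> dict:
    """Attach each context type to a copy of the alert. Missing context is kept
    as None / empty rather than guessed, so the analyst sees what was unavailable."""
    enriched = dict(alert)
    enriched["user_ctx"] = USER_CONTEXT.get(alert.get("user"))
    enriched["asset_ctx"] = ASSET_CONTEXT.get(alert.get("dst_ip"))
    enriched["vuln_ctx"] = VULN_CONTEXT.get(alert.get("dst_ip"), [])
    enriched["threat_ctx"] = alert.get("src_ip") in THREAT_CONTEXT
    return enriched

def priority(enriched: dict) -> int:
    """Assumed additive scoring: asset criticality, open findings (capped at 2),
    a threat-listed source, and activity by a departed account."""
    score = 0
    if enriched["asset_ctx"]:
        score += CRITICALITY_SCORE[enriched["asset_ctx"]["criticality"]]
    score += min(len(enriched["vuln_ctx"]), 2)
    if enriched["threat_ctx"]:
        score += 3
    if enriched["user_ctx"] and enriched["user_ctx"]["status"] == "departed":
        score += 4
    return score

def triage(alert: dict) -> dict:
    """Enrich, score and assign an assumed tier (P1 >= 6, P2 >= 3, else P3)."""
    e = enrich(alert)
    e["priority"] = priority(e)
    e["tier"] = "P1" if e["priority"] >= 6 else "P2" if e["priority"] >= 3 else "P3"
    return e

if __name__ == "__main__":
    for raw in [
        {"rule": "login_success", "user": "bob", "src_ip": "198.51.100.4", "dst_ip": "10.0.0.5"},
        {"rule": "login_success", "user": "admin", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.9"},
        {"rule": "login_success", "user": "admin", "src_ip": "192.0.2.1", "dst_ip": "10.0.0.9"},
    ]:
        t = triage(raw)
        print(t["tier"], t["priority"], raw["user"], "->", (t["asset_ctx"] or {}).get("hostname"))
```

The same "login_success" event lands in three different tiers depending only on the attached context, which is the point of the slide: the raw event is identical, and without HR, asset, scanner and threat data the analyst has no basis for ordering the queue.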
Traffic Flow Requirements
• Integrating traffic flow data with SIEM enables monitoring of network traffic
activity.
• NetFlow Protocol:
o NetFlow (RFC 3954) is a network protocol introduced by Cisco in 1996
for collecting network data.
o It helps in identifying incoming and outgoing traffic within the network.
• Use Cases of NetFlow:
o NetFlow is used to establish traffic baselines, detect anomalies, monitor
network patterns, and optimize network performance.
o NetFlow monitoring and analysis aid in identifying anomalous network
patterns, analyzing bandwidth consumption, troubleshooting network
issues, and optimizing network performance.
o Devices in the network running NetFlow should be configured to send
their information to a NetFlow collector.
o A NetFlow collector gathers Internet Protocol (IP) traffic information
from various network devices.
o The NetFlow collector consolidates data from different devices,
providing comprehensive insight and visibility into network traffic.
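The NetFlow use cases above (establishing a traffic baseline, then detecting anomalous patterns) as an added example that is not part of the lecture. It works on flow records the way a collector would hand them over after consolidation, but in a simplified constructed schema of (hour, source IP, destination IP, destination port, bytes); the real NetFlow export fields, the hourly aggregation and the "mean plus three standard deviations" threshold are assumptions.

```python
"""Added example: per-host traffic baseline from NetFlow-style records and
anomaly detection against it. Record schema and threshold are assumptions."""
from __future__ import annotations
from collections import defaultdict
from statistics import mean, pstdev

# Constructed, already-consolidated flow records: (hour, src_ip, dst_ip, dst_port, bytes).
# Hours 0-5 form the learning period; hour 6 is the period being evaluated.
BASELINE_FLOWS = (
    [(h, "10.0.0.5", "10.0.0.50", 443, b) for h, b in enumerate([1000, 1100, 900, 1050, 950, 1000])]
    + [(h, "10.0.0.9", "10.0.0.50", 443, b) for h, b in enumerate([200, 210, 190, 205, 195, 200])]
)
NEW_FLOWS = [
    (6, "10.0.0.5", "10.0.0.50", 443, 1020),        # within the usual range
    (6, "10.0.0.9", "10.0.0.50", 443, 210),
    (6, "10.0.0.9", "203.0.113.99", 4444, 50000),   # large transfer to a port never seen before
]

def hourly_bytes(flows):
    """Sum bytes sent per (src_ip, hour)."""
    totals = defaultdict(int)
    for hour, src, _dst, _port, nbytes in flows:
        totals[(src, hour)] += nbytes
    return totals

def build_baseline(flows):
    """Per host: mean and population stdev of hourly bytes, plus destination ports seen."""
    per_host = defaultdict(list)
    for (src, _hour), total in hourly_bytes(flows).items():
        per_host[src].append(total)
    ports = defaultdict(set)
    for _hour, src, _dst, port, _nbytes in flows:
        ports[src].add(port)
    return {src: {"mean": mean(v), "stdev": pstdev(v), "ports": ports[src]}
            for src, v in per_host.items()}

def detect(baseline, flows, k: float = 3.0):
    """Flag an hour whose byte count exceeds mean + k*stdev for that host, any
    destination port absent from the host's baseline, and hosts with no baseline."""
    findings = []
    for (src, hour), total in sorted(hourly_bytes(flows).items()):
        b = baseline.get(src)
        if b is None:
            findings.append((src, hour, "no baseline for host"))
        elif total > b["mean"] + k * b["stdev"]:
            findings.append((src, hour, f"volume {total} exceeds baseline"))
    for hour, src, _dst, port, _nbytes in flows:
        if src in baseline and port not in baseline[src]["ports"]:
            findings.append((src, hour, f"new destination port {port}"))
    return findings

def run():
    """Learn from the baseline period, evaluate the new period."""
    return detect(build_baseline(BASELINE_FLOWS), NEW_FLOWS)

if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Two findings come out for 10.0.0.9 in hour 6 (volume far above its baseline, and a destination port it had never used), while 10.0.0.5's 1020 bytes stay well inside its learned range; a production version would learn over days rather than six hours and key the baseline on time of day as well as host.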
EPS, Volume, and Hardware Requirements
• SIEM sizing aims to address performance issues, meet compliance requirements, and effectively capture security data.
• The following factors affect SIEM sizing:
• Events Per Second (EPS):
• EPS refers to the rate at which security events are generated and correlated by the SIEM.
• SIEM sizing depends on the correlation speed of security devices and the SIEM product.
• EPS helps organizations correlate IT infrastructure capacity and select the appropriate SIEM solution.
• Volume:
• The volume of storage required for SIEM is determined by considering all network events.
• Storage volume calculation depends on the type of logs being stored (e.g., cloud storage or distributed storage).
• Hardware Requirements:
• Hardware selection is based on EPS and storage requirements.
• Mid-range hardware requirements may include:
• Intel 64-bit chip architecture
• 24 CPU cores at 2 GHz or greater speed per core
• 64 GB RAM
• Disk subsystem capable of a minimum of 800 average input/output operations per second.
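An added sizing example, not from the lecture, that turns the EPS and volume factors above into numbers for a constructed inventory of log sources: sustained EPS, a peak EPS to size for, raw daily volume in GiB, and the storage needed for a hot retention period plus a compressed archive. Every input (the per-device EPS figures, the average normalized event size, the peak factor, the index overhead and the compression ratio) is an assumption to be replaced with measurements from the organization's own devices; the lecture's mid-range hardware figures are not used as inputs because it gives no EPS capacity for that configuration.

```python
"""Added example: SIEM EPS and storage sizing for a constructed source inventory.
All per-source figures, peak factor, index overhead and compression are assumed."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class LogSource:
    name: str
    count: int             # number of devices of this type
    avg_eps: float         # sustained events per second per device (assumed)
    avg_event_bytes: int   # average normalized event size in bytes (assumed)

# Constructed inventory for a mid-sized network.
SOURCES = [
    LogSource("firewall", 4, 150, 300),
    LogSource("domain controller", 3, 80, 500),
    LogSource("web server", 20, 25, 250),
    LogSource("workstation", 500, 0.5, 400),
]

SECONDS_PER_DAY = 86_400
GIB = 1024 ** 3

def sustained_eps(sources: list[LogSource]) -> float:
    """Average event rate across all sources."""
    return sum(s.count * s.avg_eps for s in sources)

def peak_eps(sources: list[LogSource], peak_factor: float = 3.0) -> float:
    """Rate to size collectors and the correlation engine for: incidents, scans and
    patch cycles produce bursts well above the average (factor is assumed)."""
    return sustained_eps(sources) * peak_factor

def daily_raw_gib(sources: list[LogSource]) -> float:
    """Raw, uncompressed bytes ingested per day, in GiB."""
    bytes_per_sec = sum(s.count * s.avg_eps * s.avg_event_bytes for s in sources)
    return bytes_per_sec * SECONDS_PER_DAY / GIB

def retention_gib(sources: list[LogSource], hot_days: int = 30, archive_days: int = 335,
                  index_overhead: float = 1.5, compression: float = 8.0) -> dict:
    """Hot storage keeps searchable data (index overhead assumed 1.5x raw); the archive
    holds the rest of a one-year retention compressed (ratio assumed 8:1)."""
    raw = daily_raw_gib(sources)
    hot = raw * index_overhead * hot_days
    archive = raw / compression * archive_days
    return {"hot_gib": round(hot), "archive_gib": round(archive), "total_gib": round(hot + archive)}

def sizing_report(sources: list[LogSource]) -> dict:
    """Everything a hardware selection needs, in one place."""
    return {"sustained_eps": sustained_eps(sources), "peak_eps": peak_eps(sources),
            "daily_raw_gib": round(daily_raw_gib(sources), 1), **retention_gib(sources)}

if __name__ == "__main__":
    for key, value in sizing_report(SOURCES).items():
        print(f"{key:>14}: {value}")
```

Note that the 500 workstations at half an event per second contribute as much EPS as the four firewalls; the slide's point that only log sources supporting a use case should be collected is visible directly in the arithmetic, since dropping a whole class of low-value sources changes both the EPS tier and the retention bill.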
Implementing a Suitable Deployment Architecture

• Organizations have multiple choices for deploying their SIEM solution, each with its own challenges and limitations.
• Selection depends on how the organization wants to manage, maintain, and expand the SIEM solution.
• Factors Influencing Architecture Choice:
o Number and Volume of Log Sources: The quantity of log sources and the amount of log data they produce influence architecture selection.
o Log Collection Mechanisms: Different mechanisms exist for log collection, and selecting the appropriate method is crucial.
o Use Case Implementation: A specific set of use cases must be implemented to manage, analyze, and secure logs effectively.
o Network Topology: Proper arrangement of devices in the network is essential for efficient log collection. Network topology determines the placement of security devices like firewalls for effective detection and prevention of unauthorized access.
o Bandwidth Considerations: Available bandwidth needs to be evaluated based on the volume of log data produced by devices. Balancing bandwidth allocation with log data volume is crucial for cost efficiency.
o Regulatory Compliance Requirements: Compliance issues dictate the inclusion of log retention periods in the SIEM. Log retention locations must be implemented physically and logically to accommodate different types of data. Data required immediately should be stored physically, while cloud storage is suitable for vast amounts of data for future reference.
Self-Hosted, Self-Managed
Self-Hosted, MSSP-Managed
Self-Hosted, Jointly-Managed
Cloud-Hosted, MSSP-Managed
Cloud-Hosted, Jointly-Managed
Cloud-Hosted, Self-Managed
Additional Recommendation

Technical Recommendation

Agent-Based vs. Agentless Log Collection:
• Choose between installing agents on devices for centralized data transmission or collecting data based on device norms and transmission ports.

Appliance vs. Software vs. Virtual Image:
• Decide whether to use hardware appliances, software solutions, or virtual images for log collection, each presenting different data collection methods.

Collector Management:
• Determine the number of collectors needed based on the quantity of devices and estimated EPS (Events Per Second).

Type of Collector:
• Select the appropriate log collector type based on the requirements for customized or all-encompassing log data collection.

Handling Varying Log Source Volumes:
• Tailor SIEM implementation to handle log data volumes specific to the organization's size and device count for optimal effectiveness.

Storage Distribution:
• Decide whether to distribute log storage across different locations, considering factors like organizational structure and preference.

Network Architecture Constraints:
• Implement SIEM based on network topology, adhering to any necessary architecture constraints.

Data Redundancy, Availability, and Recovery:
• Manage redundancy, availability, and data recovery mechanisms, especially in distributed storage scenarios, to ensure data integrity and accessibility in case of breaches.
Thank you
