SIEM 1

security

Uploaded by sandeeppolinati9

Security Information and Event Management (SIEM)

It is a tool/technology that supports threat detection and historical analysis of security events through real-time collection of events from various data/log sources.
Security information and event management systems are an approach to getting a centralized view of the information coming out of the organization's multiple defense mechanisms, end-user devices, applications and servers, in the most understandable and standard format. It serves multiple purposes such as auditing, reporting, log retention, incident response and, most importantly, real-time monitoring, which provides the capability to alert at the initial stages of a cyber-attack on your organization. In summary, it will show what you want to see; hence, to get the most out of it, it should be managed properly.
It is a set of technologies for:
- Log data collection
- Correlation
- Aggregation
- Normalization
- Retention
- Analysis and workflow
We need SIEM to move from being reactive to being proactive in terms of our security approach.

Example SIEM products: ArcSight, RSA enVision and so on.


SIEM is implemented via software, systems, appliances, or some combination of these. There are, generally speaking, six main attributes of a SIEM system:
Retention: Storing data for long periods so that decisions can be made on more complete data sets.
Dashboards: Used to analyze (and visualize) data in an attempt to recognize patterns, or to target activity or data that does not fit a normal pattern.
Correlation: Sorts data into groups that are meaningful, similar and share common traits. The goal is to turn data into useful information.
Alerting: When data is gathered or identified that triggers certain responses, such as alerts or potential security problems, SIEM tools can activate certain protocols to alert users, like notifications sent to the dashboard, an automated email or a text message.
Data Aggregation: Once a SIEM is introduced, data can be gathered from any number of sites, including servers, networks, databases, software and email systems. The aggregator also serves as a consolidating resource before data is sent to be correlated or retained.
Compliance: Protocols can be established in a SIEM that automatically collect the data necessary for compliance with company, organizational or government policies.
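As an added illustration (not part of these notes), the toy Python pipeline below walks through the normalization, aggregation, correlation and alerting steps described above on a handful of constructed firewall and IPS log lines; the two log formats, the field names and the correlation rule are invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample events in two hypothetical vendor formats (firewall and IPS).
RAW_LOGS = [
    "FW|2024-01-01T10:00:01|src=10.0.0.5|dst=10.0.0.20|action=deny|port=22",
    "FW|2024-01-01T10:00:02|src=10.0.0.5|dst=10.0.0.20|action=deny|port=22",
    "FW|2024-01-01T10:00:03|src=10.0.0.5|dst=10.0.0.20|action=deny|port=22",
    "IPS 2024-01-01T10:00:04 10.0.0.5 -> 10.0.0.20 sig=SSH brute force sev=high",
    "FW|2024-01-01T10:00:05|src=10.0.0.5|dst=10.0.0.20|action=allow|port=22",
    "FW|2024-01-01T10:00:06|src=10.0.0.9|dst=10.0.0.30|action=allow|port=443",
]
FW_RE = re.compile(r"FW\|(?P<ts>[^|]+)\|src=(?P<src>[^|]+)\|dst=(?P<dst>[^|]+)"
                   r"\|action=(?P<action>\w+)\|port=(?P<port>\d+)")
IPS_RE = re.compile(r"IPS (?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) sig=(?P<sig>.+?) sev=(?P<sev>\w+)$")

def normalize(line):
    """Normalization: map a vendor-specific line onto one common schema."""
    m = FW_RE.match(line)
    if m:
        return {"source": "firewall", "ts": m["ts"], "src": m["src"], "dst": m["dst"],
                "action": m["action"], "port": int(m["port"])}
    m = IPS_RE.match(line)
    if m:
        return {"source": "ips", "ts": m["ts"], "src": m["src"], "dst": m["dst"],
                "action": "alert", "signature": m["sig"], "severity": m["sev"]}
    return None  # unparsed line: a real SIEM would count and retain it rather than drop it

def aggregate(events):
    """Aggregation: group normalized events by (src, dst) pair, preserving arrival order."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["src"], ev["dst"])].append(ev)
    return groups

def correlate(groups, deny_threshold=3):
    """Correlation rule: >= deny_threshold firewall denies from one source to one
    destination, an IPS alert on that pair, and a firewall allow after the last deny."""
    alerts = []
    for (src, dst), evs in groups.items():
        is_fw = lambda e, a: e["source"] == "firewall" and e["action"] == a
        deny_idx = [i for i, e in enumerate(evs) if is_fw(e, "deny")]
        ips_hit = any(e["source"] == "ips" for e in evs)
        allowed_later = deny_idx and any(is_fw(e, "allow") for e in evs[deny_idx[-1] + 1:])
        if len(deny_idx) >= deny_threshold and ips_hit and allowed_later:
            alerts.append({"rule": "brute-force-then-success", "src": src, "dst": dst,
                           "denies": len(deny_idx)})
    return alerts

def run_pipeline(lines=RAW_LOGS):
    """Alerting: run the whole chain and return the alerts a dashboard or email would carry."""
    events = [e for e in map(normalize, lines) if e]
    return correlate(aggregate(events))
```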
SOC tiers:
Tier 1: Security analyst
Tier 2: Senior analyst and shift leader
Tier 3: Regional analyst who performs higher-order analysis and quality assurance (QA) with respect to the activity derived from Tiers 1 and 2, among other activities including hunting

Event: Any observable occurrence in a system or network.
Alert: An event (or collection of events) that is, or has the potential to be, a cyber security incident.
Incident: An occurrence that potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits. A cyber security incident is an incident in which there has been, or there is the imminent potential for, a violation of security policies, acceptable use policies, or standard security practices.
Monitor: Process by which analysts receive and observe cyber security events and alerts from technical and non-technical sources.
Triage: Process of validating an alert through the analysis of data.
Incident: Incidents can be classified as malicious code, misuse, denial of service, attempted access or successful unauthorized access.
Threat: Threats are internal or external to the organization and are carried out intentionally or unintentionally.
Incident Severity: The degree to which the incident impacts the organization, the likelihood of recovery, and the level of response necessary.
Incident Scope: The level to which users, assets, data, and/or member firms are impacted.
True Positive: Outcome of security event analysis indicating that a defined risk is intercepted.
True Negative: Outcome of security event analysis indicating the presence of a normal transaction.
False Positive: Outcome of security event analysis indicating a false alarm.
False Negative: Outcome of security event analysis indicating the possible presence of an undefined risk.

Technical Terms:
Genuine
Hacked
To reduce effect
To prevent
Controlling
Removal
Attack
Skip

Description:
This is XXXXXXXXXX; I graduated from XXXXXXXXXX and have XX years of experience in a security operations center (SOC) as an information security analyst at XXXXXXXXXXX.
As an analyst, I am responsible for monitoring and protecting the network by using tools like:
tool - integrated with all the security devices to collect the event logs from them.
IPS - configured in inline mode on the network. It monitors the entire network for suspicious traffic by analyzing or comparing the event data with pre-configured and pre-determined attack patterns or signatures.
Web proxy - monitors all the web traffic and correlates the traffic in real time by tapping into the Cisco Talos security intelligence.
Email security - protects against ransomware, business email compromise, spoofing and phishing. It uses advanced threat intelligence and a multilayered approach to protect inbound messages and sensitive outbound data.
Endpoint protection - runs daily scans in the network. If any system is detected with an infection, it is reviewed by the SOC, which takes the necessary steps to mitigate the detected issue.
Antivirus - McAfee
Websense or Symantec - DLP
ServiceNow - ticketing tool
Essential roles and responsibilities:
We are actively involved in monitoring the ArcSight console in order to identify any potential security breaches across the network, by monitoring Active Channels and Dashboards.
Active Channels provide live streaming of event data; through the Active Channels we monitor firewall logs, Sourcefire IPS logs, McAfee ePO logs and Cisco WSA logs.
Dashboards provide a summary of the event data, through which we can quickly identify and investigate any abnormal logs reported.
We also monitor the ArcSight SmartConnectors. If any connector goes down, we take responsibility for creating a ticket and assigning it to the NSO team.
We are also responsible for monitoring the SOC mailbox, to which employees forward suspicious/spam/phishing emails whenever they receive one. The SOC analyzes such emails with the help of online tools like virustotal.com, urlquery.net, mxtoolbox.com, malwr.com etc., and blocks the domains and attachments at the ESA and WSA level.
If any potential security incident is identified while monitoring the security devices, we immediately create a security incident response plan (SIRP).
Mainly there are 6 phases involved in preparing a security incident response plan (SIRP).
Life cycle:
There are 5 phases in the incident life cycle. The incident response phases are:
Preparation
Identification
Containment
Eradication
Lessons Learned
