Introduction_to_SIEM.pdf

The document discusses Security Information and Event Management (SIEM), highlighting its role in enhancing security operations such as threat detection and compliance. It emphasizes the importance of integrating SIEM with Threat Intelligence for improved security outcomes and outlines the challenges and considerations in implementing SIEM solutions. Additionally, it covers use cases, top implementations, and criteria for selecting the right SIEM tool.


Security Information and Event Management

This file is meant for personal use by [email protected] only.


Sharing or publishing the contents in part or full is liable for legal action.
Agenda

In this session, we will discuss:


• What is SIEM?
• Why SIEM?
• Why integrate SIEM with Threat Intelligence?
• Working of SIEM
• Use Cases

• Implementations
• Tool Selection

What is SIEM?
• It is an amalgamation of Security Information Management (SIM), which involves:
– Collection, monitoring, and analysis of system and network logs.
• And Security Event Management (SEM), which involves:
– Gathering, monitoring, and reporting security-related incidents and events.
• SIEM enhances various security operations and processes, such as:
– Threat detection, compliance, incident management/response, and analysis.

• SIEM solutions primarily offer log collection and management capabilities, such as analysis and reporting, in a centralized location.
• They perform data correlation and data aggregation across the enterprise network.
• They provide security monitoring, which involves user activity/behavior monitoring and compliance conformance.

Why SIEM?
• Centralized Analysis and Reporting:
– A holistic view of an enterprise's security environment, including the gathering and analysis processes needed to make informed security-related decisions.
– Can be put into a centralized repository for efficient storage and ease of access.
• Threat/Attack Detection:
– Strategic, tactical, and operational parallels in threat detection and management.
– Integration with Threat Intelligence to enhance the detection of potential threats and attacks.
• Quick Incident Handling:
– Rapid discovery of security incidents and/or events.
– Uses potential attack strategies and historical data to improve response.
Why SIEM?
• Compliance Conformance:
– Helps enterprises and organizations with compliance conformance, such as the PCI DSS standard, which reassures a company's customers regarding the safety and security of their credit card and payment details.
– Aids the organization in meeting several PCI DSS requirements, including:
• Detection of unauthorized connections to the network.
• Usage of secure protocols only.
• Traffic-flow inspection through the DMZ.
– Meets these requirements by inspecting the traffic flowing to and from the internal systems through the DMZ, and by reporting security incidents and events.

Why not SIEM?
• SIEM implementation takes quite a while, because successful integration requires support for:
– The disparate security controls;
– The hosts in the organization's network.
• It is expensive. The initial investment can cost hundreds of thousands of dollars, which does not include the ongoing expense of maintaining and managing it.
Other concerns
• SIEM produces a large volume of logs and alerts, which makes it extremely difficult to search for and find real threats amongst all the noise.
• Misconfiguration of the SIEM tools may cost the organization thousands, as even after implementation the SIEM solution would be ineffective against threats.

Why Integrate SIEM with Threat Intelligence?
• Threat Intelligence (TI) provides the ability to identify an impending attack and perform security-related actions on discovering it.
• TI is a cyclical process that keeps improving with every iteration to produce effective security outcomes.
• SIEM solutions, in conjunction with TI, provide several capabilities, such as:
– The ability to scale against ever-evolving, high-intensity, high-impact threats in an agile way, with responsive features included.
• SIEMs are only the fundamentals of security integration and not the answer to all security analysis woes.
• SIEM is not designed to handle unstructured data in unrelated formats, which degrades its output.
• A SIEM integrated with TI provides a globalized view that improves the SIEM process.
• Integration enhances the identification of potential security issues.
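The two points above (SIEM struggles with unnormalized input; TI integration turns a bare log line into an actionable, prioritized finding) as an added, self-contained example that is not part of the slides. The feed, the two log formats, and the sample lines are all constructed here using documentation-range addresses; no real indicators are used.

```python
import re

# Constructed threat-intelligence feed (documentation-range values, not real indicators):
# indicator -> (type, confidence 0-100, analyst context)
TI_FEED = {
    "203.0.113.45": ("ipv4", 90, "known C2 server"),
    "bad.example.net": ("domain", 70, "phishing landing page"),
}

# Two constructed log formats that must be normalized before correlation can work.
FW_RE = re.compile(r"fw: src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\w+)")
DNS_RE = re.compile(r"dns: client=(?P<src>\S+) query=(?P<qname>\S+)")

def normalize(line):
    """Parse a raw line into a common event schema, or None if the format is unknown."""
    m = FW_RE.search(line)
    if m:
        return {"type": "flow", "src": m["src"], "candidate": m["dst"], "action": m["action"]}
    m = DNS_RE.search(line)
    if m:
        return {"type": "dns", "src": m["src"], "candidate": m["qname"].rstrip("."), "action": None}
    return None

def enrich(lines):
    """Match each normalized event's candidate indicator against TI_FEED and assign a priority."""
    hits = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue                     # unstructured input is skipped, never correlated
        ti = TI_FEED.get(ev["candidate"])
        if ti is None:
            continue
        kind, confidence, context = ti
        # A denied flow to a C2 is still worth knowing; an allowed one (or a lookup of a
        # high-confidence indicator) is what the analyst must see first.
        priority = "HIGH" if confidence >= 80 and ev["action"] != "deny" else "MEDIUM"
        hits.append({**ev, "indicator_type": kind, "confidence": confidence,
                     "context": context, "priority": priority})
    return hits

SAMPLE_LINES = [   # constructed, syslog-style
    "Mar  1 09:00:01 fw: src=10.0.0.7 dst=203.0.113.45 action=allow",
    "Mar  1 09:00:02 fw: src=10.0.0.8 dst=198.51.100.9 action=allow",
    "Mar  1 09:00:03 dns: client=10.0.0.9 query=bad.example.net.",
    "Mar  1 09:00:04 fw: src=10.0.0.7 dst=203.0.113.45 action=deny",
    "Mar  1 09:00:05 kernel: unrelated message",
]
```

Running `enrich(SAMPLE_LINES)` yields three hits: the allowed flow to the C2 address at HIGH, the DNS lookup of the phishing domain and the denied flow at MEDIUM; the unparsed kernel line and the clean flow produce nothing.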
How does SIEM work?
• Gathers logs and event data generated by systems, networks, applications, and perimeter-security devices such as gateways and firewalls within the IT infrastructure, then consolidates them onto a centralized platform such as a dashboard.
• Detects and categorizes the log data into suspicious and malicious activities.
• Generates security alerts on detecting or identifying potential security threats or attacks, using predefined rule sets that help prioritize these incidents.
• An example would be a user account generating 8 failed or suspicious login attempts in just 3 minutes: it would be flagged as suspicious, but its priority would not be set very high, since the user might simply have forgotten his or her password.
• However, if there were over 50 failed login attempts in just 2 minutes, that would be flagged with higher priority, since it is a blatant indication of a brute-force attack.
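The two thresholds above as a working sliding-window correlation rule. This is an added example, not code from the slides or from any SIEM product; the rule names, the log line format and the sample users (alice, bob, carol) are constructed here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rules from the slides: (name, failures needed, window, priority).
# "Over 50 failures in 2 minutes" means the 51st failure crosses the high-priority threshold.
RULES = [
    ("brute-force", 51, timedelta(minutes=2), "HIGH"),
    ("repeated-failures", 8, timedelta(minutes=3), "LOW"),
]
LONGEST_WINDOW = max(rule[2] for rule in RULES)

def parse_line(line):
    """Normalize one constructed log line: '<ISO timestamp> <user> <FAILED|SUCCESS>'."""
    ts, user, outcome = line.split()
    return datetime.fromisoformat(ts), user, outcome

def detect(lines):
    """Per-user sliding-window count of failed logins; returns (timestamp, user, rule, priority).

    A rule fires at the event that first reaches its threshold, so one burst gives one alert per rule."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> failure timestamps still inside a window
    for line in lines:
        ts, user, outcome = parse_line(line)
        if outcome != "FAILED":
            continue
        q = recent_failures[user]
        q.append(ts)
        for name, threshold, window, priority in RULES:
            in_window = sum(1 for t in q if ts - t <= window)
            if in_window == threshold:
                alerts.append((ts, user, name, priority))
        while q and ts - q[0] > LONGEST_WINDOW:   # keep memory bounded
            q.popleft()
    return alerts

def sample_log():
    """Constructed log: alice 8 failures 20 s apart, carol 8 failures 75 s apart, bob 55 failures 2 s apart."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    def stamp(secs):
        return (base + timedelta(seconds=secs)).isoformat()
    lines = [f"{stamp(20 * i)} alice FAILED" for i in range(8)]
    lines += [f"{stamp(75 * i)} carol FAILED" for i in range(8)]
    lines += [f"{stamp(2 * i)} bob FAILED" for i in range(55)]
    lines.append(f"{stamp(200)} alice SUCCESS")
    return sorted(lines)                   # chronological, as a collector would deliver them

if __name__ == "__main__":
    for ts, user, rule, prio in detect(sample_log()):
        print(f"{ts.isoformat()} {prio:4} {user}: {rule}")
```

alice trips only the LOW rule, bob trips LOW at his 8th failure and HIGH at his 51st, and carol, whose failures are spread over ten minutes, never has 8 inside any 3-minute window.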

SIEM Use Cases
• Zero-day vulnerabilities and polymorphic code can be detected by functionalities such as visibility analysis and anomaly detection.
• The system or network has no influence over the log parsing, log normalization, or log categorization processes, which take place automatically.
• Pattern detection is an important use case, owing to the visualization of security incidents and logs.
• Protocol anomalies indicating security issues and misconfigured security settings can be identified using the pattern detection method discussed above.
• Identification of malicious and suspicious communication over secure, encrypted channels.


• Both the adversaries and the victims of cyberwarfare can be identified with a certain amount of accuracy by SIEMs.

Top SIEM Implementations
• IBM (QRadar)
– Log data from various sources within an enterprise, such as host systems, network devices, and user applications, can be collected with IBM QRadar.
– Can perform real-time log data analysis, thereby enabling swift attack identification and remediation.
– Can also be used in cloud environments, and provides support for threat intelligence feeds.
• Splunk (Splunk Enterprise Security): a log analysis program
– Provides real-time threat monitoring bundled with quick and intelligent correlations.
– Investigative analysis that helps trace novel, dynamic actions and behaviors associated with advanced security threats.
– Has in-built support for integrating threat intelligence feeds from third-party applications.
– Can be installed locally or in a cloud environment.
Choosing the right SIEM Tool
• Selection should be based on the organization's purview of security and how its security posture has been implemented.
• Conformance-based reporting for compliance.
• Forensic capabilities, including incident response and management.
• Monitoring all access to databases and networks.
• Threat detection, be it internal or external.
• Threat monitoring, threat correlation, and analysis in real time.
• User activity monitoring (UAM).
• Provides in-built intrusion detection system (IDS), IPS, firewall, and gateway or filter capabilities, or support for integrating them.
• Integration with threat intelligence.

Summary
Let’s recap what we have learned in this session:
• SIEM enhances various security operations and processes, such as threat detection, compliance, incident management/response, and analysis.
• Threat Intelligence (TI) provides the ability to identify an impending attack and perform security-related actions on discovering it.
Thank you
