
SIEM And Log Management

by Milan Kumar, VP/Global Head-Delivery & Client Partner, Nihilent Technologies, June 2018

Many corporations approach achieving higher security the way some individuals approach achieving fitness. Corporations shop for a Security Information and Event Management (SIEM) product much as individuals purchase an upscale health spa membership. But in both cases, if the resource - be it the SIEM or the spa - is not put to good use, the venture will fail. Paying for a SIEM is simply one step in the process; this alone will not yield results. To succeed, it is imperative to focus on the basics of SIEM and log management.

Successful attacks on computer systems seldom look like real attacks except when we suspect something is amiss – if this weren't the case, we could automate all security defences and never use human analysts. This is why it’s important to understand what's in your log files, even in hindsight – they are usually the only way to discover attacks.

In fact, if you didn’t know better, your own network and system admins might look like hackers. They are usually victims and are given elevated privileges to make changes that would look (or be) malicious. So it is necessary to have a lot of information and insight in order to effectively detect malicious behavior and its real cause.

Security Information and Event Management (SIEM) is about looking at your network through a bigger lens than any one security control or information source provides. For example:

• Your Asset Management system only sees applications, business processes and administrative contacts

• Your Network Intrusion Detection System (IDS) only understands packets, protocols and IP addresses

• Your Endpoint Security system only sees files, usernames and hosts

• Your Service Logs show user sessions, transactions in databases and configuration changes

• File Integrity Monitoring (FIM) systems only see changes in files and registry settings

None of these technologies, by themselves, can tell you what is happening to your network and your business. Hence the great interest in SIEM in companies of all sizes.

First, let’s define some terms. Although the industry has settled on ‘SIEM’ as the catch-all term for this kind of security software, it evolved from several different (but complementary) technologies that came before it:

• LMS – “Log Management System” – a system that collects and stores log files (from operating systems and applications) from multiple hosts and systems in a single location, allowing centralized access to logs instead of accessing them on every system separately.

• SLM/SEM – “Security Log/Event Management” – an LMS, but marketed towards security analysts instead of system administrators. SEM is about highlighting log entries as more important to security than others.

• SIM – “Security Information Management” – an Asset Management system, but with features to incorporate security information too. Hosts may have vulnerability reports listed in their summaries, and Intrusion Detection and antivirus alerts may be shown mapped to the systems concerned.

• SEC – “Security Event Correlation” – To a particular piece of software, three failed login attempts to the same user account from three different clients are simply three lines in its log file. To an analyst, that is a peculiar sequence of events that ought to be investigated, and the job of log correlation (looking for patterns in log files) is to raise alerts when this happens.

• SIEM – “Security Information and Event Management” – SIEM is the term given to the above technologies combined into a single product, and it has become the generalized term for managing information generated from security controls and infrastructure.
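The correlation described under Security Event Correlation can be written as a small rule. The following is an added example, not code from the original article or from any SIEM product: it assumes an sshd-style log format and uses constructed log lines, and it generalizes the "three clients" case to a configurable number of distinct sources within a time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (not from a real system).
SAMPLE_LOG = """\
2018-06-01T09:00:05 host1 sshd[311]: Failed password for alice from 192.0.2.10 port 50122 ssh2
2018-06-01T09:00:40 host2 sshd[412]: Failed password for bob from 192.0.2.10 port 50130 ssh2
2018-06-01T09:01:10 host1 sshd[311]: Failed password for alice from 198.51.100.7 port 41001 ssh2
2018-06-01T09:01:30 host3 sshd[977]: Accepted password for carol from 203.0.113.5 port 40022 ssh2
2018-06-01T09:02:15 host2 sshd[412]: Failed password for bob from 192.0.2.10 port 50131 ssh2
2018-06-01T09:02:20 host2 sshd[412]: Failed password for bob from 192.0.2.10 port 50132 ssh2
2018-06-01T09:03:45 host3 sshd[977]: Failed password for alice from 203.0.113.9 port 38211 ssh2
2018-06-01T10:30:00 host1 sshd[311]: Failed password for dave from 192.0.2.10 port 50200 ssh2
2018-06-01T10:31:00 host1 sshd[311]: Failed password for dave from 198.51.100.7 port 41050 ssh2
2018-06-01T11:45:00 host1 sshd[311]: Failed password for dave from 203.0.113.9 port 38300 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<user>\S+) from (?P<src>\S+) port \d+")


def correlate(lines, min_sources=3, window=timedelta(minutes=5)):
    """Alert when one account fails logins from >= min_sources distinct
    clients inside the window. Lines must be in timestamp order."""
    recent = defaultdict(deque)   # user -> deque of (time, source)
    alerts = []
    for line in lines:
        m = FAILED.match(line)
        if not m:                 # successes and unrelated lines are ignored
            continue
        ts = datetime.fromisoformat(m["ts"])
        events = recent[m["user"]]
        events.append((ts, m["src"]))
        while ts - events[0][0] > window:   # expire events outside the window
            events.popleft()
        sources = {src for _, src in events}
        if len(sources) >= min_sources:
            alerts.append((m["user"], ts.isoformat(), sorted(sources)))
            events.clear()        # one alert per burst, then start over
    return alerts


if __name__ == "__main__":
    for user, when, sources in correlate(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when}: failed logins for {user!r} from {sources}")
```

In the sample, repeated failures for one account from a single client and failures from three clients spread over more than an hour do not alert; only the three-client burst inside the window does.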

SIEM is essentially a management layer on top of your existing systems and security controls. SIEM connects and unifies information from disparate systems, allowing it to be analyzed and cross-referenced from a single interface. Bear in mind, SIEM is only as helpful as the information you put into it – the saying “Garbage In, Garbage Out” applies here.

SIEM is often a complicated affair. It is not a security control or detection mechanism by itself, but it makes the security technologies you already have simpler. In a way, it enables the whole to be greater than the sum of its parts.

SIEM is about assembling logs, and mapping information concerning your infrastructure and business processes to those logs. It empowers security analysts to make reasoned, informed investigations into activities on the network to verify their impact on security integrity and business continuity.

The SIEM should act as your single portal to activity on your network, decoupling your analysts from the need to possess product-specific knowledge of security capabilities. This allows them to focus on what they do best – security analysis. However, the more data you put into it, the more helpful and insightful it becomes. The key consideration is feeding the SIEM the logs it needs to be effective.