Security Information and Event Management (SIEM)
How Does Your Business Benefit?

intigrow White Paper
By Wes Lambert, Security Consultant
wes.lambert@intigrow.com

intigrow is a global enterprise security company delivering comprehensive security solutions and competitively priced security services to empower enterprises to achieve a business-enabled security posture. intigrow helps you manage risk, improve compliance, and attain proactive detection and prevention of security threats to and from your clients and users, computing infrastructure (including mobile), data, and applications. intigrow provides consulting services and solution components for IT security requirements.
Contents

Executive Summary ... 3
Introduction ... 4
SIEM ... 4
How Can Your Business Benefit? ... 6
Conclusion ... 7
Section 1: Executive Summary

Nearly every device in your organization's IT infrastructure gives security alerts. The amount of data processed and archived by companies has continued to grow at a blistering pace. Such data is retrieved from a growing number of sources and platforms, all with an enormous amount of potential to improve operations within a company.

In order to make effective use of security information, you need to be able to understand it in context. If you can separate the wheat from the chaff, you can make your current security investments accretive. With confidence in your ability to add services securely, and with lowered operational costs, security information and event management (SIEM) will allow you to pursue new channels and markets at a faster pace.

intigrow has developed an approach to IT security that integrates component security features, identity management, and access management. The approach begins with assessing the potential business values and risks, then developing a security strategy, roadmap, and operational processes. Existing resources can be leveraged and tied together with SIEM.
Section 2: Introduction

Nearly every device in your organization's IT infrastructure gives security alerts. The amount of data processed and archived by companies has continued to grow at a blistering pace. Such data is retrieved from a growing number of sources and platforms, all with an enormous amount of potential to improve operations within a company.

Unfortunately, most organizations' resources are underutilized, or not quite effective enough to wade through the bulk of information pouring in from these numerous networked components and discern actual threats from the occasional tease. Doing this is the real value of SIEM. Delving into the sea of alerts and suspicious activity to verify that indications of malicious activity are in fact valid is, in many cases, a full-time job. As a result, optimum efficiency is rarely achieved in security management, and the likelihood of an information-loss catastrophe increases.

SIEM

This is where SIEM comes into play. SIEM, or security information and event management, is a term used to describe the real-time monitoring of security events in conjunction with historical log analysis. Together, these abilities comprise situational awareness. This technology developed out of two previous technologies:

SEM (Security Event Management) - Real-time monitoring, correlation, and processing of security events.
SIM (Security Information Management) - Historical log file analysis. Such analysis had previously been used in forensic investigations. SIM provided excellent reporting functionality as well.

SIEM fuses these two technologies to provide a single solution to the challenge inherited by a company's security professionals and business. At the same time, the technology allows for a greater range of compatibility with the various devices and data sources an organization may possess within its technical infrastructure.
Key capabilities of most SIEM solutions include data collection, data aggregation, data normalization, event correlation, alerting, reporting, support for forensic investigation, and the ability to centrally manage and monitor the SIEM system. More detail on each capability is given below:

Data Collection - Collection can occur at any number of points, since in most cases organizations possess different devices, such as firewalls, IDSs, routers, and databases, each with its own data format. A SIEM solution can interface with many of these devices through their standard device interfaces, APIs, or third-party applications to gather data for processing.

Data Aggregation - Aggregation combines the various types of data gathered from the numerous network devices into a single data store to be correlated and analyzed.

Data Normalization - Normalization takes the information presented by the various devices and converts it from different data types into a single, consistent format to be analyzed and reported on. Before the data is converted, raw copies can be made and stored for forensic and compliance purposes.

Event Correlation - Event correlation refers to matching or linking several events within a specific timeframe across several systems to identify unusual or suspicious activity. Most SIEM solutions have predefined rule sets to do such work, but in most cases companies will have to tune these rules often to accommodate their environment, the type of activity that frequently occurs within it, and present security concerns. Bear in mind that implementing too many rules, or rules that are too complex, requires additional computing resources whose cost can erode the benefits of implementing a SIEM solution. Nonetheless, this is where the real payoff of SIEM lies. The ability to link seemingly unrelated events, often separated by relatively long time periods, can enable security operations to head off threats already in operation in your organization. Likewise, it helps relate events occurring on relatively separate components. These are typically managed by people who have a narrow focus on their own responsibilities, and not necessarily awareness of the situation in the aggregate.

Alerting - Alerting refers to the notification that a specific event has occurred, based on a certain set of conditions being met. Many, though not all, SIEM solutions can alert via text message, email, or ticket generation; all can at least alert an operator monitoring the SIEM management console. Having such functionality greatly assists in the rapid acknowledgement of an issue, and enables IT professionals to be more proactive, to make important decisions, and to react quickly to prevent a possibly dangerous situation.

Reporting - Compliance calls for a robust reporting capability. Current SIEM solutions deliver accordingly, by providing custom and standard user-friendly reporting that adheres to PCI DSS, Sarbanes-Oxley, and other industry standards.

Investigative Purposes - A SIEM solution supports investigations by providing the ability to generate highly specialized, granular queries, as well as access to raw log files and other data. This can be of great assistance to investigative experts and others when trying to locate and preserve sensitive data as evidence.

Central Management - All SIEM solutions provide a central management console to monitor real-time information and events. Analysis, reporting, and data manipulation can also be performed through the console.
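To make the collection, normalization, and correlation pipeline described above concrete, here is a small added example (not code from the white paper or from intigrow). It normalizes two constructed log formats, sshd syslog lines and an IDS CSV alert, into one schema, then applies a single cross-host correlation rule: repeated authentication failures from one source followed by a success from that source within a time window. The log lines, the SYSLOG_YEAR assumption, and the rule thresholds are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample logs (not from the paper): sshd syslog lines from two hosts plus one IDS CSV alert.
RAW_LOGS = [
    "Mar  1 10:01:10 web01 sshd[4242]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "Mar  1 10:01:40 web01 sshd[4242]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "2024-03-01 10:02:15,ids01,ALERT,SSH brute force,203.0.113.7,10.0.0.5",
    "Mar  1 10:03:02 db01 sshd[999]: Accepted password for root from 203.0.113.7 port 51002 ssh2",
    "Mar  1 10:30:00 db01 sshd[999]: Failed password for admin from 198.51.100.9 port 40000 ssh2",
    "Mar  1 11:45:00 db01 sshd[999]: Accepted password for admin from 198.51.100.9 port 40001 ssh2",
]
SYSLOG_YEAR = 2024  # assumption: classic syslog timestamps carry no year, so one is supplied here
SSHD_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (\S+) from (\S+)")
IDS_RE = re.compile(r"^(\S+ \S+),(\S+),ALERT,([^,]+),(\S+),(\S+)$")

def normalize(line):
    """Normalization: map one raw line onto the common schema (ts, host, src, action) or None."""
    m = SSHD_RE.match(line)
    if m:
        mon, day, hms, host, verb, user, src = m.groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": host, "src": src, "user": user,
                "action": "auth_fail" if verb == "Failed" else "auth_success"}
    m = IDS_RE.match(line)
    if m:
        ts_s, host, sig, src, dst = m.groups()
        return {"ts": datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S"), "host": host, "src": src, "action": "ids_alert"}
    return None  # unrecognised format: keep the raw copy for forensics, but it cannot be correlated

def correlate(events, min_failures=2, window=timedelta(minutes=10)):
    """Correlation rule: at least min_failures auth_fail events from one source, followed by an
    auth_success from the same source on ANY host, all inside `window`. One alert per such success."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # aggregation keyed by source address
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            if ev["action"] != "auth_success":
                continue
            recent = [e for e in evs[:i] if ev["ts"] - e["ts"] <= window]
            fails = sum(1 for e in recent if e["action"] == "auth_fail")
            if fails >= min_failures:
                alerts.append({"src": src, "host": ev["host"], "user": ev["user"], "failures": fails,
                               "evidence": sorted({e["action"] for e in recent})})
    return alerts

def run(lines=RAW_LOGS):
    """Collection -> normalization -> correlation; returns the list of alerts to raise."""
    return correlate([e for e in map(normalize, lines) if e])
```

Note that the failures occur on web01 and the success on db01, which is exactly the cross-system linkage a single device's own logs would not reveal; the second source, with one failure and a success 75 minutes later, correctly produces no alert.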
How Can Your Business Benefit?

Greater Value

More effective use of organizational resources means lower costs for important functions, the ultimate goal of any company. With the use of a SIEM solution, IT security professionals can greatly increase their effectiveness. The power of such a system allows the entire IT organization to focus on more valuable tasks. Additionally, by increasing the effectiveness of existing security investments, there is less risk of slowed IT system performance and outages due to security breaches and malware, possibly reducing the need for additional spending on computing resources. This is a key business value SIEM delivers.

Reduced Operational Costs

By implementing a single SIEM solution, a company can reduce the number of independent log management and analysis systems already in place, thus reducing the purchase and maintenance costs associated with each. Associated labor and data storage costs, which can become considerable, are also reduced.

Increased Likelihood of Compliance

The advanced reporting available within a SIEM solution provides organizations with the ability to prove compliance in a particular area when audited. A key value delivered by this is reduced labor to meet compliance audits, as relevant reports are more easily produced.

Early Detection

Earlier detection of potentially serious threats greatly reduces the risk of a catastrophic event, and enables security professionals to be more prepared and more effective at intercepting malicious activity, preventing irreparable damage to the organization. This can be helpful in reaching top-line business goals.

Broader Support

A SIEM solution requires teams across an organization to evaluate alerts, exchange reports, and make appropriate decisions regarding incidents indicated by the SIEM system.
This means that professionals from several different parts of the organization need to cooperate with one another to achieve the desired result, reducing the traditional siloing of many organizations' IT resources. Ultimately, this provides for a more knowledgeable and more fluid overall IT service, with the ability to adapt and address potentially dangerous situations appropriately, rather than just routing a service ticket back and forth from one queue to another.

Risks

While there are many advantages to such a solution, there are risks to bear in mind when investigating the idea of a SIEM implementation:

Initially, one must consider the rate and volume of log data to be processed by the solution, and plan to scale the deployment accordingly. Failure to do so could result in inaccurate reports and the failure to detect actual malicious activity.

If a company has not defined appropriate processes to respond to detected events, or these processes are not carried out, compliance violations, inaccurate reporting, data loss, and the previously mentioned scenarios could occur.

Finally, all of this could also occur as a result of faulty configuration or tuning of the SIEM solution, failing to provide adequate resources (IT professionals) to manage the solution, or inconsistent time synchronization. It is important that all of these aspects of SIEM deployment and maintenance are addressed to ensure a successful implementation and life of the solution.

An ideal time to look at SIEM is in anticipation of an information security audit, such as PCI, a network security assessment, or when assessing your IT security roadmap. Events like these present an opportunity to examine security processes. Further, doing so before an audit reduces planning risks because there is typically a calmer work atmosphere.

Conclusion

There are a few risks to consider. By taking the time to plan and structure the deployment appropriately, and by developing an effective maintenance plan, the implementation of a SIEM solution will prove to be a critical asset to a company. Our times demand this capability. Any organization that would like to enter new markets or channels more confidently would do well to take a closer look at SIEM. SIEM helps security operations to:

- Pursue new initiatives
- Protect the business's online brand
- Reduce the risk of non-compliance
- Reduce operational costs
- Enhance forensic reporting capabilities

Most importantly, SIEM, or situational awareness, provides you the ability to detect actual malicious activity early on and over time, as most advanced persistent threats act slowly over time. SIEM will give you greater value from existing security investments, all while gaining broader organizational support in regard to risk and security operations. A SIEM platform is a wise addition to your existing security infrastructure.