SIEM

SIEM (Security Intelligence & Event Management)
How do I know I’m compliant before I’m audited?

How do I proactively discover attacks from hackers?

Need coverage for both on-premises and cloud-based systems



SIEM = event management, log management, anomaly detection, incident forensics, and configuration and vulnerability management

A Security Intelligence platform provides a unified architecture for collecting, storing, analysing and querying log, threat, vulnerability and risk-related data. As a result, operators, analysts and auditors using any module of the Security Intelligence Platform benefit from:
  • Unified collection, aggregation and analysis architecture for application logs, security events, vulnerability data, IAM data, configuration files and network flow telemetry.
  • A common platform for all searching, filtering, rule writing, and reporting functions.
  • A single user interface for all log management, risk modelling, vulnerability prioritisation, incident detection and impact analysis tasks.

With numerous solutions on the market with an array of features, what should enterprise organisations look for in a SIEM solution?

SIEM solution features & benefits

> Real-time analysis of security alerts


> A single architecture for analysing log, flow, vulnerability, user and asset data


> Use SIEM to obtain event, context and flow data


> Proactive top level view into security risks and threats

> Monitor and maintain AUP (Acceptable Usage Policies) through analysing data and attack patterns


> Simplify management – especially for Big Data


> Windows, Linux/Unix, Cisco and network device event and log collection

> Centralised network & security systems information platform for real-time visibility

Delivers threat detection and prioritisation, with visibility across the entire IT infrastructure.

> Comprehensive Event Forensics and Analytics

Identify and isolate the root cause of a threat or suspicious activity, and conduct comprehensive forensic analysis to determine what happened before, during or after the incident.

> SIEM collects logs, analyses, searches, reports, and archives – all from a central location

Collects logs from Windows systems, Unix/Linux systems, applications, databases, routers, switches and other syslog devices at a central place.

> Log Data

Make sense of all your log data

> Automate the process of managing terabytes of machine-generated logs


> Log collection

Logs need to be collected across the entirety of the IT environment (network security appliances, servers, databases, etc.) and correlated in real-time in order to detect zero-day threats and other suspicious behaviour. Effective log collection also entails the ability to quickly and easily gain access to historical log data, ideally including the ability to drill down into raw log data.

> Raw log search

Security incident mining: search and identify security events within raw log data. Useful for forensic analysis.

> Prioritise security events

Reduce noise in system logs so that security vulnerabilities can be identified and prioritised.


Proactive Monitoring

> Network traffic and bandwidth monitoring

> Monitoring and notifications on bandwidth spikes

> Monitor internet overuse or misuse by employees in your organisation

> Data access monitoring

Because the ultimate goal of many targeted attacks is the theft of data, it makes sense to apply security monitoring to data access.

> Application activity monitoring

The application layer is a popular attack path for a number of reasons. Web application vulnerabilities can be discovered and exploited from the outside, and the vulnerabilities tend to exist for a long time (due to long remediation cycles). Application credentials are easy to steal from users that are victims of spear phishing attacks or from users that access corporate applications from unmanaged (and corrupted) privately owned devices.
  • Detect misuse of applications on the network.
  • Monitor unauthorised access to critical applications, whether by internal users or external attacks.
  • Decrease the risk of data leakage by monitoring information coming from P2P or instant messaging applications.
  • Ensure availability of business-critical systems by limiting bandwidth for non-business applications.


Incident Response


> Vulnerability scan results

  • Provides a prioritised list of vulnerabilities to better assess which systems are most vulnerable to attack.
  • Centralised policy monitoring delivers improved compliance verification.
  • Advanced vulnerability modelling, simulation and visualisation provide before, during and after assessment of vulnerability risks.

> Automated incident response

Define response actions and set them to run automatically, without manual intervention, when an incident triggers a security alert.


> Real-time alerts

Send alerts in real time about zero-day attacks, traffic spikes, network aberrations and threats, for more accurate threat identification and quicker response times.


SIEM Reports

Central reporting on all security events, viruses, network attacks, spam and more...

> Produce compliance-ready audit reports

> Change management reports to identify resource access exceptions

Detect abnormal systems changes. For example, a DBA activity report might show that a production support DBA has made a change to a database configuration or has initiated a command that accesses a large number of database records. The domain expert needs to determine if a change was approved for this system and if the observed activity "looks like" maintenance.

> Identity / role context in user activity monitoring reports

There is also a need to incorporate user role context into user activity monitoring and resource access reports, so that exceptions can be identified based on the roles of individuals in the broad population of application users. For example, a user with a role of "customer support" might have no business accessing data on a payment processing system. Role context in an activity report would make it much more likely that someone could spot the problem.
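As an added example (not from the original page or any SecureNet tooling), the two report types above expressed as a small Python rule: constructed key=value log lines are enriched with a hypothetical role mapping, then flagged for out-of-role access, bulk record access and configuration changes, leaving the approval decision to the reviewing domain expert.

```python
# Constructed sample activity log lines (key=value format, not from any real product)
LOGS = [
    "2024-03-01T09:00:01 host=db01 user=alice app=payments action=SELECT rows=12",
    "2024-03-01T09:05:13 host=db01 user=bob app=payments action=SELECT rows=250000",
    "2024-03-01T09:07:45 host=db01 user=bob app=payments action=ALTER object=db_config",
    "2024-03-01T09:10:02 host=app02 user=carol app=payments action=SELECT rows=40",
    "2024-03-01T09:12:30 host=app02 user=carol app=crm action=SELECT rows=15",
]

# Hypothetical identity/role context, as an IAM feed would supply it
ROLES = {"alice": "finance", "bob": "dba", "carol": "customer_support"}
# Hypothetical business rule: which roles have a need to access each application
ALLOWED_ROLES = {"payments": {"finance", "dba"}, "crm": {"customer_support", "finance"}}
BULK_ROW_THRESHOLD = 100_000          # assumed threshold for "a large number of records"
CHANGE_ACTIONS = {"ALTER", "DROP", "UPDATE"}


def parse_event(line):
    """Split a key=value log line into a dict and enrich it with the user's role."""
    timestamp, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = timestamp
    event["role"] = ROLES.get(event.get("user"), "unknown")
    return event


def evaluate(event):
    """Return the exception types this event should be reported under (possibly none)."""
    findings = []
    if event["role"] not in ALLOWED_ROLES.get(event.get("app"), set()):
        findings.append("ROLE_EXCEPTION")        # access outside the user's business role
    if int(event.get("rows", 0)) >= BULK_ROW_THRESHOLD:
        findings.append("BULK_ACCESS")           # command touching a large number of records
    if event.get("action") in CHANGE_ACTIONS:
        findings.append("CONFIG_CHANGE")         # change to be checked against approvals
    return findings


def build_report(lines):
    """Produce (timestamp, user, role, app, finding) rows for a domain expert to review."""
    report = []
    for line in lines:
        event = parse_event(line)
        for finding in evaluate(event):
            report.append((event["ts"], event["user"], event["role"], event["app"], finding))
    return report


if __name__ == "__main__":
    for row in build_report(LOGS):
        print(*row)
```

On the constructed input the report lists the DBA's bulk read and configuration change and the customer-support user's payments access; the finance user's routine reads produce no rows.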

> Network security configuration monitoring & reporting

  • Detailed configuration audit helps improve consistency of firewall rules.
  • Security-focused network topology enables automated monitoring of configuration rules.
  • Configuration change notification quickly alerts on risky or out-of-compliance configurations.

> Network activity monitoring & reporting

  • Advanced monitoring and analysis of network activity quickly flags out-of-policy traffic.
  • Fast and efficient search of network activity greatly reduces forensics effort.
  • Intuitive visualisation tool provides interactive analysis of network activity.

Analyse your data


> Network / security events

  • Analysis of firewall allow/deny events to assess policy effectiveness.
  • Automated audit of device configuration after configuration change events ensures a record of the most up-to-date configuration.
  • An advanced asset database leverages information from a wide variety of network/security events and improves accuracy of results.



Modelling and Simulation of Network and Security Events

  • Provide unique, risk-focused, graphical representations of the network.
  • Give network and security teams a revolutionary investigative capacity by providing before, during and after vulnerability information.

Managed SIEM services


A set of network security intelligence services, including:


  • Log management
  • Threat / vulnerability / fraud management
  • Compliance management
  • Security Event and Information Management
  • User activity monitoring
  • Application monitoring

 

Also See

> Security and network configuration & change management





Contact SecureNet Consulting today for solutions advice, professional services, engineering and proof of concept resources for security information & event management (SIEM) solutions.


SecureNet Consulting Professional Services
SecureNet Consulting Technical Engineering
http://www.securenetconsulting.co.uk/p/contact-us.html
SecureNet Consulting Managed Services
SecureNet Consulting IT Support Services
http://www.securenetconsulting.co.uk/p/training_7.html

+44(0)7714 209927

info@securenetconsulting.co.uk