Home » Security Bloggers Network » Security+: Technologies and Tools – SIEM

Security+: Technologies and Tools – SIEM

by Greg Belding on June 27, 2018

Introduction

Organizations today use various network security devices and tools, such as firewalls and adaptive security appliances, to collect real-time data related to their enterprise. All of this network security data must be analyzed, and potentially millions of network security alerts can make that sound like a daunting task. Thankfully, Security Information and Event Management (SIEM) is a Centralized logging service that can help an organization do just that.

The rise of SIEM incorporation into the network security strategies for organizations has led to it being included in the CompTIA Security+ SYO-501 certification exam. With that said, this article will examine SIEM from the perspective of the Security+ exam.

SIEM Outline

The subtopics of SIEM that candidates will have to demonstrate competency with are:

Aggregation
Correlation
Automated alerting and triggers
Time synchronization
Event deduplication
Logs/WORM

Aggregation

Aggregation in this context is referring to the gathering of log and event data from the different network security devices used on the network. Collecting data from all these different sources is essential to the function of SIEM. This data is used by SIEM to create a picture of the health and security (including vulnerabilities and attacks) of the infrastructure of the network and then alert the system administrator if an incident should arise.

Correlation

What does SIEM do with all this data that it collects you may ask. SIEM can perform Correlation analysis on all this data that is gathered through Aggregation. This correlation analysis enables SIEM to look for similarities, repeating occurrences, and patterns of the event data. Effective use of this SIEM feature allows system administrators to better notice repeated breaches, attempted breaches, trends toward failure, and other recurring or escalating incidents.