Security+: Technologies and Tools – SIEM

Introduction

Organizations today use various network security devices and tools, such as firewalls and adaptive security appliances, to collect real-time data about their enterprise. All of this network security data must be analyzed, and with potentially millions of alerts to sift through, that can seem like a daunting task. Thankfully, Security Information and Event Management (SIEM) is a centralized logging and analysis service that helps an organization do just that.

The growing incorporation of SIEM into organizations' network security strategies has led to its inclusion in the CompTIA Security+ SY0-501 certification exam. With that in mind, this article examines SIEM from the perspective of the Security+ exam.

SIEM Outline

The subtopics of SIEM that candidates will have to demonstrate competency with are:

  1. Aggregation
  2. Correlation
  3. Automated alerting and triggers
  4. Time synchronization
  5. Event deduplication
  6. Logs/WORM

Aggregation

Aggregation in this context refers to gathering log and event data from the different network security devices and systems on the network. Collecting data from all these different sources is essential to the function of a SIEM: the SIEM uses this data to build a picture of the health and security of the network infrastructure (including vulnerabilities and attacks) and to alert the system administrator if an incident arises.

Correlation

What does a SIEM do with all the data it collects? It performs correlation analysis on the data gathered through aggregation. Correlation lets the SIEM look for similarities, repeated occurrences, and patterns across event data, including events that come from different sources. Effective use of this feature allows system administrators to notice repeated breaches, attempted breaches, trends toward failure, and other recurring or escalating incidents that no single device's log would reveal on its own.
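To make the two steps above concrete, here is an added example (not code from the original article or from any SIEM product) of aggregation followed by correlation. It parses constructed log lines from two hypothetical sources, a firewall called fw01 and an SSH server called srv05, into one normalized event list, then runs a single correlation rule over that list: several failed logins from one source IP within a time window, followed by a successful login from the same IP, produce an alert record. The log formats, host names, IP addresses, threshold and window are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data) from two hypothetical sources.
# Both are already in UTC; a real SIEM relies on time synchronization
# across devices for the window logic below to be meaningful.
FIREWALL_LOG = """\
2024-03-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T10:00:03Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T10:00:09Z fw01 ALLOW src=198.51.100.2 dst=10.0.0.8 dport=443
"""

AUTH_LOG = """\
2024-03-01T10:00:04Z srv05 sshd[8812]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:05Z srv05 sshd[8812]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:06Z srv05 sshd[8812]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:07Z srv05 sshd[8812]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:08Z srv05 sshd[8812]: Accepted password for root from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:20Z srv05 sshd[8813]: Failed password for alice from 198.51.100.2 port 40000 ssh2
"""

# Assumed (hypothetical) log formats for the two sources.
FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+"
)


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def aggregate(firewall_text, auth_text):
    """Aggregation: parse heterogeneous logs into one time-ordered list of
    events that share a common schema (ts, source, type, src_ip, ...)."""
    events = []
    for line in firewall_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst, dport = m.groups()
            events.append({"ts": parse_time(ts), "source": host,
                           "type": "fw_" + action.lower(),
                           "src_ip": src, "dst_ip": dst, "dport": int(dport)})
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append({"ts": parse_time(ts), "source": host,
                           "type": "auth_failure" if result == "Failed" else "auth_success",
                           "user": user, "src_ip": src})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation: per source IP, `threshold` or more auth failures inside
    `window` followed by an auth success raise one alert. The alert also
    lists every source that saw that IP, tying firewall and server logs
    together."""
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    for e in events:
        if e["type"] == "auth_failure":
            failures[e["src_ip"]].append(e["ts"])
        elif e["type"] == "auth_success":
            recent = [t for t in failures[e["src_ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "src_ip": e["src_ip"],
                    "user": e["user"],
                    "failures": len(recent),
                    "first_seen": recent[0],
                    "success_at": e["ts"],
                    "sources": sorted({x["source"] for x in events
                                       if x["src_ip"] == e["src_ip"]}),
                })
                failures[e["src_ip"]].clear()  # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(aggregate(FIREWALL_LOG, AUTH_LOG)):
        print(alert)
```

Running the block prints one alert for 203.0.113.7: four failures from 10:00:04 to 10:00:07 followed by a success at 10:00:08, with both fw01 and srv05 listed as sources. The single failure from 198.51.100.2 never crosses the threshold and produces nothing, which is the point of correlation over raw alerting: individual events that look harmless on their own become an incident only when viewed together.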

Automated Alerting and Triggers

SIEM can take an amount of data comparable to a fire hose and shrink (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/MCqMRy7aF1M/