
Modernizing SIEM with Managed Detection and Response

When planning enterprise security monitoring, many companies consider a centralized Security Information and Event Management (SIEM) system. Well-known SIEM products such as ArcSight, Splunk, IBM QRadar and Elasticsearch-based stacks advertise capabilities like event collection from virtually any source. Such systems then try to find security-related events by running rules over the logs they collect. Underlying this is the assumption that logs such as the Windows Event Log actually contain security-relevant information. In this in-depth article I compare the events, the rules and the value of performing SIEM with such traditional technologies against IntelliGO Managed Detection and Response. Be warned, this will be both technical and detailed.

Windows Events

A primary source of information is the Windows Event Log, which Windows administrators use mainly as a diagnostic tool for recording errors in applications or the operating system. Its entries fall into five distinct types: Error, Warning, Information, Success Audit and Failure Audit. While each has a role in debugging Windows systems, and a traditional SIEM ingests all of them, not all of them contain relevant security information.


Event type and description:

Error: An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged.

Warning: An event that is not necessarily significant but may indicate a possible future problem. For example, when disk space is low, a Warning event is logged. If an application can recover from an event without loss of functionality or data, it can generally classify the event as a Warning event.

Information: An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, it may be appropriate to log an Information event. Note that it is generally inappropriate for a desktop application to log an event (Read more...)

*** This is a Security Bloggers Network syndicated blog from IntelliGO MDR Blog authored by Adam Mansour. Read the original post at: https://www.intelligonetworks.com/blog/modernizing-siem-with-managed-detection-and-response