Sunday 24 April 2016

Ingredients for successful SIEM deployment.

Just like we need multiple handpicked ingredients to make a delicious butter chicken, in the same manner we require multiple ingredients for an awesome SIEM deployment.

The soul of SIEM is log collection and the heart is knowledge collection.

Therefore, in order to function like Hulk and think like Captain America, SIEM requires logs and knowledge from these systems:

LOGS AND ALERTS:

Security Controls
  • Intrusion Detection
  • Endpoint Security (Antivirus, etc)
  • Data Loss Prevention
  • VPN Concentrators
  • Web Filters
  • Honeypots
  • Firewalls

Infrastructure
  • Routers
  • Switches
  • Domain Controllers
  • Wireless Access Points
  • Application Servers
  • Databases
  • Intranet Applications


KNOWLEDGE:

Infrastructure Information 
  • Configuration 
  • Locations 
  • Owners 
  • Network Maps 
  • Vulnerability Reports 
  • Software Inventory 


Business Information 
  • Business Process Mappings 
  • Points of Contact 
  • Partner Information

Check the diagram below for a visual understanding.

Courtesy: www.alienvault.com

Sunday 17 April 2016

Who gave that name? SIEM!!

Just like human beings, the term SIEM also evolved from many other terms.
  • LMS “Log Management System” – a system that collects and stores log files (from Operating Systems, Applications, etc) from multiple hosts and systems into a single location, allowing centralized access to logs instead of accessing them from each system individually.
  • SLM/SEM “Security Log/Event Management” – an LMS, but marketed towards security analysts instead of system administrators. SEM is about highlighting the log entries that are more significant to security than others.
  • SIM “Security Information Management” – an Asset Management system, but with features to incorporate security information too. Hosts may have vulnerability reports listed in their summaries, and Intrusion Detection and AntiVirus alerts may be shown mapped to the systems involved.
  • SEC “Security Event Correlation” – To a particular piece of software, three failed login attempts to the same user account from three different clients are just three lines in its logfile. To an analyst, that is a peculiar sequence of events worthy of investigation, and Log Correlation (looking for patterns in log files) is a way to raise alerts when these things happen.
  • SIEM “Security Information and Event Management” – SIEM is the “All of the Above” option; as the above technologies became merged into single products, it became the generalized term for managing information generated from security controls and infrastructure. We’ll use the term SIEM for the rest of this presentation.
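To make the SEC bullet concrete, and to tie it back to the "logs plus knowledge" ingredients of the previous post, here is a small added example (my own code, not from the post or from AlienVault). It parses constructed sshd-style log lines, applies a hypothetical correlation rule for "three failed logins to one account from three different clients inside a minute", and then enriches the resulting alert with constructed asset knowledge (owner, location, vulnerability report). The log lines, the ASSETS table, the rule thresholds and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): sshd-style authentication records.
SAMPLE_LOG = """\
2016-04-17T10:00:01 sshd[1201]: Failed password for alice from 10.0.0.5 port 51022
2016-04-17T10:00:07 sshd[1202]: Failed password for alice from 10.0.0.9 port 51030
2016-04-17T10:00:12 sshd[1203]: Failed password for alice from 10.0.0.17 port 51044
2016-04-17T10:00:20 sshd[1204]: Accepted password for bob from 10.0.0.5 port 51050
2016-04-17T10:05:00 sshd[1205]: Failed password for bob from 10.0.0.5 port 51060
2016-04-17T10:05:03 sshd[1206]: Failed password for bob from 10.0.0.5 port 51061
2016-04-17T10:05:09 sshd[1207]: Failed password for bob from 10.0.0.5 port 51062
"""

# Constructed "knowledge" side (owners, locations, vulnerability report summary).
# A real SIEM would pull this from the CMDB and the vulnerability scanner.
ASSETS = {
    "10.0.0.5":  {"host": "ws-finance-01", "owner": "finance", "location": "HQ floor 2", "open_critical_vulns": 0},
    "10.0.0.9":  {"host": "ws-finance-02", "owner": "finance", "location": "HQ floor 2", "open_critical_vulns": 0},
    "10.0.0.17": {"host": "kiosk-lobby-01", "owner": "facilities", "location": "HQ lobby", "open_critical_vulns": 2},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_failed_logins(text):
    """Yield (timestamp, user, source_ip) for each failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def correlate_failed_logins(text, threshold=3, window=timedelta(minutes=1)):
    """Hypothetical correlation rule: alert when one account collects at least
    `threshold` failed logins from at least `threshold` distinct sources within
    `window`. Repeated failures from a single client do not match (that is a
    different, noisier pattern). Returns one alert dict per matching user."""
    per_user = defaultdict(list)
    for ts, user, src in sorted(parse_failed_logins(text)):
        per_user[user].append((ts, src))
    alerts = []
    for user, hits in per_user.items():
        for i, (start, _) in enumerate(hits):
            window_hits = [h for h in hits[i:] if h[0] - start <= window]
            sources = {src for _, src in window_hits}
            if len(window_hits) >= threshold and len(sources) >= threshold:
                alerts.append({"user": user, "first_seen": start, "sources": sorted(sources)})
                break  # one alert per account is enough for this example
    return alerts


def enrich_alert(alert, assets=ASSETS):
    """Attach the knowledge side: what each source host is, who owns it, and
    whether its vulnerability report lists open critical findings. The severity
    is raised when a source is unmanaged or itself carries critical findings."""
    hosts = []
    severity = "medium"
    for src in alert["sources"]:
        info = assets.get(src)
        if info is None:
            hosts.append({"ip": src, "host": "UNKNOWN", "owner": None, "location": None})
            severity = "high"  # an unmanaged device is hitting a managed account
            continue
        hosts.append({"ip": src, **info})
        if info["open_critical_vulns"] > 0:
            severity = "high"  # the source may itself be compromised
    return {**alert, "hosts": hosts, "severity": severity}


if __name__ == "__main__":
    for alert in correlate_failed_logins(SAMPLE_LOG):
        enriched = enrich_alert(alert)
        print(enriched["severity"], enriched["user"], [h["host"] for h in enriched["hosts"]])
```

Running it alerts only on alice (three clients, eleven seconds apart) and not on bob, whose three failures all come from one workstation; the enrichment then flags the alert as high because one of the clients is a lobby kiosk with open critical findings, which is exactly the kind of judgement an analyst makes with the asset knowledge in hand and the software writing the logfile cannot.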
Now you got that ;)

Courtesy: www.alienvault.com

Saturday 16 April 2016

What the heck is SIEM?

Layman's SIEM definition
Security Information and Event Management (SIEM) is about looking at your network through a larger lens than can be provided by a single security control or information source.