Question

In: Computer Science


Type a 2-3-page paper discussing your opinion on whether you believe organizations should implement SIEMs on their networks.

Solutions

Expert Solution

Security information and event management (SIEM) is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system.

The underlying principle of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. For example, when a potential issue is detected, a SIEM system might log additional information, generate an alert and instruct other security controls to stop an activity's progress. At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEM systems have evolved to include user and entity behavior analytics (UEBA) and security orchestration, automation and response (SOAR).

Payment Card Industry Data Security Standard (PCI DSS) compliance originally drove SIEM adoption in large enterprises, but concerns over advanced persistent threats (APTs) have led smaller organizations to look at the benefits SIEM managed security service providers (MSSPs) can offer. Being able to look at all security-related data from a single point of view makes it easier for organizations of all sizes to spot patterns that are out of the ordinary.

SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers and network equipment, as well as specialized security equipment, such as firewalls, antivirus or intrusion prevention systems (IPSs). The collectors forward events to a centralized management console, where security analysts sift through the noise, connecting the dots and prioritizing security incidents.

In some systems, preprocessing may happen at edge collectors, with only certain events being passed through to a centralized management node. In this way, the volume of information being communicated and stored can be reduced. Although advancements in machine learning are helping systems to flag anomalies more accurately, analysts must still provide feedback, continuously educating the system about the environment.

How does SIEM work?

SIEM tools work by gathering event and log data created by host systems, applications and security devices, such as antivirus filters and firewalls, throughout a company's infrastructure and bringing that data together on a centralized platform. The SIEM tools identify and sort the data into such categories as successful and failed logins, malware activity and other likely malicious activity.

The SIEM software then generates security alerts when it identifies potential security issues. Using a set of predefined rules, organizations can set these alerts as low or high priority.

For instance, a user account that generates 25 failed login attempts in 25 minutes could be flagged as suspicious but still be set at a lower priority because the login attempts were probably made by a user who had forgotten his login information.

However, a user account that generates 130 failed login attempts in five minutes would be flagged as a high-priority event because it's most likely a brute-force attack in progress.

Why is SIEM important?

SIEM is important because it makes it easier for enterprises to manage security by filtering massive amounts of security data and prioritizing the security alerts the software generates.

SIEM software enables organizations to detect incidents that may otherwise go undetected. The software analyzes the log entries to identify signs of malicious activity. In addition, since the system gathers events from different sources across the network, it can recreate the timeline of an attack, enabling a company to determine the nature of the attack and its impact on the business.

A SIEM system can also help an organization meet compliance requirements by automatically generating reports that include all the logged security events among these sources. Without SIEM software, the company would have to gather log data and compile the reports manually.

A SIEM system also enhances incident management by enabling the company's security team to uncover the route an attack takes across the network, identify the sources that were compromised and provide the automated tools to prevent the attacks in progress.

Benefits of SIEM

Some of the benefits of SIEM include the following:

  • significantly shortens the time it takes to identify threats, minimizing the damage from those threats;
  • offers a holistic view of an organization's information security environment, making it easier to gather and analyze security information to keep systems safe -- all of an organization's data goes into a centralized repository where it is stored and easily accessible;
  • can be used by companies for a variety of use cases that revolve around data or logs, including security programs, audit and compliance reporting, help desk and network troubleshooting;
  • supports large amounts of data so organizations can continue to scale out and increase their data;
  • provides threat detection and security alerts;
  • can perform detailed forensic analysis in the event of major security breaches.

Even a decade later, SIEMs are still a focal point of network security design. This is because of their ability to be used for different things. For instance, SIEMs can be used for security monitoring. SIEMs can help because of their ability to provide real-time monitoring of current network systems, users and incidents. A SIEM will also generate and record its monitoring activities for accounting purposes. It also provides alerts about events to security personnel. The alert will tell them where the event occurred and what it is. SIEMs can also be used for advanced threat detection. Advanced threats are those designed to steal information over a length of time. This malware usually provides persistent remote access. SIEM is designed to detect these attacks. Over time, a SIEM can also be used for data retention. Data retention is what defines the policies for persistent data and records and their management. Persistent data is data that is not likely to be modified. So, SIEMs can group policies and persistent data together so that they can enforce users to abide by certain rules when interacting with certain pieces of data.

So, seeing all the above benefits, having a SIEM in an organization's network is helpful for the users of the organization. So I believe organizations should implement a SIEM on their networks.
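The answer's "How does SIEM work?" section describes two steps of a rules-based SIEM: normalizing raw log lines into categories (successful and failed logins), then applying predefined rules with different priorities, using the two failed-login scenarios (25 attempts in 25 minutes as low priority, 130 attempts in five minutes as high priority). The following Python script is an added example, not code from the original answer or from any SIEM product. It constructs its own simplified, hypothetical sshd-style log lines, parses them, and runs a sliding-window correlation rule per account using exactly those two thresholds. The log format, host names, user names and IP addresses are all made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical simplified log format, constructed for this example (not a real sshd format):
#   <ISO 8601 timestamp> <host> sshd: <Failed|Accepted> password for <user> from <src-ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Predefined correlation rules mirroring the answer's two scenarios.
# Thresholds and windows are illustrative; a real deployment tunes them per environment.
RULES = [
    {"name": "probable_brute_force", "threshold": 130, "window": timedelta(minutes=5), "priority": "high"},
    {"name": "repeated_failed_logins", "threshold": 25, "window": timedelta(minutes=25), "priority": "low"},
]
PRIORITY_RANK = {"low": 1, "high": 2}


def parse_line(line):
    """Normalize one raw log line into an event dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # a real collector would count or quarantine unparsable lines
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["category"] = "failed_login" if ev["result"] == "Failed" else "successful_login"
    return ev


def correlate(lines):
    """Rules-based correlation over a sliding window of failed logins per account.

    Assumes lines arrive in timestamp order (as a collector would forward them).
    Emits one alert per (rule, user) the first time that rule fires.
    """
    windows = defaultdict(deque)  # user -> timestamps of recent failed logins
    longest = max(r["window"] for r in RULES)
    fired = set()
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["category"] != "failed_login":
            continue
        q = windows[ev["user"]]
        q.append(ev["ts"])
        # Drop timestamps older than the longest rule window; they can never count again.
        while q and q[0] < ev["ts"] - longest:
            q.popleft()
        for rule in RULES:
            key = (rule["name"], ev["user"])
            if key in fired:
                continue
            cutoff = ev["ts"] - rule["window"]
            count = sum(1 for t in q if t >= cutoff)
            if count >= rule["threshold"]:
                fired.add(key)
                alerts.append({
                    "rule": rule["name"], "priority": rule["priority"], "user": ev["user"],
                    "host": ev["host"], "src": ev["src"], "count": count, "at": ev["ts"].isoformat(),
                })
    return alerts


def highest_priority_per_user(alerts):
    """Summarize alerts the way an analyst queue would: the top priority per account."""
    best = {}
    for a in alerts:
        if a["user"] not in best or PRIORITY_RANK[a["priority"]] > PRIORITY_RANK[best[a["user"]]]:
            best[a["user"]] = a["priority"]
    return best


def build_sample_log():
    """Constructed sample data for the demo; nothing here was captured from a real system."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    # alice: 25 failures one minute apart -> the answer's low-priority case
    for i in range(25):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} web01 sshd: Failed password for alice from 10.0.0.5")
    # bob: 130 failures two seconds apart (about 4.5 minutes) -> the answer's high-priority case
    for i in range(130):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} web01 sshd: Failed password for bob from 203.0.113.9")
    # carol: three typos then a successful login -> below every threshold
    for i in range(3):
        lines.append(f"{(t0 + timedelta(seconds=30 * i)).isoformat()} web02 sshd: Failed password for carol from 10.0.0.7")
    lines.append(f"{(t0 + timedelta(seconds=100)).isoformat()} web02 sshd: Accepted password for carol from 10.0.0.7")
    lines.append("garbage line the collector could not parse")
    return sorted(lines)  # ISO 8601 timestamps sort lexically, so this orders events by time


def run_demo():
    alerts = correlate(build_sample_log())
    return alerts, highest_priority_per_user(alerts)


if __name__ == "__main__":
    demo_alerts, summary = run_demo()
    for alert in demo_alerts:
        print(alert)
    print(summary)
```

Running the script produces three alerts: a low-priority one for alice, and both a low- and a high-priority one for bob (the 25-in-25-minutes rule fires first, then the 130-in-5-minutes rule); carol never reaches a threshold. The per-user summary is what the answer calls prioritizing: bob is high, alice is low. Note that the rule only ever counts failures per account; a campaign that spreads a few attempts across many accounts would need a second rule keyed on the source address, which is one reason the answer stresses that analysts keep tuning the system.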
