SIEM software products and services combine security information management (SIM) and security event management (SEM).
They provide real-time analysis of security alerts generated by network hardware and applications.
Vendors sell SIEM as software, as appliances or as managed services; these products are also used to log security data and generate reports for compliance purposes.
You may have noticed the word "correlation". To the question of how a SIEM works, the one-stop answer is correlation, though not that alone, of course.
Basically, a SIEM tool collects logs from devices present in the organization's infrastructure. Some solutions also collect NetFlow and even raw packets.
With the collected data (mainly logs and packets), the tool provides insight into what is happening on the network.
It provides data for each event occurring in the network and thus acts as a complete centralized security monitoring system.
In addition to this, the SIEM tool can be configured to detect a specific incident. For example, a user is trying to log in to an AD server. The first 3 authentication attempts fail and the 4th succeeds. This is an incident worth looking into.
There are many possibilities. Maybe a person is trying to guess the password of another user and got it right, which is a breach.
Or maybe the user forgot his password but got it right in the end, and so on. This is where correlation comes in.
For such a case, a correlation rule can be written so that if an authentication failure event occurs 3 times consecutively, followed by a success within a specific time period, an alert pops up.
This can then be investigated further by analyzing the logs from the respective machines. So my definition of correlation is: "It is the rule which aggregates events into an incident which is defined by a specific application or scenario."
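The rule described above can be sketched as follows. This is an added example, not code from any SIEM product; the event tuple layout, the 5-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events: (timestamp, user, outcome).
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "alice", "failure"),
    ("2024-01-01T09:00:20", "alice", "failure"),
    ("2024-01-01T09:00:45", "alice", "failure"),
    ("2024-01-01T09:01:10", "alice", "success"),   # 3 failures, then success
    ("2024-01-01T09:02:00", "bob", "failure"),
    ("2024-01-01T09:02:15", "bob", "success"),     # a single mistyped password
    ("2024-01-01T08:00:00", "carol", "failure"),
    ("2024-01-01T08:01:00", "carol", "failure"),
    ("2024-01-01T08:02:00", "carol", "failure"),
    ("2024-01-01T10:00:00", "carol", "success"),   # success far outside the window
    ("2024-01-01T11:00:00", "dave", "failure"),
    ("2024-01-01T11:00:10", "dave", "failure"),
    ("2024-01-01T11:00:20", "dave", "success"),    # run of 2 failures is reset here
    ("2024-01-01T11:00:30", "dave", "failure"),
    ("2024-01-01T11:00:40", "dave", "success"),
]


def correlate(events, failures_needed=3, window=timedelta(minutes=5)):
    """Aggregate per-user events into alerts: N consecutive failures, then a
    success, all inside `window` (both thresholds are assumptions)."""
    streaks = {}   # user -> timestamps of the current run of failures
    alerts = []
    for raw_ts, user, outcome in sorted(events):   # ISO timestamps sort by time
        ts = datetime.fromisoformat(raw_ts)
        if outcome == "failure":
            streaks.setdefault(user, []).append(ts)
            continue
        # A success ends the run; keep only the failures directly before it.
        run = streaks.pop(user, [])[-failures_needed:]
        if len(run) == failures_needed and ts - run[0] <= window:
            alerts.append({"user": user, "first_failure": run[0].isoformat(),
                           "success_at": ts.isoformat(), "failures": len(run)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The alert only says that the pattern occurred; deciding between a guessed password and a forgotten one still requires the follow-up log analysis described above.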
Logs reach the SIEM in two different ways: agent-based and non-agent-based. In the agent-based approach, a log-pushing agent is installed on the client machine from which the logs are collected.
This agent is then configured to forward logs to the solution. In the latter type, the client system sends logs on its own using a service such as Syslog or the Windows Event Collector service.
There are also specific applications & devices which can be integrated through a series of vendor-specific procedures.
Well, now you know that the logs from different devices are being forwarded into the SIEM.
Take an example: A port scan is initiated against a specific machine. In such a case, the machine would generate a lot of unusual logs.
Analyzing the logs, it will be clear that a number of connection failures are occurring to different ports at regular intervals.
Looking at packet information, if available, we can detect SYN requests being sent from the same source IP to the same destination IP but to different ports at regular intervals.
From that we can conclude that somebody initiated a SYN scan against our asset.
The SIEM automates this process and raises alerts. Different solutions do this in different ways but produce the same results.
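One way this automation can work is a sliding-window count of distinct destination ports per source and destination pair. This is an added example, not any vendor's implementation; the record layout, the threshold of 20 ports in 60 seconds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


def build_sample():
    """Constructed connection records: (epoch_s, src_ip, dst_ip, dst_port, result)."""
    # One source touching 25 different ports, one per second.
    scan = [(1000 + i, "198.51.100.7", "10.0.0.5", 20 + i, "refused")
            for i in range(25)]
    # Ordinary traffic to a single open port.
    normal = [(1000 + 3 * i, "10.0.0.9", "10.0.0.5", 443, "established")
              for i in range(10)]
    # A misconfigured client retrying one closed port: many failures, one port.
    retry = [(1005 + i, "10.0.0.12", "10.0.0.5", 8080, "refused")
             for i in range(30)]
    return scan + normal + retry


def detect_port_scans(records, min_ports=20, window=60):
    """Alert once per (src, dst) pair when failed connection attempts reach
    `min_ports` distinct destination ports within `window` seconds."""
    recent = defaultdict(deque)   # (src, dst) -> (ts, port) attempts in the window
    alerts = {}
    for ts, src, dst, port, result in sorted(records):
        if result == "established":
            continue              # only failed attempts count toward the rule
        attempts = recent[(src, dst)]
        attempts.append((ts, port))
        while ts - attempts[0][0] > window:
            attempts.popleft()    # drop attempts older than the window
        ports = {p for _, p in attempts}
        if len(ports) >= min_ports and (src, dst) not in alerts:
            alerts[(src, dst)] = {"src": src, "dst": dst,
                                  "distinct_ports": len(ports),
                                  "first_seen": attempts[0][0],
                                  "detected_at": ts}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_port_scans(build_sample()):
        print("ALERT possible port scan:", alert)
```

Counting distinct ports rather than raw failures is what keeps the retrying client in the sample from raising an alert.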
Critical Control 11: Account Monitoring and Control
Abnormal account activity can only be detected when compared to a baseline of known good activity. The baseline to meet this control should be recorded by the SIEM; and, as future snapshots or baselines are recorded, they can be compared to the approved baseline in the SIEM.
Critical Control 12: Malware Defenses
Malware that is discovered should be recorded according to this control. Centralized anti-malware tools should report their findings to a SIEM, which correlates against system and vulnerability data to determine which systems pose a greater risk due to the malware discovered on that system.
Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
If a system has a running port, protocol, or service that has not been authorized, it should also be reported to a central source where these vulnerabilities can be correlated with other events concerning a particular system.
SIEMs can monitor log data to detect traffic over restricted ports, protocols, and services. Organizations can use these controls to decide which ports and services are useful for business, which are not, and which types of traffic and ports to limit.
Critical Control 14: Wireless Device Control
Device misconfigurations and wireless intrusions should be reported to a central database for incident handling purposes. A SIEM is a perfect candidate to consolidate this information and use it for correlation or detection of threats to wireless infrastructure.
Critical Control 15: Data Loss Prevention
Data loss rule violations, like CCE discoveries, should also be reported to one central source such as a SIEM, which can correlate data loss events with inventory or asset information as well as other system and user activity to detect complex breaches of sensitive data.
View Comments
I'd love to see a follow-up post to this... how SIEM tools interact with other installed security software and hardware to automate and simplify operations.
Hi Charles, we are working towards it. We will post it very soon for sure.
SIEM vs Big Data