Copyright Goodheart-Willcox Co., Inc. 85 Chapter 3 Security Evaluation

Security Information and Event Management (SIEM)

In a large network that includes multiple servers and systems, it can be extremely difficult to collect event log data, analyze it appropriately, and act on urgent matters quickly. Even with event forwarding, the amount of data collected could make it difficult to locate critical information. To help with these tasks, a security information and event management (SIEM) system can be used. A security information and event management (SIEM) system is a software product that supports organizational security by collecting and compiling, in real time, the log data generated in a network and producing analyzed results and reports. There are many SIEM software products available; some are open-source, and others may have limitations on gathering data based on the host operating system. Some implementations of SIEM software can become quite costly. For this reason, SIEM systems are not common on smaller networks. However, many security companies offset the cost by managing the SIEM process remotely. Some popular SIEM programs include SolarWinds, AlienVault, Splunk Enterprise Security, and LogRhythm NextGen SIEM.

An SIEM system is a combination of two separate security components: Security Information Management (SIM) and Security Event Management (SEM). SIM systems handle the collection of log files, which are stored centrally for later analysis of the data. SEM products identify, gather, and monitor systems in real time. SIEM systems combine the functionality of each component to take real-time and historical data from network devices and apply analytical rules to identify patterns, threats, and suspicious activity.
Together, the two components create the blended SIEM product:

Security Information Management (SIM) is the practice of automating the collection of event-log data from computer logs and other security devices, including firewalls, intrusion detection systems, proxy servers, and antivirus software. The data is then normalized, which is the process of breaking up the fields in raw data, placing them into a standardized format, and combining them into views that are relevant to security administrators.

Security Event Management (SEM) automates log collection and performs real-time analysis on data, including event correlation to establish relationships between events. By using SEM, threats can be identified and alerts provided in a timely manner.

An SIEM system typically provides the following features:

Log aggregation. Log aggregation is the automated gathering of log and event data from hosts and network devices throughout the network. This is an important step, as it provides a complete picture of the overall health status of the network.

Log collection. A log collector is a service that assembles logs from various event sources throughout a network environment. Log collectors are often configured on endpoint devices, along with syslog services, to send the resulting data to syslog servers.

Data input. Data input refers to the methods used in syslog to collect and record data within logs. One method of data input is to identify each data source, such as files, directories, or network inputs. In addition, data inputs can be used to forward TCP or UDP data to a syslog server.
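The SIM step (normalizing raw log lines from different sources into one standardized format) and the SEM step (correlating the normalized events to relate them to each other) can be shown end to end with a small script. This is an added example, not code from the textbook or from any of the SIEM products it names; the syslog lines, host names and addresses are constructed, and the correlation rule (several failed logins from one source followed by a success) is one illustrative rule, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines from two event sources: a firewall (fw01)
# and two SSH servers (srv01, srv02). Not real log data.
RAW_EVENTS = [
    "Mar 10 08:01:02 fw01 kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Mar 10 08:01:05 srv01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51000 ssh2",
    "Mar 10 08:01:09 srv01 sshd[2212]: Failed password for admin from 203.0.113.7 port 51001 ssh2",
    "Mar 10 08:01:12 srv01 sshd[2213]: Failed password for admin from 203.0.113.7 port 51002 ssh2",
    "Mar 10 08:01:20 srv01 sshd[2214]: Accepted password for admin from 203.0.113.7 port 51003 ssh2",
    "Mar 10 08:02:00 srv02 sshd[900]: Failed password for bob from 198.51.100.4 port 40000 ssh2",
]

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
SSH = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
FW = re.compile(r"(?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dpt>\d+)")

def normalize(line):
    """SIM step: break one raw syslog line into standardized fields.
    Messages in a format we do not know are kept as 'unparsed', not dropped."""
    m = SYSLOG.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "category": "unparsed", "src": None}
    if s := SSH.search(m["msg"]):
        event.update(category="auth_fail" if s["result"] == "Failed" else "auth_success",
                     user=s["user"], src=s["src"])
    elif f := FW.search(m["msg"]):
        event.update(category="fw_" + f["action"].lower(), src=f["src"],
                     dst=f["dst"], dport=int(f["dpt"]))
    return event

def correlate(events, threshold=3):
    """SEM step: relate events across sources by source address and raise an
    alert when a success follows at least `threshold` failures from that source."""
    fails = defaultdict(int)
    alerts = []
    for e in events:
        if e["category"] == "auth_fail":
            fails[e["src"]] += 1
        elif e["category"] == "auth_success" and fails[e["src"]] >= threshold:
            alerts.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                           "src": e["src"], "failures_before_success": fails[e["src"]]})
    return alerts

def run(lines=RAW_EVENTS):
    """Aggregate, normalize and correlate; returns (normalized events, alerts)."""
    events = [e for e in (normalize(line) for line in lines) if e]
    return events, correlate(events)
```

Running run() on the constructed lines yields six normalized events and one alert for 203.0.113.7, which the firewall DROP line independently ties to the same source; that cross-source view is what aggregation plus normalization buys the analyst.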