Security Information and Event Management (SIEM) – A Detailed Explanation of SIEM
- Manthati Dheeraj - Security Consultant
- Oct 26, 2017
Many organizations simplify their security monitoring with SIEM technology. Today we explain what exactly SIEM is and how it works.

SIEM software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by network hardware and applications.
Vendors sell SIEM as software, as appliances or as managed services; these products are also used to log security data and generate reports for compliance purposes.
The picture below shows the architecture of a SIEM.

Although the industry has settled on the term ‘SIEM’ as the catch-all term for this type of security software, it evolved from several different (but complementary) technologies that came before it.
Systems of SIEM
LMS (Log Management System) – A system that collects and stores log files from endpoint machines, network hardware, applications, etc. in a single location, allowing centralized access to logs instead of accessing them on each system individually.
SLM/SEM (Security Log/Event Management) – Marketed towards security analysts instead of system administrators. SEM is about highlighting which log entries are more significant to security than others.
SIM (Security Information Management) – An asset management system, but with features to join security information to it. Hosts may have vulnerability reports listed in their summaries, and intrusion detection and antivirus alerts may be shown mapped to the systems involved.
SEC (Security Event Correlation) – To a particular piece of software, three failed login attempts to the same user account from three different clients are just three lines in its log file. To an analyst, that is a particular sequence of events worthy of investigation, and log correlation (looking for patterns in log files) is a way to raise alerts when these things happen.
SIEM (Security Information and Event Management) – SIEM is the “all of the above” option; as the above technologies merged into single products, it became the generalized term for managing information generated from security controls and infrastructure. We’ll use the term SIEM for the rest of this post.
How does a SIEM work?
Basically, a SIEM tool collects logs from the devices present in the organization’s infrastructure. Some solutions also collect NetFlow and even raw packets. With the collected data (mainly logs and packets), the tool provides insight into what is happening on the network.
It provides data for each event occurring on the network and thus acts as a complete, centralized security monitoring system.
In addition, the SIEM tool can be configured to detect specific incidents. For example, a user tries to log in to an AD server. The first 3 times the authentication fails, and the 4th time it succeeds. This is an incident worth looking into.
There are many possibilities. Maybe a person is trying to guess another user’s password and got it right, which is a breach. Or maybe the user forgot his password but got it right in the end, and so on. This is where correlation comes in.
For such a case, a correlation rule can be written so that if an authentication failure event occurs 3 times consecutively, followed by a success within a specific time period, an alert is raised.
This can then be investigated further by analyzing the logs from the respective machines. So my definition of correlation is: “It is the rule which aggregates events into an incident which is defined by a specific application or scenario.”
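As an added example (not code from the original post), here is the three-failures-then-success correlation rule described above, run over constructed, syslog-style authentication events; the log format, host and user names, and the 5-minute default window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample authentication events (syslog-like; not taken from a real AD server).
SAMPLE_AUTH_LOG = """\
2017-10-26T09:00:01 host=dc01 user=alice src=10.0.0.5 result=FAIL
2017-10-26T09:00:07 host=dc01 user=alice src=10.0.0.5 result=FAIL
2017-10-26T09:00:12 host=dc01 user=alice src=10.0.0.5 result=FAIL
2017-10-26T09:00:20 host=dc01 user=alice src=10.0.0.5 result=SUCCESS
2017-10-26T09:05:00 host=dc01 user=bob src=10.0.0.9 result=FAIL
2017-10-26T09:30:00 host=dc01 user=bob src=10.0.0.9 result=FAIL
2017-10-26T09:31:00 host=dc01 user=bob src=10.0.0.9 result=FAIL
2017-10-26T09:31:30 host=dc01 user=bob src=10.0.0.9 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse_auth_log(text):
    """Turn raw lines into event dicts with a real datetime; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def correlate_bruteforce_success(events, failures=3, window_seconds=300):
    """Alert when `failures` consecutive FAILs for a user are followed by a SUCCESS within the window.
    A SUCCESS also resets that user's failure streak, so each alert rests on fresh evidence."""
    window = timedelta(seconds=window_seconds)
    alerts = []
    streak = {}  # user -> timestamps of the current run of consecutive failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["result"] == "FAIL":
            streak.setdefault(user, []).append(ev["ts"])
        elif ev["result"] == "SUCCESS":
            run = streak.pop(user, [])
            # Only the last `failures` attempts count, and each must fall inside the window.
            recent = [t for t in run[-failures:] if ev["ts"] - t <= window]
            if len(recent) >= failures:
                alerts.append({"user": user, "src": ev["src"], "host": ev["host"],
                               "first_fail": recent[0], "success": ev["ts"]})
    return alerts
```

With the defaults only alice's sequence fires; bob's three failures are consecutive but spread over 26 minutes, so the time window keeps them out until it is widened.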
What logs can be tracked
Normal activity
Error conditions
Configuration changes
Policy changes
User access to assets
Incident alerts
Unauthorized use of resources
Non-privileged access to files
User behavior patterns
Clearing of sensitive data
Access to audit trails

Logs are fetched into the SIEM in two different ways: agent-based and non-agent-based. In the agent-based approach, a log-pushing agent is installed on the client machine from which the logs are collected.
This agent is then configured to forward logs to the solution. In the latter type, the client system sends logs on its own using a service such as Syslog or the Windows Event Collector service.
There are also specific applications and devices which can be integrated through a series of vendor-specific procedures.
How exactly would the SIEM raise an alert?
Well, now you know that the logs from different devices are forwarded into the SIEM. Take an example: a port scan is initiated against a specific machine. In such a case, the machine would generate a lot of unusual logs.
Analyzing the logs, it becomes clear that a number of connection failures are occurring on different ports at regular intervals.
Looking at packet information, if available, we can see SYN requests being sent from the same source IP to the same destination IP but to different ports at regular intervals. That leads to the conclusion that somebody initiated a SYN scan against our asset.
The SIEM automates this process and raises alerts. Different solutions do this in different ways but produce the same results.
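The port-scan detection just described, as an added example that is not from the original post: a sliding-window rule over constructed firewall-style REJECT records (the record format, addresses, the 10-port threshold and the 60-second window are all assumptions), written so that the window's blind spot for slow scans is visible.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def constructed_conn_log():
    """Constructed firewall-style REJECT records (not a real capture): a fast scanner walking
    15 ports in 30 s, a host retrying one port, and a slow scanner probing a port every 10 min."""
    base = datetime(2017, 10, 26, 10, 0, 0)
    fmt = "{} src={} dst=10.0.0.20 dport={} action=REJECT"
    lines = [fmt.format((base + timedelta(seconds=2 * i)).isoformat(), "203.0.113.7", 20 + i)
             for i in range(15)]
    lines += [fmt.format((base + timedelta(seconds=5 * i)).isoformat(), "10.0.0.5", 445)
              for i in range(3)]
    lines += [fmt.format((base + timedelta(minutes=10 * i)).isoformat(), "198.51.100.3", 1000 + i)
              for i in range(12)]
    return "\n".join(lines)

def parse_conn_log(text):
    """Parse 'timestamp key=value ...' records into dicts with a datetime and an int port."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events

def detect_port_scans(events, min_ports=10, window_seconds=60):
    """Alert once per (src, dst) when one source is rejected on >= min_ports distinct ports
    inside a sliding window. Retries against a single port never trip the rule, and a scan
    slower than the window is missed: that gap is why SIEM rules are tuned per environment."""
    window = timedelta(seconds=window_seconds)
    alerts, alerted = [], set()
    recent = defaultdict(deque)  # (src, dst) -> (ts, dport) of rejected attempts still in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "REJECT":
            continue
        key = (ev["src"], ev["dst"])
        q = recent[key]
        q.append((ev["ts"], ev["dport"]))
        while ev["ts"] - q[0][0] > window:  # expire attempts that fell out of the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and key not in alerted:
            alerted.add(key)
            alerts.append({"src": ev["src"], "dst": ev["dst"], "distinct_ports": len(ports),
                           "first": q[0][0], "last": ev["ts"]})
    return alerts
```

With the defaults only the fast scanner is reported; widening the window to two hours also catches the slow scanner, at the cost of more state per source.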
Note: Content taken from Gbhakckers.com and Google.