Security incident response efforts require the correlation of information from many different sources. Security information and event management systems serve as a centralized collection point for log entries and perform correlation of events across diverse systems. In this video, learn about the important role that SIEMs play in an organization's cybersecurity program.
- [Narrator] You probably know that log files are an important security control allowing IT professionals to detect suspicious activity taking place on systems, networks, and applications. However, if you're like most security professionals, you simply don't have the time to do a thorough job of reviewing those logs manually. There are simply far too many log entries generated by systems each day, and trudging through them would be tedious, mind-numbing work. Fortunately, computers are very good at tedious work, and most organizations now go beyond the simple reporting and alerting mechanisms that I discussed earlier and apply artificial intelligence approaches to the problem of security log analysis.
Security information and event management, or SIEM systems, have two major functions on an enterprise network. First, they act as a central secure collection point for log entries. Administrators can configure all of their systems, network devices, and applications to send log records directly to the SIEM, and the SIEM stores them in a secure fashion where they are safe from unauthorized modification and available for analysis. Second, these systems apply artificial intelligence techniques to correlate all of those log entries and detect patterns of potential malicious activity.
The great thing about a SIEM is that it has access to all of the log entries from across the organization. In a hierarchical organization, network engineers might have access to firewall logs, system engineers might have operating system logs, and application administrators may have the application logs. This siloed approach means that attacks may go unnoticed if the signs of the attack are spread across multiple departments. Each administrator may see a piece of the puzzle but can't put the whole picture together.
The SIEM has access to all of the puzzle pieces and performs an activity known as log correlation to recognize combinations of activity that may indicate a security incident. For example, an intrusion detection system might notice the unique signature of an attack in inbound network traffic, triggering an event within the SIEM that pulls together other information. From there, a firewall may note an inbound connection to a web server from an unfriendly country. The web server might report suspicious queries that include signs of a SQL injection attack, the database server might report a large query from a web application that deviates from normal patterns, and a router might report a large flow of information from the database server to a system located on the internet.
In isolation each of these activities may seem innocuous, but when the SIEM puts those pieces together, a pattern of suspicious activity emerges. Security information and event management systems provide security professionals with a valuable tool for the centralized collection and correlation of security event information.
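The correlation the narrator walks through, shown as an added Python illustration that is not code from the course or from any SIEM product: one rule chains the five signals (IDS signature, firewall inbound allow, web-server SQL injection pattern, oversized database query, large outbound flow) by time window and by the host and peer fields that link each stage to the next. All event records, hosts and addresses below are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events, as a SIEM would hold them after normalising each
# source's log format into one schema (timestamp, source, event type, host, peer).
EVENTS = [
    {"ts": "2024-05-01T10:00:05", "src": "ids",      "type": "signature_match", "host": "10.0.1.5",  "peer": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:06", "src": "firewall", "type": "inbound_allow",   "host": "10.0.1.5",  "peer": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:09", "src": "webapp",   "type": "sqli_pattern",    "host": "10.0.1.5",  "peer": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:12", "src": "database", "type": "large_query",     "host": "10.0.2.20", "peer": "10.0.1.5"},
    {"ts": "2024-05-01T10:03:40", "src": "router",   "type": "large_outbound",  "host": "10.0.2.20", "peer": "198.51.100.9"},
    {"ts": "2024-05-01T14:00:00", "src": "firewall", "type": "inbound_allow",   "host": "10.0.1.5",  "peer": "192.0.2.4"},
]

# Correlation rule: the five stages from the narration, in order. Each link
# predicate states how a stage's event must relate to the previous stage's event.
STAGES = [
    ("signature_match", None),                                                              # IDS flags the inbound attack
    ("inbound_allow",   lambda p, c: c["host"] == p["host"] and c["peer"] == p["peer"]),   # same client to same web server
    ("sqli_pattern",    lambda p, c: c["host"] == p["host"] and c["peer"] == p["peer"]),   # that web server reports SQLi
    ("large_query",     lambda p, c: c["peer"] == p["host"]),                               # DB queried by that web server
    ("large_outbound",  lambda p, c: c["host"] == p["host"]),                               # that DB server sends data out
]
WINDOW = timedelta(minutes=10)   # every stage must fall within this span of the first

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def correlate(events, stages=STAGES, window=WINDOW):
    """Return every complete stage chain found in `events`, each as a list of events."""
    events = sorted(events, key=_ts)
    incidents = []

    def extend(path, idx):
        if idx == len(stages):            # every stage matched: record the full chain
            incidents.append(path)
            return
        etype, link = stages[idx]
        for e in events:
            # candidate must be the right type, not earlier than the previous stage, inside the window
            if e["type"] != etype or _ts(e) < _ts(path[-1]) or _ts(e) - _ts(path[0]) > window:
                continue
            if link is None or link(path[-1], e):
                extend(path + [e], idx + 1)

    for e in events:                      # each IDS hit can start a chain
        if e["type"] == stages[0][0]:
            extend([e], 1)
    return incidents
```

Any one of these events on its own matches no rule; only the complete chain produces an incident, which is the point the narration makes about signals spread across teams.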