From the course: CISSP Cert Prep (2021): 7 Security Operations

Security information and event management

- [Instructor] Now you know that log files are an important security control because they allow IT professionals to detect suspicious activity taking place on their systems, networks and applications. However, if you're like most security professionals, you simply don't have the time to do a thorough job of reviewing those detailed logs. There are just far too many log entries generated by systems every day, and trudging through them would be tedious, mind-numbing work. Now, fortunately for us, computers are very good at tedious work, and most organizations now go beyond the simple reporting and alerting mechanisms that I discussed in the last video and apply artificial intelligence approaches to the problem of security log analysis. Security Information and Event Management, or SIEM, systems have two major functions on an enterprise network. First, they act as a central, secure collection point for log entries from a variety of sensors. Administrators configure all of their systems, network devices and applications to send log records directly to the SIEM, and the SIEM stores them in a secure fashion where they're safe from unauthorized modification and available for analysis. Second, these systems apply artificial intelligence to correlate all those log entries and detect patterns of potentially malicious activity. Now, the great thing about a SIEM is that it has access to all the log entries and alerts from across the organization. In a hierarchical organization, network engineers might have access to firewall logs, system engineers might have operating system logs, and application administrators may have application logs. This siloed approach means that attacks may go unnoticed if the signs of the attack are spread across multiple departments. Each administrator may see a piece of the puzzle, but they can't put the whole picture together.
The SIEM has all of the puzzle pieces, and it performs an activity known as log correlation to recognize combinations of activity that may indicate a security incident. For example, an intrusion detection system might notice the unique signature of an attack in inbound network traffic, triggering an event within the SIEM that pulls together other information. From there, a firewall may note an inbound connection to a web server from an unfriendly country. The web server may report suspicious queries that include signs of a SQL injection attack. The database server might report a large query from a web application that deviates from normal patterns, and a router might report a large flow of information from the database server to the internet. In isolation, each of these activities may seem innocuous, but when the SIEM puts those pieces together, a pattern of suspicious activity emerges. The SIEM consolidates all of this into dashboards that provide administrators with a centralized view of the network. The dashboard may generate alerts to administrators when unusual activity occurs, facilitate the analysis of trends on the network that might impact security, and offer adjustable sensitivity to tune the frequency and quality of alerts sent to administrators. SOAR platforms go beyond the capability of SIEMs to further automate security operations. Now, the acronym SOAR stands for security orchestration, automation and response, and you can think of a SOAR platform as a greatly enhanced version of a SIEM. SOAR platforms allow you to not only correlate security information but also to automatically respond to specific circumstances, and they do this by facilitating two different types of response. Playbooks are process-focused responses to security events. They may include a combination of activities performed automatically by the SOAR platform, as well as human steps that play an integral role in the process.
Playbooks should tie directly to an organization's incident response policy and procedures. Runbooks are completely automated steps the SOAR platform performs when triggered by an event. This may include gathering additional information for analysis, augmenting log entries, isolating suspect systems and notifying administrators of the activity. Runbooks are meant to execute automatically and quickly to rapidly facilitate a response and aid human investigators.
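The log correlation the instructor describes, as an added illustration that is not part of the course: a minimal correlation rule that normalises entries from the five sensors in the example chain (IDS, firewall, web server, database, router), groups stage hits that fall within a short time window, and raises an alert only when enough distinct stages appear. The log lines, field names and the `min_stages` sensitivity knob are all constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log entries (not from any real system), one per sensor in the
# chain described in the video, plus one lone firewall hit that should not alert.
SAMPLE_LOGS = """\
2024-05-01T10:00:05 ids host=web01 msg=signature-match sig=SQLI-PROBE
2024-05-01T10:00:09 firewall host=web01 msg=inbound-allowed geo=unfriendly
2024-05-01T10:00:12 webserver host=web01 msg=suspicious-query pattern=sqli
2024-05-01T10:00:40 database host=db01 msg=large-query rows=250000 client=web01
2024-05-01T10:01:10 router host=db01 msg=large-outbound bytes=900000000
2024-05-01T11:30:00 firewall host=web02 msg=inbound-allowed geo=unfriendly
"""

# Each (sensor, message) pair maps to a named stage of the suspected incident.
STAGE_RULES = {
    ("ids", "signature-match"): "ids_signature",
    ("firewall", "inbound-allowed"): "inbound_from_unfriendly_geo",
    ("webserver", "suspicious-query"): "sqli_indicators",
    ("database", "large-query"): "anomalous_db_query",
    ("router", "large-outbound"): "large_egress_flow",
}

LINE_RE = re.compile(r"^(\S+) (\S+) host=(\S+) msg=(\S+)(.*)$")

def parse_logs(text):
    """Normalise raw lines into (timestamp, sensor, host, message, attrs) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real SIEM would route unparsable lines to a parse-error bucket
        ts, sensor, host, msg, rest = m.groups()
        attrs = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), sensor, host, msg, attrs))
    return events

def correlate(events, window=timedelta(minutes=5), min_stages=3):
    """Return [(window_start, [stages])] for each window holding >= min_stages
    distinct stages. Raising min_stages lowers sensitivity; lowering it raises it."""
    hits = sorted((ts, STAGE_RULES[(sensor, msg)]) for ts, sensor, _, msg, _ in events
                  if (sensor, msg) in STAGE_RULES)
    alerts, current, start = [], {}, None
    for ts, stage in hits:
        if start is not None and ts - start > window:  # window closed: evaluate it
            if len(current) >= min_stages:
                alerts.append((start, sorted(current)))
            current, start = {}, None
        if start is None:
            start = ts
        current[stage] = ts  # dedupe: one sensor firing twice is still one stage
    if len(current) >= min_stages:
        alerts.append((start, sorted(current)))
    return alerts
```

With the defaults the five-sensor burst at 10:00 produces one alert and the lone 11:30 firewall entry does not; a production rule would also link the stages by host (here `db01` reports `client=web01`) rather than by time alone.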