Lead Image © Sergey Nivens, 123RF.com
Set up and operate security monitoring throughout the enterprise
Seeing Eye
Every day, IT operations generate a myriad of data in which much security-relevant information is hidden. However, it is impossible to extract anything meaningful from this flood of data manually. Security Information and Event Management (SIEM) systems are therefore designed to give administrators better insight into the IT security status across an organization. This can only work if the people responsible for IT observe several important basic rules when designing the SIEM system and the sensor architecture. In this article, we introduce the fundamental points to consider when choosing a SIEM system and designing its interaction with data sources and downstream systems.
Well-organized monitoring does not just cover classic indicators such as availability, use levels, and service and system response times; it also reveals the current status quo in terms of IT security. An important precondition is that security-relevant logfile entries from applications and dedicated security components, such as Intrusion Detection Systems (IDSs), are centrally collated, correlated, and holistically evaluated. SIEM systems specialize in performing this task, and several open source and commercial tools have asserted themselves in this field.
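The collate-and-correlate step described above can be illustrated with a small example. The code below is added for this article's context and is not part of the original text or of any SIEM product: it normalizes constructed sshd and IDS log lines (both formats, the host names, and the IP addresses are assumptions) into one event schema, then applies two correlation rules to the combined stream: a run of failed logins followed by a successful login from the same source, and an IDS alert for a source that subsequently logs in successfully.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog-like layout (not real system output).
SSHD_LOG = [
    "2015-09-01T10:00:01 web01 sshd[2100]: Failed password for admin from 203.0.113.7 port 50112 ssh2",
    "2015-09-01T10:00:04 web01 sshd[2100]: Failed password for admin from 203.0.113.7 port 50113 ssh2",
    "2015-09-01T10:00:09 web01 sshd[2100]: Failed password for admin from 203.0.113.7 port 50114 ssh2",
    "2015-09-01T10:00:15 web01 sshd[2101]: Accepted password for admin from 203.0.113.7 port 50120 ssh2",
    "2015-09-01T10:30:00 web01 sshd[2200]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2",
]
IDS_LOG = [
    "2015-09-01T09:58:30 ids01 ids: ALERT ssh-probe src=203.0.113.7 dst=web01",
    "2015-09-01T11:00:00 ids01 ids: ALERT port-scan src=192.0.2.50 dst=web01",
]

# Assumed line formats for the two constructed sources.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
IDS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) ids: ALERT (?P<sig>\S+) src=(?P<ip>\S+)")


def parse_line(line):
    """Normalize one raw line into a common event schema; None if unrecognized."""
    m = SSHD_RE.match(line)
    if m:
        return {
            "ts": datetime.fromisoformat(m["ts"]), "source": "sshd", "host": m["host"],
            "src_ip": m["ip"],
            "action": "login_ok" if m["result"] == "Accepted" else "login_fail",
            "detail": m["user"],
        }
    m = IDS_RE.match(line)
    if m:
        return {
            "ts": datetime.fromisoformat(m["ts"]), "source": "ids", "host": m["host"],
            "src_ip": m["ip"], "action": "ids_alert", "detail": m["sig"],
        }
    return None


def normalize(lines):
    """Collate lines from all sources into one time-ordered event stream."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5), fail_threshold=3):
    """Evaluate correlation rules that span sources; returns a list of findings."""
    findings = []
    for i, ev in enumerate(events):
        if ev["action"] != "login_ok":
            continue
        # Earlier events from the same source address inside the look-back window.
        earlier = [e for e in events[:i]
                   if e["src_ip"] == ev["src_ip"] and ev["ts"] - e["ts"] <= window]
        fails = sum(1 for e in earlier if e["action"] == "login_fail")
        alerts = [e["detail"] for e in earlier if e["action"] == "ids_alert"]
        if fails >= fail_threshold:
            findings.append({"rule": "brute_force_then_success", "src_ip": ev["src_ip"],
                             "host": ev["host"], "user": ev["detail"], "failures": fails,
                             "ts": ev["ts"]})
        if alerts:
            findings.append({"rule": "ids_alert_then_login", "src_ip": ev["src_ip"],
                             "host": ev["host"], "user": ev["detail"], "signatures": alerts,
                             "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in correlate(normalize(SSHD_LOG + IDS_LOG)):
        print(f)
```

Neither log source on its own reveals the second finding: the IDS only sees a probe, and sshd only sees a valid login. Only after both streams are normalized to a shared schema (timestamp, host, source address, action) can the rule join them, which is the core service a SIEM provides.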
Important Selection Criteria
As with other monitoring tools, functionality, scalability, and cost are the three obvious criteria for selecting a SIEM product. In terms of functionality, the products differ mainly in features whose usefulness and necessity should be assessed against your own application scenario. Unfortunately, the same applies to missing features: for example, pervasive support for IPv6 is still rare, even nearing the end of 2015.
Scalability is typically measured as the number of security messages per second that the SIEM can field and process. Some open source and community editions