Security Information Events Manager
Software designed to manage security data inputs and provide reporting and alerting.
The core function of SIEM tools is to collect and correlate data from network sensors and from appliance, host, and application logs, including:
- Windows hosts
- Linux hosts
- Network switches, routers, firewalls
- IDS sensors
- packet sniffers
- vulnerability scanners
- malware scanners
- DLP systems
Types of Data Collection
Agent-based: Install an agent service on each host that needs to be monitored. The host system itself filters, aggregates, and normalizes the relevant data and sends it to the SIEM server for analysis and storage. RAM usage ranges from 50-500 MB, depending on how much is being collected and on the general activity of the host system.
Listener/Collectors: Hosts are configured to push log changes to the SIEM server. As with agent-based collection, a background process monitors selected log files and syncs them to the SIEM server, using some variant of Syslog.
Sensors: The SIEM might collect packet captures and traffic flow data from sniffers. A sniffer can record network data using either a switch's mirror port functionality or some tap on the network media.
Alerting
After data has been acquired, the SIEM can implement alerting, reporting, or archiving of the activities of the monitored systems. This requires correlation rules, which is a fancy term for boolean expressions that is used only in the context of SIEM. You can also link SIEM systems with threat intelligence feeds, which connect possible active threats with known threat actor indicators, like specific IP addresses and domain names.
Each alert will be dealt with using the process of analysis, containment, eradication, and recovery. However, there are two special steps (for some reason) that need special attention:
- Validation (verify that the alert is indeed a true positive)
- Quarantine (isolate the network address, host computer, or file causing the alert)
Reporting
Provide insight into the security system's status by presenting activity in funny images, like graphs and numbers.
- High-level summaries for the executives who don't know what's going on
- Manager reports with more detailed information for the people whose job it is to know what's going on
- Compliance reports so the police don't bust down my office doors
Actual stuff includes:
- Authentication data (failed logins, file audits)
- Hosts with missing patches and/or configuration vulnerabilities
- Privileged user account anomalies (out of hours use, excessive resource requests, etc)
- Trend reporting (key metrics)
Archiving
Store log files. End of story.
Alert Tuning
Choose which types of logs and alerts of what severity you want to get an email or mobile push notification about.
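As an added example (not part of the original notes), here is a tiny Python correlation engine that does what the Alerting and Alert Tuning sections describe: it normalizes constructed sshd log lines, applies a brute-force rule (a boolean condition over grouped events), matches source IPs against a constructed threat-intel indicator list, and then keeps only the alerts whose severity is high enough to notify about. All log lines, indicator values, thresholds and function names are assumptions made up for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sshd auth log lines (syslog style); not real data.
SAMPLE_LOGS = """\
Jan 10 09:00:01 web01 sshd[1]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jan 10 09:00:05 web01 sshd[1]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jan 10 09:00:09 web01 sshd[1]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Jan 10 09:00:12 web01 sshd[1]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jan 10 09:00:20 web01 sshd[1]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jan 10 09:30:00 web01 sshd[1]: Accepted password for alice from 198.51.100.4 port 40000 ssh2
Jan 10 09:31:00 web01 sshd[1]: Failed password for bob from 192.0.2.9 port 40001 ssh2
""".splitlines()
# Constructed threat-intelligence indicator list (placeholder IP from a documentation range).
THREAT_INTEL_IPS = {"203.0.113.7"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")

def normalize(line, year=2024):
    """Agent-style normalization: raw syslog line -> dict of fields (None if it does not parse)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"], "user": m["user"], "ip": m["ip"]}

def correlate(lines, threshold=5, window=timedelta(minutes=1)):
    """Run two correlation rules over normalized events; return (severity, rule, ip) tuples."""
    events = [e for e in map(normalize, lines) if e]
    alerts = []
    # Rule 1: boolean condition over a group -- at least `threshold` failed logins
    # from the same source IP inside a sliding `window`.
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    for ip, times in failures.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            alerts.append(("high", "brute_force", ip))
    # Rule 2: threat-intel feed match -- any event whose source IP is a known indicator.
    for ip in sorted({e["ip"] for e in events} & THREAT_INTEL_IPS):
        alerts.append(("critical", "threat_intel_match", ip))
    return alerts

def tune(alerts, minimum="high"):
    """Alert tuning: only alerts at or above `minimum` severity get a notification."""
    return [a for a in alerts if SEVERITY_RANK[a[0]] >= SEVERITY_RANK[minimum]]
```

Running `tune(correlate(SAMPLE_LOGS), "critical")` keeps only the threat-intel match, while `"high"` also surfaces the brute-force alert from the same source.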