SIEM 2.1 Flashcards
What is SIEM
Security Information and Event Management
What does it do?
Collects and stores security events and log data from across the network. Provides real-time information such as security alerts. Performs log aggregation and long-term storage. Usually includes advanced reporting features. Correlates data to link diverse data types (for example, a firewall log and an authentication log that describe the same incident). Gathers details after an event for forensic analysis.
Time Synchronization
Each device connected to the network has its own clock. If the clocks are not in sync, timestamps from different devices cannot be compared, which causes problems for security logging, event correlation and forensics. To deal with this, all devices synchronize to a common time source using Network Time Protocol (NTP). On a local network the devices will typically agree to within approximately 1 ms. Logging in a single time zone (usually UTC) avoids a second source of confusion when logs are compared.
Syslog
Standardized method for message logging. Important for transferring log data. Usually there is a central logging receiver integrated into the SIEM. Requires a MASSIVE amount of disk space. Uses WORM drive technology. WORM = Write Once Read Many. You can never change anything on the device after it is written.
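The card above describes the format only in words. The following is an added example, not part of the original flashcards, showing how a collector splits a BSD (RFC 3164) syslog line into its parts and decodes the PRI field into facility and severity (facility * 8 + severity). The sample lines are constructed for the example (the first one is the example message from RFC 3164 itself) and the year argument is needed because BSD timestamps carry no year.

```python
import re
from datetime import datetime

# Standard syslog severity (0-7) and facility (0-23) names from RFC 3164 / RFC 5424.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MESSAGE
_BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)


def parse_syslog(line, year=None):
    """Parse one RFC 3164 (BSD) syslog line into a dict.

    The PRI field encodes facility and severity as facility * 8 + severity.
    BSD timestamps carry no year, so the caller supplies one (defaults to the
    current year); a collector that runs across New Year must handle the rollover.
    Raises ValueError for lines that are not well-formed syslog.
    """
    m = _BSD_LINE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    ts_text = " ".join(m.group("ts").split())  # collapse the "Oct  5" day padding
    ts = datetime.strptime(f"{year or datetime.now().year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {
        "timestamp": ts,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


# Constructed sample lines (not real captures). The first is the example from RFC 3164.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct  5 03:00:01 web01 cron: run-parts /etc/cron.hourly",
    "<86>Oct 11 22:14:20 bastion sshd[4321]: Failed password for admin from 203.0.113.5 port 40001 ssh2",
    "this line is not syslog at all",
]


def parse_all(lines, year):
    """Parse what we can and count rejects, so malformed input is visible rather than silently dropped."""
    parsed, rejected = [], 0
    for line in lines:
        try:
            parsed.append(parse_syslog(line, year))
        except ValueError:
            rejected += 1
    return parsed, rejected


if __name__ == "__main__":
    events, bad = parse_all(SAMPLE_LINES, 2024)
    for ev in events:
        print(f"{ev['timestamp']} {ev['host']} {ev['facility']}.{ev['severity']} {ev['tag']}: {ev['msg']}")
    print(f"{bad} line(s) rejected")
```

PRI 34 decodes to facility 4 (auth) and severity 2 (crit), which is how a SIEM knows to prioritize that line over the `<13>` (user.notice) cron message without reading the text. Rejected lines are counted rather than discarded quietly, because a collector that silently loses input is a gap an attacker can hide in.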
Event de-duplication
When an event occurs, you can get what is called an "event storm": the event log is overwhelmed with duplicate messages from one or many devices. The SIEM organizes the messages in a way that reduces noise for the reader. Instead of writing "disconnected" 100 times, it writes "disconnected 100 times", keeping the first and last timestamp so the duration of the storm is still visible.
Automated Alerting and Triggers
You will receive a constant flow of information, and important metrics will be in the incoming logs. Important statistics are tracked and alerts are sent when problems are found. You can create triggers to automate responses, such as opening a ticket or even rebooting a device. Disruptive automated responses like a reboot should be reserved for well-tested rules, because a false positive then causes an outage of your own making.
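The de-duplication and trigger cards above describe behaviour a SIEM performs on a stream of already-collected events. The following is an added example, not part of the original flashcards, that runs both over a constructed event list: a 100-message link-flap storm that is collapsed into one "100 times" record, and SSH failures from two sources, only one of which crosses a hypothetical 5-failures-in-60-seconds threshold and opens a (simulated) ticket. The event dicts, the `Failed password` message text and the threshold values are assumptions for the example; events are sorted by timestamp first, which is exactly why the time-synchronization card matters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd-style failure text used in the constructed sample below.
FAILED_LOGIN = re.compile(r"Failed password for \S+ from (?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def deduplicate(events):
    """Collapse runs of identical (host, msg) into one record carrying a count.

    Events must already be in time order; the first and last timestamps of the
    run are kept so the reader can still see when the storm started and ended.
    """
    collapsed = []
    for ev in events:
        last = collapsed[-1] if collapsed else None
        if last and last["host"] == ev["host"] and last["msg"] == ev["msg"]:
            last["count"] += 1
            last["last"] = ev["ts"]
        else:
            collapsed.append({"host": ev["host"], "msg": ev["msg"],
                              "first": ev["ts"], "last": ev["ts"], "count": 1})
    return collapsed


def render(rec):
    """One line per collapsed record, e.g. '22:00:00 fw01 eth1: link down (100 times, last at 22:01:39)'."""
    line = f"{rec['first']:%H:%M:%S} {rec['host']} {rec['msg']}"
    if rec["count"] > 1:
        line += f" ({rec['count']} times, last at {rec['last']:%H:%M:%S})"
    return line


class ThresholdTrigger:
    """Fire `action` when one source produces `threshold` failed logins within `window`.

    A per-source deque of timestamps is the sliding window. After firing, the
    window is cleared so one attack raises one ticket rather than one per event.
    """

    def __init__(self, threshold, window, action):
        self.threshold = threshold
        self.window = window
        self.action = action
        self._hits = defaultdict(deque)

    def feed(self, ev):
        m = FAILED_LOGIN.search(ev["msg"])
        if not m:
            return False
        src = m.group("src")
        hits = self._hits[src]
        hits.append(ev["ts"])
        while hits and ev["ts"] - hits[0] > self.window:
            hits.popleft()  # expire hits that fell out of the window
        if len(hits) >= self.threshold:
            self.action(src, len(hits), hits[0], hits[-1])
            hits.clear()
            return True
        return False


def run_pipeline(events, threshold=5, window_seconds=60):
    """Sort by timestamp (this is where NTP pays off), then de-duplicate and evaluate triggers."""
    events = sorted(events, key=lambda e: e["ts"])
    collapsed = deduplicate(events)
    tickets = []

    def open_ticket(src, count, first, last):  # stand-in for a ticketing-system API call
        tickets.append({"source": src, "count": count, "first": first, "last": last,
                        "summary": f"{count} failed logins from {src} in {window_seconds}s"})

    trigger = ThresholdTrigger(threshold, timedelta(seconds=window_seconds), open_ticket)
    for ev in events:
        trigger.feed(ev)
    return collapsed, tickets


def build_sample_events():
    """Constructed, not captured: a 100-message link-flap storm plus two SSH brute-force sources."""
    base = datetime(2024, 10, 11, 22, 0, 0)
    events = [{"ts": base + timedelta(seconds=i), "host": "fw01", "msg": "eth1: link down"}
              for i in range(100)]
    t0 = base + timedelta(seconds=200)
    for i in range(6):  # six failures from one source in 25 s: crosses a 5-in-60s threshold
        events.append({"ts": t0 + timedelta(seconds=5 * i), "host": "bastion",
                       "msg": f"Failed password for admin from 203.0.113.5 port {40000 + i} ssh2"})
    for i, off in enumerate((2, 12)):  # two failures from another source: stays below threshold
        events.append({"ts": t0 + timedelta(seconds=off), "host": "bastion",
                       "msg": f"Failed password for root from 198.51.100.7 port {41000 + i} ssh2"})
    return events


if __name__ == "__main__":
    collapsed, tickets = run_pipeline(build_sample_events())
    for rec in collapsed:
        print(render(rec))
    for t in tickets:
        print("TICKET:", t["summary"])
```

The 108 raw events become 9 lines for the reader and a single ticket for 203.0.113.5; 198.51.100.7 stays below the threshold and produces no action. Shrinking the window to 10 seconds makes the same six failures fall short of the threshold, which shows why threshold and window are tuned together, and why skewed clocks on the sending hosts would silently change what fires.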