Security+: Technologies and Tools - SIEM [DECOMMISSIONED ARTICLE]
NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.
Organizations today use various network security devices and tools, such as firewalls and adaptive security appliances, to collect real-time data related to their enterprise. All of this network security data must be analyzed, and potentially millions of network security alerts can make that sound like a daunting task. Thankfully, Security Information and Event Management (SIEM) is a centralized logging service that can help an organization do just that.
The growing incorporation of SIEM into organizations' network security strategies has led to its inclusion in the CompTIA Security+ SY0-501 certification exam. With that said, this article will examine SIEM from the perspective of the Security+ exam.
The subtopics of SIEM that candidates will have to demonstrate competency with are:
- Automated alerting and triggers
- Time synchronization
- Event deduplication
Aggregation
Aggregation in this context refers to the gathering of log and event data from the different network security devices used on the network. Collecting data from all these different sources is essential to the function of SIEM. SIEM uses this data to build a picture of the health and security (including vulnerabilities and attacks) of the network infrastructure and then alerts the system administrator if an incident arises.
Correlation
What does SIEM do with all this data that it collects, you may ask? SIEM can perform correlation analysis on all the data gathered through aggregation. This correlation analysis enables SIEM to look for similarities, repeating occurrences, and patterns in the event data. Effective use of this SIEM feature allows system administrators to better notice repeated breaches, attempted breaches, trends toward failure, and other recurring or escalating incidents.
Automated Alerting and Triggers
SIEM can take an amount of data comparable to a fire hose and shrink it down to the mere trickle that you are looking for. This data can then be run through rules that the system administrator creates, which then fire off notification alerts to the system administrator's email informing them of those events. The ability to notify when alerts occur is a key component of SIEM.
I can say that in the organization I work for, the SIEM collects millions of events all day long and I would literally have to spend my entire day analyzing this data. Fortunately, I have deployed a SIEM that allows me to create a tight regimen of security event rules that will inform me whenever specified events happen on our network the second they occur, which is truly invaluable. It allows me to know in real time when certain events occur and then I can respond accordingly in a timely fashion.
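The kind of rule described above, as an added example that is not part of the original article: it correlates failed logins across aggregated sources and raises one alert per source address once a threshold is reached inside a time window. The device names, addresses, event fields and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, already aggregated from three hypothetical sources:
# (timestamp, reporting device, source IP, event type)
EVENTS = [
    ("2024-05-01T10:00:01", "fw01",  "10.0.0.7", "login_failed"),
    ("2024-05-01T10:00:09", "vpn01", "10.0.0.7", "login_failed"),
    ("2024-05-01T10:00:15", "web01", "10.0.0.9", "login_failed"),
    ("2024-05-01T10:00:20", "web01", "10.0.0.7", "login_failed"),
    ("2024-05-01T10:00:31", "fw01",  "10.0.0.7", "login_failed"),
    ("2024-05-01T10:00:40", "vpn01", "10.0.0.7", "login_failed"),
    ("2024-05-01T10:09:00", "web01", "10.0.0.9", "login_failed"),
    ("2024-05-01T10:09:05", "web01", "10.0.0.7", "login_ok"),
]

def correlate(events, event_type="login_failed", threshold=5,
              window=timedelta(seconds=60)):
    """Return one alert per source IP that reaches `threshold` matching events
    inside a sliding `window`, regardless of which device reported them."""
    recent = defaultdict(deque)   # source IP -> (timestamp, device) still in window
    alerted = set()               # suppress repeat alerts for the same source
    alerts = []
    for ts, device, src, kind in sorted(events):
        if kind != event_type:
            continue
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((now, device))
        while now - q[0][0] > window:   # expire events older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "source": src,
                "count": len(q),
                "devices": sorted({d for _, d in q}),
                "first_seen": q[0][0].isoformat(),
                "last_seen": now.isoformat(),
            })
    return alerts
```

No single device in the sample sees more than two failures from 10.0.0.7; the threshold is only crossed because the events from all three devices are evaluated together.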
Time Synchronization
Any well-managed network will have the clocks on all of its network devices synchronized. Why is this, you may ask? Quite frankly, time is one of the most important things when it comes to the analysis of log information collected from security devices. You want to know exactly when events occur with precise, synchronized time, because without it analyzing and recreating events would be virtually impossible.
In the network security environment that I work in we have never had a time synchronization issue, but time does play a critical role for me because time is sometimes the first thing I look at when correlating event data. If I did not know what time an event occurred with precision, then I would just be spinning my wheels in the mud so to speak.
Event Deduplication
The volume of data collected by a SIEM has the potential to become a major burden on network storage capacity. This is because there are potentially millions of events that occur daily, and a large proportion of those events may just be duplicate events that occur thousands of times. This is caused by multiple recordings of the same event by multiple network security devices and by potential latency, time synchronization, or processing load issues on the network. SIEM can perform event deduplication by merging exact duplicates of the same event into one. This translates into less data being committed to network storage.
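An added example, not part of the original article, that ties the time synchronization and event deduplication sections together: timestamps are normalized to UTC first, then exact duplicates are merged into one stored event with a count. The records, host names and collector names are constructed, and the device clocks are assumed to be synchronized already so that only the reported UTC offsets differ.

```python
from datetime import datetime, timezone

# Constructed sample: the same firewall event arrives via two collectors,
# once stamped in local time (+02:00) and once in UTC.
DENY = "DENY tcp 10.0.0.7:4431 -> 10.0.1.5:22"
RAW = [
    {"ts": "2024-05-01T12:00:00+02:00", "host": "fw01", "msg": DENY, "collector": "col-a"},
    {"ts": "2024-05-01T10:00:00+00:00", "host": "fw01", "msg": DENY, "collector": "col-b"},
    {"ts": "2024-05-01T10:00:00+00:00", "host": "fw01", "msg": DENY, "collector": "col-b"},
    {"ts": "2024-05-01T10:00:05+00:00", "host": "fw01", "msg": DENY, "collector": "col-a"},
    {"ts": "2024-05-01T06:00:05-04:00", "host": "ids01",
     "msg": "ALERT ssh brute force from 10.0.0.7", "collector": "col-a"},
]

def to_utc(ts):
    """Parse an ISO 8601 timestamp with an explicit offset and convert it to UTC."""
    parsed = datetime.fromisoformat(ts)
    if parsed.tzinfo is None:
        # A timestamp without an offset cannot be placed on a common timeline.
        raise ValueError(f"timestamp has no UTC offset, cannot normalize: {ts}")
    return parsed.astimezone(timezone.utc)

def deduplicate(records):
    """Merge exact duplicates (same UTC time, origin host and message) into one
    stored event, keeping a count and the collectors that delivered it."""
    merged = {}
    for rec in records:
        key = (to_utc(rec["ts"]), rec["host"], rec["msg"])
        entry = merged.setdefault(key, {
            "ts": key[0].isoformat(), "host": rec["host"], "msg": rec["msg"],
            "count": 0, "collectors": set(),
        })
        entry["count"] += 1
        entry["collectors"].add(rec["collector"])
    return [merged[k] for k in sorted(merged)]
```

Without the UTC conversion, the first two records would look like different events two hours apart and both would be stored.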
Logs and WORM
Logs are used by network devices (including servers, firewalls, etc.) to record events, which are retained for future analysis as well as to maintain compliance with regulations (such as HIPAA). These logs need to be protected from change, whether accidental or intentional and malicious. The primary method by which centralized logging services such as SIEM can help safeguard against log changes is by creating multiple duplicate copies of a log and storing them in different network locations. Using this method keeps the log in its original location but also stores copies of the log on other servers on the network.
Another method that SIEM can use to this end is saving the log to a WORM (write-once, read-many) storage device. WORM devices function by prohibiting the change of any data that has been saved to them. Optical disks and ROM chips are some of the most common examples of WORM devices in use today.
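How the duplicate-copies method lets a changed log be detected, as an added example that is not part of the original article: each copy is hashed with SHA-256 and any location whose digest differs from the majority is reported. The location names and log contents are constructed for illustration.

```python
import hashlib
from collections import Counter

# Constructed sample: one log replicated to three hypothetical locations;
# the copy on "backup-2" has had a line removed.
ORIGINAL = b"10:00:01 fw01 DENY 10.0.0.7\n10:00:09 vpn01 login_failed 10.0.0.7\n"
COPIES = {
    "siem-primary": ORIGINAL,
    "backup-1": ORIGINAL,
    "backup-2": b"10:00:01 fw01 DENY 10.0.0.7\n",
}

def verify_copies(copies):
    """Hash every copy and report the locations whose digest differs from the
    digest held by the majority of locations."""
    digests = {loc: hashlib.sha256(data).hexdigest() for loc, data in copies.items()}
    tally = Counter(digests.values()).most_common()
    if len(tally) > 1 and tally[0][1] == tally[1][1]:
        # With no majority there is no way to tell which copy is the original.
        raise ValueError("no majority digest; copies cannot be arbitrated")
    reference = tally[0][0]
    divergent = sorted(loc for loc, d in digests.items() if d != reference)
    return {"reference_sha256": reference, "divergent": divergent}
```

The comparison is only meaningful while most copies remain unmodified, which is why the copies are kept in different network locations.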