SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) I
Imagine this: an attacker has breached your organisation's security infrastructure and is determined to steal customer information from your database systems. He navigates to the segment of your network housing the databases and commences a brute force attack to gain access to the databases. He performs several logon attempts on your databases, which are picked up by the Database Activity Monitoring (DAM) solution. These failed logon attempts are all captured by your DAM solution logs, but your security engineers do not notice this attack on time because no specific alert was sent to them.
Enter the SIEM.
"SIEM" is the acronym for Security Information and Event Management. The SIEM is a solution which serves as an aggregator for logs of all the relevant security solution in an organisation. The SIEM receives security logs from different organisational resources and can perform analysis and correlation on these logs to detect cyber-attacks. Some of the devices that send logs to the SIEM include:
- Network Devices,
- Servers,
- Security Solutions,
- Databases,
- Intrusion Detection and Prevention Systems (IDS & IPS) etc.
A major capability of the SIEM (which would expose the database hacker) is the use case (rule) creation feature. Security engineers can create SIEM rules which would cater to different use cases (as relevant to the organisation). These rules alert security engineers when the use case conditions are met. For example, in the database hacker scenario above, the SIEM can be set to send an alert to security engineers on 3 failed database logons in 10 seconds. Since the DAM logs would be piped to the SIEM, the SIEM can send out this alert once the hacker commences his brute force attack.
The SIEM is the key solution in Security Operating Centers (SOC) and, together with other security solutions, enables organisations to stay on top of their incidence response game.