Please follow this link to read the first part of this article.
As detailed in the previous article, the SIEM solution is the aggregator of security logs in an organisation and essentially performs analysis and correlations on security logs to detect a potential cyber-attack.
Some of the key capabilities of SIEM solutions include:
- Analysis and Correlation: This is the most important SIEM feature. A SIEM should be able to correlate logs received from different solutions to be able to detect a possible attack. For example, if a relevant rule is set, a SIEM should be able to note that a user has been able to logon after previous logon failures. This is only possible if the SIEM performs a correlation analysis of logs against other logs received.
- Security Alerts: SIEM solutions should be able security engineers on potential cyber-attacks. These alerts could be email, texts or dashboard displays. These alerts are sent as a result of the analysis and correlation activities of the SIEM. When the conditions set for a SIEM rule are met, an alert should be sent to the security team. For example, if a multiple failed login rule is set, the SIEM would send an alert when an attacker attempts to log into a database 5 times in 10 seconds.
- Reporting: A SIEM should be able to automatically develop reports from logs received, correlation activities and alerts raised. These logs are usually graphical and can easily be forwarded to any organisation email.
- Log Management: A SIEM should be able to receive, store and manage logs from different sources. Correlation and analysis can then be performed on these logs (which are saved consistently)
- User Behavioral Analysis: Some SIEM solutions can track the behaviour of certain users and raise alerts when these users deviate from their regular behaviours. For example, a SIEM can be configured to raise alerts when a user who normally logs on to a service from a certain country/geographical location logs on to the same service from another country/geographical location
Most Popular SIEM Solutions
Several cybersecurity companies have released SIEM solutions into the market. However, the most popular SIEM solutions are:
- IBM QRadar
- ArcSight
- LogRhythm
- Splunk
- Azure Sentinel