Comprehensive security management systems (SIEM)

These systems provide you with detailed continuous monitoring of system changes and user activities in real time.

Solution description

SIEM (Security Information and Event Management) is a security tool that consolidates information about security events and incidents from many different sources, called LES (Log Event Sources) and PES (Packet Event Sources), distributed across the entire infrastructure into one central location. It stores this information in an unaltered form (raw logs) and builds logical links (detection and correlation rules) over it, immediately putting the individual pieces of information into context in order to distinguish real threats from false alarms.

At the heart of this product is a highly scalable database designed to capture real-time event logs and infrastructure traffic data. SIEM provides contextual and analytical visibility across the entire IT infrastructure to help detect and eliminate threats that other security solutions would often miss.

These threats can include unusual application exploitation, insider attacks, even advanced "slow" threats lost in the "noise" of millions of events, and more. All information is available from an intuitive user interface that helps SOC team members quickly identify and deflect emerging attacks based on their severity, and aggregate hundreds of alerts of emerging anomalous activity into a significantly smaller number of potential attacks that require more detailed investigation.

Benefits

  • Reduce response time to a cyber security incident (increase efficiency) and thereby mitigate the impact of a security incident on the organization's assets
  • Real-time detection of cyber security incidents
  • Coverage of the complete cyber security threat portfolio, reflecting current as well as emerging threats
  • Ability to dynamically change the EPS (events per second) according to current client needs and legal requirements
  • Overall increase in the organization's cyber security

SIEM collects information that includes:

  • Security events - events from firewalls, virtual private networks, intrusion detection systems, intrusion prevention systems and others (Syslog UDP/TCP/TLS, SNMP, JDBC, SDEE)
  • Network events - events from switches, routers, servers, endpoints, and more (Flowlog files, NetFlow, J-Flow, sFlow, and Packeteer)
  • Network activity context - Layer 7 application data extracted from network traffic
  • User and device context on the network - contextual data from user identities, accesses, and vulnerability scanners
  • Operating system information - manufacturer name, version number specific to each network component
  • Application logs - ERP, workflow management systems, databases, administration tools, etc.

SIEM key features

  • Data collection - collects security events and data from various sources.
  • Data filtering - enables filtering of unusable data from a security monitoring perspective.
  • Indexing - enables you to parse and normalize incoming data for more efficient management.
  • Event analysis - evaluates data and detects potential security threats.
  • Event correlation - links events to identify more complex threats.
  • Alert generation - generates alerts based on threats found.
  • Raw and indexed data storage - stores data for subsequent analysis and auditing.
  • Report generation - generates reports on security events.
  • Integration with external sources - connects to other security information sources.

Basic advantages

SIEM solutions record significant incidents and threats and generate supporting data and related information. Details such as attack targets, exact time, value of assets affected, vulnerability status, identity of attacking users, attackers' profiles, active threats, and records of previous attacks all help provide security teams with the information they need to implement appropriate actions.

Real-time searches across event history and live data streams, enriched with location data for more detailed analysis and traceability, can significantly improve a company's incident response capabilities. With an easy-to-use dashboard, time-based views, detailed searches, content reports down to the individual packet level, and hundreds of predefined search queries, users can quickly obtain the data they need to summarize activity and identify anomalies.

SIEM solutions help answer questions:
  • Who is attacking?
  • What is being attacked?
  • Where do we start to investigate the attack?
  • What evidence do we have?
  • What part of the infrastructure is damaged?
  • What is the impact of the attack on the operation of the organization?
  • What corrective actions should be taken to eliminate the attack?

Services offered

Analysis and design of SIEM solution architecture:
  • Identification of security objectives and requirements within the organisation
  • Analysis of legislation and related requirements for security monitoring
  • Analysis of existing infrastructure, key processes and assets within the organisation
  • Creating an architecture design for the SIEM solution

Selection and implementation of SIEM:
  • Selecting the right SIEM product
  • Customized design according to the estimated EPS (Events Per Second) for maximally efficient hardware utilization
  • Complete configuration and installation of the SIEM platform
  • SIEM integration with existing systems and devices (LES and PES)

Data collection across the entire infrastructure:
  • Configure data collection from various sources such as firewalls, antivirus programs, IDS/IPS systems, servers, and more
  • Connecting unique technologies that are not supported by the SIEM by default
  • Parser creation and data indexing
  • Data filtering for analysis
  • Log source monitoring setup
  • Introduction of automated reports and evaluation of incoming data
 
Advanced data analysis:
  • Configuration of rules and thresholds for detecting security incidents
  • Real-time analysis of events and data
  • Event correlation to identify advanced threats
  • Parsing validation and automatic detection of unrecognized logs
  • Cluster analysis of incoming data and designing ways to use EPS licenses effectively
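As an added illustration of the collection, filtering, indexing/normalization, correlation and alerting steps listed under the SIEM key features and under advanced data analysis (example code written for this page, not part of any ARICOMA product or any SIEM vendor's engine), the following Python pipeline runs a single threshold rule over constructed syslog lines. The log lines, the regular expressions and the rule parameters (three failures within five minutes followed by a successful login from the same source) are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from any real system); host2 is a non-alerting control.
RAW_LOGS = [
    "2024-05-01T10:00:01 host1 sshd[101]: Failed password for root from 203.0.113.7 port 5000 ssh2",
    "2024-05-01T10:00:03 host1 CRON[55]: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-05-01T10:00:05 host1 sshd[102]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "2024-05-01T10:00:09 host1 sshd[103]: Failed password for admin from 203.0.113.7 port 5002 ssh2",
    "2024-05-01T10:00:12 host1 sshd[104]: Accepted password for admin from 203.0.113.7 port 5003 ssh2",
    "2024-05-01T10:30:00 host2 sshd[201]: Failed password for bob from 198.51.100.4 port 6000 ssh2",
    "2024-05-01T10:31:00 host2 sshd[202]: Accepted password for bob from 198.51.100.4 port 6001 ssh2",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>[^\[]+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def parse(line):
    """Indexing/normalization: turn one raw line into a field dict (None if unparseable)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "app": m["app"], "raw": line}
    a = AUTH_RE.match(m["msg"])
    if a:
        ev.update(outcome=a["outcome"], user=a["user"], src=a["src"])
    return ev

def collect_and_filter(lines):
    """Collection + filtering: keep only normalized auth events, drop noise such as cron."""
    return [e for e in map(parse, lines) if e and "outcome" in e]

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold failures from one source within `window`, then an
    Accepted login from that source -> one alert (brute force followed by success)."""
    failures, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "Failed":
            failures[e["src"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"], "host": e["host"],
                           "failures": len(recent), "ts": e["ts"].isoformat()})
        failures[e["src"]].clear()  # a success resets the counter for that source
    return alerts

def run(lines=RAW_LOGS):
    """Whole pipeline: collect -> filter -> normalize -> correlate -> alerts."""
    return correlate(collect_and_filter(lines))
```

The cron line is dropped by filtering, host2 never reaches the threshold, and only the 203.0.113.7 sequence produces an alert; the raw line is kept in each event so an investigator can always get back to the unaltered log.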

Investigation, alerting and responding:
  • Configure the system to generate security alerts for potential incidents
  • Providing a unique knowledge base in the form of correlation rules and investigation procedures
  • Regularly informing about new attack techniques and proactively creating detection rules
  • Defining processes for responding to and resolving security incidents
  • Performing regular assessment of basic alerts (triage service)

Management and maintenance:
  • SIEM system performance monitoring
  • Updating and patching SIEM components
  • Managing users and their access rights
  • Archiving and storing data for auditing and long-term trend analysis
  • Connecting the SIEM to external ticketing systems (JIRA, D365, etc.)
  • Setting SIEM operational monitoring policies
  • Creation of disaster recovery plans (DRP)
  • Configuring internal or external backups 
  • Integration of SIEM into SOC team processes

Education and training:
  • Training for the team managing the SIEM system and SOC
  • Familiarization of users with incident reporting procedures
  • Informing about new SIEM versions and introducing new SIEM functionalities

Documentation:
  • Create documentation for configuration, operation and incident response

Audit and capacity planning:
  • Regular preventive maintenance of the SIEM system to ensure its effectiveness
  • Capacity planning for data and workload growth

Case study

One of the largest banks in the country was not satisfied with its security monitoring and reporting. The existing SIEM (security information and event management system) was generating rather spurious events and reports, from which limited system data was being used by the CNB. The bank issued a tender to take over the day-to-day maintenance of the existing system. Part of the cooperation was also to ensure the migration of the SIEM to the new version.

We resolved basic system problems and performed the upgrade to the new version. In addition, along with the bank's IT department, we prepared a SIEM development concept for the following period. With the daily work of a joint team to connect heterogeneous IS platforms, reporting the right events and significantly improving reporting and processes, SIEM started to become a powerful tool for monitoring the bank's information security.

Today, the solution is the central point for collecting aggregated reports across the network and provides information on the true state of operational security. Thus, SIEM is no longer used only by the bank's IT department, but thanks to the clarity of the reports, management has also started to work with its outputs.