Security Information and Event Management
9th Feb 2016

About SIEM

What is SIEM?
• Security Information and Event Management (SIEM) provides real-time analysis of security alerts generated by network devices, hardware and applications.
• It combines two services: Security Information Management (SIM) and Security Event Management (SEM).
• The segment of security management that deals with real-time monitoring, correlation of events, notification and console views is known as SEM.
• The area which provides long-term storage as well as analysis and reporting of log data is known as SIM.

What SIEM Does
• A SIEM system centralizes the storage and interpretation of logs and allows near real-time analysis, which enables security personnel to take defensive actions more quickly.
• It collects data into a central repository for trend analysis and provides automated reporting for compliance and centralized reporting.

Why SIEM?
• Rise in data breaches due to internal and external threats
• Attackers are smart and traditional security tools just don't suffice
• Mitigate sophisticated cyber-attacks
• Manage increasing volumes of logs from multiple sources
• Meet stringent compliance requirements

How Stuff Works
(Architecture diagram; stages: Data Collection → Analysis + Value Addition → Output)
• Data Collection (sources): Network Switches, Routers, Servers, Firewalls, VMs, Applications, Database
• Analysis + Value Addition: Log Management System; SIEM – Default System Rules + User Defined Rules + Correlations; Correlation Engine; Network Analysis; Management Control
• Output: Email Alerts & Notifications, Dashboards, Real Time Reports, File Integrity, Log Retention, User Activity Monitoring, Ticketing System Integration, Reporting System, Portal

SIEM Features
Represents the features available in the eMagic SIEM module:
• Log Collection
• Real Time Alerting
• Log Analysis
• User Activity Monitoring
• Event Correlation
• Dashboards
• Log Forensics
• SIEM Reporting
• IT Compliance
• File Integrity Monitoring
• Application Log Monitoring
• System & Device Log Monitoring
• Object Access Auditing
• Log Retention

SIEM Features – Overview – Features available with eMagic SIEM

Log Collection
• Logs from all the virtual and physical IT Infrastructure assets are collected for the purpose of analysis.
• This is the starting point of any SIEM system.
• This is an agent-based process, and eMagic has a very unique feature which allows the user to download and install the set-up remotely on any device through the SIEM UI with just one click!

Log Analysis
• All the collected logs are analyzed with the help of default system rules and user-defined rules.
• eMagic has more than 1000 rules already set up for this purpose. Users can also define rules as per their need.
• Log Correlation is also available in eMagic SIEM, which allows users to correlate multiple rules as per need.

Event Correlation
• This is a technique for making sense of a large number of events and pin-pointing the few events that are really important in that mass of information.
• It is accomplished by looking for and analyzing relationships between events.

Log Forensics
• With the help of this feature, users can refer to any past logs with a specific date and time.
• Historic data helps in comparing and tracking specific alerts or issues that happened in the past.

SIEM Features – Overview – Features available with eMagic SIEM

Application Log Monitoring
• Logs generated by every application on your network are collected and analyzed.
• It tells you when a particular application is installed on a client box.
• This monitoring is agent based, and agents can be installed remotely through the eMagic UI with a single click.

Real Time Alerting
• Logs from all the IT Infrastructure Assets are collected at run time.
• These logs are analyzed using rules and correlation engines.
• Real-time alerts are sent to the users so that they can take action.

SIEM Agent Management
• Download, Install, Uninstall, Restart, Delete and Ping Agent – all of this agent management with just one click through the eMagic UI.
SIEM Agent Management (continued)
• One-click Agent Management is a unique feature of the eMagic SIEM module which helps users improve operational efficiency by managing the agents remotely.

Dashboards
• A centralized place for everyone to understand the health of all IT Infrastructure Assets.
• This provides an input to make the decision-making process faster.
• Data-driven decisions can be taken proactively with the help of the data available on the dashboards.

SIEM Features – Overview – Features available with eMagic SIEM

Reporting
• Various reports are generated after analyzing the logs.
• These reports are then presented on the dashboards.
• Reports are also sent through emails in the form of alerts.

File Integrity Monitoring
• File Integrity databases are stored in the Manager.
• This check can be agent based or agentless.
• It detects any changes in the system files, registry or directory and sends the alerts.

System & Device Log Monitoring
• Logs from every operating system, application and device on the network are collected, analyzed and correlated to check for any attack, misuse or error.
• Alerts are generated and sent accordingly.

Log Retention
• A centralized place for everyone to understand the health of all IT Infrastructure Assets.
• This provides an input to make the decision-making process faster.
• Data-driven decisions can be taken proactively with the help of the data available on the dashboards.

Thank You!