A SIEM is the lifeblood of an organization's security, and we will break down why these systems are so important and why you should care.
A SIEM (Security Information and Event Management) system is a vital piece of any organization's security. A SIEM assists an organization in detecting, analyzing, and responding to security threats in a timely manner.
I like to think of a SIEM as an atlas. It is not itself a single map of a network but a collection of maps, with each system or node connected to it being its own complete map. An atlas gives you an overview, establishing the starting point of where to go and what to see, and relies on more detailed maps for the nitty-gritty information. A SIEM is the same: it is a collection of information from any number of systems and can point you where to investigate, but the connected system or node will hold all the detailed information. You can still see the whole world with an atlas and a SIEM and get a general idea of the lay of the land.
Data coming into a SIEM comes from any number of sources, including endpoints, applications, firewalls, IoT devices, and more.
It is important to foster an understanding of a SIEM and exactly what it can do (and does), regardless of your position in an organization. This information is still relevant regardless of the SIEM you may use or if you or your organization uses a Managed Service Provider (MSP) for SIEM Services.
By learning the benefits such a system can provide, you can get a "peek behind the curtain" of how a network flows together. Understanding the basics of how a SIEM collects and correlates events to create an entire picture can highlight how even a seemingly minor attack can grow to spread across an entire network, organization, or industry.
Cybercrime is a massive industry and is only growing, with predictions of it reaching upwards of $23 trillion in 4 years. With every industry now almost entirely reliant on computers for day-to-day functions, it is important to spread awareness of the signs of attacks and the steps that are taken in the recovery process. Cyber-attacks are no longer a question of 'if', but a question of 'when'. A SIEM can help mitigate some of the risks that organizations now face.
SIEMs are a vital cog in the engine that is information and cyber security, as they are often the detectors of an attack and can point the investigation process in the correct direction. They combine and correlate events from across a network, small or large, to establish a pattern of everyday usage as well as deviations from that norm that may be indicators of attacks (attempted or successful).
There are a wide variety of SIEM providers, all with their own benefits and drawbacks. Offerings such as Splunk, LogRhythm, IBM's QRadar, Microsoft Azure Sentinel, Elastic ELK Stack, and others all vary in their specifics. This series is not specific to a single platform, but hopes to provide a wider overview of these systems.
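To make "combine and correlate" concrete, here is an added example (not code from the original post or from any SIEM vendor) of the two core ideas in miniature: normalizing events from two different sources into one timeline, correlating them across a time window to flag a pattern no single log shows on its own (a burst of failed logins followed by a success, enriched with firewall denies from the same source), and comparing this hour's activity against a baseline built from earlier hours. The log lines, the TEST-NET IP addresses, the hourly history and the thresholds are all constructed for the example.

```python
"""Toy SIEM-style collection, correlation and baselining over constructed logs."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample feeds (not from any real system). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
FIREWALL_LOGS = """\
2024-04-01T10:00:01 src=203.0.113.5 dst_port=3389 action=ALLOW
2024-04-01T10:00:30 src=203.0.113.5 dst_port=445 action=DENY
2024-04-01T10:01:10 src=203.0.113.5 dst_port=22 action=DENY
2024-04-01T10:05:00 src=198.51.100.7 dst_port=443 action=ALLOW
"""

AUTH_LOGS = """\
2024-04-01T10:00:05 host=ws-01 user=alice src=203.0.113.5 result=FAIL
2024-04-01T10:00:09 host=ws-01 user=alice src=203.0.113.5 result=FAIL
2024-04-01T10:00:14 host=ws-01 user=alice src=203.0.113.5 result=FAIL
2024-04-01T10:00:20 host=ws-01 user=alice src=203.0.113.5 result=FAIL
2024-04-01T10:00:26 host=ws-01 user=alice src=203.0.113.5 result=FAIL
2024-04-01T10:00:33 host=ws-01 user=alice src=203.0.113.5 result=SUCCESS
2024-04-01T10:05:02 host=ws-02 user=bob src=198.51.100.7 result=SUCCESS
2024-04-01T10:07:00 host=ws-02 user=bob src=198.51.100.7 result=FAIL
"""

# Constructed count of failed logins in each of the previous eight hours,
# standing in for the "everyday usage" a SIEM learns over time.
BASELINE_HOURLY_FAILS = [1, 0, 2, 1, 1, 0, 1, 2]


def parse_kv_lines(text, source):
    """Turn 'timestamp key=value ...' lines into normalized event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"time": datetime.fromisoformat(ts), "source": source}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def collect(firewall_text=FIREWALL_LOGS, auth_text=AUTH_LOGS):
    """Merge both feeds into one time-ordered stream, as the collection stage would."""
    events = parse_kv_lines(firewall_text, "firewall") + parse_kv_lines(auth_text, "auth")
    return sorted(events, key=lambda e: e["time"])


def correlate_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a SUCCESS preceded by >= threshold FAILs from the same src inside the
    window, and enrich the alert with firewall DENY events from that src around it.
    Threshold and window are assumed values for the example."""
    auth = [e for e in events if e["source"] == "auth"]
    firewall = [e for e in events if e["source"] == "firewall"]
    alerts = []
    for ev in auth:
        if ev["result"] != "SUCCESS":
            continue
        start = ev["time"] - window
        fails = [a for a in auth
                 if a["src"] == ev["src"] and a["result"] == "FAIL"
                 and start <= a["time"] < ev["time"]]
        if len(fails) < threshold:
            continue
        denies = sum(1 for f in firewall
                     if f["src"] == ev["src"] and f["action"] == "DENY"
                     and start <= f["time"] <= ev["time"] + window)
        alerts.append({"time": ev["time"], "src": ev["src"], "user": ev["user"],
                       "host": ev["host"], "failures": len(fails),
                       "firewall_denies": denies})
    return alerts


def baseline_deviation(events, history, k=3):
    """Compare this period's FAIL count with mean + k * stdev of the history.
    Returns (current_count, threshold, deviates)."""
    current = sum(1 for e in events if e["source"] == "auth" and e["result"] == "FAIL")
    limit = mean(history) + k * pstdev(history)
    return current, limit, current > limit


if __name__ == "__main__":
    timeline = collect()
    for alert in correlate_bruteforce(timeline):
        print("ALERT:", alert)
    count, limit, deviates = baseline_deviation(timeline, BASELINE_HOURLY_FAILS)
    print(f"failed logins this hour: {count}, baseline limit: {limit:.2f}, deviates: {deviates}")
```

The point the atlas analogy makes shows up here: the alert tells you which source, user and host to look at, but the detailed evidence (what was tried on port 445 and 22, what the workstation logged) still lives on the endpoint and the firewall.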
A sliver of the different SIEM solutions available today
Many companies rely on an MSP to handle their SIEM due to a lack of resources. While handing the service off is beneficial to many, it is still important to understand what you are paying for and the underlying reasons for its existence. MSP handling of SIEMs is only expected to grow, with predictions of it reaching $16 billion in 4 years.
SIEMs are a cornerstone of information and cyber security, and it is important to gain at least basic knowledge about them. This kind of information can improve appreciation, understanding, and recognition of the importance of a SIEM.
This series aims to demystify these kinds of systems to improve the general security posture of users and organizations. These posts will come out every Monday over the course of April.
Our next post will dive into monitoring a system and what general information you should be collecting.
We will then look at specific events and event IDs to monitor on Windows systems. Windows is the most widely used computer operating system, making up 68.15% of the market, which is why we will explore the plethora of information a Windows system has to offer.
We will then take a deeper dive into the differences between a SIEM, a SOAR, and an EDR/XDR and explain the purpose of each as well as the benefits and downsides.
Finally, we will discuss the expected noise you will see in a SIEM and how to establish a baseline. The practice of baselining is important so you can identify an attack by a deviation, no matter how big or small it may seem.
Stay tuned as we start this exploration!