A SIEM collects logs from endpoint devices (desktop computers, laptops, printers, servers, etc.), network devices (routers, switches, etc.) and security devices (firewalls, IDS/IPS, web proxies, mail transfer agents, etc.), and gives detailed information about an intrusion by correlating the events collected from these different log sources. It helps us find the answers to what, why and how the intrusion took place.
SIEM (Security Information and Event Management) is like an "intelligent boss" that monitors the security events generated by the various security devices integrated with it. Because this "boss" is intelligent, it correlates the events generated by one device with the events generated by another to detect threats or APTs, and then tells the devices to update their rules or signatures according to the threat it detected, so that further intrusion attempts by that threat can be blocked by the security devices in future.
It adds an extra layer of security over the security devices already deployed in the network architecture, to fill the gaps between them. We will discuss how the SIEM fills these security gaps in more detail later.
So if any security device goes down, the SIEM will ask the CSIRT team (and the CSIRT team will then ask the owner of that security device) to resolve the issue ASAP.
If a device is not properly configured, for example vendor default accounts are still enabled and people can easily log in using the default credentials, then the SIEM can detect it.
Suppose the IDS/IPS generates an alert that an attacker from a blacklisted IP address is trying to scan your network. On receiving this event, the SIEM team will ask the firewall team to block the blacklisted IP address on the firewall itself.
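To make the correlation idea concrete, here is an added example (not code from the original post or any SIEM product) of a minimal correlation pass over normalised events from a firewall, an IDS and a server, covering both the blacklisted-scan case and the default-account case described above. The field names, event values, blacklist and default-account list are all constructed assumptions for this example.

```python
# Added example (not from the original post): a minimal correlation pass over
# events from three log sources, producing the kind of alert the post describes.
# Field names, event values and the blacklist below are constructed assumptions.

# Constructed events, already normalised as a SIEM would after parsing each source.
EVENTS = [
    {"src_dev": "firewall", "ts": 100, "src_ip": "203.0.113.7", "dst_port": 22, "action": "deny"},
    {"src_dev": "firewall", "ts": 101, "src_ip": "203.0.113.7", "dst_port": 23, "action": "deny"},
    {"src_dev": "firewall", "ts": 102, "src_ip": "203.0.113.7", "dst_port": 80, "action": "deny"},
    {"src_dev": "ids", "ts": 103, "src_ip": "203.0.113.7", "signature": "network scan"},
    {"src_dev": "ids", "ts": 104, "src_ip": "198.51.100.9", "signature": "network scan"},
    {"src_dev": "server", "ts": 105, "src_ip": "10.0.0.5", "user": "admin", "outcome": "success"},
]
BLACKLIST = {"203.0.113.7"}                     # constructed threat-intel feed
DEFAULT_ACCOUNTS = {"admin", "root", "cisco"}   # constructed vendor default account names


def correlate(events, blacklist, default_accounts, window=60, min_ports=3):
    """Cross-source correlation: each alert carries the action the SIEM team
    would hand to the owning device team (firewall team, device owner)."""
    denies = [e for e in events if e["src_dev"] == "firewall" and e["action"] == "deny"]
    alerts = []
    for e in events:
        if e["src_dev"] == "ids" and e["signature"] == "network scan":
            ip = e["src_ip"]
            # Firewall denies from the same source within the time window
            # corroborate the IDS signature instead of trusting one sensor alone.
            ports = sorted({d["dst_port"] for d in denies
                            if d["src_ip"] == ip and abs(d["ts"] - e["ts"]) <= window})
            if ip in blacklist:
                alerts.append({"rule": "scan_from_blacklisted_ip", "src_ip": ip,
                               "severity": "high", "corroborating_ports": ports,
                               "action": f"ask firewall team to block {ip}"})
            elif len(ports) >= min_ports:
                alerts.append({"rule": "scan_corroborated_by_firewall", "src_ip": ip,
                               "severity": "medium", "corroborating_ports": ports,
                               "action": "investigate source"})
            # A lone IDS alert from an unlisted IP with nothing to back it up is
            # left for analyst review rather than raised as an alert.
        elif e["src_dev"] == "server" and e.get("user") in default_accounts \
                and e.get("outcome") == "success":
            alerts.append({"rule": "default_account_login", "src_ip": e["src_ip"],
                           "severity": "high", "user": e["user"],
                           "action": f"ask device owner to disable default account {e['user']}"})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS, BLACKLIST, DEFAULT_ACCOUNTS):
        print(a["severity"], a["rule"], a["action"])
```

Run on the constructed events, the blacklisted scanner is raised as high severity with the three denied ports as corroboration, the default-account login is raised for the device owner, and the unconfirmed IDS alert from 198.51.100.9 produces nothing.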