SIEM let's talk about the concept?
Looking back, no more than eight years ago, a new concept of solution for Information Security (SI) became popular. The IS world welcomed the tools of SIEM (Security Information Event Management), which enabled users to perform log collection, correlation, and storage.
Through these primary functions it was possible to attend to several audit points, besides allowing the visualization of Dashboards and real time reporting.
Initially, the solution used only the collection of logs, these logs, generated basically by any information technology (IT) asset. Soon after some solutions began to add functionality and collect data from Netflow to generate network statistics to add intelligence to information.
This start was very promising and several organizations that implemented this type of solution were able to identify, for example: ongoing attacks, frauds, usage trends, etc.
Additionally, various norms and standards such as: PCI DSS, ISO27001 and Sarbanes Oxley, boosted the market as the SIEM allowed for improvements in the control environment, and eventually addressed compliance points. Today there are numerous control requirements that to be met require a SIEM tool. Remember that SIEM needs to be configured and minimally correlating the information in your environment.
The market also realized the positive points of the SIEM and began offering it as a service, often with the administration and monitoring of the IT environment. However at that time the tool was indeed put to the test as many organizations started to use it widely and began to identify gaps and weaknesses in some solutions.
SIEM basically depends on the logging assets to identify events that were occurring in the infrastructure, that is, if there were any devices that did not generate logs or were not in the collection stream, their information would not be mapped.
Additionally, another important item to highlight is the issue of significant advance in threats. Today we are faced with numerous targeted attacks each day and most often the presence of a SIEM in the environment would not guarantee their detection. Allied to these two points we have the initial issue that leveraged this type of solution, the compliance factor, since through the traditional approach and the collection of some logs, the punishment of potential perpetrators due to fraudulent or malicious actions. very complicated.
In order to address the gaps identified in a SIEM traditionally, was born in the IS market about 2 years ago, solutions of SIEM using the traditional approach of log collection and flows network features, but the features of flowsFor example, network resources became increasingly robust, allowing for the reconstruction of an entire communication section between IT assets through packet collection, that is, it does not matter if the asset generates logs, whether it is in the data collection stream. logs or etc.
With this “new generation” of SIEM It is now enough that the solution is listening to the entire network bus so that it can identify malicious communication, reconstruct it, and show the evidence of this communication. Currently with the tool it is possible, for example, to reconstruct an e-mail or to show a .exe file.
Remember that the SIEM continues collecting logs, but now with much broader monitoring power. Today it is possible to state with a large capacity solution that nothing will go unidentified by its infrastructure.
In addition to the issue of section reconstruction, other functions have gained a lot of importance, such as daily updated vulnerability feeds, information enrichment power, information manipulation, and research agility.
As threats and targeted attacks advance, it is clear that any organization independent of the market must evaluate the implementation of a security solution. SIEM, as it will assist in the visualization, understanding of information traffic and, later, taking action, making the incident investigation and management process more agile and effective.
Today we have solutions that can reconstruct a session, identify an attack and show the stolen document, and even solutions that can extract a file from a suspicious communication and analyze it based on countless signatures. andfeeds to identify if it's a malware, something unthinkable a few years ago for a SIEM.
Now the challenge is not to find the information, but to take appropriate action in a timely manner to curb fraud and theft of information.
*Marcio D. Oliveira, Information Security Specialist at [SAFEWAY]
And do you currently know what goes through your network? Do you have evidence? Think about it!