Here are a few important metrics that help you understand the scale of activity in the SOC and how effectively analysts are handling the workload.
SIEM (Security Information and Event Management) is a tool that aggregates logs, events and notifications from internal and external sources. Internal sources include your network, servers, routers, database systems, firewalls and so on. External sources are mainly threat intelligence feeds, vulnerability databases, lists of phishing URLs, reports of critical software bugs and the like.
How does SIEM work?
In any mid-sized or large organization there are many network devices providing different services, and every device has its own security configuration. As a result, each network device (routers, servers, firewalls and so on) generates a huge volume of logs and notifications every second.
SIEM aggregates logs, events and configuration from each device in your organization. A plain log aggregator isn’t good enough, though: a SIEM also gathers context around the logs. Based on that context and the logs, the SIEM correlates events, identifies threats and sends critical notifications to the security team. The security operations team relies heavily on this system to begin investigating high-risk incidents.
Power of ERIN in SIEM
Events: Events are generated by individual devices and systems, and the SIEM collects them in the form of logs.
Rules: The SIEM applies pre-defined and custom rules to the collected events and correlates them. This is much like filtering rules over logs, except that while filtering, the SIEM adds critical context such as device configuration and additional external sources.
Incidents: Once the rules are applied, the SIEM reports incidents. An incident’s criticality is determined by the context and information the SIEM holds.
Notification: Finally, the SIEM sends alert notifications to the security team in the form of emails, messages and so on.
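To make the ERIN flow concrete, here is an added example (not code from the original post) of a toy correlation pipeline in Python: it parses constructed key=value authentication log lines into events, applies one rule (repeated failed logins from one source to one host inside a time window), rates the resulting incident using constructed asset-criticality context, and formats the notification. The log format, the asset table and the threshold and window values are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth logs in a key=value format (not from any real system).
SAMPLE_LOGS = [
    "2024-01-10T10:00:01 host=db01 src=10.0.0.5 user=admin action=login result=fail",
    "2024-01-10T10:00:30 host=db01 src=10.0.0.5 user=admin action=login result=fail",
    "2024-01-10T10:01:10 host=db01 src=10.0.0.5 user=admin action=login result=fail",
    "2024-01-10T10:01:40 host=db01 src=10.0.0.5 user=admin action=login result=success",
    "2024-01-10T10:02:00 host=web01 src=10.0.0.9 user=guest action=login result=fail",
    "2024-01-10T10:02:05 host=web01 src=10.0.0.9 user=guest action=login result=fail",
    "2024-01-10T10:02:10 host=web01 src=10.0.0.9 user=guest action=login result=fail",
    "2024-01-10T10:03:00 host=db01 src=10.0.0.7 user=bob action=login result=fail",
    "malformed line that the parser must skip rather than crash on",
]
ASSET_CRITICALITY = {"db01": "critical", "web01": "low"}  # constructed asset context
LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
                     r"user=(?P<user>\S+) action=(?P<action>\S+) result=(?P<result>\S+)")

def parse_events(lines):
    # Events: raw log lines become structured records; unparseable lines are dropped.
    events = []
    for m in filter(None, map(LINE_RE.match, lines)):
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events

def brute_force_rule(events, threshold=3, window=timedelta(minutes=5)):
    # Rules + Incidents: >= threshold fails from one src to one host in the window -> incident
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["host"])].append(e)
    incidents = []
    for (src, host), evs in sorted(groups.items()):
        fails = sorted(e["ts"] for e in evs if e["result"] == "fail")
        hits = [t for t in fails if t - fails[0] <= window] if fails else []
        if len(hits) < threshold:
            continue  # below threshold: stays noise, no alert is raised
        success = any(e["result"] == "success" and e["ts"] > hits[-1] for e in evs)
        crit = ASSET_CRITICALITY.get(host, "low")  # context decides the severity
        severity = {(True, "critical"): "critical", (False, "critical"): "high",
                    (True, "low"): "medium"}.get((success, crit), "low")
        incidents.append({"src": src, "host": host, "failures": len(hits),
                          "success_after": success, "severity": severity})
    return incidents

def notifications(incidents):  # Notification: one alert line per incident
    return [f"[{i['severity'].upper()}] {i['failures']} failed logins on {i['host']} from "
            f"{i['src']}{', then a successful login' if i['success_after'] else ''}" for i in incidents]
```

Running `notifications(brute_force_rule(parse_events(SAMPLE_LOGS)))` yields a critical alert for db01 (three failures followed by a success on a critical asset) and a low one for web01, while the single failure from 10.0.0.7 and the malformed line produce nothing.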
Why is SIEM a critical tool for the security of your organization?
SIEM has two main objectives.
- Centralized and timely threat alerts to the security team.
- Logging and reporting for compliance purposes.
Other systems can provide information too; however, security teams often struggle with “false positives”, alerts that are reported wrongly. Ruling out false positives is a nightmare for the security team.
SIEM provides a way to reduce noise and to deliver valuable information along with the alerts to help the security team. A rule-based SIEM also gives the security team a great deal of control.