Please enable JavaScript.

Coggle requires JavaScript to display documents.

SIEM (Introduction (SIM- Security Information Management (Type of software…

- - - - Real-time threat analysis
      - Visualization
      - Ticketing
      - Incident response and security operations
  - - - Economical
      - management
      - Maintenance
    - - Plug-and-play doesn't work
- - - - People from different areas are involved
      - The project manager SIEM designer must know what is required from the organizational perspective
      - Depending on the goals, more or less resources should be allocated
        
        Director must agree with the project
      - SIEM are not only useful for security purpose, but part of the business strategy
  - - - People involved and roles
      - Security measures
      - Systems and networks
      - Detail of events recorded
      - Contents of the records
- - - - Agent-based: Installed in the collector
      - Agentless: The sensor are natively configured to send data to the SIEM
    - - Agent-based are harder to maintain, but facilitates the task in SIEM astray usually apply normalization
      - Agentes require the sensors being able to sen data to the SIEM
    - - Devices providing information
      - Event details
      - Filtering
      - Transportation methods
  - - - Aggregation must reduce the amount of information without losing details
      - Normalization to traduce unknown formats
        
        Flexible
      - The data scheme used should include all the required information for correlation purpose
  - - - More art than science
      - Heuristics derived from past experience
      - Must adapt to novel attack strategies
    - - Attacks or other security-related activity
      - Events can be anomalies
    - - Understanding what we are looking for
      - Identification of relevant events
        
        TCP Syn packets received
        
        Session established
        
        Session closed
      - Establishment of thresholds
      - Definition of relationship
      - Automatizing responses Policies (Block IP)
      - Prioritization of the rule
      - Reliability of the rule
      - Assets involved
    - - Network data
      - Data source
      - Thresholds
      - Conditions for multiple rules
    - - Create a new event
      - Uploading the priority or reliability
      - Generating new alarm
      - Execute a command
      - Update or modify and existing ticket
    - - Logical correlation
        
        Only takes into account events
        
        Simple correlation. Only considers aggregated and normalized single events
        
        Hierarchical. Events are structured in a tree
      - Cross correlation
        
        Includes other data apart from events
        
        Report from vulnerabilities scanner
        
        Port scan
        
        Type of assets involved
        
        Endpointdata
        
        Plain queries
        
        These data may be available or retrieved on purpose
        
        It happens together with or after logical correlation
        
        Aims to improve the effectiveness of the correlation engine
        
        Increase reliability and thus reduces the risk
        
        Reduce false positives
        
        Filter out alarms
  - - - OSSIM, an alarm is an event involving a risk higher than zero
    - - False positives lead to security analysts going after "ghost"
      - Too frequent alarms overwhelm security analysts
    - - Give alarms some priority
      - Clock synchronization
      - Create profiles of normal behavior
      - Maintain an updated threat knowledge base
      - Query endpoint managers for further information
    - - Status of the incident
      - Next steps to be performed
      - Summary
      - People responsible
      - Indicators
      - Involved assets
      - Impacts on the organization
      - Documents related with the incident management
    - - Main: Early response to "live" attacks
      - Perform basic forensics
      - Maintain the chain of custody of evidences
      - Ease recovery and reduce impact
  - - - Identify useful information
      - Smart view for non-technical people
      - Different templates depending on
        
        Receivers:
        
        Purpose
    - - Security Events Statistics by source, destination and type
      - Anomalies reports
      - Security Reports
      - Availability reports
      - Usuability and profile reports
      - Vulnerability reports
      - Custom metrics
      - Risk metrics
- - - - Collectors, normalizers, aggrgators
      - Intrusion Detection Systems
      - Correlation engines and report