
What is SIEM? Security Information & Event Management Explained

SIEM (Security Information & Event Management) is one of the most important tools in the SOC. So-called next-gen SIEMs include two new technologies: UEBA and SOAR. Learn how user and entity behavior analytics (UEBA) and security orchestration, automation and response (SOAR) have bolstered what a modern SIEM can do for cybersecurity.

0:00 Introduction
1:16 What is a Next-Gen SIEM?
1:31 What is UEBA (User and Entity Behavior Analytics)?
2:02 What is SOAR (Security Orchestration, Automation and Response)?
3:10 SIEM Use Cases
3:57 Get the Essential Guide to SIEM

Want to learn more about what SIEM is? Check out our Essential Guide To SIEM here: https://www.exabeam.com/siem-guide/

Full Transcript

Hi, I'm Cynthia Gonzales and I'm a product marketing manager at Exabeam. In this video I'm going to bring you up to speed on an important cybersecurity tool, SIEM, but before I do, remember to share the love and subscribe to our channel.

SIEM stands for security information and event management and it's pronounced "sim". It's a system that collects log files, security alerts, and events into one place, so security teams can more easily analyze data. You can think of a SIEM as a log management system specialized for security. SIEMs collect all of this information from other security systems like endpoint security, firewalls, intrusion detection systems, and the like. They were necessitated by the growth in the number of security systems.

The logs and alerts from the systems needed to be stored centrally so that analysts didn't have to go to each individual security product to conduct investigations. SIEMs offer powerful log search features, the ability to trigger alerts using rules, and reports that organizations can provide to auditors to demonstrate compliance with various regulations.

Oh, wait a minute. That's the old definition of a SIEM. In 2017 the analyst firm Gartner updated their definition of a SIEM. They added two new and important technologies, UEBA and SOAR, two more acronyms for you to remember. UEBA stands for user and entity behavior analytics. It's an analytics layer that tracks normal and abnormal behavior for users and entities, like databases, servers, and devices. It helps the analyst spot abnormal behaviors like logins from an unusual location, or machines uploading large amounts of information for the first time. Both are potential signs of a security issue. Basically, UEBA helps the analyst by highlighting anomalous activity that they should look into.

SOAR stands for security orchestration, automation and response. SOAR automates what security analysts need to do to respond to security incidents. Remember how the original SIEM meant analysts didn't need to go to each individual security system to collect logs? Well, they would still need to if they wanted to respond to an incident. SOAR eliminates that, and let me give you an example.

Let's say there's malware found on a laptop. An analyst would normally go to the endpoint security system, quarantine the computer, then maybe search for the source of the malware in an IDS or an IPS to make sure no one else is affected. With SOAR, the analyst can automate the quarantine action from the SIEM; they don't need to log into the endpoint security system. And with a modern SIEM that has UEBA, the system automatically discovers that the malware came from a phishing link in an email. Now the analyst wants to block that link in other emails so no one else gets affected. This is where orchestration comes in. The SIEM works with the endpoint security system, the email security system, and maybe even something like a ticketing system.

Okay, so now you know what a modern SIEM is and what it can do. SIEMs can be used for a number of purposes. In fact, they're often the foundational platform for the security operations center, the SOC. You can still use your SIEM to demonstrate compliance with regulations like SOX, HIPAA, and GDPR. But a more advanced use would be zero-day detection, where unusual behavior would help detect something you've never seen before. Some companies use SIEM for insider threat detection or threat hunting, which is a proactive search for unusual activities inside an organization.

Lastly, with SOAR, a SIEM can help to automate the SOC from detection, through investigation, and response. Many SOCs are looking to automate to make their operations more efficient and reduce their overall risk.

I hope that was helpful. I really just scratched the surface. If you want to learn more about SIEMs, including architecture, use cases, and how to operationalize one in your SOC, check out Exabeam's Essential Guide to SIEM. Feel free to ask any questions you have in the comments below and I'll answer, and if you like what you see, please like the video and subscribe to our channel.
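The UEBA behavior described in the transcript (a user logging in from a location never seen for them, a machine uploading a large volume for the first time) comes down to learning a per-user and per-entity baseline and scoring later events against it. The following is an added example written for this page; it is not Exabeam's code and not part of the video. The log line format, the field names (user, host, geo, bytes), the sample log lines, the baseline cutoff date, the 100 MiB first-upload threshold, the 10x spike factor and the 25-point risk increment are all constructed assumptions for the illustration:

```python
"""Toy UEBA-style anomaly detection over constructed log lines.

Added example for illustration; not Exabeam's code. The log format, field
names, baseline cutoff and thresholds below are all assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not from any real system). Assumed format:
# <ISO timestamp> <event> user=<u> host=<h> geo=<country> bytes=<n>
SAMPLE_LOGS = """\
2020-01-06T08:01:00Z login user=alice host=wks-01 geo=US bytes=0
2020-01-06T08:05:00Z login user=bob host=wks-02 geo=US bytes=0
2020-01-07T08:02:00Z login user=alice host=wks-01 geo=US bytes=0
2020-01-07T09:10:00Z upload user=alice host=wks-01 geo=US bytes=20480
2020-01-08T08:00:00Z login user=bob host=wks-02 geo=US bytes=0
2020-01-08T10:00:00Z upload user=bob host=wks-02 geo=US bytes=15360
2020-01-13T03:12:00Z login user=alice host=wks-01 geo=RU bytes=0
2020-01-13T03:20:00Z upload user=alice host=wks-01 geo=RU bytes=524288000
2020-01-13T11:00:00Z upload user=bob host=wks-02 geo=US bytes=16384
2020-01-13T12:00:00Z upload user=carol host=srv-db-01 geo=US bytes=734003200
"""

BASELINE_END = datetime(2020, 1, 12)       # assumed split: learn before, score after
LARGE_UPLOAD_BYTES = 100 * 1024 * 1024     # assumed threshold for a first-ever upload
SPIKE_FACTOR = 10                          # assumed multiple of a host's previous max


def parse_line(line):
    """Split one log line into a dict; 'bytes' becomes an int."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if key == "bytes" else value
    return rec


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_baseline(records):
    """Learn 'normal' from the baseline window only.

    Users: the set of countries they have logged in from.
    Hosts (entities): the largest upload seen; absent means never uploaded.
    """
    geos = defaultdict(set)
    max_upload = {}
    for rec in records:
        if rec["ts"] >= BASELINE_END:
            continue
        if rec["event"] == "login":
            geos[rec["user"]].add(rec["geo"])
        elif rec["event"] == "upload":
            max_upload[rec["host"]] = max(max_upload.get(rec["host"], 0), rec["bytes"])
    return {"geos": geos, "max_upload": max_upload}


def detect(records, baseline):
    """Score events after the cutoff against the baseline; return alerts as tuples."""
    alerts = []
    for rec in records:
        if rec["ts"] < BASELINE_END:
            continue
        where = (rec["ts"].isoformat(), rec["user"], rec["host"])
        if rec["event"] == "login":
            known = baseline["geos"].get(rec["user"])
            # Only users with a learned baseline are judged; a first-ever
            # login by an unknown user is not flagged by this toy.
            if known and rec["geo"] not in known:
                alerts.append(where + (f"login from unusual location {rec['geo']}, baseline {sorted(known)}",))
        elif rec["event"] == "upload":
            prev_max = baseline["max_upload"].get(rec["host"])
            if prev_max is None and rec["bytes"] >= LARGE_UPLOAD_BYTES:
                alerts.append(where + (f"first-time upload of {rec['bytes']} bytes from a host that never uploaded",))
            elif prev_max and rec["bytes"] > SPIKE_FACTOR * prev_max:
                alerts.append(where + (f"upload of {rec['bytes']} bytes exceeds {SPIKE_FACTOR}x baseline max {prev_max}",))
    return alerts


def risk_by_user(alerts, points_per_alert=25):
    """Aggregate alerts into a per-user risk score, highest first."""
    scores = defaultdict(int)
    for _, user, _, _ in alerts:
        scores[user] += points_per_alert
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))


def run(text=SAMPLE_LOGS):
    records = parse_logs(text)
    alerts = detect(records, build_baseline(records))
    return alerts, risk_by_user(alerts)


if __name__ == "__main__":
    found, scores = run()
    for ts, user, host, reason in found:
        print(f"{ts} {user}@{host}: {reason}")
    print("risk by user:", scores)
```

On the constructed input, bob's slightly larger upload stays within his host's baseline and is not flagged, while alice's login from a new country and her host's upload spike both raise her score, and the database server's first-ever large upload is flagged even though no user baseline exists for carol. Two caveats a practitioner would want: the static cutoff date stands in for the rolling window a real UEBA uses, and a user or host with no baseline at all (such as a freshly created account) is a blind spot that production systems handle with peer-group comparison rather than the per-entity history shown here.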

Subscribe to Exabeam for more: http://bit.ly/2SFgiiM

Video "What is SIEM? Security Information & Event Management Explained" from the Exabeam channel
Video information
January 17, 2020, 20:00:04
00:04:24