Security Information and Event Management (SIEM)
SIEM solutions provide real-time collection, analysis, correlation, and presentation of security logs and alerts generated by various network sources, that is, devices such as firewalls, IDS/IPS, routers, switches, servers, and workstations.
The purpose of data correlation is to arrive at a greater understanding of risk within the organization due to activities being noted across various security platforms.
In fact, correlation of security-related data is the primary utility a SIEM provides.
A SIEM combs through millions, or even billions, of events daily, and presents only the most important few, actionable events so that security teams can take appropriate action.
A SIEM solution can be software- or appliance-based, and may even be hosted and managed either internally or by a managed security service provider.
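As an added illustration of the correlation described above (not part of the original notes), the following Python sketch normalises constructed log lines from a firewall, an IDS and a server into one common schema and raises a single actionable alert only when the same host shows up in several sources within a short time window. The log formats, hostnames, window and threshold are all invented for the example.

```python
# Added example: a minimal SIEM-style correlation engine over constructed log
# lines from three sources (firewall, IDS, server). Formats and hostnames are
# invented; a real SIEM normalises many vendor-specific formats.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<source> <ISO time> <event> key=value ..."
RAW_EVENTS = [
    "fw  2024-01-10T09:00:05 DENY      src=10.0.0.7  dst=203.0.113.9 dport=445",
    "ids 2024-01-10T09:00:20 ALERT     src=10.0.0.7  sig=smb_sweep",
    "srv 2024-01-10T09:01:02 AUTH_FAIL src=10.0.0.7  user=admin",
    "fw  2024-01-10T11:30:00 DENY      src=10.0.0.42 dst=198.51.100.2 dport=23",
    "srv 2024-01-10T17:45:00 AUTH_FAIL src=10.0.0.99 user=bob",
]

def normalise(line):
    """Parse one raw line into the common schema {source, time, host}."""
    source, ts, _event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    return {"source": source, "time": datetime.fromisoformat(ts), "host": kv.get("src")}

def correlate(lines, window=timedelta(minutes=5), min_sources=2):
    """Group events by host and raise one alert per host whose events come
    from at least `min_sources` distinct sources inside `window`.
    Single-source noise is suppressed: that filtering is the SIEM's value."""
    by_host = defaultdict(list)
    for ev in map(normalise, lines):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            sources = {e["source"] for e in in_window}
            if len(sources) >= min_sources:
                alerts.append({"host": host, "sources": sorted(sources),
                               "start": first["time"], "count": len(in_window)})
                break  # one actionable alert per host, not one per raw event
    return alerts

if __name__ == "__main__":
    for alert in correlate(RAW_EVENTS):
        print(alert)
```

Of the five constructed events, only host 10.0.0.7 is seen by all three sources within five minutes, so the engine emits one alert and drops the rest.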
Continuous Monitoring
Continuous monitoring is the ongoing analysis of information streamed in real time or near real time. Some SIEM solutions offer continuous monitoring, or some of its features. Continuous monitoring components may include:
- Discovery: Ongoing inventory of network and information assets.
- Assessment: Automatic scanning of information assets to identify and prioritize vulnerabilities.
- Threat intelligence: Feeds from one or more outside organizations that produce high-quality, actionable data.
- Audit: Nearly real-time evaluation of device configurations and compliance with established policies and regulatory requirements.
- Patching: Automatic security patch installation and software updating.
- Reporting: Aggregating, analyzing and correlating log information and alerts.
Egress Monitoring
Egress monitoring is the process of monitoring outbound traffic to discover potential data leakage (or loss). There are two main reasons for egress monitoring:
1- To ensure that malicious traffic does not leave the network: for example, an infected computer trying to spread malware to hosts on the Internet.
2- To ensure that sensitive data does not leave the network unless authorized.
The following strategies can help with egress monitoring:
- Data Loss Prevention (DLP): These solutions focus on reducing or eliminating sensitive data leaving the network, whether in e-mail messages, data uploads, PNG or JPEG images, or other forms of communication. DLP solutions usually perform deep packet inspection (DPI), decrypting and inspecting outbound traffic that is TLS encrypted. Static DLP tools are also used to discover sensitive and proprietary data in databases, file servers, and other data storage systems.
- Steganography: This is the art of hiding data inside another file or message, for example hiding a text message inside a picture file such as a JPG or PNG.
- Watermarking: This is the act of embedding an identifying marker in a file, for example embedding a company logo in a customer database file, or adding a watermark with copyright information to a picture file.