Respond to three questions
One way an organization gains insight into what is happening on its IT systems is through security information and event management (SIEM) products. A SIEM collects the events and alerts generated by network hardware, hosts, and applications into one place and can raise real-time alerts on them, so that the organization can analyze these events as they occur rather than after the fact.
In Girardi et al. (2015), the authors assert that to develop the visibility, agility, and speed needed to deal with advanced threats, SIEM systems must evolve into a central nervous system for large-scale security analytics. In particular, they identify the following four fundamental capabilities as required:
Pervasive visibility: Achieving the ability to know everything happening within IT environments requires fusing many data sources, including network packet capture and full session reconstruction, log files from network and host devices, and external information such as threat indicators or other security intelligence. Centralized log collection is no longer enough.
Deeper analytics: Examining risks in context and comparing behavior patterns over time across disparate data sets improves the signal-to-noise ratio in detecting advanced threats, thus speeding time to resolution.
Massive scalability: Platforms collecting security data must expand in scale and scope to handle the deluge of information that is increasingly needed for complete situational awareness.
Unified view: Consolidating security-related information in one place is crucial to investigating incidents in context and speeding decision making about prospective threats.
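To make the four capabilities concrete, here is a small added example (not code from the page or from Girardi et al.) of what a SIEM pipeline actually does with them: two log sources (an SSH auth log and a firewall log) are normalised into one event schema (unified view), fused with a threat-intelligence list (pervasive visibility), correlated over a time window to detect a brute-force run that ends in a successful login (deeper analytics), and then replayed as a per-attacker timeline, which is the "play back the attack" view asked about below. All log lines, the indicator, and the 10.0.0.0/8 internal range are constructed assumptions; the field names and rule thresholds are mine.

```python
"""Added example: a minimal SIEM-style pipeline that fuses two log sources
with a threat-intel list, correlates behaviour over time, and replays the
resulting timeline. All log lines and the indicator are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inputs (not real product logs, not real indicators).
AUTH_LOG = """\
2024-03-01T09:00:05 sshd: Failed password for admin from 203.0.113.9
2024-03-01T09:00:09 sshd: Failed password for admin from 203.0.113.9
2024-03-01T09:00:14 sshd: Failed password for admin from 203.0.113.9
2024-03-01T09:00:21 sshd: Accepted password for admin from 203.0.113.9
2024-03-01T09:05:00 sshd: Failed password for bob from 198.51.100.7
2024-03-01T09:40:00 sshd: Accepted password for bob from 198.51.100.7
"""
FW_LOG = """\
2024-03-01T09:00:02 fw: ALLOW 203.0.113.9 -> 10.0.0.5:22
2024-03-01T09:00:30 fw: ALLOW 10.0.0.5 -> 203.0.113.9:4444
2024-03-01T09:04:58 fw: ALLOW 198.51.100.7 -> 10.0.0.5:22
"""
THREAT_INTEL = {"203.0.113.9": "constructed indicator: brute-force source"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) fw: (\w+) (\S+) -> (\S+):(\d+)$")


def parse_auth(text):
    """Normalise auth lines into the common event schema (unified view)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "source": "auth",
                           "peer": ip, "user": user, "raw": line,
                           "outcome": "success" if result == "Accepted" else "failure"})
    return events


def parse_fw(text):
    """Normalise firewall lines; 'peer' is the external side of the flow so
    that inbound and outbound traffic both land on the attacker's timeline."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, port = m.groups()
            peer = dst if ipaddress.ip_address(src) in INTERNAL_NET else src
            events.append({"ts": datetime.fromisoformat(ts), "source": "fw",
                           "peer": peer, "user": None, "raw": line,
                           "outcome": f"{action.lower()} {src}->{dst}:{port}"})
    return events


def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Deeper analytics: flag a success preceded by >= threshold failures
    from the same peer inside the window; a threat-intel hit raises severity."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"] != "auth":
            continue
        if e["outcome"] == "failure":
            failures[e["peer"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["peer"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            intel = THREAT_INTEL.get(e["peer"])
            alerts.append({"ts": e["ts"], "peer": e["peer"], "user": e["user"],
                           "failures": len(recent), "intel": intel,
                           "severity": "high" if intel else "medium"})
        failures[e["peer"]].clear()  # a success ends the failure run
    return alerts


def playback(events, peer):
    """Replay: every normalised event involving one peer, in time order,
    across all sources. This answers 'what else did they do?'"""
    return [e for e in sorted(events, key=lambda e: e["ts"]) if e["peer"] == peer]


if __name__ == "__main__":
    evs = parse_auth(AUTH_LOG) + parse_fw(FW_LOG)
    for a in correlate(evs):
        print(f"[{a['severity']}] {a['ts']} {a['user']}@{a['peer']} "
              f"after {a['failures']} failures; intel={a['intel']}")
        for e in playback(evs, a["peer"]):  # shows the outbound :4444 flow after login
            print("   ", e["ts"], e["source"], e["outcome"])
```

The point of the replay step is that the login alert on its own says only that 203.0.113.9 got in as admin; the cross-source timeline also shows the firewall permitting a new outbound connection from the compromised host back to that same address thirty seconds later, which is exactly the kind of follow-on activity an investigator needs and which no single log source exposes. The bob events never fire the rule: one failure thirty-five minutes before a success is outside the window, which is the signal-to-noise gain of correlating over time rather than alerting on every failed login.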
Respond to the following:
1) Recommend a SIEM, explain what it does, and describe how it would improve security operations within the organization.
2) Why is it so important that an organization have real-time information about an attack?
3) Why would it be important to be able to play back an attack? What possible information could be found?