Security Information and Event Management
The readings from Weeks 4 and 5 in Security Operations Center: Building, Operating, and Maintaining your SOC covered SOC operations. One of the tools of the SOC is a Security Information and Event Management (SIEM) system. Many vendors provide these systems. We read in Week 4, “Taking the same multiple failed login attempts example used in the discussion about first-generation SOC, the Microsoft Windows systems would most likely be configured to forward logged events to a SIEM tool.
The SIEM tool should be capable of receiving, parsing, normalizing, and correlating the different events and eventually alerting a security analyst that there have been multiple login failures for the account “administrator” on multiple systems. This behavior could indicate a possible brute-force attack, assuming that the SIEM tool is configured with correlation rules that can detect and assign a relevant and meaningful alert to this suspicious activity.” By using a SIEM tool, we are able to correlate events from multiple devices. This allows the SOC to identify patterns that a single administrator looking at one system's logs would likely have overlooked.
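The receive, parse, normalize, correlate, alert chain quoted above is easier to judge when you can see it run. The following is an added example written for this page, not code from the textbook or from any SIEM vendor: it takes a handful of constructed log lines in two formats (a Windows-style failed-logon record and a syslog-style sshd line), normalizes them into one schema, and fires a single alert when an account accumulates a threshold of failed logons across more than one host inside a time window. The hostnames, timestamps, thresholds and rule name are all assumptions chosen for the demonstration.

```python
"""Toy SIEM pipeline: receive -> parse -> normalize -> correlate -> alert.

Added example for illustration only; not from the textbook or any vendor product.
All event lines, hosts and thresholds below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as a SIEM might receive them from two sources:
# Windows-style logon audit lines (4625 = failed logon, 4624 = successful logon)
# and a syslog-style sshd line from a Linux host.
RAW_EVENTS = [
    "2024-03-01T08:00:01 host=WS01 EventID=4625 TargetUserName=administrator Status=0xC000006D",
    "2024-03-01T08:00:09 host=WS02 EventID=4625 TargetUserName=administrator Status=0xC000006D",
    "2024-03-01T08:00:15 host=WS01 EventID=4625 TargetUserName=administrator Status=0xC000006D",
    "2024-03-01T08:00:22 host=SRV01 EventID=4624 TargetUserName=jdoe LogonType=2",
    "2024-03-01T08:00:30 host=SRV01 EventID=4625 TargetUserName=administrator Status=0xC000006D",
    "2024-03-01T08:00:41 host=WS03 EventID=4625 TargetUserName=administrator Status=0xC000006D",
    "Mar  1 08:00:50 lnx01 sshd[2211]: Failed password for jdoe from 10.0.0.5 port 4444 ssh2",
    "2024-03-01T09:30:00 host=WS02 EventID=4625 TargetUserName=administrator Status=0xC000006D",
]

WIN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+)"
)
SSH_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+)"
)


def normalize(line, year=2024):
    """Parse one raw line into a common schema; return None if the format is unknown.

    Normalizing (same field names, lower-cased account, real datetimes) is what
    lets one correlation rule work across different log sources.
    """
    m = WIN_RE.match(line)
    if m:
        return {
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "user": m["user"].lower(),
            "outcome": "failure" if m["eid"] == "4625" else "success",
            "source": "windows",
        }
    m = SSH_RE.match(line)
    if m:
        # syslog lines carry no year, so the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return {
            "ts": ts,
            "host": m["host"],
            "user": m["user"].lower(),
            "outcome": "failure" if m["outcome"] == "Failed" else "success",
            "source": "syslog",
        }
    return None


def correlate(events, window=timedelta(minutes=5), min_failures=5, min_hosts=2):
    """Rule: >= min_failures failed logons for one account on >= min_hosts hosts within `window`.

    Requiring multiple hosts is what separates a user mistyping a password on one
    machine from the cross-system pattern the textbook describes.
    """
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] == "failure":
            failures[ev["user"]].append(ev)

    alerts = []
    for user, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            hosts = {e["host"] for e in win}
            if len(win) >= min_failures and len(hosts) >= min_hosts:
                alerts.append({
                    "rule": "brute_force_multi_host",  # hypothetical rule name
                    "user": user,
                    "failures": len(win),
                    "hosts": sorted(hosts),
                    "first": win[0]["ts"].isoformat(),
                    "last": win[-1]["ts"].isoformat(),
                })
                break  # one alert per account per run, to avoid alert storms
    return alerts


def run_pipeline(raw_lines):
    """Receive raw lines, drop unparseable ones, and return the list of alerts."""
    events = [e for e in (normalize(l) for l in raw_lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline(RAW_EVENTS):
        print(alert)
```

Running the block prints one alert for `administrator` spanning four hosts; the single failed sshd logon for `jdoe` and the later isolated failure at 09:30 fall below the threshold or outside the window, which is the behaviour you want from a rule meant to surface a pattern rather than every individual failure. When evaluating real products, the questions this toy raises are the ones to put to vendors: which sources they parse out of the box, how normalization is maintained as log formats change, and how flexible the windowing and thresholds of correlation rules are.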
Your company does not currently have a SIEM. You are standing up a SOC and want to add a SIEM as a tool for your team.
Research and compare some of the current SIEM products on the market.
As the CISO presenting to senior management, prepare a 1- to 2-page summary of your recommendation. Include:
- Recommended SIEM tool for your company.
- Two reasons for choosing that SIEM.
- The capabilities you are looking for as a CISO.