This document discusses key considerations for choosing a SIEM (security information and event management) solution. It begins with an overview of ManageEngine, a provider of IT management software. It then discusses the importance of log management and security event monitoring. The document outlines 8 critical factors to consider when selecting a SIEM solution: log collection capabilities, user activity monitoring, real-time event correlation, log retention, compliance reporting, file integrity monitoring, log forensics, and dashboards. It presents ManageEngine's SIEM offering and highlights its ease of deployment, cost-effectiveness, customizable dashboards, and universal log collection. The presentation concludes with a Q&A.
8 Things to Know When Choosing a SIEM Solution
1. SIEM
Your Complete IT Security Arsenal
8 Things You Should Know About Choosing an SIEM Solution
Joel Fernandes
Sr. Product Marketing Analyst
SIEM Solutions
ManageEngine
joeljohn.f@manageengine.com
Speaker
2. Webinar “Housekeeping” Tips
• Use the “question” box in the lower right corner to
submit your questions
• Questions will be answered during the Q&A session
at the end of the webinar
• We will do our best to answer as many questions as
possible in the allotted time
• This webinar is being recorded and will be shared
with you via email
3. Agenda
• About ManageEngine
• Log management challenges
• What is SIEM?
• Why is SIEM necessary?
• 2012 Data Breach Analysis
• Typical working of an SIEM solution
• 8 critical things you should know about choosing an SIEM solution
• Business benefits of SIEM solutions
• ManageEngine SIEM product offering – Overview
• Quick Demo - ManageEngine SIEM product offering
• Conclusion
• Q&A
4. About ManageEngine
– IT Management Software division of Zoho
Corporation
– Established in 2002
– ManageEngine covers the complete gamut of
IT solutions
• 21 Products | 20 Free tools | 2 SaaS
offerings
– Trusted by over 72,000 customers across
200+ countries
– 3 out of every 5 Fortune 500 companies are
ManageEngine customers
5. Log Management Challenges
• Analyzing Logs for Relevant Security
Intelligence
• Centralizing Log Collection
• Meeting IT Compliance
Requirements
• Conducting Effective Root Cause
Analysis
• Making Log Data More Meaningful
• Tracking Suspicious User Behavior
6. What is SIEM?
• The term 'SIEM' was coined by Mark Nicolett
and Amrit Williams (Gartner analysts) in 2005
• In simple terms, SIEM is a combination of
two different types of technologies:
– SIM (Security Information Management), which
focuses on log collection and report generation
– SEM (Security Event Management), which analyzes
events in real time using event correlation and
alerting mechanisms
• SIEM technology provides network security
intelligence and real-time monitoring for
network devices, systems, and applications
8. Why is SIEM necessary?
Rise in data breaches due to internal and external threats
Attackers are smart and traditional security tools just don't suffice
Mitigate sophisticated cyber-attacks
Manage increasing volumes of logs from multiple sources
Meet stringent compliance requirements
Biggest Data Breaches in 2013
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
9. 2012 Data Breach Analysis
Source: Verizon 2013 Data Breach Investigations Report
[Figure: threat categories over time; victims]
10. 8 Things You Should Know About
Choosing an SIEM Solution
11. #1. Log Collection
• Universal Log Collection to collect logs from
heterogeneous sources (Windows systems, Unix/Linux
systems, applications, databases, routers, switches, and
other devices)
• Log collection method - agent-based or
agentless
– Both Recommended
• Centralized log collection
• Events Per Second (EPS) – the rate at which
your IT infrastructure sends events.
– If EPS is not calculated properly (peak rate, not just the
average), the SIEM solution will start dropping events
before they are stored in the database, leading to
incorrect reports, search results, alerts, and correlation.
12. #2. User Activity Monitoring
• SIEM solutions should have out-of-the-box
user activity monitoring and privileged user
monitoring and audit (PUMA) reporting
features
• Ensure that the SIEM solution gives a
'complete audit trail'
– Know which user performed the action,
what the result of the action was, on
which server it happened, and the user
workstation/device from which the
action was triggered.
13. #3. Real Time Event Correlation
• Real-time event correlation is all about
proactively dealing with threats
• Correlation boosts network security by
processing millions of events simultaneously
to detect anomalous events on the network
• Correlation can be based on log search,
rules and alerts
– Predefined rules and alerts are not
sufficient. A custom rule and alert builder
is a must for every SIEM solution.
– Ensure that the process of correlating
events is easy.
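To make the "custom rule builder" requirement concrete, here is an added example (not code from the presentation or from ManageEngine) of a minimal rule-based correlation engine run over constructed syslog-style lines. It shows a threshold rule (repeated failures from one source within a window) and a two-stage rule (those failures followed by a success), which is the kind of sequence a predefined rule set often lacks. The line layout, field names and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

# Constructed sample log lines in a syslog-like layout (not real data).
SAMPLE_LOGS = [
    "2013-05-01T10:00:01 srv1 sshd: Failed password for admin from 10.0.0.5",
    "2013-05-01T10:00:03 srv1 sshd: Failed password for admin from 10.0.0.5",
    "2013-05-01T10:00:04 srv2 sshd: Failed password for root from 10.0.0.9",
    "2013-05-01T10:00:06 srv1 sshd: Failed password for admin from 10.0.0.5",
    "2013-05-01T10:00:09 srv1 sshd: Accepted password for admin from 10.0.0.5",
    "2013-05-01T10:05:00 srv2 sshd: Failed password for root from 10.0.0.9",
    "2013-05-01T10:05:01 srv2 cron: session opened for user root",  # not matched by the pattern
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>[^:]+): (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(line: str) -> Optional[dict]:
    """Normalise one raw line into a field dict; lines the pattern does not cover are skipped."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


@dataclass
class Rule:
    name: str
    trigger: Callable[[dict], bool]      # events counted toward the threshold
    group_by: str                        # field identifying the actor (here: source IP)
    threshold: int                       # triggers within the window needed to arm the rule
    window: timedelta
    followed_by: Optional[Callable[[dict], bool]] = None  # optional second stage after arming


def correlate(lines: List[str], rules: List[Rule]) -> List[Tuple[str, str, datetime]]:
    """Stream lines through every rule; return (rule name, actor, time) for each alert raised."""
    alerts = []
    windows = {r.name: defaultdict(deque) for r in rules}  # per rule, per actor: trigger times
    armed = {r.name: set() for r in rules}                 # actors that crossed the threshold
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        for rule in rules:
            actor = ev[rule.group_by]
            recent = windows[rule.name][actor]
            if rule.trigger(ev):
                recent.append(ev["ts"])
                while recent and ev["ts"] - recent[0] > rule.window:  # expire old triggers
                    recent.popleft()
                if len(recent) >= rule.threshold and actor not in armed[rule.name]:
                    armed[rule.name].add(actor)
                    if rule.followed_by is None:      # single-stage rule alerts immediately
                        alerts.append((rule.name, actor, ev["ts"]))
            elif rule.followed_by is not None and actor in armed[rule.name] and rule.followed_by(ev):
                alerts.append((rule.name, actor, ev["ts"]))  # second stage completed
                armed[rule.name].discard(actor)
    return alerts


# Constructed rules: thresholds and window sizes are assumptions for the example.
RULES = [
    Rule("brute_force", lambda e: e["outcome"] == "Failed", "src", 3, timedelta(seconds=60)),
    Rule("brute_force_then_success", lambda e: e["outcome"] == "Failed", "src", 3,
         timedelta(seconds=60), followed_by=lambda e: e["outcome"] == "Accepted"),
]


def run_sample() -> List[Tuple[str, str, datetime]]:
    return correlate(SAMPLE_LOGS, RULES)


if __name__ == "__main__":
    for name, actor, when in run_sample():
        print(f"{when.isoformat()} ALERT {name} actor={actor}")
```

The source 10.0.0.9 never alerts: its two failures are five minutes apart, so the window expires between them. That is the "ease of correlating events" point in practice: a rule is a trigger, a grouping field, a threshold and a window, and the analyst should be able to state all four without writing code.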
14. #4. Log Retention
• SIEM solutions should automatically
archive all log data from systems,
devices & applications to a
'centralized' repository
• Ensure that the SIEM solution has a
'tamper-proof' feature that
'encrypts' and 'time-stamps' archived logs
for compliance and forensics
purposes
• Ease of retrieving and analyzing
archived log data
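What "tamper-proof" and "time-stamped" mean for an archive can be shown with a hash chain: each archived entry records the archive time, the digest of the previous entry, and a keyed MAC, so editing, removing or reordering an entry is detectable on retrieval. This is an added example, not ManageEngine's archive format; the records and key are constructed, and encryption at rest is left to the storage layer since the point here is integrity evidence.

```python
import hashlib
import hmac
import json
from typing import List

# Assumption: the archive key lives only on the SIEM's archive tier; log producers never hold it.
ARCHIVE_KEY = b"constructed-demo-key-replace-in-production"
GENESIS = "0" * 64

# Constructed sample records as they would arrive from collectors (not real data).
SAMPLE_RECORDS = [
    "2013-05-01T10:00:01 srv1 sshd: Failed password for admin from 10.0.0.5",
    "2013-05-01T10:00:09 srv1 sshd: Accepted password for admin from 10.0.0.5",
    "2013-05-01T10:00:12 srv1 sudo: admin : TTY=pts/0 ; COMMAND=/usr/bin/less /var/log/auth.log",
]


def _canonical(body: dict) -> bytes:
    """Stable byte encoding so sealer and verifier hash exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_batch(records: List[str], archived_at: str, key: bytes = ARCHIVE_KEY) -> List[dict]:
    """Archive records as a hash chain: each entry carries the archive time,
    the previous entry's digest and an HMAC over the whole entry."""
    entries, prev = [], GENESIS
    for seq, record in enumerate(records):
        body = {"seq": seq, "archived_at": archived_at, "record": record, "prev": prev}
        mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        entries.append({**body, "mac": mac})
        prev = hashlib.sha256(_canonical(body) + mac.encode()).hexdigest()
    return entries


def verify_batch(entries: List[dict], key: bytes = ARCHIVE_KEY) -> int:
    """Return -1 if the chain is intact, else the index of the first entry that fails."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i  # entry reordered, removed or inserted
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return i  # contents edited, or sealed with a different key
        prev = hashlib.sha256(_canonical(body) + expected.encode()).hexdigest()
    return -1


if __name__ == "__main__":
    batch = seal_batch(SAMPLE_RECORDS, "2013-05-02T00:00:00Z")
    print("intact:", verify_batch(batch) == -1)
    edited = [dict(e) for e in batch]
    edited[2]["record"] = edited[2]["record"].replace("auth.log", "syslog")
    print("first bad entry after edit:", verify_batch(edited))
```

The check on retrieval is the part that matters for forensics: a report built from an archive that fails `verify_batch` should not be trusted, and the index returned tells the analyst where the evidence stops being reliable.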
15. #5. IT Compliance Reports
• IT compliance is the core of every SIEM
solution
• Ensure that the SIEM solution has
out-of-the-box compliance reports for
regulations such as PCI DSS, FISMA,
GLBA, SOX, HIPAA, etc.
• SIEM solutions should also have the
capability to customize and build new
compliance reports to comply with
future regulatory acts
16. #6. File Integrity Monitoring
• File integrity monitoring helps security
professionals in monitoring business
critical files and folders.
• Ensure that the SIEM solution tracks and
reports on all changes happening such as
when files and folders are created,
accessed, viewed, deleted, modified,
renamed and much more.
• The SIEM solution should also send
real-time alerts when unauthorized users
access critical files and folders
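The change types listed above (created, deleted, modified, renamed) come from comparing a baseline snapshot against a later one. The following is an added example, not ManageEngine's FIM implementation: it hashes every file under a monitored root, diffs two snapshots, and reports a delete-plus-create with the same content digest as a rename. The directory contents are constructed in a temporary folder so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file's contents, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map relative path -> (sha256, permission bits, size) for every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = (file_digest(p), st.st_mode & 0o777, st.st_size)
    return baseline


def diff_snapshots(old: dict, new: dict) -> dict:
    """Classify differences between two snapshots as created, deleted, modified or renamed."""
    created = set(new) - set(old)
    deleted = set(old) - set(new)
    modified = {p for p in set(old) & set(new) if old[p] != new[p]}
    # A deletion and a creation sharing the same content digest is reported as a rename.
    deleted_by_digest = {old[p][0]: p for p in deleted}
    renamed = {}
    for p in sorted(created):
        digest = new[p][0]
        if digest in deleted_by_digest:
            src = deleted_by_digest.pop(digest)
            renamed[src] = p
            created.discard(p)
            deleted.discard(src)
    return {"created": created, "deleted": deleted, "modified": modified, "renamed": renamed}


def demo() -> dict:
    """Build a constructed monitored tree, take a baseline, apply one change of each kind, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "report.txt").write_text("quarterly\n")
        before = snapshot(root)
        (root / "etc" / "passwd").write_text("root:x:0:0\nnewuser:x:0:0\n")   # modified
        (root / "etc" / "hosts").unlink()                                      # deleted
        (root / "report.txt").rename(root / "report_final.txt")                # renamed
        (root / "unexpected.sh").write_text("#!/bin/sh\n")                     # created
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

In a real deployment the baseline is stored with the same tamper-evidence as archived logs, the scan runs on a schedule or from file-system change notifications, and each `modified` or `created` hit on a business-critical path is what the slide calls a real-time alert.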
17. #7. Log Forensics
• SIEM solutions should allow users to
track down an intruder or the event
activity using log search capability
• The log search capability should be very
intuitive and user-friendly, allowing IT
administrators to search through the raw
log data quickly
18. #8. Dashboards
• Dashboards drive SIEM solutions and
help IT administrators take timely action
and make the right decisions during
network anomalies.
• Security data must be presented in a
very intuitive and user-friendly manner.
• The dashboard must be fully
customizable so that IT administrators
can configure the security information
they wish to see.
20. Business Benefits of SIEM Solutions
• Real-time Monitoring
– For operational efficiency
and IT security purposes
• Cost Saving
• Compliance
• Reporting
• Rapid ROI
21. ManageEngine's SIEM Offering
– Easy to deploy
– Cost-effective
– Customizable dashboard
with drag-and-drop
widgets
– Uses both agent-based and
agentless log collection
mechanisms
22. Universal Log Collection
– Supports heterogeneous
log sources
– Universal log collection
capability helps index any
type of log regardless of
the format and source
– Allows you to index log
data and generate reports
for custom in-house/proprietary
applications
23. Real Time Event Correlation and Log Forensics
– Correlation using Search: Correlate
events using log search with wildcards,
phrases and Boolean operators
– Correlation using Alerts: Correlate
events using custom and predefined
alerts to mitigate threats in real time
– Notifications are sent in real time via
email and SMS
– Conduct root cause analysis by diving
into raw logs and generate forensic
reports in minutes!
27. Conclusion
• A SIEM solution can provide enormous security benefits to the company by
protecting the network with real-time log analysis.
• Most organizations think that SIEM solutions have a steep learning curve
and are expensive, complex, and hard to deploy.
• This claim may be true about many SIEM vendors. However, the right
SIEM solution is one that can be easily deployed, is cost-effective, and
meets all your IT security needs with a single tool.