Security Information and Event Management (SIEM)

Cisco-opplæring

Insoft Services er en av få opplæringsleverandører i EMEAR som tilbyr hele spekteret av Cisco-sertifisering og spesialisert teknologiopplæring.

Les mer

Cisco Sertifisering

Opplev en blandet læringstilnærming som kombinerer det beste av instruktørledet opplæring og e-læring i eget tempo for å hjelpe deg med å forberede deg til sertifiseringseksamen.

Les mer

Cisco Learning Credits

Cisco Learning Credits (CLC) er forhåndsbetalte opplæringskuponger innløst direkte med Cisco som gjør planleggingen for suksessen din enklere når du kjøper Cisco-produkter og -tjenester.

Les mer

Etterutdanning

Cisco Continuing Education Program tilbyr alle aktive sertifiseringsinnehavere fleksible alternativer for å resertifisere ved å fullføre en rekke kvalifiserte opplæringselementer.

Les mer

Cisco Digital Learning

Sertifiserte ansatte er verdsatte eiendeler. Utforsk Ciscos offisielle digitale læringsbibliotek for å utdanne deg gjennom innspilte økter.

Les mer

Cisco Business Enablement

Cisco Business Enablement Partner Program fokuserer på å skjerpe forretningsferdighetene til Cisco Channel Partners og kunder.

Les mer

Cisco opplæringskatalog

Les mer

Fortinet Sertifisering

Fortinet Network Security Expert (NSE)-programmet er et opplærings- og sertifiseringsprogram på åtte nivåer for å lære ingeniører om nettverkssikkerheten for Fortinet FW-ferdigheter og -erfaring.

Tekniske kurs

Fortinet-opplæring

Insoft er anerkjent som Fortinet Autorisert Opplæringssenter på utvalgte steder i EMEA.

Les mer

Fortinet opplæringskatalog

Utforsk et bredt utvalg av Fortinet Schedule på tvers av forskjellige land så vel som online kurs.

Les mer

ATC-status

Sjekk atc-statusen vår på tvers av utvalgte land i Europa.

Les mer

Pakker for Fortinet-tjenester

Insoft Services har utviklet en spesifikk løsning for å effektivisere og forenkle prosessen med å installere eller migrere til Fortinet-produkter.

Les mer

Microsoft-opplæring

Insoft Services gir Microsoft opplæring i EMEAR. Vi tilbyr Microsofts tekniske opplærings- og sertifiseringskurs som ledes av instruktører i verdensklasse.

Tekniske kurs

Extreme-opplæring

Lær eksepsjonell kunnskap og ferdigheter i ekstreme nettverk.

Les mer

Teknisk sertifisering

Vi tilbyr omfattende læreplan over tekniske kompetanseferdigheter om sertifiseringsprestasjonen.

Les mer

Extreme opplæringskatalog

Tekniske kurs

ATP-akkreditering

Som autorisert opplæringspartner (ATP) sørger Insoft Services for at du får de høyeste utdanningsstandardene som er tilgjengelige.

Les mer

Løsninger og tjenester

Vi tilbyr innovativ og avansert støtte for design, implementering og optimalisering av IT-løsninger. Vår kundebase inkluderer noen av de største Telcos globalt.

Les mer

Globalt anerkjent team av sertifiserte eksperter hjelper deg med å gjøre en jevnere overgang med våre forhåndsdefinerte konsulent-, installasjons- og migrasjonspakker for et bredt spekter av Fortinet-produkter.

Om oss

Insoft Tilbyr autoriserte opplærings- og konsulenttjenester for utvalgte IP-leverandører. Finn ut hvordan vi revolusjonerer bransjen.

Les mer
  • +47 23 96 21 03
  • Security Information and Event Management (SIEM)

    20th May, 2022

    Let’s talk about SIEM. Are you having consistent challenges with responding to threats, breaches and related incidences? Do you find it increasingly draining to get to the root cause of breaches in light of the increasing numbers of attacks and related downtimes in your network? If yes, a SIEM solution is just what you may need.

    More often than not, the above pain points are brought about by a lack of collaborative efforts between the Network Operations Center (NOC) and the Security Operations Center (SOC). The NOC is primarily interested in network performance and uptime while the SOC teams are primarily focused on network security, regulations, and compliance.

    To further deepen the disconnect, they each make use of a diverse variety of tools and software that are not integrated so as to give a global view of the enterprise’s overall network. These factors introduce a complex monitoring and reporting environment which increases the likelihood that threats and breaches can go undetected for some time.

    What is SIEM software?

    Security information and event management (SIEM) software give enterprise security professionals a better handle on events within the enterprise. This is done through the collection of Security Information and Event Management (SIEM) network and security logs, in a central repository from multiple diverse sources e.g access points, active directory and database servers, routers, switches, firewalls, intrusion detection, and prevention systems, etc. SIEM is a fundamental element of a successful Cyber Resilience strategy.

    SIEM Requirements:

    A SIEM must be aware of what is attached to the network and be able to collect event and log data from all of those attached items. FortiSIEM is the only SIEM tool in the market that has a self-learning, real-time asset discovery and device configuration engine built into its platform. SIEM does parsing, data normalization and categorization on any type of device, as long as it’s able to send logs to it.

    SIEM software should have an intelligent context, such that it is able to identify the specific kinds of running devices, applications, servers, and their corresponding configurations among other data so as to add relevant context to the events and notifications. This is a critical element of ensuring the SIEM product doesn’t raise false alarms.

    SIEM software also requires that it is fed quality data for maximum yield; the bigger the data source you give it, the better it gets and the better it can see outliers.

    How SIEM works:

    SIEM software collects and aggregates log data generated throughout the enterprise’s endpoints, applications, firewalls, and antivirus filters.

    SIEM delivers on the below objectives, which are to:

    • Provide near-real-time analysis. SIEM systems focus on providing faster identification, analysis, and recovery. It could for instance help detect zero-day attacks.
    • Align enterprises with auditing and regulatory requirements e.g PCI and HIPAA. SIEM generates automated compliance reports whilst sending notifications to relevant personnel. For instance, the SIEM receives an alert from Active Directory or RADIUS stating that it has detected a Repeat Attack_Login attack (3 or more failed login attempts in 60 seconds) against one of the hosts. A notification is then sent to a security administrator.
    • Automated cross-correlation and analysis of all the raw event logs from across the entire network. A SIEM’s differentiating factor from a typical log collector is in its ability to cross-correlate data from multiple different threat feeds and system data before determining the threat level of an incident.
    • Convert security events and log data into visually appealing charts to assist in seeing patterns.
    • Enable Forensic Analysis: The ability to search across logs on different nodes and time periods based on specific criteria.

    SIEM Challenges:

    Security teams often start by chasing down a staggering amount of false alerts. False alerts are one of the most nagging challenges in implementing reliable cybersecurity initiatives. These refer to “useless” alerts that end up wasting an enterprise’s SOC teams time since they are not real threats.

    According to Cisco’s 2017 Annual Cyber Report: The Hidden Danger of Uninvestigated Threats. Only 28% of security alerts that are investigated turn out to be legitimate, from these, only 46% are remediated, meaning 54% of legitimate threats are not resolved!

    This is partly a result of the redirection of the SOC team’s effort to investigate false alerts. So how exactly can an enterprise deal with false alerts?

    Dealing with False Alerts:

    • Clearly define false alerts. If a trouble ticket is consistently created with no tangible immediate action specified, it probably is a false alert. Such alerts can be removed from the ticketing system and only included in a report.
    • Turn off the default rules that don’t apply in your environment, for instance, a SQL injection attack rule if there’s no SQL server installed in your network.
    • Finetune the rules to match your unique environment thresholds. This requires time though. After installation, monitor your environment to determine the most appropriate thresholds for various attributes, for instance, what is normal and abnormal traffic.
    • Implement a SIEM solution that has intelligent context capabilities. It should be able to cross-correlate event data from multiple feeds simultaneously and intelligently come to a reliable conclusion as to whether a threat is real or not.
    • Adjust SIEM product criticality to match your environment. Most default vendor settings are too high for most settings. This you will soon notice after having the SIEM in operation for a while. Save yourself the pain!
    • Use a high quality regularly updated threat feed and geolocation data. This will help add more context to your events and logs. For instance, if a source IP is from a known hacker cell, the criticality of such a log is increased to high. Geolocation data also helps determine whether the traffic is internal, remote or foreign traffic. Low-quality threat feeds could actually increase the number of false alerts!
    • Avoid duplication. If a firewall blocks some kind of traffic, don’t raise an alert ticket on what has already been blocked! What’s the point of having the firewall device installed in the first place?

    Proactive organizations will learn to tune the tooling over time so that the SIEM understands what are normal events and thereby reduce the number of false alerts. After getting a false alert, make an adjustment to your SIEM so that it doesn’t catch that again. Fine Tuning should be done often to reflect both internal changes e.g the commissioning and decommissioning of devices, changes in the global threat landscape, etc.

    Managing SIEM is a resource-intensive process that requires regular evaluations and adjustments to maintain optimal performance. Despite this, going without a SIEM solution isn’t the answer, because this can leave you vulnerable to attack. With this in mind, many IT professionals don’t know how to do this efficiently, thus, expert SIEM consultancy may be required.

    To develop proficiency with accurately managing SIEM products, you can sign up for an Insoft instructor-led FortiSIEM training here.

    SIEM Tools and Vendor Selection

    SIEM tools come in both paid-for commercial offerings and free open-source alternatives. Different SIEM tools draw their strength from a myriad of different features and capabilities, so it’s upon you to carefully choose one that addresses your enterprise needs.

    There are a couple of leading vendors, including Solar Winds, HPE, IBM, Splunk, Fortinet, and Intel, we also have open-source SIEM tools which are supported by the community. They are not vendor backed, hence they may not be as reliable; especially in critical enterprise-grade environments. Some of the best free open-source SIEM tools include Elasticsearch, ELK Stack, Ossim, Splunk Free and Ossec.

    FortiSIEM Case Study:

    FortiSIEM is a SIEM product manufactured by Fortinet. It offers SOC and NOC data correlation capabilities. It collects and normalizes a variety of logs, for instance, transaction, SNMP, connection, application and user logs.

    These logs are then used for IT network and security monitoring and troubleshooting, consequently enabling organizations to eliminate blind spots by monitoring and analyzing a diverse set of events from multiple sources. Organizations, therefore, get an upper hand when it comes to the identification of threats and their root causes for even more agile remediation.

    In addition to security metrics, FortiSIEM also monitors infrastructure resource utilization, application health, performance and availability metrics. The collection of all these data is done at a set polling interval. The results are converted into logs, which follow the typical SIEM processing logic. You can also read more about What is SIEM software? How it works and how to choose the right tool here.

    More Blogs for you:

    Relevant Exams: Fortinet NSE 5