Security Information and Event Management (SIEM) has been deployed by our company for customers in various industries for a long time. Each time we put great emphasis on the customer's specifics. SIEM is an evolutionary integration of two different technologies: Security Event Management (SEM), designed primarily for logging security events filtered by security relevance, and Security Information Management (SIM), designed primarily for data normalization and for finding correlations between security events.
The solution includes a set of technologies for: event collection and aggregation, report parsing and normalization, report aggregation and correlation, and information analysis based on the reports or on an evaluation of the overall security situation. The source of security-relevant reports is most of the time log data in files, databases, the Windows Event Log and similar. They can be retrieved via syslog, SNMP, NetFlow, a product-specific web-service API, etc.
SIEM solutions can collect and process reports from a wide variety of devices, in particular: operating systems, network firewalls, database systems, anti-malware software, specialized security solutions (Intrusion Protection Systems (IPS), Database Activity Monitoring (DAM), Web Application Firewalls (WAF) and so on), infrastructure monitoring systems, reference data sources about user identities, and various others.
Our solutions specialize in the security-relevant reports that matter for security monitoring.
Such integration requires a detailed analysis of the application's logging capabilities and its customisation, changes in configuration, and usually also re-coding the application so that it fits into the SIEM process.
Policy Compliance Engine (PCE) is our in-house developed component that makes it possible to define the priorities of security monitoring (important users or operations, time aspects and others) and to take the usual operating characteristics into account. PCE cross-references each report with its baseline information and evaluates the received information immediately, producing a richer initial report.
The baseline is a set of information that defines the priorities of monitoring (important users or operations) and, to a certain extent, the characteristics of usual activities (relations between baseline objects themselves and to the objects in focus). The baseline itself (a model describing the required state) has the following advantages: easy data entry (for example by importing an .xls file), protection of the baseline data against tampering, and the possibility of having it defined by an independent party (for example by audit).
Real-time comparison of each report with the baseline, with divergences highlighted, does not affect the running monitored application.
There are two categories: Focus level (easy identification) and Violation (detection of divergences from the defined behaviour). Focus level is characterized by the importance of the user activity or by operations on important objects. Violations cover: detection of improper use of an environment by a user, improper use of a terminal, improper use of an operation, or use of an operation in an improper environment.
Ability to enrich the report with referential data (for example from Identity Management).
This modified report is then sent to the SIEM solution, where it is possible, for example, to easily filter the events of privileged users, to automatically detect "segregation of duties" violations, to automatically detect violations of organizational rules, or to analyse events based on the referential data.
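The following is an added illustration of the baseline cross-referencing described above (focus flags, violation detection and identity enrichment of a normalized report); it is not PCE's own code, and the baseline, identity table and field names are constructed for the example.

```python
# Added illustration (not PCE's own code): cross-reference a normalized event
# against a baseline, tag focus level and violations, and enrich it with
# referential identity data before it is forwarded to the SIEM.

# Constructed baseline: privileged users, important objects, and the
# user -> (environment, terminal, operation) combinations that are expected.
BASELINE = {
    "privileged_users": {"dba01", "root"},
    "important_objects": {"PAYROLL", "CUSTOMERS"},
    "allowed": {
        "dba01": {"environments": {"prod"}, "terminals": {"ws-dba-1"},
                  "operations": {"SELECT", "UPDATE"}},
        "clerk7": {"environments": {"test"}, "terminals": {"ws-17"},
                   "operations": {"SELECT"}},
    },
    # Operations that may only run in certain environments.
    "operation_environments": {"DROP": {"test"}},
}

# Constructed referential data, e.g. exported from Identity Management.
IDENTITY = {"dba01": {"department": "IT-DB", "manager": "m.jones"},
            "clerk7": {"department": "Finance", "manager": "a.smith"}}

def evaluate(event, baseline=BASELINE, identity=IDENTITY):
    """Return a copy of the event with focus flags, violations and identity."""
    user = event["user"]
    out = dict(event)
    focus = []
    if user in baseline["privileged_users"]:
        focus.append("privileged_user")
    if event.get("object") in baseline["important_objects"]:
        focus.append("important_object")
    violations = []
    allowed = baseline["allowed"].get(user)
    if allowed is None:
        violations.append("unknown_user")          # user absent from baseline
    else:
        if event["environment"] not in allowed["environments"]:
            violations.append("improper_environment")
        if event["terminal"] not in allowed["terminals"]:
            violations.append("improper_terminal")
        if event["operation"] not in allowed["operations"]:
            violations.append("improper_operation")
    envs = baseline["operation_environments"].get(event["operation"])
    if envs is not None and event["environment"] not in envs:
        violations.append("operation_in_improper_environment")
    out.update(focus=focus, violations=violations, identity=identity.get(user, {}))
    return out
```

The enriched dictionary is what the SIEM would receive, so filtering on privileged users or on any violation tag becomes a simple field match.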