Introduction to Security Operations Centre (SOC)

Security Operations Centre

What Is a Cyber Attack?

Why do cyber attacks happen?
Cyber attacks have become increasingly sophisticated, and the rise in reported incidents every year points to a few recurring motives. Some of the most commonly reported include:
• Ransom: the attack aims to extort a ransom from the owner of the device or network, typically by encrypting or stealing its data.
• Accessing financial details: the attack aims to obtain the financial details of a company or of its clients. This information can be leaked, sold, or used for personal monetary gain, including taking over a victim's bank account and draining it.

Types of Cyber-attacks

What is a Security Operations Center (SOC)?

A Security Operations Center (SOC) is the part of an organization's security team that is responsible for monitoring, analyzing and protecting the organization against cyber-attacks. Although SOC staff work with other teams and departments, they are usually an independent department of their own.

SOC ~ logs

Triad of SOC

Q: What should a SOC monitor?
Ans: SOC tools and teams should monitor all traffic on the network, both what enters from external sources and what moves between internal systems, because an attacker who is already inside moves laterally from host to host. This means that every server, router, database and endpoint must be within the scope of the security operations center team.

What is SIEM’s role in the SOC?

  • SIEM’s role is to provide analysts in the SOC (security operations center) with consolidated insights from the analysis of event data that is too varied and voluminous for manual review. SIEM analysis of machine data and log files can surface malicious activity and trigger automated responses, significantly improving response time against attacks. While SOCs existed before SIEM came along, SIEM is a vital tool for the modern SOC’s mission to respond to internal and external attacks, simplify threat management, minimize risk, and achieve organization-wide visibility and security intelligence.

How Does a SIEM Work?

A security event is any observable occurrence in an IT environment that may indicate a weakness an attacker could use, or that the environment has already been exploited. Such events include unauthorized access attempts, configuration changes, and abnormal user activity. A SIEM helps interpret these events to determine which threats pose the most risk and how they should be prioritized.

SIM vs SEM

What is Security Information Management (SIM)?

Security Information Management (SIM) is the collection, monitoring, and analysis
of security-related data from computer logs. Also referred to as log management.

What is Security Event Management (SEM)?

Security Event Management (SEM) is the practice of network event management
including real-time threat analysis, visualization, and incident response.

Evolution of Terminology

• SIM – Security Information Management
• SEM – Security Event Management
• Log Management – Log file capture & storage
• SIEM – SIM & SEM

A Brief History of SIEM Tools

Gartner coined the term ‘SIEM’ (pronounced “sim”) in a 2005 report called
“Improve IT Security With Vulnerability Management.”

What Is a SIEM?

Security Information and Event Management (SIEM) is a class of software and services for logging, monitoring, alerting, anticipating, correlating and visualizing security-related events and information gathered from networked devices. Put plainly, SIEM is a combination of processes and tools (products).

How Does SIEM Work?

SIEM provides two primary capabilities to an Incident Response team:

• Reporting and forensics about security incidents
• Alerts based on analytics that match a certain rule set, indicating a security issue

– User and Entity Behavior Analytics (UEBA)

– Lateral movement– attackers move through a network by using IP
addresses, credentials and machines, in search of key assets. By
analyzing data from across the network and multiple system resources,
SIEMs can detect this lateral movement.

A SIEM system not only identifies that an attack has happened, but allows you to see how and why it happened as well.

Next-Generation SIEMs

New SIEM platforms provide advanced capabilities such as:

- Lateral movement detection – as described above, by correlating authentication and network data from across the network and multiple system resources, a SIEM can detect an attacker moving between machines using IP addresses, credentials and machines in search of key assets.

- Detection without rules or signatures – many threats facing your network can’t be captured with manually defined rules or known attack signatures. SIEMs can use machine learning to detect incidents without pre-existing definitions.
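The lateral-movement capability described in the two sections above, as an added example that is not code from the original page or from any SIEM vendor. The events are constructed and already normalized (account, source host, destination host, UNIX timestamp); the detection is a chain walk: an account that logs on A -> B and then from B on to C within a per-hop window is flagged once the chain touches enough hosts. The `jump_hosts` allowlist, the schema field names and the window are my own choices.

```python
"""Chain-walk detection of lateral movement over normalized logon events.

Added example, not the page's own code. All data below is constructed.
"""
from collections import defaultdict

# Constructed sample of normalized successful-logon events (not real data):
# who authenticated, from which host, to which host, and when (UNIX seconds).
EVENTS = [
    {"ts": 1000, "user": "alice",      "src": "ws-alice",  "dst": "fileshare1"},
    {"ts": 1300, "user": "svc_backup", "src": "ws-12",     "dst": "srv-app01"},
    {"ts": 1420, "user": "svc_backup", "src": "srv-app01", "dst": "srv-db02"},
    {"ts": 1500, "user": "svc_backup", "src": "srv-db02",  "dst": "dc01"},
    {"ts": 4000, "user": "bob",        "src": "ws-bob",    "dst": "srv-app01"},
    {"ts": 9000, "user": "bob",        "src": "srv-app01", "dst": "srv-db02"},  # hop too slow
]


def _summarize(user, chain):
    """Collapse a chain of hop events into one finding: the path of hosts visited."""
    path = [chain[0]["src"]] + [e["dst"] for e in chain]
    return {"user": user, "path": path, "start": chain[0]["ts"], "end": chain[-1]["ts"]}


def find_lateral_chains(events, window=900, min_hosts=3, jump_hosts=frozenset()):
    """Return one finding per account whose consecutive logons form a chain:
    each hop starts from the host the previous hop landed on, no more than
    `window` seconds after it, and the chain touches at least `min_hosts`
    distinct positions. A hop that starts from an approved jump host does
    not extend a chain, so normal admin access via a bastion is not flagged.
    """
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        per_user[e["user"]].append(e)

    findings = []
    for user, evs in per_user.items():
        chain = [evs[0]]
        for e in evs[1:]:
            last = chain[-1]
            linked = (e["src"] == last["dst"]
                      and last["dst"] not in jump_hosts
                      and 0 <= e["ts"] - last["ts"] <= window)
            if linked:
                chain.append(e)
            else:
                if len(chain) + 1 >= min_hosts:      # hosts visited = hops + 1
                    findings.append(_summarize(user, chain))
                chain = [e]
        if len(chain) + 1 >= min_hosts:
            findings.append(_summarize(user, chain))
    return findings


if __name__ == "__main__":
    for f in find_lateral_chains(EVENTS):
        print(f"{f['user']}: {' -> '.join(f['path'])} ({f['end'] - f['start']}s)")
```

On the sample, only `svc_backup` is reported (ws-12 -> srv-app01 -> srv-db02 -> dc01); `bob` makes the same first two hops but five thousand seconds apart, so the chain breaks. In practice the window and `min_hosts` must be tuned per environment, and service accounts that legitimately fan out (backup, monitoring) need their own exclusions or the rule will be noisy.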

An effective SIEM must address the following eight crucial use cases:

What is EPS in SIEM?

Two key sizing numbers are the amount of data your network generates, measured in Events per Second (EPS) and Gigabytes per Day (GB/day). EPS drives the ingestion and correlation capacity (and often the licence) the SIEM needs, while GB/day drives storage and retention; both should be measured at peak as well as on average, since attacks and outages produce bursts well above the daily mean.

Alerts & Categories

Results can be exported in PDF, Excel, and HTML. We have exported the report in PDF.

SIEM capabilities

• Log Collection
• Normalization – collecting logs and normalizing them into a standard format
• Notifications and Alerts – notifying the user when security threats are identified
• Security Incident Detection

Visibility

SIEM tools provide:
• Real-time visibility across an organization’s information security systems.
• Event log management that consolidates data from numerous sources.
• Correlation of events gathered from different logs or security sources, using if-then rules that add intelligence to raw data.
• Automatic security event notifications. Most SIEM systems provide dashboards for security issues and other methods of direct notification.
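The collection, normalization, if-then correlation and alerting steps listed above, worked end to end as an added example (my own code, not the page's and not any product's). Two constructed sources are used: sshd syslog lines and Windows logon events (4624/4625) already in JSON as a forwarder would deliver them. Both are normalized into one schema whose field names are my choice, then a single rule runs across the merged stream: IF at least `threshold` failures for the same (source IP, user) occur inside `window_s` seconds AND a success for that pair follows inside the window, THEN raise a high-severity alert.

```python
"""Normalize two log sources into one schema and run an if-then correlation rule.

Added example, not the page's own code. Log lines and records are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sshd syslog lines (not real data). Classic syslog carries no
# year, so the parser assumes one.
SYSLOG = """\
Mar 10 08:00:01 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 50022 ssh2
Mar 10 08:00:03 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 50023 ssh2
Mar 10 08:00:05 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 50024 ssh2
Mar 10 08:00:07 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 50025 ssh2
Mar 10 08:00:09 web01 sshd[2101]: Accepted password for admin from 203.0.113.7 port 50026 ssh2
Mar 10 09:15:00 web01 sshd[2330]: Failed password for bob from 198.51.100.4 port 41000 ssh2
Mar 10 09:20:00 web01 sshd[2331]: Accepted publickey for bob from 198.51.100.4 port 41001 ssh2
"""

# Constructed Windows security events as JSON (e.g. from a log forwarder).
WINLOG = [
    {"TimeCreated": "2024-03-10T08:00:02Z", "Computer": "dc01", "EventID": 4625,
     "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-03-10T08:00:08Z", "Computer": "dc01", "EventID": 4624,
     "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
]

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def normalize_syslog(text, year=2024):
    """sshd auth lines -> common schema. Unparsed lines are skipped (a real
    pipeline would count them, since silent drops hide visibility gaps)."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"],
                       "user": m["user"], "src": m["src"], "source": "sshd",
                       "outcome": "success" if m["outcome"] == "Accepted" else "failure"})
    return events


def normalize_windows(records):
    """Windows 4624 (success) / 4625 (failure) logon records -> common schema."""
    events = []
    for r in records:
        if r["EventID"] not in (4624, 4625):
            continue
        events.append({"ts": datetime.fromisoformat(r["TimeCreated"].replace("Z", "+00:00")),
                       "host": r["Computer"], "user": r["TargetUserName"],
                       "src": r["IpAddress"], "source": "windows",
                       "outcome": "success" if r["EventID"] == 4624 else "failure"})
    return events


def rule_bruteforce_then_success(events, threshold=4, window_s=120):
    """IF >= threshold failures for (src, user) within window_s seconds
    THEN IF a success for the same pair follows inside that window -> alert.
    Failures are counted across sources, so guessing that hits sshd and the
    domain controller alike is seen as one campaign."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["src"], e["user"])].append(e)

    alerts = []
    for (src, user), evs in by_key.items():
        failures = []                         # sliding window of recent failures
        for e in evs:
            failures = [f for f in failures if (e["ts"] - f["ts"]).total_seconds() <= window_s]
            if e["outcome"] == "failure":
                failures.append(e)
            elif len(failures) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "severity": "high",
                               "src": src, "user": user, "host": e["host"],
                               "failures": len(failures), "ts": e["ts"].isoformat(),
                               "sources": sorted({f["source"] for f in failures} | {e["source"]})})
                failures = []                 # one alert per burst, not per later success
    return alerts


def run():
    """Collect -> normalize -> correlate, returning the alerts the rule produced."""
    events = normalize_syslog(SYSLOG) + normalize_windows(WINLOG)
    return rule_bruteforce_then_success(events)


if __name__ == "__main__":
    for a in run():
        print(json.dumps(a, indent=2))
```

On the sample, `admin` from 203.0.113.7 fails four times against sshd and once against dc01 within eight seconds and then succeeds on dc01, so one alert fires with `failures` = 5 and both sources listed; `bob` has a single failure five minutes before his key-based logon, which falls outside the window. The point of normalizing first is visible in the rule: it never needs to know which product produced an event.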

Event log source

SOC Tiers

Monitoring
24/7/365 Monitoring

Monitoring involves checking systems for cyber security threats, usually with specialized security tools that pick up suspicious patterns. These tools feed a centralized management system with dashboards that raise alerts on suspicious activities and patterns.
Incident Management
Incident management is dealing with those alerts: first determining the criticality of the threat, then running through the various incident management processes to neutralize it. The processes generally rely on people to manage them and on technology to pinpoint more information about the threat and stop it in its tracks.

Abnormal Behaviors

SIEM’s visibility capabilities help shed light on your users and third parties. With SIEM, you can establish behavioral baselines for each user, device, application, and third party as they conduct their business workflows. If they deviate from these baselines, as in an insider threat or a credential compromise, your SIEM solution can detect it. It can then alert your IT security team or, in more severe cases, freeze the activity or the user.
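The baseline-and-deviation idea above, as an added example (my own code, not the page's and not any vendor's UEBA engine). The learning-period history and the new events are constructed. The baseline is deliberately simple: per user, the set of /24 source networks, the set of hosts accessed and the hours of day seen. A new event is scored by the weighted violations it accumulates, and an unseen user scores highest of all; the weights, the /24 choice and the one-hour tolerance are my own assumptions.

```python
"""Per-user behavioral baseline and deviation scoring.

Added example, not the page's own code. All data below is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed learning-period events (not real data): user, source IP,
# host accessed, hour of day in which the logon happened.
HISTORY = [
    ("alice", "10.1.2.15", "fileshare1", 9),
    ("alice", "10.1.2.15", "fileshare1", 10),
    ("alice", "10.1.2.20", "mail",       14),
    ("alice", "10.1.2.15", "fileshare1", 17),
    ("bob",   "10.1.3.40", "srv-app01",  8),
    ("bob",   "10.1.3.40", "srv-app01",  16),
]

# Assumed weights: a new source network is the strongest single signal,
# an account nobody has baselined is treated as suspicious on its own.
WEIGHTS = {"unknown_user": 4, "new_network": 3, "new_host": 2, "odd_hour": 1}


def net24(ip):
    """Reduce a source IP to its /24 so DHCP churn inside an office does not look new."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(history):
    """Learn, per user, the networks, hosts and hours observed in the learning period."""
    base = defaultdict(lambda: {"nets": set(), "hosts": set(), "hours": set()})
    for user, ip, host, hour in history:
        b = base[user]
        b["nets"].add(net24(ip))
        b["hosts"].add(host)
        b["hours"].add(hour)
    return dict(base)


def _hour_distance(a, b):
    """Circular distance on a 24-hour clock, so 23:00 and 00:00 are one hour apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(baseline, user, ip, host, hour, threshold=4):
    """Score one new logon against the baseline; alert when score >= threshold."""
    reasons = []
    b = baseline.get(user)
    if b is None:
        reasons.append("unknown_user")
    else:
        if net24(ip) not in b["nets"]:
            reasons.append("new_network")
        if host not in b["hosts"]:
            reasons.append("new_host")
        if not any(_hour_distance(hour, h) <= 1 for h in b["hours"]):
            reasons.append("odd_hour")
    score = sum(WEIGHTS[r] for r in reasons)
    return {"user": user, "score": score, "reasons": reasons, "alert": score >= threshold}


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(score_event(base, "alice", "10.1.2.15", "fileshare1", 10))   # in profile
    print(score_event(base, "alice", "203.0.113.9", "dc01", 3))        # deviates on all three
    print(score_event(base, "mallory", "10.1.2.15", "fileshare1", 9))  # never baselined
```

Two caveats a practitioner will want: the learning period must itself be clean, or an attacker already active during it gets baselined as normal; and a single odd hour should not page anyone (weight 1), which is why the score is additive rather than any-violation.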

Managed SOC vs Dedicated SOC

1. Dedicated or internal SOC
The enterprise sets up its own cybersecurity team within its workforce.
2. Managed SIEM (third-party MSSP / service provider)
This can be beneficial for organizations that cannot afford the high cost of a SIEM combined with the in-house expertise needed to manage it.
That said, it also raises privacy issues, since the data flowing into the SIEM is always going to be sensitive. It may contain not only details of individuals in the organization but also details of the systems feeding the SIEM and confidential information about the company’s activities.

2020 Gartner Magic Quadrant for SIEM

MITRE ATT&CK & Cyber Kill Chain Framework

References

  1. Security Information and Event Management (SIEM) Reviews and Ratings
     https://www.gartner.com/reviews/market/security-information-event-management
  2. Use of Machine Learning Algorithms with SIEM for Attack Prediction
     https://www.researchgate.net/publication/283835962_Use_of_Machine_Learning_Algorithms_with_SIEM_for_Attack_Prediction
  3. 2020 Gartner Magic Quadrant for SIEM
     https://www.rsa.com/en-us/offers/2020-gartner-magic-quadrent-siem
  4. What is SIEM?
     https://www.exabeam.com/siem-guide/what-is-siem/
  5. What is a Security Operations Center (SOC)?
     https://www.varonis.com/blog/security-operations-center-soc/
  6. 10 Best SIEM Tools of 2021: Vendors & Solutions Ranked
     https://www.comparitech.com/net-admin/siem-tools/
  7. Advanced Threat Detection With Modern SIEM Solutions
     https://www.innominds.com/blog/advanced-threat-detection-with-modern-siem-solutions
  8. Certified Threat Intelligence Analyst (CTIA)
     https://www.testpreptraining.com/tutorial/certified-threat-intelligence-analyst-exam
