SIEM: The ABCs of Network Visibility
What is SIEM?
Security information and event management (SIEM) systems are monitoring tools that provide a holistic view of an organization’s information technology (IT) security. The underlying principle of a SIEM system is that relevant data about an enterprise’s security is produced in multiple locations and needs to be correlated. Being able to look at all the data from a single point of view makes it easier to spot trends and see patterns that are out of the ordinary. SIEM systems provide quicker identification, analysis and recovery of security events. They also allow compliance managers to confirm that they are fulfilling an organization's legal compliance requirements.
A SIEM system collects logs from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. Syslog collectors forward events to a centralized management console, which performs inspections and flags anomalies. To allow the system to identify anomalous events, it’s important that the SIEM administrator first creates a network baseline of the system under normal event conditions.
Typical Use Cases
- Log collection for compliance – Compliance has quickly become one of the most painful headaches for IT administrators over the past few years. Compliance audits can be a nightmare if caught unprepared but luckily, SIEM vendors have made huge strides to make it easier to monitor and maintain compliance for most major standards, including PCI, ISO, HIPAA and more.
- Correlating security events – SIEMs collect syslog events from many locations and devices. As a result, they can find patterns that help determine the severity and source of security events. For example, enterprise antivirus solutions have comprehensive logging capability and, when integrated with the SIEM, allow incident response to be efficient and effective. A Trojan detected and blocked on a single workstation may be less of a priority than five occurrences of the same malware detected across multiple hosts. This information can be easily correlated with other potential indicators of compromise, such as web requests to malicious sites, to help determine if a host has in fact been compromised.
- Incident Remediation – Advanced users leverage their SIEMs to not just detect and log threats, but to remediate them automatically. For example, after a SIEM detects an anomaly based on syslog data it would then automatically reconfigure a network packet broker (NPB) to send the packet data associated with the threat to an intrusion prevention system (IPS) or packet capture tool for deeper analysis.
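The correlation and remediation flow described in the two items above, written out as an added example (this is not code from the article or from any SIEM or NPB vendor). It parses a handful of constructed key=value log lines, raises an alert only when the same malware signature is blocked on at least five distinct hosts inside a time window, raises the severity when one of those hosts also reached a known-bad domain in the proxy log, and then produces the filter rules a SIEM would hand to a packet broker. The log layout, field names, thresholds, the `MALICIOUS_DOMAINS` list and the NPB rule schema are all assumptions made for the example.

```python
"""Toy SIEM-style correlation over constructed log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events in a key=value, syslog-like layout (not real data).
# One signature hits five workstations within minutes; one of those hosts also
# talks to a known-bad domain; a sixth hit arrives hours later, outside the window.
SAMPLE_LOGS = """\
2024-05-01T10:00:05 av host=ws-101 action=blocked malware=Trojan.Agent.X
2024-05-01T10:01:10 av host=ws-102 action=blocked malware=Trojan.Agent.X
2024-05-01T10:02:30 proxy host=ws-102 dst=malicious.example action=allowed
2024-05-01T10:03:00 av host=ws-103 action=blocked malware=Trojan.Agent.X
2024-05-01T10:04:12 av host=ws-104 action=blocked malware=Trojan.Agent.X
2024-05-01T10:05:45 av host=ws-105 action=blocked malware=Trojan.Agent.X
2024-05-01T10:06:00 av host=ws-200 action=blocked malware=Adware.Bar
2024-05-01T12:30:00 av host=ws-106 action=blocked malware=Trojan.Agent.X
"""

# Constructed threat-intel list of known-bad domains (assumption for the example).
MALICIOUS_DOMAINS = {"malicious.example"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one line into timestamp, log source and its key=value fields."""
    ts, source, rest = line.split(" ", 2)
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    event.update(KV_RE.findall(rest))
    return event


def parse_logs(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def correlate_malware(events, min_hosts=5, window_minutes=30):
    """Alert on a signature blocked on >= min_hosts distinct hosts within the window."""
    window = timedelta(minutes=window_minutes)
    by_sig = defaultdict(list)
    for e in events:
        if e["source"] == "av" and "malware" in e:
            by_sig[e["malware"]].append(e)
    alerts = []
    for sig, hits in by_sig.items():
        hits.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over time-ordered hits; count distinct hosts inside it.
        for end in range(len(hits)):
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            hosts = {h["host"] for h in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"malware": sig, "hosts": sorted(hosts),
                               "first_seen": hits[start]["ts"],
                               "last_seen": hits[end]["ts"]})
                break  # one alert per signature is enough here
    return alerts


def enrich_with_proxy(alert, events):
    """Flag alerted hosts that also contacted a known-bad domain; bump severity."""
    suspects = set(alert["hosts"])
    beaconing = sorted({e["host"] for e in events
                        if e["source"] == "proxy" and e["host"] in suspects
                        and e.get("dst") in MALICIOUS_DOMAINS})
    return dict(alert, likely_compromised=beaconing,
                severity="high" if beaconing else "medium")


def build_npb_filters(alert):
    """Rules telling a packet broker to mirror a suspect host's traffic to an IPS.

    The rule schema is hypothetical; a real NPB's REST API defines its own."""
    return [{"match": {"src_host": h}, "action": "mirror", "destination": "ips-1",
             "reason": "siem:" + alert["malware"]}
            for h in alert["likely_compromised"]]


def run(text=SAMPLE_LOGS):
    """Full pipeline: parse -> correlate -> enrich -> remediation rules."""
    events = parse_logs(text)
    alerts = [enrich_with_proxy(a, events) for a in correlate_malware(events)]
    return alerts, [r for a in alerts for r in build_npb_filters(a)]


if __name__ == "__main__":
    for alert in run()[0]:
        print(alert["severity"], alert["malware"], alert["hosts"], alert["likely_compromised"])
```

Running it on the sample yields one high-severity alert for `Trojan.Agent.X` across ws-101 to ws-105, with ws-102 marked as likely compromised and a single mirror rule for that host; the lone `Adware.Bar` detection and the late ws-106 hit produce nothing, which is the prioritisation the article describes.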
The following are some things to keep in mind about network visibility and SIEM solutions:
REST API – The IETF REST protocol has become a common protocol for transferring interoperability information between different devices on the network. Make sure that both the SIEMs and NPBs that you purchase support this protocol. Even though you may not be looking at the integration in the short term, you want to have options for the future.
Integration with SIEMs – Beyond a RESTful interface, make sure that the NPB has been tested (integrated) with the leading SIEM vendors. REST provides basic interoperability, but vendor interoperability testing often produces a stronger, richer set of capabilities that the two products can provide in a single solution. This integration allows the SIEM to perform remediation by dynamically reconfiguring the NPB to send packets affiliated with specific SIEM-detected threats to forensic recorders or other packet-based security tools.
Dynamic Filtering – The NPB needs to automatically create and maintain filter rules when reconfigured by the SIEM. Otherwise, other monitoring and security tools on the network will see packet drops.
More Information on SIEM and Network Visibility
More information about Ixia network performance, network security and network visibility solutions and how they can help generate the insight needed for your business is available on the Ixia website. Further information about SIEM and visibility solutions is available for these leading providers: