Security Information and Event Management (SIEM)

(OBJ .)

A solution for real-time or near-real-time analysis of security alerts generated by network hardware and applications
SIEM helps correlate various events and incidents from system logs

Critical for security assurance
Logs should be reviewed regularly and routinely, not just after an incident or as part of an instant response

Correlates and analyzes log data
Consolidates data from various systems into a centralized database or repository
Detects patterns indicating security threats
Generates alerts for security teams to investigate

Agent-Based
- Software agents are installed on each system to collect and send log data
- Provides real-time data and detailed information
Agentless
- Log data is collected directly from systems using standard protocols
- Reduces maintenance but may not collect real-time or detailed data

Splunk
- Big data information gathering and analysis tool
- Offers connectors for various data systems
- Provides search processing language for data analysis
- Comes with pre-configured templates and dashboards
ELK (Elastic Stack)
- A collection of free and open-source SIEM tools, including the following
  - Elasticsearch
  - Logstash
  - Kibana
  - Beats
- Components work together for log collection, storage, analysis, and visualization
- If available, look at Elastic CTF
ArcSight
- SIEM log management and analytics software
- Suitable for compliance reporting for regulations like HIPAA, SOX, and PCI DSS
QRadar
- A SIEM log management, analytics, and compliance reporting platform created by IBM
- Offers a dashboard for data visualization and analysis