SIEM: A Deep Dive into SIEM Platforms
As mentioned in a previous post for this series, there are several tools that we utilize in the field of Cybersecurity.
The SIEM is one of them.
Security Information and Event Management (SIEM) is a comprehensive solution that provides real-time analysis of the security alerts it generates, which security teams then act upon. It collects and aggregates log data, and provides reporting, alerting, and dashboards for security teams.
Before the SIEM, security teams had to deal with large numbers of data sources and logs, with no central point to operate from.
Here are a few defined use cases for SIEMs.
Use Cases:
Threat Detection: SIEM systems can show patterns and anomalies in log data that might indicate a security threat, allowing organizations to detect threats in near real-time.
Incident Response: When a security incident occurs, a SIEM can provide detailed information about the event, helping security teams respond more effectively.
Forensic Analysis: In the aftermath of a security incident, a SIEM can be used to perform forensic analysis to understand the incident's cause and impact, with the team retro-hunting through the retained logs to form a timeline of events.
User Monitoring: SIEM can track user activities across various systems, helping organizations detect insider threats or misuse of privileges.
Snippet of Some SIEM Queries:
source:firewall action:deny count:>100
- This query might be used to detect a potential DDoS attack by identifying more than 100 denied actions from a firewall.
source:database action:login status:failed
- Detect failed login attempts on a database, which could indicate a brute force attack.
sourcetype=endpoint action=download file=*.exe
| table timestamp, src_ip, username
- Monitor endpoints for any executable files being downloaded, which could be a sign of data exfiltration.
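As an added illustration that is not part of the original post, here is the logic behind the three queries above expressed as plain Python detection functions run over constructed sample events. The field names, the normalized event format, and grouping the firewall rule per source IP are assumptions made for this example.

```python
from collections import Counter
from fnmatch import fnmatch

# Constructed sample events (not real data): normalized SIEM records as dicts.
SAMPLE_EVENTS = (
    [{"source": "firewall", "action": "deny", "src_ip": "198.51.100.7"}] * 120
    + [{"source": "firewall", "action": "deny", "src_ip": "203.0.113.9"}] * 4
    + [{"source": "firewall", "action": "allow", "src_ip": "198.51.100.7"}] * 5
    + [{"source": "database", "action": "login", "status": "failed",
        "username": "svc_report"}] * 3
    + [{"source": "endpoint", "action": "download", "file": "setup.exe",
        "timestamp": "2024-01-01T10:00:00Z", "src_ip": "10.0.0.5", "username": "alice"}]
    + [{"source": "endpoint", "action": "download", "file": "report.pdf",
        "timestamp": "2024-01-01T10:01:00Z", "src_ip": "10.0.0.6", "username": "bob"}]
)


def denied_firewall_floods(events, threshold=100):
    """source:firewall action:deny count:>threshold, grouped per src_ip (assumed grouping)."""
    counts = Counter(
        e["src_ip"] for e in events
        if e.get("source") == "firewall" and e.get("action") == "deny"
    )
    # Only sources that exceed the threshold are reported, mirroring count:>100.
    return {ip: n for ip, n in counts.items() if n > threshold}


def failed_db_logins(events):
    """source:database action:login status:failed -> usernames with failed logins."""
    return [
        e.get("username") for e in events
        if e.get("source") == "database"
        and e.get("action") == "login"
        and e.get("status") == "failed"
    ]


def exe_downloads(events):
    """sourcetype=endpoint action=download file=*.exe | table timestamp, src_ip, username"""
    return [
        (e["timestamp"], e["src_ip"], e["username"]) for e in events
        if e.get("source") == "endpoint"
        and e.get("action") == "download"
        and fnmatch(e.get("file", "").lower(), "*.exe")  # glob match like file=*.exe
    ]


if __name__ == "__main__":
    print(denied_firewall_floods(SAMPLE_EVENTS))  # -> {'198.51.100.7': 120}
    print(failed_db_logins(SAMPLE_EVENTS))
    print(exe_downloads(SAMPLE_EVENTS))
```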
Here's a table outlining some of the most popular SIEMs on the market.
You have a mix of commercial and open-source tools here. From this table, AlienVault and Elasticsearch (a.k.a. the ELK Stack) are open-source, with Gravwell having open-source components.
For years, Splunk has been the market leader in this category of SIEM. It will be interesting to see what happens with the Cisco acquisition. $28B!
With the shift happening towards data lakes, cloud-native platforms, and larger amounts of data than ever, who knows who will be the next market leader. Time will tell.
Conclusion
In the evolving landscape of Cybersecurity, there are many tools of the trade.
SIEM has been steady for years as a critical tool that is leveraged by Security teams.
By learning the intricacies of these tools, and playing around with them yourself, you will build your knowledge base and be able to add this to your toolbox.