There are several ways to keep IT data processing secure and manageable. One of them is Security Information and Event Management (SIEM). The term combines SIM, the collection of IT-related information, and SEM, the collection of IT-related events. This central collection point should provide a holistic overview of the IT security infrastructure and simplify vulnerability analysis.
Sources of information in the SIM:
Sources of information include firewalls, servers, routers, IDS/IPS, and applications. Log files and protocol data are collected from these sources so that they can subsequently be correlated, broken down and evaluated. External reports, status messages from devices and notifications about physical anomalies, such as a fan failure in the server room, are collected as well. This logging runs 24/7 in the background.
Events in the SEM:
Related events should be represented graphically in order to produce a better risk report. The goal is that the collected log files are traceable and can be reviewed retrospectively in the event of an unusual incident. For this purpose, it is recorded from which IP addresses data was accessed at which times and which protocols or web services are running. Together, SIM and SEM form a SIEM: a management solution adapted to the requirements and needs of the company.
Application of the SIEM:
Unusual patterns and dangerous trends become visible in the SIEM and can be actively addressed. Failed login attempts are one example. Because the log files are collected and then correlated and evaluated, the SIEM can reveal whether an employee has simply entered their password incorrectly five times, or whether hundreds of requests per second are arriving and you may be the target of a brute-force attack. Breaking these log files down further also makes it possible to exclude false positives. Potentially affected devices can be isolated from the network and placed in quarantine so that, in the event of a malware infection, it cannot spread further.
Structure of the SIEM:
In order to set up a SIEM, collected information and key figures are needed in advance. The MITRE database, for example, can be used to record a collection of vulnerabilities as rules and procedures and thus identify potential attacks at an early stage. Continuous improvements are then made on this basis.
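The two ideas above, correlating failed logins to tell a mistyped password from a brute-force attack, and encoding the detection knowledge as rules that the SIEM evaluates, can be shown together in a small script. The following is an added example written for this page, not code from ProSec or from any SIEM product. It assumes a syslog-style authentication log format, constructs its own sample lines (an employee failing five times and then logging in, then 300 failures in three seconds from one external address), and expresses the two detection rules as data, each with a threshold, a sliding time window, a severity and, where one applies, the MITRE ATT&CK technique it maps to. The last, most severe rule that fires wins, and a low-severity hit that ends in a successful login from the same source is marked as the resolved mistyped-password case, which is the kind of refinement the text calls excluding false positives.

```python
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts result user src")

# Assumed log format for the constructed sample lines below; a real collector
# normalises many formats into fields like these before correlation.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass(frozen=True)
class Rule:
    """One correlation rule: fires when a single source produces at least
    `threshold` failed logins inside any sliding window of length `window`."""
    name: str
    threshold: int
    window: timedelta
    severity: str
    technique: str  # MITRE ATT&CK reference, where one applies


# Ordered from least to most severe; the last rule that fires wins.
RULES = [
    Rule("mistyped-password", 3, timedelta(minutes=5), "info", ""),
    Rule("brute-force", 100, timedelta(seconds=10), "high", "T1110 Brute Force"),
]


def _burst(src, user, start, count, step_ms):
    """Constructed data: `count` failed logins from one source, `step_ms` apart."""
    return "\n".join(
        f"{(start + timedelta(milliseconds=step_ms * i)).isoformat()} auth sshd: "
        f"Failed password for {user} from {src}"
        for i in range(count)
    )


# Constructed sample log (not from a real system): alice mistypes five times
# within 30 seconds and then logs in; a minute later 203.0.113.9 produces
# 300 failures in three seconds.
T0 = datetime(2024, 5, 3, 8, 0, 0)
SAMPLE_LOG = "\n".join(
    [f"{(T0 + timedelta(seconds=s)).isoformat()} auth sshd: "
     f"Failed password for alice from 10.0.0.5" for s in (1, 7, 15, 22, 30)]
    + [f"{(T0 + timedelta(seconds=41)).isoformat()} auth sshd: "
       f"Accepted password for alice from 10.0.0.5",
       _burst("203.0.113.9", "admin", T0 + timedelta(minutes=1), 300, 10)]
)


def parse(text):
    """Turn raw lines into Event tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]),
                                m["result"], m["user"], m["src"]))
    return events


def max_in_window(times, window):
    """Largest number of (ascending) timestamps inside any interval of length
    `window`; two-pointer sweep, O(n)."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def classify(events, rules):
    """Group failures per source, apply the rules in order and return
    {source: (finding, failure_count)}."""
    failures, successes = defaultdict(list), set()
    for ev in events:
        if ev.result == "Failed":
            failures[ev.src].append(ev.ts)
        else:
            successes.add(ev.src)
    findings = {}
    for src, times in failures.items():
        times.sort()
        matched = None
        for rule in rules:
            if max_in_window(times, rule.window) >= rule.threshold:
                matched = rule
        name = matched.name if matched else "no-match"
        # Refinement: a low-severity hit followed by a successful login from the
        # same source is the familiar mistyped-password case, not an attack.
        if matched and matched.severity == "info" and src in successes:
            name = "mistyped-password-resolved"
        findings[src] = (name, len(times))
    return findings


if __name__ == "__main__":
    for src, (finding, count) in classify(parse(SAMPLE_LOG), RULES).items():
        print(f"{src}: {finding} ({count} failed logins)")
```

Running the script reports 10.0.0.5 as a resolved mistyped password and 203.0.113.9 as brute force. In a real SIEM the rules would live in a rule store rather than a Python list, the sources would be normalised from many log formats, and a "high" finding would feed the quarantine and reporting steps described on this page.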
To use a SIEM optimally, operating a Security Operations Center (SOC) is recommended. ProSec GmbH can help you set up a SOC and advise and support you from day one. For this purpose, a structural analysis is carried out in advance to determine your needs and give you the best possible support. The SIEM simplifies the operation of the SOC. This combination offers a powerful, goal-oriented solution for IT security.
Goals and tasks of the SIEM:
The aim of the SIEM is to reduce data overhead, save costs and allocate the existing IT resources more effectively. The SIEM is also intended to make reports and reviews accessible. If required, these can be forwarded to management or the executive board. If the company is subject to reporting obligations (e.g. as a KRITIS operator), these reports and reviews can also be forwarded to the BSI after a thorough internal review.