The ESSENTIAL GUIDE TO SIEM - Exabeam


Learn Security Information and Event Management

The SIEM is a foundational technology of the security operations center (SOC). SIEMs have been around for decades, but a new generation is emerging with new capabilities like data science driven anomaly detection and incident response automation. Learn everything about SIEMs, past, present and future—architecture, what's under the hood, and using SIEMs in the field to detect incidents and defend organizations.

Contents

CH01 What is SIEM? – Components, best practices, and next-gen capabilities
CH02 SIEM Architecture – How SIEMs are built, how they generate insights, and how they are changing
CH03 Events and Logs – SIEM under the hood—the anatomy of security events and system logs
CH04 UEBA – User and entity behavior analytics detects threats other tools can't see
CH05 SIEM Use Cases – Beyond alerting and compliance—SIEMs for insider threats, threat hunting and IoT
CH06 SIEM Analytics – From correlation rules and attack signatures to automated detection via machine learning
CH07 Incident Response and Automation – Security orchestration, automation and response (SOAR)—the future of incident response
CH08 The SOC, SecOps and SIEM – A comprehensive guide to the modern SOC—SecOps and next-gen tech
CH09 Evaluating and Selecting SIEM Tools - A Buyer's Guide – Evaluation criteria, build vs. buy, cost considerations and compliance
CH10 SIEM Essentials Quiz

exabeam.com // The Essential Guide to SIEM

01 What is SIEM?

Security information and event management (SIEM) solutions use rules and statistical correlations to turn log entries, and events from security systems, into actionable information. This information can help security teams detect threats in real time, manage incident response, perform forensic investigation on past security incidents, and prepare audits for compliance purposes.

The term SIEM was coined in 2005 by Mark Nicolett and Amrit Williams, in Gartner's SIEM report, Improve IT Security with Vulnerability Management. They proposed a new security information system, on the basis of two previous generations.

- Security information management (SIM) – a first generation, built on top of traditional log collection and management systems. SIM introduced long-term storage, analysis, and reporting on log data, and combined logs with threat intelligence.
- Security event management (SEM) – a second generation, addressing security events—aggregation, correlation and notification for events from security systems such as antivirus, firewalls and intrusion detection systems (IDS), as well as events reported directly by authentication systems, SNMP traps, servers, databases etc.

In the years that followed, vendors introduced systems that provided both security log management and analysis (SIM) and event management (SEM), to create SIEM solutions.

SIEM platforms can aggregate both historical log data and real-time events, and establish relationships that can help security staff identify anomalies, vulnerabilities and incidents. The main focus is on security-related incidents and events, such as successful or failed logins, malware activity or escalation of privileges. These insights can be sent as notifications or alerts, or discovered by security analysts using the SIEM platform's visualization and dashboarding tools.

Next-gen SIEM

SIEM is a mature technology, and the next generation of SIEMs provides new capabilities:

- User and entity behavior analytics (UEBA) – advanced SIEMs go beyond rules and correlations, leveraging AI and deep learning techniques to look at patterns of human behavior. This can help detect insider threats, targeted attacks, and fraud.
- Security orchestration, automation and response (SOAR) – next-gen SIEMs integrate with enterprise systems and automate incident response. For example, the SIEM might detect an alert for ransomware and perform containment steps automatically on affected systems, before the attacker can encrypt the data.

What Can a SIEM Help With? Components and Capabilities

- Data aggregation – Aggregates data from network, security, servers, databases, applications, and other security systems like firewalls, antivirus and intrusion detection systems (IDS)
- Threat intelligence feeds – Combines internal data with threat intelligence feeds containing data on vulnerabilities, threat actors and attack patterns
- Correlation – Links events and related data into meaningful bundles which represent a real security incident, threat, vulnerability or forensic finding
- Analytics – Uses statistical models and machine learning to identify deeper relationships between data elements, and anomalies compared to known trends, and tie them to security concerns
- Alerting – Analyzes events and sends out alerts to notify security staff of immediate issues, either by email, other types of messaging, or via security dashboards
- Dashboards and visualizations – Creates visualizations to allow staff to review event data, see patterns and identify activity that does not conform to standard patterns
- Compliance – Automates the gathering of compliance data, producing reports that adapt to security, governance and auditing processes for standards like HIPAA, PCI/DSS, HITECH, SOX and GDPR
- Retention – Stores long-term historical data to enable analysis, tracking, and data for compliance requirements. Especially important in forensic investigations, which happen after the fact
- Threat hunting – Allows security staff to run queries on SIEM data, filter and pivot the data, to proactively uncover threats or vulnerabilities
- Incident response – Provides case management, collaboration and knowledge sharing around security incidents, allowing security teams to quickly synchronize on the essential data and respond to a threat
- SOC automation – Integrates with other security solutions using APIs, and lets security staff define automated playbooks and workflows that should be executed in response to specific incidents

How SIEM Works: Present and Future

In the past, SIEMs required meticulous management at every stage of the data pipeline—data ingestion, policies, reviewing alerts and analyzing anomalies. Increasingly, SIEMs are getting smarter at pulling data together, from ever more organizational sources, and using AI techniques to understand what type of behavior constitutes a security incident.

01 Data collection

Most SIEM systems collect data by deploying collection agents on end-user devices, servers, network equipment, or other security systems like firewalls and antivirus, or via protocols such as syslog forwarding, SNMP or WMI. Advanced SIEMs can integrate with cloud services to obtain log data about cloud-deployed infrastructure or SaaS applications, and can easily ingest other non-standard data sources. Pre-processing may happen at edge collectors, with only some of the events and event data passed to centralized storage.

02 Data storage

Traditionally, SIEMs relied on storage deployed in the data center, which made it difficult to store and manage large data volumes. As a result, only some log data was retained. Next-generation SIEMs are built on top of modern data lake technology such as Amazon S3 or Hadoop, allowing nearly unlimited scalability of storage at low cost. This makes it possible to retain and analyze 100% of log data across even more platforms and systems.

03 Policies and rules

The SIEM allows security staff to define profiles, specifying how enterprise systems behave under normal conditions. They can then set rules and thresholds to define what type of anomaly is considered a security incident. Increasingly, SIEMs leverage machine learning and automated behavioral profiling to automatically detect anomalies, and autonomously define rules on the data, to discover security events that require investigation.

04 Data consolidation and correlation

The central purpose of a SIEM is to pull together all the data and allow correlation of logs and events across all organizational systems. An error message on a server can be correlated with a connection blocked on a firewall, and a wrong password attempted on an enterprise portal. Multiple data points are combined into meaningful security events, and delivered to analysts by notifications or dashboards. Next-gen SIEMs are getting better and better at learning what is a "real" security event that warrants attention.
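The correlation step described above (a server error, a firewall block and a failed portal login tied together) can be shown end to end with a small rule-based correlator. This is an added example, not code from the Exabeam guide: the three log formats, the normalized field names, the 10-minute window and the "at least two distinct sources" threshold are all assumptions made for the illustration, and the log lines are constructed.

```python
"""Rule-based cross-source correlation of the kind described in How SIEM Works.

Added example, not code from the Exabeam guide. Log formats, field names,
the 10-minute window and the two-source threshold are assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data) from three sources in their native formats.
SERVER_LOG = [
    "2024-03-04T09:15:02Z app01 sshd[4112]: error: authentication failure for root from 203.0.113.7",
    "2024-03-04T09:15:09Z app01 sshd[4112]: error: authentication failure for admin from 203.0.113.7",
    "2024-03-04T09:40:00Z app01 sshd[4120]: accepted publickey for deploy from 198.51.100.23",
]
FIREWALL_LOG = [
    "Mar  4 09:15:05 fw01 kernel: BLOCK IN=eth0 SRC=203.0.113.7 DST=10.0.0.12 DPT=3389",
    "Mar  4 11:02:44 fw01 kernel: BLOCK IN=eth0 SRC=192.0.2.55 DST=10.0.0.80 DPT=23",
]
PORTAL_LOG = [
    '{"ts": "2024-03-04T09:15:30Z", "event": "login_failed", "user": "jsmith", "client_ip": "203.0.113.7"}',
    '{"ts": "2024-03-04T10:12:00Z", "event": "login_ok", "user": "jsmith", "client_ip": "198.51.100.23"}',
]

ASSUMED_YEAR = 2024  # BSD syslog timestamps carry no year; assumption for the sample
SERVER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*) from (?P<ip>\S+)$")
FIREWALL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<action>\w+) .*?SRC=(?P<ip>\S+)"
)
SUSPICIOUS_TYPES = {"auth_failure", "connection_blocked", "login_failed"}
WINDOW = timedelta(minutes=10)
MIN_SOURCES = 2


def parse_server(line):
    """Normalize an sshd line into the common event schema (ts, source, type, ip, detail)."""
    m = SERVER_RE.match(line)
    if not m:
        return None
    kind = "auth_failure" if "authentication failure" in m["msg"] else "auth_success"
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "source": "server", "type": kind, "ip": m["ip"], "detail": m["msg"]}


def parse_firewall(line):
    """Normalize a netfilter-style syslog line; the year is supplied from ASSUMED_YEAR."""
    m = FIREWALL_RE.match(line)
    if not m:
        return None
    kind = "connection_blocked" if m["action"] == "BLOCK" else "connection_allowed"
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "firewall", "type": kind, "ip": m["ip"],
            "detail": line.split("kernel: ", 1)[1]}


def parse_portal(line):
    """Normalize a JSON audit record from the web portal."""
    rec = json.loads(line)
    return {"ts": datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "source": "portal", "type": rec["event"], "ip": rec["client_ip"], "detail": rec["user"]}


def normalize_all():
    """Parse every sample line into one list of normalized events."""
    parsed = ([parse_server(l) for l in SERVER_LOG]
              + [parse_firewall(l) for l in FIREWALL_LOG]
              + [parse_portal(l) for l in PORTAL_LOG])
    return [ev for ev in parsed if ev is not None]


def correlate(events, window=WINDOW, min_sources=MIN_SOURCES):
    """Report each IP whose suspicious events span at least `min_sources`
    distinct log sources within `window` of the earliest event in the cluster."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["type"] in SUSPICIOUS_TYPES:
            by_ip[ev["ip"]].append(ev)
    incidents = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=lambda e: e["ts"])
        for start, first in enumerate(evs):
            cluster = [e for e in evs[start:] if e["ts"] - first["ts"] <= window]
            sources = sorted({e["source"] for e in cluster})
            if len(sources) >= min_sources:
                incidents.append({"ip": ip, "sources": sources, "event_count": len(cluster),
                                  "first_seen": cluster[0]["ts"], "last_seen": cluster[-1]["ts"]})
                break  # one incident per IP is enough for this illustration
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize_all()):
        print(f"{inc['ip']}: {inc['event_count']} events across {inc['sources']} "
              f"between {inc['first_seen']:%H:%M:%S} and {inc['last_seen']:%H:%M:%S}")
```

Normalization into one schema is what makes the correlation possible: the three sources disagree on timestamp format, field names and even whether the year is recorded, and none of them alone shows more than a single failure. The single-source events (the lone block from 192.0.2.55, the successful logins) fall below the threshold and never become an incident.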

What are SIEMs Used For

01 Security monitoring

SIEMs help with real-time monitoring of organizational systems for security incidents. A SIEM has a unique perspective on security incidents, because it has access to multiple data sources – for example, it can combine alerts from an IDS with information from an antivirus product. It helps security teams identify security incidents that no individual security tool can see, and helps them focus on alerts from security tools that have special significance.

02 Advanced threat detection

SIEMs can help detect, mitigate and prevent advanced threats, including:

- Malicious insiders – a SIEM can use browser forensics, network data, authentication and other data to identify insiders planning or carrying out an attack
- Data exfiltration (sensitive data illicitly transferred outside the organization) – a SIEM can pick up data transfers that are abnormal in their size, frequency or payload
- Outside entities, including advanced persistent threats (APTs) – a SIEM can detect early warning signals indicating that an outside entity is carrying out a focused attack or long-term campaign against the organization

03 Forensics and incident response

SIEMs can help security analysts realize that a security incident is taking place, triage the event and define immediate steps for remediation. Even if an incident is known to security staff, it takes time to collect data to fully understand the attack and stop it – a SIEM can automatically collect this data and significantly reduce response time. When security staff discover a historic breach or security incident that needs to be investigated, SIEMs provide rich forensic data to help uncover the kill chain, threat actors and mitigation.

04 Compliance reporting and auditing

SIEMs can help organizations prove to auditors and regulators that they have the proper safeguards in place and that security incidents are known and contained. Many early adopters of SIEMs used them for this purpose – aggregating log data from across the organization and presenting it in audit-ready format. Modern SIEMs automatically provide the monitoring and reporting necessary to meet standards like HIPAA, PCI/DSS, SOX, FERPA and HITECH.

SIEM Best Practices

The Infosec Institute suggests 10 best practices for successful implementation of a SIEM platform.

Defining SIEM requirements:

- Define requirements for monitoring, reporting and auditing, consulting all relevant stakeholders before deploying a SIEM.
- Determine the scope of the SIEM – which parts of the infrastructure it will cover, necessary credentials, and log verbosity.
- Define audit data accessibility, retention, how to achieve data integrity, evidentiary rules, and disposal for historical or private data.

Ensure you leverage the SIEM to monitor and report on all of the following:

- Access monitoring – transgression and anomalous access to key resources
- Malware defense – violations, threats, or activity regarding malware controls
- Perimeter defenses – status of perimeter defenses, possible attacks and risky configuration changes
- Application defenses – status, configuration changes, violations and anomalies for web servers, databases and other web app resources
- Resource integrity – critical network resources – status, backups, change management, threats and vulnerabilities
- Acceptable use – status, issues and violations regarding acceptable, mandated or metered use of system resources
- Intrusion detection – incidents reported by intrusion detection, or correlated/inferred using SIEM data

SIEM Evolution

| | Generation I (2005): Early SIEM | Generation II (2010): Big Data SIEM | Generation III (2017): Automation and Machine Learning |
|---|---|---|---|
| Summary | The first SIEMs combined security information management (SIM) and security event management (SEM). They were limited in scale of data managed and supported alerting/visualizations. | An integrated SIEM based on big data infrastructure, managing and correlating historical log data, real-time events and threat intelligence in one place—providing a holistic view of enterprise security data. | Early SIEMs had limited ability to proactively warn about and react to complex security events. New SIEMs perform automated behavioral profiling (UEBA), and can automatically interact with IT and security systems to mitigate incidents (SOAR). |
| Scalability | Scales vertically | Scales horizontally, supporting big data | Based on data lake, unlimited scale |
| Historic data | Partial | Full, with some filtering | Unlimited historic retention including new data sources like the cloud |
| Data collection | Slow manual ingestion of log data | Automated ingestion, data sources limited | Automated ingestion of any data source |
| Threat detection | Manual analysis and alerts based on manual rules | Manual analysis, alerts and dashboards | Automated, based on machine learning and behavioral profiling |
| Incident response | Little or no interface with downstream systems | Limited interface with downstream systems | Integrates with IT and security tools, full SOAR capabilities |
| Dashboards and visualizations | Very limited | Typically limited set of pre-built visualizations | Full business intelligence (BI) data exploration |

Next-Generation SIEMs: The Future is Here

New SIEM platforms provide advanced capabilities such as:

- Complex threat identification – correlation rules can't capture many complex attacks, because they lack context, or can't respond to new types of incidents. With automatic behavioral profiling, SIEMs can detect behavior that suggests a threat.
- Lateral movement – attackers move through a network by using IP addresses, credentials and machines, in search of key assets. By analyzing data from across the network and multiple system resources, SIEMs can detect this lateral movement.
- Entity behavior analysis – critical assets on the network such as servers, medical equipment or machinery have unique behavioral patterns. SIEMs can learn these patterns and automatically discover anomalies that suggest a threat.
- Detection without rules or signatures – many threats facing your network can't be captured with manually-defined rules or known attack signatures. SIEMs can use machine learning to detect incidents without pre-existing definitions.
- Automated incident response – once a SIEM detects a certain type of security event, it can execute a pre-planned sequence of actions to contain and mitigate the incident. SIEMs are becoming full SOAR tools.

An example of a next-generation SIEM is the Exabeam Security Management Platform (SMP), which combines behavioral analytics based on machine learning, cloud connectors, a flexible data lake infrastructure, incident response and threat hunting capabilities. Learn more at exabeam.com/product

02 SIEM Architecture: Technology, Process and Data

In this chapter of the Essential Guide to SIEM, we explain how SIEM systems are built, how they go from raw event data to security insights, and how they manage event data on a huge scale. We cover both traditional SIEM platforms and newer SIEM architecture based on data lake technology.

Security information and event management (SIEM) platforms collect log and event data from security systems, networks and computers, and turn it into actionable security insights. SIEM technology can help organizations detect threats that individual security systems cannot see, investigate past security incidents, perform incident response and prepare reports for regulation and compliance purposes.

In this chapter you will learn:

- The log management process – data collection, data management and historic log retention
- The log flow – from millions of events to a handful of meaningful alerts
- SIEM log sources – security systems, network devices, cloud systems and more
- SIEM hosting models – self-hosted self-managed, cloud-hosted self-managed, hybrid-managed, and fully-managed
- SIEM sizing – event velocity, calculating events per second (EPS) and total event volume, hardware requirements and deployment options, including data lake
- SIEM outputs – reporting, dashboards, visualizations and advanced analytics

12 Components and Capabilities in a SIEM Architecture

01. Data aggregation – Collects and aggregates data from security systems and network devices
02. Threat intelligence feeds – Combines internal data with third-party data on threats and vulnerabilities
03. Correlation and security monitoring – Links events and related data into security incidents, threats or forensic findings
04. Analytics – Uses statistical models and machine learning to identify deeper relationships between data elements
05. Alerting – Analyzes events and sends alerts to notify security staff of immediate issues
06. Dashboards – Creates visualizations to let staff review event data, identify patterns and anomalies
07. Compliance – Gathers log data for standards like HIPAA, PCI/DSS, HITECH, SOX and GDPR and generates reports
08. Retention – Stores long-term historical data, useful for compliance and forensic investigations
09. Forensic analysis – Enables exploration of log and event data to discover details of a security incident
10. Threat hunting – Enables security staff to run queries on log and event data to proactively uncover threats
11. Incident response – Helps security teams identify and respond to security incidents, bringing in all relevant data rapidly
12. SOC automation – Advanced SIEMs can automatically respond to incidents by orchestrating security systems, known as security orchestration, automation and response (SOAR)

The Log Management Process

A SIEM server, at its root, is a log management platform. Log management involves collecting the data, managing it to enable analysis, and retaining historical data.

Data Collection

SIEMs collect logs and events from hundreds of organizational systems (for a partial list, see Log Sources below). Each device generates an event every time something happens, and collects the events into a flat log file or database. The SIEM can collect data in four ways:

01. Via an agent installed on the device (the most common method)
02. By directly connecting to the device using a network protocol or API call
03. By accessing log files directly from storage, typically in Syslog format
04. Via an event streaming protocol like SNMP, Netflow or IPFIX

The SIEM is tasked with collecting data from the devices, standardizing it and saving it in a format that enables analysis.

Next-gen SIEM: Next-generation SIEMs come pre-integrated with common cloud systems and data sources, allowing you to pull log data directly. Many managed cloud services and SaaS applications do not allow you to install traditional SIEM collectors, making direct integration between SIEM and cloud systems critical for visibility.

Data Management

SIEMs, especially at large organizations, can store mind-boggling amounts of data. The data needs to be:

- Stored – either on-premises, in the cloud or both
- Optimized and indexed – to enable efficient analysis and exploration
- Tiered – hot data necessary for live security monitoring should be on high performance storage, whereas cold data, which you may one day want to investigate, should be relegated to high-volume inexpensive storage mediums

Next-gen SIEM: Next-generation SIEMs are increasingly based on modern data lake technology such as Amazon S3, Hadoop or Elasticsearch, enabling practically unlimited data storage at low cost.

Log Retention

Industry standards like PCI DSS, HIPAA and SOX require that logs be retained for between one and seven years. Large enterprises create a very high volume of logs every day from IT systems (see SIEM Sizing below). SIEMs need to be smart about which logs they retain for compliance and forensic requirements. SIEMs use the following strategies to reduce log volumes:

- Syslog servers – Syslog is a standard which normalizes logs, retaining only essential information in a standardized format. Syslog lets you compress logs and retain large quantities of historical data.
- Deletion schedules – SIEMs automatically purge old logs that are no longer needed for compliance.
- Log filtering – not all logs are really needed for the compliance requirements faced by your organization, or for forensic purposes. Logs can be filtered by source system, times, or by other rules defined by the SIEM administrator.
- Summarization – log data can be summarized to maintain only important data elements such as the count of events, unique IPs, etc.

Next-gen SIEM: Historic logs are not only useful for compliance and forensics. They can also be used for deep behavioral analysis. Next-generation SIEMs provide user and entity behavior analytics (UEBA) technology, which uses machine learning and behavioral profiling to intelligently identify anomalies or trends, even if they weren't captured in the rules or statistical correlations of traditional SIEMs. Next-generation SIEMs leverage low-cost distributed storage, allowing organizations to retain full source data. This enables deep behavioral analysis of historic data, to catch a broader range of anomalies and security issues.
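Two of the volume-reduction strategies above, log filtering and summarization, can be made concrete with a few lines of code. This is an added example, not code from the Exabeam guide: the events, their field names and the two drop rules (debug-level records and permitted firewall connections) are constructed for the illustration; a real deployment would derive its rules from the compliance and forensic requirements the section refers to, and the caveat the section itself raises applies: whatever is filtered or summarized is no longer available for the full-fidelity behavioral analysis that next-generation SIEMs perform on retained source data.

```python
"""Log filtering and summarization as retention strategies.

Added example, not code from the Exabeam guide. The events and drop rules
are constructed for the illustration.
"""

# Constructed events already normalized to a common schema (not real data).
RAW_EVENTS = [
    {"ts": "2024-03-04T09:00:01Z", "source": "fw01", "severity": "info", "type": "connection_allowed", "ip": "10.0.0.5"},
    {"ts": "2024-03-04T09:00:02Z", "source": "fw01", "severity": "info", "type": "connection_allowed", "ip": "10.0.0.6"},
    {"ts": "2024-03-04T09:00:03Z", "source": "fw01", "severity": "warning", "type": "connection_blocked", "ip": "203.0.113.7"},
    {"ts": "2024-03-04T09:00:04Z", "source": "fw01", "severity": "debug", "type": "state_table_sync", "ip": "-"},
    {"ts": "2024-03-04T09:30:00Z", "source": "fw01", "severity": "warning", "type": "connection_blocked", "ip": "203.0.113.7"},
    {"ts": "2024-03-04T09:45:00Z", "source": "fw01", "severity": "warning", "type": "connection_blocked", "ip": "198.51.100.9"},
    {"ts": "2024-03-04T10:05:00Z", "source": "app01", "severity": "info", "type": "auth_success", "ip": "10.0.0.50"},
    {"ts": "2024-03-04T10:05:30Z", "source": "app01", "severity": "warning", "type": "auth_failure", "ip": "203.0.113.7"},
    {"ts": "2024-03-04T10:06:00Z", "source": "app01", "severity": "debug", "type": "cache_refresh", "ip": "-"},
    {"ts": "2024-03-04T10:07:00Z", "source": "app01", "severity": "warning", "type": "auth_failure", "ip": "203.0.113.7"},
]


def is_debug_noise(ev):
    """Drop rule 1 (assumed): debug-level chatter has no compliance or forensic value here."""
    return ev["severity"] == "debug"


def is_allowed_traffic(ev):
    """Drop rule 2 (assumed): permitted firewall connections are dropped; blocks are kept."""
    return ev["source"].startswith("fw") and ev["type"] == "connection_allowed"


DEFAULT_RULES = (is_debug_noise, is_allowed_traffic)


def filter_events(events, rules=DEFAULT_RULES):
    """Keep every event that no administrator-defined drop rule matches."""
    return [ev for ev in events if not any(rule(ev) for rule in rules)]


def summarize(events):
    """Collapse events into hourly (source, type) buckets, keeping only the event
    count and the number of unique IPs, as the Summarization bullet describes."""
    buckets = {}
    for ev in events:
        hour = ev["ts"][:13] + ":00Z"  # "2024-03-04T09:00Z" is the hourly bucket
        key = (hour, ev["source"], ev["type"])
        bucket = buckets.setdefault(key, {"count": 0, "ips": set()})
        bucket["count"] += 1
        bucket["ips"].add(ev["ip"])
    return {k: {"count": v["count"], "unique_ips": len(v["ips"])} for k, v in buckets.items()}


def reduction(before, after):
    """Fraction of records removed: 0.4 means 40% fewer records to retain."""
    return 1 - after / before


if __name__ == "__main__":
    kept = filter_events(RAW_EVENTS)
    summary = summarize(kept)
    print(f"filtering: {len(RAW_EVENTS)} -> {len(kept)} events "
          f"({reduction(len(RAW_EVENTS), len(kept)):.0%} removed)")
    print(f"summarization: {len(kept)} -> {len(summary)} rows "
          f"({reduction(len(kept), len(summary)):.0%} removed)")
    for (hour, source, kind), stats in sorted(summary.items()):
        print(f"{hour} {source:6} {kind:20} count={stats['count']} unique_ips={stats['unique_ips']}")
```

The two stages compound: filtering removes records that no rule wants, and summarization then replaces the survivors with per-hour counts and distinct-IP tallies, which is enough for many compliance reports but loses the individual records an investigation would need. Keeping the summaries in hot storage while the raw events age out to a cheaper tier is one way to serve both needs.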

The Log Flow

A SIEM captures 100% of log data from across your organization. But then data starts to flow down the log funnel, and hundreds of millions of log entries can be whittled down to only a handful of actionable security alerts.

SIEMs filter out noise in logs to keep pertinent data only. Then they index and optimize the relevant data to enable analysis. Finally, around 1% of data, which is the most relevant for your security posture, is correlated and analyzed in more depth. Of those correlations, the ones which exceed security thresholds become security alerts.

SIEM Logging Sources

Which organizational systems feed their logs to the SIEM? And which other business data is of interest to a SIEM?

Security Events
- Intrusion detection systems
- Endpoint security (antivirus, anti-malware)
- Data loss prevention
- VPN concentrators
- Web filters
- Honeypots
- Firewalls

Network Logs
- Routers
- Switches
- DNS servers
- Wireless access points
- WAN
- Data transfers
- Private cloud networks

Applications and Devices
- Application servers
- Databases
- Intranet applications
- Web applications
- SaaS applications
- Cloud-hosted servers
- End-user laptops or desktops
- Mobile devices

IT Infrastructure
- Configuration
- Locations
- Owners
- Network maps
- Vulnerability reports
- Software inventory

Next-gen SIEM: Until recently SIEMs couldn't access log and event data from cloud infrastructure like AWS or Microsoft Azure, or SaaS applications like Salesforce and Google Apps. This created a huge blind spot in security monitoring. Some next-generation solutions come with pre-built connectors and SIEM integrations with modern cloud technology.

SIEM Deployment Models

There are many deployment options to consider for SIEM. Here, we look at four common ones.

Traditional SIEM (in house)

This is the traditional SIEM deployment model—host the SIEM in your data center, often with a dedicated SIEM appliance, maintain storage systems, and manage it with trained security personnel. This model made SIEM a notoriously complex and expensive infrastructure to maintain.

Cloud SIEM, Self-Managed (MSSP)

You handle: Correlation, analysis, alerting and dashboards, security processes leveraging SIEM data.
MSSP handles: Receiving events from organizational systems, collection and aggregation.

Self-Hosted, Hybrid-Managed (in house together with MSSP)

You handle: Purchasing software and hardware infrastructure.
MSSP together with your security staff: Deploying SIEM event collection / aggregation, correlation, analysis, alerting and dashboards.

SIEM as a Service (MSSP)

You handle: Defining program goals.
MSSP handles: Event collection, aggregation, correlation, analysis, alerting and dashboards.

Which Hosting Model is Right for You?

The following considerations can help you select a SIEM deployment model:

- Do you have an existing SIEM infrastructure? If you've already purchased the hardware and software, opt for self-hosted self-managed, or leverage an MSSP's expertise to jointly manage the SIEM with your local team.
- Do you have security staff with SIEM expertise? The human factor is crucial in getting true value from a SIEM. If you don't have trained security staff, rent the analysis services via a hybrid-managed or SIEM as a Service model.
- Are you able to move data off-premises? If so, a cloud-hosted or fully managed model can reduce costs and management overhead.

SIEM Sizing: Velocity, Volume and Hardware Requirements

A majority of SIEMs today are deployed on-premises. This requires organizations to carefully consider the size of log and event data they are generating, and the system resources required to manage it.

Calculating Velocity: Events Per Second (EPS)

A common measure of velocity is EPS, defined as:

EPS = (# of security events) / (time period in seconds)

EPS can vary between normal and peak times. For example, a Cisco router might generate 0.6 EPS on average, but during peak times, such as during an attack, it can generate as many as 154 EPS.

According to the SIEM Benchmarking Guide by the SANS Institute, organizations should strike a balance between normal and peak EPS measurements. It's not practical, or necessary, to build a SIEM to handle peak EPS for all network devices, because it's unlikely all devices will hit their peak at once. On the other hand, you must plan for crisis situations, in which the SIEM will be most needed.

A Simple Model for Predicting EPS During Normal and Peak Times

01. Measure Normal EPS and Peak EPS, by looking at 90 days of data for the target system
02. Estimate the Number of Peaks per Day
03. Estimate the Duration in Seconds of a Peak, and by extension, Total Peak Seconds per Day
04. Calculate Total Peak Events per Day = (Total Peak Seconds per Day) * Peak EPS
05. Calculate Total Normal Events per Day = (Total Seconds – Total Peak Seconds per Day) * Normal EPS

The sum of these two numbers is the total estimated velocity. In addition, the SANS guide recommends adding:

- 10% for headroom
- 10% for growth

So that the final number of events per day will be:

(Total Peak Events per Day + Total Normal Events per Day) * 110% headroom * 110% growth

The following table, provided by SANS, shows typical average EPS (normal EPS) and peak EPS for selected network devices. The data is several years old but can provide ballpark figures for your initial estimates.

[Table: typical normal EPS and peak EPS for selected network devices. Source: SANS Institute]

In order to size your SIEM, conduct an inventory of the devices you intend to collect logs from. Multiply the number of similar devices by their estimated EPS, to get a total number of Events Per Day across your network.

Storage Needs

A rule of thumb is that an average event occupies 300 bytes. So for every 1,000 EPS (86.4 million events per day), the SIEM needs to store:

[Figure: daily storage volume at 1,000 EPS, based on the 300-bytes-per-event rule of thumb]
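The five-step velocity model, the headroom and growth uplifts, the device-inventory multiplication and the 300-bytes-per-event storage rule from the two passages above fit together into one small sizing calculator. This is an added example, not code from the Exabeam guide or the SANS guide: the router's 0.6 normal and 154 peak EPS are the figures quoted in the text, while the number of peaks per day, the peak duration, the device count and the 1:8 compression ratio are assumptions chosen for the illustration.

```python
"""EPS-based SIEM sizing: the SANS-style daily event model plus the chapter's
300-bytes-per-event storage rule of thumb.

Added example, not code from the Exabeam or SANS guides. Peaks per day, peak
duration, device count and compression ratio are assumptions.
"""

SECONDS_PER_DAY = 86_400
BYTES_PER_EVENT = 300   # rule of thumb quoted in the chapter
HEADROOM = 0.10         # SANS: +10% headroom
GROWTH = 0.10           # SANS: +10% growth


def events_per_second(event_count, period_seconds):
    """EPS = number of security events / time period in seconds."""
    return event_count / period_seconds


def daily_events(normal_eps, peak_eps, peaks_per_day, peak_duration_s,
                 headroom=HEADROOM, growth=GROWTH):
    """Steps 02-05 of the model, then the headroom and growth uplifts."""
    peak_seconds = peaks_per_day * peak_duration_s                 # step 03
    peak_events = peak_seconds * peak_eps                          # step 04
    normal_events = (SECONDS_PER_DAY - peak_seconds) * normal_eps  # step 05
    total = (peak_events + normal_events) * (1 + headroom) * (1 + growth)
    return {"peak_events": peak_events, "normal_events": normal_events, "total_events": total}


def daily_storage_bytes(events_per_day, bytes_per_event=BYTES_PER_EVENT, compression_ratio=1.0):
    """Bytes per day; compression_ratio=8 models a vendor's advertised 1:8."""
    return events_per_day * bytes_per_event / compression_ratio


def retention_bytes(events_per_day, retention_days, **kwargs):
    """Total bytes needed to keep `retention_days` of history at a steady daily volume."""
    return daily_storage_bytes(events_per_day, **kwargs) * retention_days


def size_inventory(devices):
    """Sum the daily estimate over an inventory: device count times the per-device model."""
    total = 0.0
    for dev in devices:
        est = daily_events(dev["normal_eps"], dev["peak_eps"],
                           dev["peaks_per_day"], dev["peak_duration_s"])
        total += dev["count"] * est["total_events"]
    return total


def fmt_gb(n_bytes):
    """Decimal gigabytes, two places."""
    return f"{n_bytes / 1e9:,.2f} GB"


if __name__ == "__main__":
    # Router EPS from the text (0.6 normal, 154 peak); peaks, duration and count are assumptions.
    router = {"name": "Cisco router", "count": 10, "normal_eps": 0.6, "peak_eps": 154,
              "peaks_per_day": 2, "peak_duration_s": 300}
    one = daily_events(0.6, 154, 2, 300)
    print(f"one router: {one['total_events']:,.0f} events/day after headroom and growth")
    fleet = size_inventory([router])
    print(f"10 routers: {fleet:,.0f} events/day, {fmt_gb(daily_storage_bytes(fleet))}/day raw")
    # The chapter's storage rule: 1,000 EPS is 86.4 million events per day.
    per_day = 1000 * SECONDS_PER_DAY
    print(f"1,000 EPS: {per_day:,} events/day -> {fmt_gb(daily_storage_bytes(per_day))} raw, "
          f"{fmt_gb(daily_storage_bytes(per_day, compression_ratio=8))} at 1:8")
    print(f"one year at 1,000 EPS, 1:8 compression: "
          f"{fmt_gb(retention_bytes(per_day, 365, compression_ratio=8))}")
```

Two things the numbers make visible: with the assumed two five-minute peaks, the router's peak traffic contributes more events per day than its remaining 23 hours and 50 minutes of normal traffic, which is why the text insists on planning for crisis periods; and at 1,000 EPS the rule of thumb works out to about 25.92 GB of raw events per day, so a multi-year retention requirement is a storage-tier decision as much as a capacity one.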

Hardware Sizing

After you determine your event velocity and volume, consider the following factors to size hardware for your SIEM:

- Storage format – how will files be stored? Using a flat file format, a relational database or an unstructured data store like Hadoop?
- Storage deployment and hardware – is it possible to move data to the cloud? If so, cloud services like Amazon S3 and Azure Blob Storage will be highly attractive for storing most SIEM data. If not, consider what storage resources are available locally, and whether to use commodity storage with Hadoop or NoSQL DBs, or high performance storage appliances.
- Log compression – what technology is available to compress log data? Many SIEM vendors advertise compression ratios of 1:8 or more.
- Encryption – is there a need to encrypt data as it enters the SIEM data store? Determine software and hardware requirements.
- Hot storage (short-term data) – needs high performance to enable real time monitoring and data analysis.
- Long-term storage (data retention) – needs high volume, low cost storage media to enable maximum retention of historic data.
- Failover and backup – as a mission critical system, the SIEM should be built with redundancy, and be backed by a clear business continuity plan.
