[ManageEngine] what is Siem

SIEM On behalf of the security 、 Information and event management （ Security,Information, andEventManagement）.SIEM Technology will log data 、 Security alerts and events are aggregated into a centralized platform , For safety monitoring ​​ For real-time analysis .

SIEM Include ：

• Security information management (SIM): SIM A collection involving all network activities . This includes slave servers 、 A firewall 、 domain controller 、 Router 、 The log data collected by the database and network stream , And unstructured data in the network , E-mail . Two techniques can be used to collect log data , That is, agent-free collection and agent-based collection .
• Agent based log collection ： This approach requires an agent to be deployed on each device . Agent collects logs , Then return the log to SIEM The server analyzes and filters it before . This technology is mainly used in closed and secure networks , For example, the demilitarized zone with limited communication (DMZ).
• Agentless log collection ： This is a more common method ,SIEM The server uses a secure communication channel ( For example, a specific port using a security protocol ) Automatically collect logs generated by the device .
• Security incident management (SIEM): SIEM It refers to the analysis of collected data . Use a variety of techniques to analyze data , Send alarm , and / Or start the workflow for any abnormal behavior .

The analysis process includes :

1. Log Association ： Analyze all collected data , And correlate the logs , To detect any attack patterns . Log data can also be associated with threat sources , To test compromise indicators (IOC).
2. Threat Intelligence ： Context threat information is used to detect any intrusion in the network 、 Lateral movement or data leakage .
3. User behavior analysis based on machine learning ： Machine learning algorithms and analysis tools can form a baseline for user behavior patterns . If the behavior deviates ,SIEM The solution will detect an exception , sound the alarm , Timely take precautions against security threats .

The data obtained by the above technology will be presented in the form of bar chart or pie chart , This makes IT Security administrators can be faster 、 Making decisions easier .

SIEM Classic application scenarios for brute force cracking ：

Enter the incorrect network access password five times in one minute . This is considered a low priority attack , Because the user may have entered the wrong password many times .
Now think about what happens if you type 240 Wrong password for times . Then this is most likely a violent attack , Hackers are trying to crack your account .

SIEM How to trigger the alarm ：

• Enter the wrong password within one minute n Times will show ： Login failed , event ID 4625
• stay n Entering the correct password after failed attempts will display ： Login successful , event ID 4624
• Give an alarm ： There may be violent attacks on the network .

SIEM Software can detect such violent attacks , notice IT Security administrator , And automatically start the workflow to lock the account and isolate the computer where the event occurs .

EventLog Analyzer Is a log management and analysis tool , Can achieve fast 、 Easily detect cyber threats . This kind of SIEM The solution can identify any IT Log generated by resources and visual analysis . It can be easily extended to any IT The network environment , Resist any internal or external threats .