We tend to rely on many stand-alone systems to analyze processes that are hard to understand in isolation, but thorough log analysis and a big-picture view of what all those systems do together is just as important.
Let’s talk about SECURITY INFORMATION & EVENT MANAGEMENT, or SIEM for short. Such systems collect and analyze information from as many sources as possible, such as DLP systems, IPS, routers, firewalls, user workstations, servers and so on. Practical examples of threats that can only be identified correctly by a SIEM:
- APT attacks, relevant for companies holding valuable information. A SIEM is perhaps the only way to detect the beginning of such an attack: while researching the infrastructure, attackers generate traffic at many different points, and this activity becomes visible only to a security event correlation system such as a SIEM.
- Detection of various anomalies in the network and on individual nodes, an analysis that is out of reach for other systems
- Response to emergency situations and rapid changes in user behavior
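The list above is the whole argument for a SIEM: each system sees only its own slice, and the threat is visible only when the slices are correlated. The following is an added example (not code from the original post or from any SIEM product) that shows this in miniature. It normalises constructed firewall, IPS and SSH authentication log lines into one event stream, then runs two correlation rules: one that flags a source address touching many hosts as seen by several different systems within a short window (the "research the infrastructure" traffic from the first bullet), and one that flags a successful login from an unknown address or outside business hours (the "rapid change in user behavior" from the last bullet). All hostnames, addresses, users, the `KNOWN_USER_IPS` baseline and the thresholds are invented for the example.

```python
"""Minimal SIEM-style correlation over constructed log lines (added example, not from the original page)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines from three separate systems. Hosts, IPs and users are invented.
FIREWALL_LOG = """\
2024-05-01T02:11:03 fw01 DENY src=10.9.8.7 dst=10.1.0.10 dport=445
2024-05-01T02:11:09 fw01 DENY src=10.9.8.7 dst=10.1.0.11 dport=445
2024-05-01T02:12:40 fw01 ALLOW src=10.9.8.7 dst=10.1.0.20 dport=22
2024-05-01T09:00:01 fw01 ALLOW src=10.2.3.4 dst=10.1.0.20 dport=443
"""
IPS_LOG = """\
2024-05-01T02:13:15 ips01 ALERT sig=SMB-share-enum src=10.9.8.7 dst=10.1.0.12
"""
AUTH_LOG = """\
2024-05-01T02:14:02 srv20 sshd: Failed password for alice from 10.9.8.7
2024-05-01T02:14:20 srv20 sshd: Accepted password for alice from 10.9.8.7
2024-05-01T09:05:11 srv20 sshd: Accepted password for alice from 10.2.3.4
"""

@dataclass
class Event:
    ts: datetime
    source: str      # which system produced the line
    src_ip: str
    dst: str         # target host or IP
    kind: str        # normalised event type
    user: str = ""

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=\d+$")
IPS_RE = re.compile(r"^(\S+) (\S+) ALERT sig=(\S+) src=(\S+) dst=(\S+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse_all():
    """Normalise the three log formats into one time-ordered event stream."""
    events = []
    for line in FIREWALL_LOG.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst = m.groups()
            events.append(Event(datetime.fromisoformat(ts), host, src, dst, "fw_" + action.lower()))
    for line in IPS_LOG.splitlines():
        m = IPS_RE.match(line)
        if m:
            ts, host, sig, src, dst = m.groups()
            events.append(Event(datetime.fromisoformat(ts), host, src, dst, "ips_" + sig))
    for line in AUTH_LOG.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            # The logging server itself is the target of a login attempt.
            events.append(Event(datetime.fromisoformat(ts), host, src, host, "login_" + result.lower(), user))
    events.sort(key=lambda e: e.ts)
    return events

def hosts_seen_by(events, source):
    """Distinct targets one system alone saw per source IP: the stand-alone view."""
    seen = defaultdict(set)
    for e in events:
        if e.source == source:
            seen[e.src_ip].add(e.dst)
    return {ip: len(h) for ip, h in seen.items()}

def recon_alerts(events, window=timedelta(minutes=15), min_hosts=4, min_sources=2):
    """Flag a source IP that touches many distinct hosts, reported by several systems, within one window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src_ip].append(e)
    alerts = []
    for src_ip, evs in by_src.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            hosts = {e.dst for e in in_window}
            sources = {e.source for e in in_window}
            if len(hosts) >= min_hosts and len(sources) >= min_sources:
                alerts.append({"rule": "cross_source_recon", "src_ip": src_ip,
                               "hosts": sorted(hosts), "sources": sorted(sources)})
                break  # one alert per source IP is enough
    return alerts

KNOWN_USER_IPS = {"alice": {"10.2.3.4"}}  # constructed baseline: alice's usual workstation
BUSINESS_HOURS = range(8, 18)             # assumed working hours, 08:00-17:59

def behaviour_alerts(events):
    """Flag successful logins from an address outside the user's baseline or outside business hours."""
    alerts = []
    for e in events:
        if e.kind != "login_accepted":
            continue
        reasons = []
        if e.src_ip not in KNOWN_USER_IPS.get(e.user, set()):
            reasons.append("unknown_source_ip")
        if e.ts.hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if reasons:
            alerts.append({"rule": "user_behaviour", "user": e.user, "src_ip": e.src_ip,
                           "ts": e.ts.isoformat(), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    evs = parse_all()
    print("firewall alone sees:", hosts_seen_by(evs, "fw01"))
    for alert in recon_alerts(evs) + behaviour_alerts(evs):
        print(alert)
```

The firewall on its own sees the suspicious address reach only three hosts, below the recon threshold, and the IPS and the server each see a single event; only the merged stream crosses the threshold, which is the point of the first bullet. In a real deployment the thresholds and the per-user baseline would come from the SIEM's asset and identity data rather than from constants, and the host identifiers from different sources would be resolved to one asset before counting.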