SIEM – CompTIA Network+ N10-006 – 2.1

A security information and event management console can provide extensive information about the security and performance of your network. In this video, you’ll learn about SIEM functionality and how you can use a SIEM for network management.


If you’re managing a relatively large network, you’re probably going to want to use a SIEM. A SIEM is a security information and event management system. Although it says security in the name, it can also be used to gather a lot of really good network metrics. A SIEM can be used to gather security details like security breaches and login information. It can also be used to aggregate logs from, really, any device. That can be switches and routers and servers and firewalls, and anything else that communicates using syslog back to the SIEM. It can also store these logs over a very long period of time, allowing you to create some interesting long-term reports and queries.

Because the SIEM is collecting data from many different devices, you can really perform some interesting data correlations. You can look at an increase in utilization on a switch, examine some data that may have been coming through the firewall at that time frame, and examine what was happening inside of a server with the processes while that utilization was spiking. You can also go back in time and really perform some forensics, understand when an event occurred, all of the things that led up to that event, and all of the things that occurred while that event was taking place.

A SIEM is able to receive information from all of these different devices using a standard format. The standard format is called syslog, which stands for system log, and it’s one that is used in so many different devices. If you’re configuring a firewall or a server or a switch, they all have the capability to take their very specific metrics and send them in a standardized format back to the SIEM using syslog.

The SIEM is generally going to be your data consolidation point. All of the logs are going to be collected by the end devices, packaged up into syslog format, and sent down to the centralized log receiver. So it’s going to be very important that your SIEM have as much hard drive space as possible. There’s never going to be enough. And the more hard drive space you have, the longer you’ll be able to go back in time to examine raw logs, consolidate information, or produce reports.

Here’s an example of some logs that were received by a SIEM. It looks like all of these logs were from a Windows device, and they look like they are the security logs. You can see things like a process has exited. There was a successful network logon. Here’s one where a new process has been created. It gives me the process ID number, and I can see that it was CMD.exe that created this particular process. I can see the user name, and there’s a log entry for every single event that happened on that particular device.
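The correlation described above (a switch utilization spike, firewall traffic in the same time frame, and Windows security events on the server) as an added worked example in Python. This is not code from the video or from any SIEM product: the five log lines are constructed, the host names, addresses, the Windows 4688/4624/4689 message layout and the assumed year for RFC 3164 timestamps (which carry no year) are all assumptions made for the illustration.

```python
"""Normalize syslog from several device types and correlate the events.

Added example, not code from the original video. The sample log lines
are constructed; host names, addresses and field layouts are assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample of what a SIEM's syslog receiver might see: an RFC 3164 line
# from a switch, an RFC 5424 line from a firewall, and Windows Security events
# forwarded by an agent in RFC 3164 framing (event IDs 4688, 4624, 4689).
SAMPLE_LOGS = [
    "<189>Mar 14 10:02:01 sw-core1 PORT-5-IF_UTIL: GigabitEthernet1/0/24 utilization 92%",
    "<14>1 2015-03-14T10:02:03Z fw-edge1 filterlog - - - ACCEPT TCP 203.0.113.7:51522 -> 10.0.0.5:445",
    "<14>Mar 14 10:02:05 srv-file1 Security: 4688 A new process has been created. Subject: CORP\\jdoe "
    "New Process ID: 0x1a4c New Process Name: C:\\Windows\\System32\\cmd.exe",
    "<14>Mar 14 10:02:06 srv-file1 Security: 4624 An account was successfully logged on. Logon Type: 3 "
    "Account Name: jdoe Source Network Address: 203.0.113.7",
    "<14>Mar 14 10:30:00 srv-file1 Security: 4689 A process has exited. Process ID: 0x1a4c",
]

# RFC 3164 (BSD) framing: <PRI>Mmm dd hh:mm:ss HOST MSG
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
# RFC 5424 framing: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG (SD is "-" in the sample)
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$")
# Device-specific message bodies (assumed layouts, see lead-in)
WIN_EVENT = re.compile(r"^Security: (\d+) (.*)$")
WIN_FIELD = re.compile(
    r"(New Process ID|New Process Name|Process ID|Logon Type|Account Name|Source Network Address): (\S+)")
FW_RULE = re.compile(r"^(ACCEPT|DROP) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")
UTIL = re.compile(r"utilization (\d+)%")


@dataclass
class Event:
    ts: datetime
    host: str
    facility: int   # PRI // 8
    severity: int   # PRI % 8
    msg: str
    fields: dict = field(default_factory=dict)


def parse_syslog(line: str, year: int = 2015) -> Event:
    """Parse one line in either framing; RFC 3164 carries no year, so one is assumed."""
    m = RFC3164.match(line)
    if m:
        pri, stamp, host, msg = m.groups()
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
    else:
        m = RFC5424.match(line)
        if not m:
            raise ValueError("not a syslog line: %r" % line)
        pri, stamp, host, _app, _pid, _msgid, _sd, msg = m.groups()
        ts = datetime.strptime(stamp.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
    pri = int(pri)
    ev = Event(ts, host, pri // 8, pri % 8, msg)
    w = WIN_EVENT.match(msg)              # Windows Security event: ID plus key/value fields
    if w:
        ev.fields["event_id"] = int(w.group(1))
        ev.fields.update(dict(WIN_FIELD.findall(w.group(2))))
    f = FW_RULE.match(msg)                # firewall: action, protocol, 5-tuple
    if f:
        ev.fields.update(action=f.group(1), proto=f.group(2), src=f.group(3),
                         dst=f.group(5), dport=int(f.group(6)))
    u = UTIL.search(msg)                  # switch: interface utilization percentage
    if u:
        ev.fields["utilization"] = int(u.group(1))
    return ev


def correlate_window(events, trigger, window=timedelta(seconds=30)):
    """Events from other hosts within +/- window of a trigger event."""
    lo, hi = trigger.ts - window, trigger.ts + window
    return [e for e in events if e is not trigger and e.host != trigger.host and lo <= e.ts <= hi]


def process_lifetimes(events):
    """Pair 4688 (created) with 4689 (exited) by host and PID; value is (image, seconds alive)."""
    started, lifetimes = {}, {}
    for e in sorted(events, key=lambda e: e.ts):
        eid = e.fields.get("event_id")
        if eid == 4688:
            started[(e.host, e.fields["New Process ID"])] = e
        elif eid == 4689 and (e.host, e.fields["Process ID"]) in started:
            s = started.pop((e.host, e.fields["Process ID"]))
            lifetimes[(e.host, e.fields["Process ID"])] = (
                s.fields.get("New Process Name"), (e.ts - s.ts).total_seconds())
    return lifetimes


def logons_seen_at_firewall(events):
    """Match network logons (4624) to firewall ACCEPTs from the same source address."""
    accepts = [e for e in events if e.fields.get("action") == "ACCEPT"]
    return [(e.fields.get("Account Name"), a.fields["src"], a.fields["dport"], e.ts - a.ts)
            for e in events if e.fields.get("event_id") == 4624
            for a in accepts if a.fields["src"] == e.fields.get("Source Network Address")]


def analyze(lines=SAMPLE_LOGS, threshold=80):
    events = [parse_syslog(line) for line in lines]
    spikes = [e for e in events if e.fields.get("utilization", 0) >= threshold]
    return {
        "events": len(events),
        "spike_related": [(e.host, e.msg) for e in correlate_window(events, spikes[0])] if spikes else [],
        "lifetimes": process_lifetimes(events),
        "logons": logons_seen_at_firewall(events),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

Two things the example makes concrete: the two syslog framings carry different timestamp information (the BSD form has no year and no time zone, so the receiver has to supply both, and clock skew between devices directly limits how tight a correlation window can be), and the per-device message bodies are free text, so the SIEM's parsing rules are what turn them into fields that can be joined across hosts.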

And, of course, we can decide how much or how little to send down to syslog. But the more information we’re able to put into the SIEM’s database, the more details we’ll have in all of our reports.

Instead of looking through log files, you usually will have a dashboard that you can view in the SIEM. It will do the hard part of examining the data as it’s coming through, and it will generally give you a real-time perspective of things like the events, the logging, the utilization, and the traffic patterns that you see traversing the network.

And, of course, if you wanted to do long-term reports, those are usually available in the SIEM as well. Here’s a security report from the information that came through. And by examining the short-term and long-term views, you can now get a better understanding of exactly what’s happening on your network.