Describe the SIEM process
Give one example all the way through
For example, start with an email and the log file collected by the Exchange (Outlook) mail server
Assessment
Report
SIEM process:
• collects log and event data
• combines information from different sources into a centralised platform (for example, anti-virus and firewall)
• analyses and categorises the data
• identifies threats and generates alerts
• defines threat levels:
  Level 1 - Low Threat
  Level 2 - Moderate
  Level 3 - High
  Level 4 - Critical Threat
The Security Information and Event Management (SIEM) process is a bit like setting up a really advanced security system for a house. Instead of just a simple door alarm, imagine you have cameras, motion sensors, and a 24/7 security team that checks all the data. Here's how the SIEM process works, broken down into easy-to-understand steps:
Step 1: Data collection
What Happens: SIEM gathers data from a bunch of different places like computers, network devices, and applications.
Think of It Like: Installing cameras and motion sensors all over your house to keep an eye on things.
Step 2: Normalization
What Happens: All the gathered data is in different formats, so SIEM makes it all "speak the same language." This way, it's easier to understand and analyze.
Think of It Like: If your cameras recorded video in different formats, you'd convert them all to one common format to make it easier to watch.
Step 3: Storage
What Happens: The normalized data is stored so it can be analyzed later if needed.
Think of It Like: Saving all the recorded video and sensor data on a big hard drive so you can go back and look at it later.
Step 4: Real-time monitoring
What Happens: SIEM constantly scans the data as it comes in to catch any weird or suspicious activity.
Think of It Like: Having a security team that watches the live feed from your cameras to catch any intruders as they try to break in.
Step 5: Correlation
What Happens: SIEM links related records from different sources and identifies patterns that might indicate a security issue.
Think of It Like: If the front door and a window are both forced open, the security team would connect the dots and realize it's probably a break-in.
Step 6: Alerting
What Happens: If SIEM finds something suspicious, it sends out an alert.
Think of It Like: The security team sounding an alarm or calling you when they see something strange happening.
Step 7: Dashboards and reporting
What Happens: SIEM provides dashboards and reports that summarize what's going on. This is helpful for both real-time monitoring and looking back at past events.
Think of It Like: You have an app on your phone that shows you a quick summary of all your security data and any alerts.
Step 8: Investigation
What Happens: If something bad does happen, you can use the stored data for a deep dive to figure out exactly what went wrong.
Think of It Like: If there was a break-in, you could review all the video and sensor data to figure out how it happened.
Step 9: Response
What Happens: Based on the analysis and alerts, actions are taken to deal with any security issues. This could be blocking an IP address or changing security settings.
Think of It Like: If you catch an intruder, you'd call the police and maybe also add extra locks or security measures.
By going through all these steps, SIEM helps make sure that a network is as secure as possible, spotting and dealing with any issues before they can turn into big problems.
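The assignment asks for one example carried all the way through, starting from an email. The following Python script is an added example written for these notes, not code from any SIEM product: it takes constructed log lines from three sources (a mail server, an antivirus agent and a firewall), normalises them into one schema, stores them in time order, correlates them on host and attachment name within a ten-minute window, assigns one of the four threat levels listed above, and produces a summary report. The log lines, host names, addresses, the `USER_TO_HOST` asset inventory, the `ORG_DOMAIN` value and the ten-minute window are all assumptions made up for the example; the correlation rules are illustrative, not a standard rule set.

```python
# Added example, not from the original notes: a toy SIEM pipeline that walks one
# phishing e-mail through collection, normalisation, storage, correlation,
# alerting and reporting. Every log line, host, address and the asset inventory
# below is constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import re

ORG_DOMAIN = "corp.test"                                  # constructed: our own mail domain
USER_TO_HOST = {"alice": "WS-ALICE", "bob": "WS-BOB"}     # constructed asset inventory
LEVEL_NAMES = {1: "Low Threat", 2: "Moderate", 3: "High", 4: "Critical Threat"}
WINDOW = timedelta(minutes=10)                            # max gap between records we link

# Step 1, collection: raw lines as three different products might write them (constructed).
SAMPLE_LOGS = {
    "exchange": [
        "2024-05-01T09:00:01 MSGID=101 FROM=billing@invoices.example TO=alice@corp.test SUBJECT='Invoice overdue' ATTACH=invoice.zip",
        "2024-05-01T09:00:05 MSGID=102 FROM=hr@corp.test TO=alice@corp.test SUBJECT='Lunch menu' ATTACH=",
        "2024-05-01T09:01:40 MSGID=103 FROM=sales@vendor.example TO=bob@corp.test SUBJECT='Brochure' ATTACH=brochure.pdf",
    ],
    "antivirus": [
        "2024-05-01T09:02:10 host=WS-ALICE action=quarantine file=invoice.zip verdict=Trojan.Generic",
    ],
    "firewall": [
        "2024-05-01T09:03:30 src=10.0.0.15 dst=203.0.113.9 dport=443 action=deny host=WS-ALICE",
    ],
}

@dataclass
class Event:          # Step 2, normalisation: one schema for every source
    ts: datetime
    source: str
    host: str         # workstation the record is about
    action: str       # deliver | quarantine | allow | deny
    artifact: str     # attachment name, quarantined file, or destination IP
    actor: str = ""   # sender address, AV verdict, or source IP
    raw: str = ""     # original line, kept for the investigation step

MAIL_RE = re.compile(r"^(\S+) MSGID=\d+ FROM=(\S+) TO=(\S+) SUBJECT='[^']*' ATTACH=(\S*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def normalise(source: str, line: str) -> Optional[Event]:
    """Parse one raw line from the named product into the common Event schema."""
    if source == "exchange":
        m = MAIL_RE.match(line)
        if not m:
            return None
        ts, sender, rcpt, attach = m.groups()
        mailbox = rcpt.split("@")[0]               # map mailbox -> workstation via inventory
        return Event(datetime.fromisoformat(ts), source, USER_TO_HOST.get(mailbox, mailbox),
                     "deliver", attach, actor=sender, raw=line)
    ts, _, rest = line.partition(" ")
    f = dict(KV_RE.findall(rest))
    if source == "antivirus":
        return Event(datetime.fromisoformat(ts), source, f["host"], f["action"], f["file"],
                     actor=f.get("verdict", ""), raw=line)
    if source == "firewall":
        return Event(datetime.fromisoformat(ts), source, f["host"], f["action"], f["dst"],
                     actor=f.get("src", ""), raw=line)
    return None

def collect_and_store(logs: dict) -> list:
    """Steps 1-3: normalise every line from every source and keep them in time order."""
    events = [normalise(src, line) for src, lines in logs.items() for line in lines]
    return sorted((e for e in events if e), key=lambda e: e.ts)

@dataclass
class Alert:
    level: int
    name: str
    host: str
    reasons: list

def within(later: Event, earlier: Event) -> bool:
    """True if `later` happened after `earlier` and inside the correlation window."""
    return timedelta(0) <= later.ts - earlier.ts <= WINDOW

def correlate(events: list) -> list:
    """Steps 4-6: link records across sources and assign one of the four threat levels."""
    alerts, used = [], set()
    mails = [e for e in events if e.source == "exchange" and e.artifact
             and not e.actor.endswith("@" + ORG_DOMAIN)]          # external sender with attachment
    quarantines = [e for e in events if e.source == "antivirus" and e.action == "quarantine"]
    denies = [e for e in events if e.source == "firewall" and e.action == "deny"]
    for mail in mails:
        level = 1                                                  # attachment from outside, nothing more yet
        reasons = [f"external sender {mail.actor} delivered {mail.artifact} to {mail.host}"]
        hit = next((q for q in quarantines if q.host == mail.host
                    and q.artifact == mail.artifact and within(q, mail)), None)
        if hit:
            level, _ = 3, used.add(id(hit))                        # delivery vector plus confirmed malware
            reasons.append(f"antivirus quarantined {hit.artifact} on {hit.host} ({hit.actor})")
            deny = next((d for d in denies if d.host == hit.host and within(d, hit)), None)
            if deny:
                level = 4                                          # host then tried to reach out and was blocked
                reasons.append(f"firewall denied {deny.actor} -> {deny.artifact} after quarantine")
        alerts.append(Alert(level, LEVEL_NAMES[level], mail.host, reasons))
    for q in quarantines:                                          # malware seen with no e-mail to explain it
        if id(q) not in used:
            alerts.append(Alert(2, LEVEL_NAMES[2], q.host,
                                [f"antivirus quarantined {q.artifact} on {q.host}, vector unknown"]))
    return alerts

def report(alerts: list) -> dict:
    """Step 7, dashboard summary: number of alerts at each threat level."""
    return {LEVEL_NAMES[lvl]: sum(a.level == lvl for a in alerts) for lvl in LEVEL_NAMES}

def run(logs: dict = SAMPLE_LOGS) -> list:
    """Whole pipeline on one batch of logs; highest threat level first."""
    return sorted(correlate(collect_and_store(logs)), key=lambda a: -a.level)

if __name__ == "__main__":
    alerts = run()
    for a in alerts:
        print(f"Level {a.level} - {a.name}: {a.host}")
        for r in a.reasons:
            print("   ", r)
    print(report(alerts))
```

Run on the sample data, the invoice email becomes a Level 4 alert because all three sources line up on the same host within the window (email with attachment, antivirus quarantine of that attachment, then a blocked outbound connection), while the brochure email stays at Level 1 because nothing else corroborates it. The internal lunch email produces no alert at all. The `raw` field on each event is what an analyst would pull back up in the investigation step.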
Malware Analysis