Security information and event management (SIEM)

• Security information and event management

Security Information and Event Management (SIEM) solutions are a combination of the formerly disparate product categories of SIM (security information management) and SEM (security event manager).
SIEM technology provides real-time analysis of security alerts generated by network hardware and applications.
SIEM solutions come as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes
http://en.wikipedia.org/wiki/Security_information_and_event_management

• Security event manager

A security event manager (SEM) is a computerized tool used on enterprise data networks to centralize the storage and interpretation of logs, or events, generated by other software running on the network


Many systems and applications which run on a computer network generate events which are kept in event logs. These logs are essentially lists of activities that occurred, with records of new events being appended to the end of the logs as they occur. Protocols, such as Syslog and SNMP, can be used to transport these events, as they occur, to logging software that is not on the same host on which the events are generated


http://en.wikipedia.org/wiki/Security_event_manager

• Security information management

Security information management (SIM) is the industry-specific term in computer security referring to the collection of data (typically log files; e.g. eventlogs) into a central repository for trend analysis

Most famous editors and solutions in the SIM/SEM Marketplace


    Alcatel-Lucent OA Safeguard
    Araknos Akab2
    BlackStratus Netforensics
    Cisco Cisco Security Manager
    Correlog Correlog Solution Suite
    CS Prelude/Vigilo
    EMC2 RSA Security
    HP ArcSight
    LogLogic Enterprise Virtual Appliance (formerly Exaprotect)
    LogRhythm SIEM 2.0 Security Intelligence
    NetIQ Security Manager
    NitroSecurity McAfee Enterprise Security Manager
    Novell Sentinel
    Q1 Labs Qradar (an IBM Company)
    SenSage Advanced SIEM and Log Management
    Splunk Splunk
    Symantec Security Information Manager
    TrustWave Intellitactics Security Manager for SIEM

http://en.wikipedia.org/wiki/Security_information_management

• OSSIM, the Open Source SIEM

OSSIM is the most widely used SIEM offering, thanks in no small part to the open source community that has promoted its use. OSSIM provides all of the capabilities that a security professional needs from a SIEM offering, event collection, normalization, correlation, and incident response - but it also does far more. Not simply satisfied with integrating data from existing security tools, OSSIM is built on the Unified Security Management platform which provides a common framework for the deployment, configuration, and management of your security tools
http://communities.alienvault.com/

• OSSIM

Open Source Security Information Management (OSSIM) provides a Security Information and Event Management (SIEM) solution. It is a one-stop solution and integrated the open source software’s NTOP, Mrtg, Snort, OpenVAS, and Nmap. OSSIM is a cost-effective solution in the area of monitoring network health and security of network/hosts compared to other propriety products.

OSSIM, AlienVault’s Open Source Security Information and Event Management (SIEM) product, provides you with a feature-rich open source SIEM complete with event collection, normalization, and correlation.
https://www.alienvault.com/products/ossim

• Security Information and Event Management (SIEM) solutions

Security Information and Event Management (SIEM) solutions are a combination of the formerly disparate product categories of SIM (security information management) and SEM (security event manager)

SIEM technology provides real-time analysis of security alerts generated by network hardware and applications

http://en.wikipedia.org/wiki/Security_information_and_event_management

• Eyes on Glass: End to End Monitoring

Organizations’ IT Infrastructure will function best when a continuous set of “eyes” are closely analyzing its health and availability; and proactively identifying the issues that keep the business up and running.
What plays a pivotal role in defining an overall IT monitoring strategy is ensuring a healthy data center along with end user experience coverage.
https://www.zensar.com/blogs/2015/12/eyes-on-glass-end-to-end-monitoring/

• Next Generation SOC

The Techniques, Tactics and Procedures – The Cyber Kill Chain
real-time “eyes on glass” monitoring
http://www.itip.ph/uploads/events_files/IBM_SOC.pAp%E0%9C%90%9C%8C%81P%EC%3C%BFi%B3Y9%06a%D2%94%01%FF*Z%E3T%89R425%5B,%0C%C3%B2,%07%BD%8Ae%19%86%B1X%CC&%93%8C)%1F%CE%D7%9C%18%14%8B%EA%F4z%03F%A5i%23%CE%04%AD%25%B3%D04EQ%06%05S%5Bs)%8AH%91)B%D5cW%25

• WHAT IS A MSSP (MANAGED SECURITY SERVICES PROVIDER?

A managed security service provider (MSSP) is an IT service provider that provides an organization with information security, cybersecurity monitoring and management, which may include policy development, security operation center, compliance services, incident response service, Virtual CISO, risk management program, vulnerability testing, penetration testing, security training and awareness, virus and spam blocking, intrusion detection, firewalls and virtual private network (VPN) management

MSSP technology offerings may include deploying, configuring, and/or managing the following technologies:

Intrusion prevention systems (IPS)
Web content filtering
Anti-virus (AV),
Anti-spam
Firewalls (UTMs, NGFWs, etc.)
VPN
Vulnerability scanning
Patch management
Data loss prevention (DLP)
Threat intelligence
Identity access management (IAM)
Privileged access management (PAM)

MSSP services may include:

Risk assessments and gap analysis
Policy development and risk management
Solution scoping
Solution/tool research and requisition
Solution implementation
Management of security systems
Configuration management
Security updates
Reporting, auditing, and compliance
Training and education

“Traditionally, MSSPs have been overwhelmingly focused on the perimeter,” assesses Keve. “And, while MSSP offerings are evolving, even today, few MSSP’s tackle IAM.
Another differentiation between MSPs versus MSSPs is NOCs versus SOCs. MSPs frequently establish their own network operation center (NOC) from which they monitor and administrate over customer operations, MSSPs on the other hand typically establish a security operations center (SOC), which is responsible for protecting the infrastructure (networks, applications, databases, servers, etc.).


https://cybersecop.com/news/2018/10/4/what-is-an-mssp-managed-security-services-provider

• Managed Security Services (MSS) and Eyes on Glass in the Real World

“Eyes on Glass” is a common saying when it comes to reviewing SIEM logs and managed services but is often misunderstood.
Technically “eyes on glass” requires a high degree of skill and capabilities to interact directly with unique client technologies, something not commonly included with managed services.

SIEM vs. MSSP
A Security Information and Event Management (SIEM) solution is designed to collect log data and provide real-time analysis towards alerting of events that require security management (e.g. virus infection or brute force attack attempt). A Managed Security Service Provider (MSSP) provides security monitoring and management which may include review, research, and response to alerts and data collected from a SIEM.
The MSSP does not actually have access to the “eyes on glass” endpoint product at this point, just the alert or log data that is sent to them from the client endpoint product and SIEM.
Scale and Efficiency
True “eyes on glass” is not a scalable service
It is far more efficient to configure logs to submit as much data as possible than have an employee or service provider perform “eyes on glass” investigations on one or more devices or software services used within an organization.

“Eyes on Glass” is sometimes required to dive deeper into a threat as one researches and responds to an incident. For daily operations the most cost-effective monitoring solution is to properly configure and tune detailed alerts sent to a SIEM and MSSP solution enabling research and response.
https://www.optiv.com/blog/managed-security-services-mss-and-eyes-glass-real-world

• What is Managed Detection and Response? Definition, Benefits, How to Choose a Vendor, and More

Managed detection and response is a service that arose from the need for organizations, who lack the resources, to be more cognizant of risks and improve their ability to detect and respond to threats.

MDR is more focused on threat detection, rather than compliance.
The services are delivered using the provider's own set of tools and technologies,
Managed detection and response relies heavily on security event management and advanced analytics.

Managed Detection and Response vs. Managed Security Services
    Coverage. Managed security services can work with different types of event logs and contexts. The customer decides which of their security data is sent to the MSSP. With managed detection and response services, they only work with event logs that their own tools provide.
    Compliance reporting. If you need compliance reporting, go for a managed security service, as managed detection and response services rarely do compliance reports.
    The human touch. One of the upsides of managed detection and response offerings is that you get more human interaction with analysts. Managed security services rely on portals and e-mail rather than direct communication.
    Incident response. With managed detection and response, you only need a separate retainer if you want on-site incident response. Remote incident response is usually included in what you pay for the basic service. This is not true for many managed security services, where you need separate retainers for both onsite and remote incident response.

https://digitalguardian.com/blog/what-managed-detection-and-response-definition-benefits-how-choose-vendor-and-more

• Managed Detection and Response

managed service detects and responds to threats with complete root-cause and kill chain visibility to deliver more effective security.
https://www.ibm.com/security/services/managed-detection-response

• Managed Detection and Response

Managed detection and response (MDR) is an outsourced service that provides organizations with threat hunting services and responds to threats once they are discovered. It also involves a human element: Security providers provide their MDR customers access to their pool of security researchers and engineers, who are responsible for monitoring networks, analyzing incidents, and responding to security cases.

What challenges can MDR address?
While training and setting up dedicated security teams that can do full-time threat hunting may be feasible for larger organizations that can afford it, most companies will find it a difficult proposition given their resource limitations.

MDR integrates EDR tools in its security implementation, making them an integral part of the detection, analysis, and response roles.
Many of these alerts cannot be readily identified as malicious, and have to be checked on an individual basis. In addition, security teams need to correlate these threats, since correlation can reveal whether seemingly insignificant indicators all add up as part of a larger attack. This can overwhelm smaller security teams, and take away precious time and resources from their other tasks.

MDR aims to address this problem not only by detecting threats but also by analyzing all the factors and indicators involved in an alert.
One of the most important skills that security professionals need is the ability to contextualize and analyze indicators of compromise in order to better position the company against future attacks. Security technologies may have the ability to block threats, but digging deeper into the hows, whys, and whats of incidents requires a human touch.

MDR is designed to solve the problem of an organization’s cybersecurity skills gap. It tackles the issue of more advanced threats that an in-house IT team cannot completely address, ideally at a cost that is less than what the company will need to spend to build its own specialized security team. MDR can also offer the organization access to tools that it may not normally have access to

How do MDR providers compare with MSSPs?
In contrast with MDR providers, which can detect lateral movement within a network, MSSPs typically work with perimeter-based technology as well as rule-based detections to identify threats. Also, the kinds of threats that MSSPs deal with are known threats, such as vulnerability exploits, reoccurring malware, and high-volume attacks.
MSSPs have security professionals who perform log management, monitoring, and analysis, but often not at a very in-depth level.
In essence, MSSPs are able to manage an organization’s security but typically only at the perimeter level, and their analysis does not involve extensive forensics, threat research, and analytics.

In terms of service, MSSPs usually communicate via email or phone, with security professionals as a secondary access, while MDR providers carry out 24/7 continuous monitoring, which may not be offered by some MSSPs.
However, MSSPs still provide value to organizations. For example, managing firewalls and other day-to-day security needs of an organization’s network is a task that is more apt for an MSSP than an MDR provider, which offers a more specialized service.
Accordingly, MSSPs and MDR providers can work in conjunction with each other — with MDR providers focusing on the proactive detection and behavioral analysis of more advanced threats and giving remediation recommendations for organizations once the threats are discovered.

How does Trend Micro’s MDR work?
Trend Micro’s MDR provides a wide array of security services, including alert monitoring, alert prioritization, investigation, and threat hunting. It uses artificial intelligence models and applies them to endpoint, network, and server data in order to correlate and prioritize advanced threats. By investigating prioritized alerts, Trend Micro threat researchers can then work with organizations to provide a detailed remediation plan.

https://www.trendmicro.com/vinfo/us/security/definition/managed-detection-and-response

• What is Real User Monitoring? How It Works, Examples, Best Practices, and More

Real User Monitoring is a type of performance monitoring that captures and analyzes each transaction by users of a website or application. It’s also known as real user measurement, real user metrics, end-user experience monitoring, or simply RUM.
It’s used to gauge user experience, including key metrics like load time and transaction paths, and it’s an important component of application performance management (APM).

Real User Monitoring vs. Synthetic Monitoring
Real User Monitoring is a form of passive web monitoring.We say “passive” because it relies on services that constantly observe the system in the background, tracking availability, functionality, and responsiveness

By contrast, Synthetic Monitoring is active web monitoring. In synthetic monitoring, behavioral scripts are deployed in a browser to simulate the path an end-user takes through a website. In addition, this active monitoring permits webmasters to test the application before launch. That makes it an essential tool for sites with a high volume of traffic. Unlike synthetic monitoring, RUM never rests.

Examples of RUM
Constant monitoring of a blog in the background to see when and where page load times increase
An end-user portal like a bank software system may use it to spot intermittent issues, like login failures that only occur under specific, rare conditions.
An app developer may use it to highlight failures in different platforms that don’t show up during pre-deployment testing.

Benefits of RUM
    Measure service level targets easily. It offers real-world measurement of key targets by tracking actual visits and delivering top-level data on actual use cases.
    Easily identify problems and better prioritize issues. It can replay user sessions and track transaction paths to surface hidden problems.
    Determine hitches at the network and page level. Problems at the lower levels of a website can hide like needles in a haystack. It can spotlight these problems even when they’re intermittent in nature or based on rare conditions.

Best Practices for RUM
Assess the Current Speed of the Website. F
Improve Mobile Testing Strategy.
Relate Performance to the Business.
https://stackify.com/what-is-real-user-monitoring/

• SIEM Analyzes security alerts in real-time

SIEMs do three things:

One: Collect, normalize, and store log events and alerts from the organization’s network and

security devices, servers, databases, applications, and endpoints in a secure, central location

Investigators had determined that logging in to every system to

check for relevant log events was increasingly impossible. Also, if your logs were not secure,

you had no guarantee that an attacker hadn’t just deleted the entries to hide their activities

Two: Run advanced analytics on the data, both in real-time and across historical data, to

Identify potential security incidents that should be investigated by a human

The potential

incidents are prioritized by risk, severity, and impact.

these security analytics have

grown from employing Simple cross-correlation rules to monitoring for User-behavioral

anomalies, watching for known Indicators of Compromise IoC, and applying sophisticated

Machine learning models

Three: Prove that all of the security controls under the purview of the SIEM are in place and

effective

SIEM has evolved from an information platform, to a threat

intelligence center, to a fully integrated and automated center for security and network

operations. 

https://training.fortinet.com/pluginfile.php/1625608/mod_scorm/content/1/story_content/external_files/NSE%202%20SIEM%20Script_EN.pdf