Case Study 4: Technology and Product Review for an SIEM Solution
An introduction or overview for the security technology category (SIEM).
In the field of computer security, SIEM refers to software products that combine Security Event Management (SEM), which analyzes event and log data, and Security Information Management (SIM), which collects, reports on, and analyzes log data (Pratt, 2017). A SIEM application investigates security alerts in real time; the alerts can be generated by network hardware and applications. SIEM can be delivered as a managed service, an appliance, or software, and vendors sell it in all three forms. SIEM products can log security data and generate data for compliance purposes. SIEM technology has existed for over a decade and evolved from the discipline of log management.
SIEM software collects the log data that an organization's technology infrastructure generates. The logs can come from applications, networks, host systems, and security devices such as firewalls. The SIEM software then identifies, categorizes, and analyzes the logs. The two primary objectives of SIEM are the following:
- Providing reports on the incidents and events that are security-related, for instance, login attempts, possible malicious activity, and malware activities (Pratt, 2017).
- Sending alerts when analysis of the data shows that an activity violates the predetermined policies and rulesets, which indicates a security issue that could potentially cause damage.
Most of the early adoption of SIEM technology resulted from compliance requirements that drove organizations to acquire it. SIEM provided the reporting and monitoring that auditors needed when determining whether an organization was compliant with mandates such as PCI DSS, SOX, and HIPAA (Pratt, 2017). Some experts also say that in recent years the need for better security measures has increased enterprise demand for SIEM in the market.
A review of the features, capabilities, and deficiencies for your selected vendor and product
Splunk Features, Capabilities and Deficiencies
Splunk allows fast searching across multiple sources and stores data volumes in the terabyte range efficiently. Creating correlation searches, reports, and dashboards is relatively easy in this application. Splunkbase helps users get started quickly. Continuous development of the product makes new features and tools available several times a year (“Gartner peer insights,” 2017). Splunk has a large community, including its .conf user conference and Splunk Answers, which offers significant resources for learning and for building advanced use cases. The application has a search IDE, which makes it easy to build complex searches. Splunk's cloud services ease the onboarding of data. The application also integrates easily with other tools such as ServiceNow.
The application requires many restarts to apply specific changes; reducing the number of restarts required after a change would be an improvement. The graphical user interface is somewhat traditional. The developers should work toward making the GUI more modern and flexible (“Gartner peer insights,” 2017), and should adopt some BI-style approaches to visualizations, free-text markup, and dashboard layouts.
Users can obtain a token for remote authentication that lets them carry out bundle replication and peer management. The application also allows users to retrieve information from service endpoints. A user can run parallel reduce search processing in distributed environments. The application can exempt users holding a specific role from password expiry even when the lockout feature is enabled (Splunk, 2017). Likewise, when the lockout feature is enabled, account lockout after multiple incorrect attempts can be disabled for members of a specific role. The application has numerous other capabilities.
Discussion of how the selected product could be used by your client to support its cybersecurity objectives by reducing risk, increasing resistance to threats/attacks, decreasing vulnerabilities, etc.
Splunk software is built for business agility; it is highly scalable and capable of collecting and analyzing massive amounts of data for regulatory compliance and in-depth security analysis.
Installing and maintaining firewall configuration for data protection
All logs from the internal and external firewalls can be collected and stored centrally in Splunk. From there, Splunk can monitor traffic patterns between the internal network and other networks and systems that are considered untrusted (Splunk, 2012). It reports and tracks any change to the firewalls and their rules to ensure the integrity of the firewalls. Splunk also helps manage passwords to prevent the use of vendor-supplied defaults. The application can monitor configuration changes, monitor passwords, and encrypt network traffic.
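The two SIEM objectives from the overview (reporting on security-related events and alerting on ruleset violations) together with the firewall change tracking described just above, as an added example that is not part of the case study or of any vendor's product: a small Python correlator over constructed log lines (the hosts, users and addresses are invented) that alerts when a burst of failed logins from one address is followed by a success, and records every firewall rule change for later review.

```python
"""Minimal SIEM-style correlation over constructed log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in "<timestamp> <source> <message>" form; not real telemetry.
SAMPLE_LOGS = [
    "2017-10-02T08:00:01 auth sshd: Failed password for admin from 203.0.113.7",
    "2017-10-02T08:00:03 auth sshd: Failed password for admin from 203.0.113.7",
    "2017-10-02T08:00:04 auth sshd: Failed password for root from 203.0.113.7",
    "2017-10-02T08:00:06 auth sshd: Failed password for admin from 203.0.113.7",
    "2017-10-02T08:00:08 auth sshd: Failed password for admin from 203.0.113.7",
    "2017-10-02T08:00:09 auth sshd: Accepted password for admin from 203.0.113.7",
    "2017-10-02T08:05:00 fw1 config: rule 12 changed by jdoe action=permit dst=10.0.0.5 port=3389",
    "2017-10-02T09:30:00 auth sshd: Failed password for alice from 198.51.100.4",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+)")
FW_CHANGE_RE = re.compile(r"rule (?P<rule>\d+) changed by (?P<actor>\S+)")


def parse(line):
    """Split one raw line into timestamp, originating source and message text."""
    m = LINE_RE.match(line)
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "msg": m["msg"]}


def correlate(lines, threshold=5, window=timedelta(minutes=1)):
    """Return (alert_type, subject, detail) tuples for the two rules below."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failed logins
    for ev in map(parse, lines):
        if m := FAILED_RE.search(ev["msg"]):
            recent = failures[m["ip"]] + [ev["ts"]]
            # Slide the window: keep only failures within `window` of this event
            failures[m["ip"]] = [t for t in recent if ev["ts"] - t <= window]
        elif m := ACCEPTED_RE.search(ev["msg"]):
            # Rule 1: success preceded by a burst of failures from the same address
            if len(failures.get(m["ip"], [])) >= threshold:
                alerts.append(("brute_force_success", m["ip"], m["user"]))
        elif m := FW_CHANGE_RE.search(ev["msg"]):
            # Rule 2: every firewall rule change is reported for integrity tracking
            alerts.append(("firewall_rule_change", ev["src"], m["actor"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The single failed login from 198.51.100.4 stays below the threshold and produces no alert, which is the kind of baseline-versus-anomaly distinction the closing section relies on.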
Protect stored data
Splunk monitors and reports every electronic step in the data life cycle and can therefore help protect data at rest. It covers the whole data life cycle, from initial storage to disposal (Splunk, 2012). Splunk also helps manage the generation of encryption keys and access to them, and monitors their life cycle.
Encryption of transmitted data across public networks
Splunk can be used to verify the establishment and teardown of IPsec transmissions. It identifies which transmissions can be trusted, namely those with legitimate certificates, and ensures that the certificates are not self-signed (Splunk, 2012).
Use and regular update of anti-virus software
Splunk offers a capability for monitoring malware activity, anti-malware agent deployment statistics, and malware signature versions. This information can be used to check whether the installed anti-malware systems identify and report threats in real time. Splunk provides visibility into both network-based and host-based activity. It can monitor for abnormal activity by comparing it with activity established as normal (Splunk, 2012), which helps detect sophisticated modern threats. Splunk models behavior through risk scenarios and the thresholds of an IT environment to surface unknown threats.
Developing and maintaining secure systems and applications
Splunk can help on multiple fronts. It handles patch trending easily, since it has access to all vulnerability data and monitors patch metrics; if any system falls short, it prompts an immediate update. It helps prioritize hosts using the CVSS score as the basis, with vulnerabilities scored 4.0 or higher considered high risk. Additionally, Splunk can monitor server reboots to confirm that patches applied to the servers have taken effect. Separation of duties is easily enabled in Splunk so that system owners can troubleshoot without needing to log into the systems (Splunk, 2012). Another important function of Splunk is managing the change control process to ensure that changes do not have a significant impact on the organization.
Restricting access to data
Splunk can monitor and report all access attempts to hosts and applications in an organization's information system. The software can build a complete picture of access records: which users accessed data, when, which system was accessed, and which system was used to access it (Splunk, 2012). Using this data as a baseline, Splunk can track access and watch for abnormal behavior or behavior that warrants investigation.
A closing section in which you restate your recommendation for a product (include the three most important benefits).
The strategic deployment of Splunk can afford an organization significant advantages over alternative deployment models. The security team can get the most out of Splunk by using it as the SIEM tool. External log sources can be used to gain real-time insight into the volumes of data that the most critical business applications generate. At the same time, it offers a consolidated, all-in-one storage solution that can enhance performance. The tool enables business organizations to improve the security of their IT infrastructure. It can help detect zero-day attacks because it tracks behavior and can alert on abnormal activity that may be malicious. Splunk can accelerate performance and fortify security while enabling sustainable scale.
References

Pratt, M. K. (2017). What is SIEM software? How it works and how to choose the right tool. Retrieved from https://www.csoonline.com/article/2124604/network-security/what-is-siem-software-how-it-works-and-how-to-choose-the-right-tool.html

Gartner peer insights. (2017). Splunk is where your security and operation monitoring dreams become reality. Retrieved from https://www.gartner.com/reviews/review/view/253429

Splunk. (2017). Securing Splunk Enterprise: About defining roles with capabilities. Retrieved from https://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Rolesandcapabilities

Splunk. (2012). Guide for mapping Splunk® Enterprise™ to PCI requirements. Retrieved from https://informationsecurity.report/Resources/Whitepapers/b30a81ad-3b87-41e8-804e-5358be3ca933_Guide%20to%20Mapping%20Splunk%20Enterprise%20to%20PCI%20Requirements.pdf
Case Study #4: Technology & Product Review for an SIEM Solution
Security Operations Control Centers (SOCC) are a necessity for large businesses and government agencies. But for a small- to medium-sized business such as Sifers-Grayson, the expense of setting up and operating a SOCC may outweigh the benefits. Instead of a full SOCC, smaller companies may decide to invest in an enterprise monitoring technology such as a Security Information and Event Management (SIEM) tool. Such tools can be used to monitor the enterprise, collect information, and report on security events (generate alerts and alarms). Your task for this case study is to identify, assess, and recommend an SIEM tool which is appropriate for Sifers-Grayson and which could be used to support the activities of a SOCC should Sifers-Grayson decide to establish this organization as a separate operating unit.
- Review the weekly readings.
- Choose one of the SIEM products from the Gartner Magic Quadrant analyses. See also https://www.scmagazine.com/siem/products/6554/0/ (SIEM Reviews).
- Research your chosen product using the vendor’s website and product information brochures. (Vendors of highly rated products will provide a copy of Gartner’s most recent Magic Quadrant report on their websites, but registration is required.)
- Find three or more additional sources which provide reviews for (a) your chosen product or (b) general information about SIEM technologies and solutions.
Write a 3-page summary of your research. At a minimum, your summary must include the following:
- An introduction or overview for the security technology category (SIEM).
- A review of the features, capabilities, and deficiencies for your selected vendor and product
- Discussion of how the selected product could be used by your client to support its cybersecurity objectives by reducing risk, increasing resistance to threats/attacks, decreasing vulnerabilities, etc.
- A closing section in which you restate your recommendation for a product (include the three most important benefits).
As you write your review, make sure that you address security issues using standard cybersecurity terminology (e.g. protection, detection, prevention, “governance,” confidentiality, integrity, availability, nonrepudiation, assurance, etc.). See the ISACA glossary https://www.isaca.org/pages/glossary.aspx if you need a refresher on acceptable terms and definitions.
As you write your review, make sure that you address security issues using standard cybersecurity terminology (e.g. 5 Pillars IA, 5 Pillars Information Security). See the resources listed under Course Resources > Cybersecurity Concepts Review for definitions and terminology.
Use standard APA formatting for the MS Word document that you submit to your assignment folder. Formatting requirements and examples are found under Course Resources > APA Resources.
Submit For Grading
Submit your paper in MS Word format (.docx or .doc file) using the Case Study #4: SIEM Technology & Product Review assignment in your assignment folder. (Attach the file.)
- There is no penalty for writing more than 3 pages, but clarity and conciseness are valued. If your essay is shorter than 3 pages, you may not have sufficient content to meet the assignment requirements (see the rubric).
- You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.
- You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must comply with APA 6th edition Style requirements. Failure to credit your sources will result in penalties as provided for under the university’s Academic Integrity policy.