Case Study 4 Technology and Product Reviews for a SIEM Solution
An introduction or overview of the security technology category (SIEM).
In the field of computer security, SIEM refers to software products that combine Security Event Management (SEM), which analyzes event and log data, with Security Information Management (SIM), which collects, reports on, and analyzes log data (Pratt, 2017). A SIEM application investigates security alerts in real time, which can be generated by network hardware and applications. Vendors sell SIEM in three forms: managed services, appliances, or software. SIEM products can log security data and generate data for compliance reporting. SIEM technology has existed for over a decade and evolved from the discipline of log management.
SIEM software collects log data that the technology infrastructure of an organization generates. The log can come from applications, networks, host systems, and security devices such as firewalls. The SIEM software identifies, categorizes, and analyses the logs. The two primary objectives of SIEM are the following:
- It provides reports on the incidents and events that are security-related, for instance, login attempts, possible malicious activity, and malware activities (Pratt, 2017).
- Sending alerts when the data analysis shows that an activity violates predetermined policies or rulesets, which indicates a security issue that could potentially cause damage.
Most of the early adoption of SIEM technology resulted from compliance requirements that drove organizations to acquire it. SIEM provides the reporting and monitoring that auditors need when determining whether an organization complies with mandates such as PCI DSS, SOX, and HIPAA (Pratt, 2017). Some experts also say that in recent years, the demand for better security measures has increased enterprise demand for SIEM in the market.
A review of the features, capabilities, and deficiencies of your selected vendor and product
Splunk Features, Capabilities and Deficiencies
Splunk allows fast search across multiple sources and efficiently stores data volumes in the terabyte range. Creating correlation searches, reports, and dashboards is relatively easy in this application. A feature called Splunkbase helps users get started quickly. The continuous development of this product makes new features and tools available multiple times a year (“Gartner peer insights,” 2017). Splunk has a large community, with resources such as .conf and Splunk Answers, which offer significant help for learning and building advanced use cases. The application has a search IDE, making it easy to build complex searches. Splunk has cloud services that make onboarding data easier. The app also integrates easily with other tools such as ServiceNow.
The application requires many restarts to make specific changes; reducing the number of reboots required after a change is made would be better. The graphical user interface is traditional to some extent. The developers should work towards making the GUI modern and flexible (“Gartner peer insights,” 2017). They should implement some of the BI-type solutions when it comes to visualizations, free text markups, and dashboard layouts.
Users can obtain a token for remote authentication to carry out bundle replication and peer management. The application also allows users to get information from the service endpoints. A user can run parallel reduce search processing in distributed environments. The application can prevent password expiry for users with a specific role even when the lockout feature is enabled (Splunk, 2017). Also, when the lockout feature has been enabled, account lockouts can be turned off for members of a specific role even after multiple incorrect attempts. The application has numerous other capabilities.
Discussion of how your client could use the selected product to support its cybersecurity objectives by reducing risk, increasing resistance to threats/attacks, decreasing vulnerabilities, etc
Splunk software is created for businesses’ agility and is highly scalable and capable of collecting and analyzing massive amounts of data for regulatory compliance and in-depth security analysis.
Installing and maintaining firewall configuration for data protection
All the logs can be collected from the internal and external firewalls and centrally stored in Splunk. From there, Splunk can monitor traffic patterns between the internal network and other networks and systems that are considered untrusted (Splunk, 2012). It will report and track any changes to the firewalls and their rules to ensure the integrity of the firewalls. Splunk also helps with password management to prevent the use of vendor-supplied defaults. The application can monitor configuration changes and passwords and can encrypt its own network traffic.
Protect stored data
Splunk monitors and reports all the electronic steps in the life cycle of data. It can, therefore, help in protecting the data at rest. It manages all the data lifecycle processes from the initial storage to disposal (Splunk, 2012). Splunk helps manage the generation of encryption keys and access to them; additionally, it monitors their life cycle.
Encryption of transmitted data across public networks
Splunk can be used to verify the setup and teardown of IPsec transmissions. It determines which messages can be trusted and which carry legitimate certificates, ensuring that the certificates are not self-signed (Splunk, 2012).
Use of and regular update of anti-virus software
Splunk offers a capability for monitoring malware activity, the statistics of anti-malware agent deployments, and the malware signature versions. The information can be used to check whether the installed anti-malware systems identify threats in real time and report them. Splunk helps in gaining visibility into both network-based and host-based activity. It can look for abnormal movements by comparing activity against hosts whose behaviour is regarded as normal (Splunk, 2012). This helps in detecting sophisticated modern threats. Splunk models behaviour through risk scenarios and the thresholds of an IT environment to find threats that are not yet known.
Development and Maintenance of Secure Systems and Applications
Splunk can help on multiple fronts. It easily handles patch trending by accessing all the data about vulnerabilities and monitoring patch metrics. If any falls short, it prompts an immediate update. It helps prioritize hosts using the CVSS score as the basis. Vulnerabilities considered high risk are those with a CVSS score of 4.0 or higher.
Additionally, Splunk can monitor the server reboots to ensure that the initialization of any server patches is operational. Separation of duties is easily enabled in Splunk to ensure that the systems’ owners can troubleshoot without needing to log into them (Splunk, 2012). Another necessary functionality of Splunk is managing the change control process to ensure that the changes performed do not significantly impact the organization.
Restricting access to data
Splunk can monitor and report all access attempts to hosts and applications in an organization's information system. The software can build a complete picture of the access records: which users accessed data, at what time, which system was accessed, and which system was used to access it (Splunk, 2012). Using this data as a baseline, Splunk can track access and watch for abnormal behaviours or those that should be looked into.
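The baseline-and-deviation idea described in this section and in the anti-malware section above, as an added example that is not code from the page or from Splunk: it learns which hosts each user normally reaches from a training window of constructed login records, then flags logins to new hosts, logins by users with no baseline, and off-hours logins. The log format, users, hosts and working hours are assumptions.

```python
# Added example, not code from the page or from Splunk: a baseline-and-deviation
# check over constructed access records, the kind of logic a SIEM correlation
# search applies to login events. Log format, users and hosts are assumptions.
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines that do not match the constructed format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def build_baseline(lines):
    """Per user, the set of hosts reached by successful logins in the training window."""
    base = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["result"] == "success":
            base[rec["user"]].add(rec["host"])
    return dict(base)

def find_anomalies(baseline, lines, work_hours=(8, 18)):
    """Return (user, reason) pairs for accesses that deviate from the baseline."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        user, host, hour = rec["user"], rec["host"], rec["ts"].hour
        if user not in baseline:
            hits.append((user, "no baseline for user"))
        elif host not in baseline[user]:
            hits.append((user, f"new host {host}"))
        if not work_hours[0] <= hour < work_hours[1]:
            hits.append((user, f"off-hours access at {rec['ts']:%H:%M}"))
    return hits

# Constructed sample data: a training window and a later window to inspect.
BASELINE_LOGS = [
    "2024-03-01 09:12:00 user=alice host=db01 result=success",
    "2024-03-01 10:40:00 user=alice host=app02 result=success",
    "2024-03-02 08:30:00 user=bob host=app02 result=success",
]
NEW_LOGS = [
    "2024-03-05 09:05:00 user=alice host=db01 result=success",
    "2024-03-05 23:48:00 user=alice host=fin01 result=success",
    "2024-03-05 11:00:00 user=mallory host=db01 result=failure",
]
```

Calling `find_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS)` flags alice's late-night login to the unfamiliar host fin01 and mallory's attempt, while alice's routine login to db01 passes. In a real SIEM the training window would be weeks of data rather than three lines.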
A closing section in which you restate your recommendation for a product (include the three most important benefits).
The strategic deployment of Splunk in any organization can afford it significant advantages over alternative deployment models. The security team can get the most out of Splunk by using it as the SIEM tool. External log sources can be used to gain real-time insight into the volumes of data that the most critical business applications generate. At the same time, it offers a consolidated all-in-one storage solution that can enhance performance. This tool enables business organizations to ensure better security in their IT infrastructure. It can help detect zero-day attacks because it tracks behaviours and can alert on abnormal activities that may be malicious. Splunk can accelerate performance and fortify security while at the same time enabling a sustainable scale that is unmatched.
Pratt, M.K. (2017). What is SIEM software? How it works, and how to choose the right tool. Retrieved from https://www.csoonline.com/article/2124604/network-security/what-is-siem-software-how-it-works-and-how-to-choose-the-right-tool.html
Gartner peer insights. (2017). Splunk is where your security and operation monitoring dreams become a reality. Retrieved from https://www.gartner.com/reviews/review/view/253429
Splunk. (2017). Securing Splunk Enterprise. About defining roles with capabilities. Retrieved from https://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Rolesandcapabilities
Splunk. (2012). Guide for Mapping Splunk® Enterprise™ to PCI Requirements. Retrieved from https://informationsecurity.report/Resources/Whitepapers/b30a81ad-3b87-41e8-804e-5358be3ca933_Guide%20to%20Mapping%20Splunk%20Enterprise%20to%20PCI%20Requirements.pdf
Case Study #4: Technology & Product Review for an SIEM Solution
Security Operations Control Centers (SOCC) are necessary for large businesses and government agencies. But, for a small to medium-sized business such as Sifers-Grayson, the expense of setting up and operating a SOCC may outweigh the benefits. Instead of a full SOCC, smaller companies may invest in enterprise monitoring technology such as a Security Information and Event Management (SIEM) tool. Such tools can monitor the enterprise, collect information, and report on security events (generate alerts and alarms). Your task for this case study is to identify, assess, and recommend a SIEM tool appropriate for Sifers-Grayson, which could be used to support the activities of a SOCC should Sifers-Grayson decide to establish this organization as a separate operating unit.
- Review the weekly readings.
- Choose one of the SIEM products from the Gartner Magic Quadrant analyses.
https://www.scmagazine.com/siem/products/6554/0/ (SIEM Reviews)
- Research your chosen product using the vendor’s website and product information brochures. (Vendors for highly rated products will provide a copy of Gartner’s most recent Magic Quadrant report on their websites, but registration is required.)
- Find three or more additional sources which provide reviews for (a) your chosen product or (b) general information about SIEM technologies and solutions.
Write a 3-page summary of your research. At a minimum, your summary must include the following:
- An introduction or overview of the security technology category (SIEM).
- A review of the features, capabilities, and deficiencies of your selected vendor and product
- Discuss how your client could use the selected product to support its cybersecurity objectives by reducing risk, increasing resistance to threats/attacks, decreasing vulnerabilities, etc.
- A closing section in which you restate your recommendation for a product (include the three most important benefits).
As you write your review, make sure that you address security issues using standard cybersecurity terminology (e.g. protection, detection, prevention, “governance,” confidentiality, integrity, availability, nonrepudiation, assurance, etc.). See the ISACA glossary https://www.isaca.org/pages/glossary.aspx if you need a refresher on acceptable terms and definitions.
As you write your review, make sure that you address security issues using standard cybersecurity terminology (e.g. 5 Pillars IA, 5 Pillars Information Security). See the resources listed under Course Resources > Cybersecurity Concepts Review for definitions and terminology.
Use standard APA formatting for the MS Word document you submit to your assignment folder. Formatting requirements and examples are found under Course Resources > APA Resources.
Submit For Grading
Submit your paper in MS Word format (.docx or .doc file) using the Case Study #4:SIEM Technology & Product Review assignment in your assignment folder. (Attach the file.)
- There is no penalty for writing more than three pages, but clarity and conciseness are valued. If your essay is shorter than three pages, you may not have sufficient content to meet the assignment requirements (see the rubric).
- You are expected to write grammatically correct English in every assignment you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct, and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.
- You must credit your sources using in-text citations and reference list entries. Your authorities and reference list entries must comply with APA 6th edition Style requirements. Failure to credit your sources will result in penalties as provided for under the university’s Academic Integrity policy.