What Is Security Information and Event Management (SIEM)? Purpose and Benefits



John Parlee, published August 1, 2023

Security Information and Event Management (SIEM) is a suite of tools that security teams use to identify threats and anomalous activities. They are versatile tools that can be used for other purposes; however, the primary users tend to be the security teams doing day-to-day monitoring, threat hunting, and analysis. SIEM has been around for a long time, and these tools have evolved significantly to meet the needs of modern security teams.

What is SIEM?

SIEM stands for Security Information and Event Management: a set of tools and services used to view event data and information, correlate it, prioritize it, and present it to analysts. SIEM gives security operations teams the ability to detect, analyze, and respond to security threats. The tool collects data from a variety of sources, then aggregates and structures that data, which helps security teams analyze it. This data provides an understanding of what is happening across a huge data set that includes network, application, server, endpoint, and other sources, and generates corresponding alerts.

SIEM makes it manageable to process large amounts of data that an analyst would not otherwise be able to handle manually. The analyst can look at point-in-time events and then pivot into larger or smaller datasets as needed.
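The two paragraphs above describe the core SIEM loop: collect events from several sources in their native formats, normalize them to one schema, correlate across sources, prioritize, and let the analyst pivot on a field such as a source IP. The following Python script is an added illustration of that loop, not code from the original article or from any SIEM product. The log lines, field names, rule names and severity values are all constructed for the example.

```python
"""Toy SIEM pipeline: ingest heterogeneous log records, normalize them to one
schema, correlate across sources, emit prioritized alerts, and pivot on a field.
Added illustration only; every log line and field name below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in three native formats (not real logs).
FIREWALL_LINES = [
    "2024-03-01T10:00:05Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T10:00:06Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2024-03-01T10:01:00Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.9 dport=443",
]
AUTH_EVENTS = [  # JSON-style records from an authentication service
    {"ts": "2024-03-01T10:01:10Z", "user": "alice", "result": "fail", "client_ip": "203.0.113.7"},
    {"ts": "2024-03-01T10:01:15Z", "user": "alice", "result": "fail", "client_ip": "203.0.113.7"},
    {"ts": "2024-03-01T10:01:20Z", "user": "alice", "result": "fail", "client_ip": "203.0.113.7"},
    {"ts": "2024-03-01T10:01:40Z", "user": "alice", "result": "success", "client_ip": "203.0.113.7"},
    {"ts": "2024-03-01T10:05:00Z", "user": "bob", "result": "fail", "client_ip": "198.51.100.2"},
]
ENDPOINT_CSV = [  # ts,host,action,process,user
    "2024-03-01T10:02:00Z,host-9,process_start,powershell.exe,alice",
]

SEVERITY = {"critical": 90, "high": 80, "medium": 60, "low": 30}
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Each normalizer maps a native record onto the common schema:
# ts, source, src_ip, user, action, detail.
def normalize_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None  # unparseable lines are dropped rather than guessed at
    return {"ts": parse_ts(m["ts"]), "source": "firewall", "src_ip": m["src"],
            "user": None, "action": m["action"].lower(), "detail": f"{m['dst']}:{m['dport']}"}

def normalize_auth(rec):
    return {"ts": parse_ts(rec["ts"]), "source": "auth", "src_ip": rec["client_ip"],
            "user": rec["user"], "action": "login_" + rec["result"], "detail": ""}

def normalize_endpoint(line):
    ts, host, action, proc, user = line.split(",")
    return {"ts": parse_ts(ts), "source": "endpoint", "src_ip": None,
            "user": user, "action": action, "detail": f"{host} {proc}"}

def normalize_all():
    """Aggregate all sources into one time-ordered event list."""
    events = [e for e in map(normalize_firewall, FIREWALL_LINES) if e]
    events += [normalize_auth(r) for r in AUTH_EVENTS]
    events += [normalize_endpoint(l) for l in ENDPOINT_CSV]
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=10)):
    """Cross-source correlation keyed on source IP; returns alerts, highest severity first."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        if e["src_ip"]:
            by_ip[e["src_ip"]].append(e)
    for ip, evs in by_ip.items():
        fails, denies = [], []
        for e in evs:
            if e["action"] == "deny":
                denies.append(e)
            elif e["action"] == "login_fail":
                fails.append(e)
            elif e["action"] == "login_success":
                recent_fails = [f for f in fails if e["ts"] - f["ts"] <= window]
                if len(recent_fails) >= 3:  # repeated failures then a success
                    alerts.append({"rule": "brute_force_then_success", "severity": "high",
                                   "src_ip": ip, "user": e["user"], "ts": e["ts"],
                                   "evidence": len(recent_fails)})
                recent_denies = [d for d in denies if e["ts"] - d["ts"] <= window]
                if len(recent_denies) >= 2:  # firewall denies from the same IP, then a login
                    alerts.append({"rule": "probe_then_successful_login", "severity": "medium",
                                   "src_ip": ip, "user": e["user"], "ts": e["ts"],
                                   "evidence": len(recent_denies)})
                fails = []  # a successful login ends the failure streak
    return sorted(alerts, key=lambda a: SEVERITY[a["severity"]], reverse=True)

def pivot(events, field, value):
    """The analyst's pivot: every normalized event, from any source, matching one field."""
    return [e for e in events if e[field] == value]

if __name__ == "__main__":
    evs = normalize_all()
    for a in correlate(evs):
        print(a["severity"], a["rule"], a["src_ip"], a["user"])
    print(len(pivot(evs, "user", "alice")), "events involving alice across all sources")
```

The point of normalizing first is that the correlation rules never need to know a firewall line looks different from an auth record; pivoting on `user` reaches the endpoint event that carries no IP at all, which is exactly the cross-dataset view the text describes.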

It is true that organizations need a security team to respond to these threats, but SIEM helps identify and address threats before they impact the organization.

Which SIEM should you use?

When selecting a SIEM vendor, consider the following:

1. Preference/exposure

Many security teams have found a solution they like and have invested time and money in learning and operating that technology. For example, some vendors have their own conferences, query languages, architecture sets, and learning/career paths. A security professional may start as an analyst and then, as they move into more senior roles, develop the experience and knowledge needed to manage the SIEM architecture, components, and capabilities.

Learning a specific SIEM query language is a lot like learning a programming or database language. Many SIEM vendors have their own version of such a language, and the searches, alerts, and queries developed in it become an integrated part of the SIEM. Learning a specific language is an investment. While some skills are transferable, keep in mind that once a team is familiar with one SIEM query language, transitioning to another can be a challenge.

2. Capabilities

SIEM has evolved from a consumption platform that provides alerting and analysis into a powerful platform that can do orchestration, automation, and response. It gives analysts capabilities that can automate some of the most time-consuming jobs, such as providing immediate data enrichment and the context needed for decision-making.

When time is critical, SIEM can provide immediate response capabilities that stop a threat and hinder attacker activity. For example, SIEM integrations can automatically take action on a firewall to block an IP address exhibiting malicious activity. Using these capabilities, SIEM can be much faster than having a human in the loop. However, this automation carries a risk: legitimate or misclassified activity may also be blocked. That said, these capabilities should be reviewed by the security team as they consider the value that SIEM will bring as it is operationalized and optimized over time.

The capability to integrate with other tools is also important to support automation. Security teams should consider what tools they have and what use cases they are interested in developing.
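The firewall-block example above is fast precisely because no human reviews it, and the text notes the risk that legitimate or misclassified traffic gets blocked too. The Python script below is an added illustration, not code from the article or from any SIEM or SOAR product, of the kind of decision gate a team would put in front of such an automated action: an allowlist of addresses that are never auto-blocked, a severity floor, a requirement that the alert be corroborated by more than one telemetry source, a time-limited block so a mistake self-corrects, and a human queue for everything that fails those checks. The address ranges, alerts, thresholds and the stub firewall API are all constructed for the example.

```python
"""Decision gate in front of an automated firewall block.
Added illustration only; the allowlist, alerts, thresholds and FirewallStub
are constructed and do not correspond to any real product API."""
import ipaddress

# Constructed: ranges that must never be auto-blocked (internal networks and a
# hypothetical partner VPN range). Note: explicit ranges are used on purpose;
# ipaddress.is_private also flags the documentation TEST-NET ranges used here.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
AUTO_BLOCK_MIN = "high"   # below this severity a human decides
MIN_SOURCES = 2           # corroboration from at least two telemetry sources
BLOCK_TTL_HOURS = 24      # temporary block; a wrong call expires on its own

def is_protected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)

def decide(alert):
    """Return a decision for one alert dict with keys src_ip, severity, sources, rule."""
    if is_protected(alert["src_ip"]):
        # Blocking an internal or partner address could cause an outage; escalate instead.
        return {"action": "escalate", "ttl_hours": 0,
                "reason": "source is internal or allowlisted; needs an analyst"}
    reasons = []
    if SEVERITY_RANK[alert["severity"]] < SEVERITY_RANK[AUTO_BLOCK_MIN]:
        reasons.append("severity below auto-block floor")
    if len(alert["sources"]) < MIN_SOURCES:
        reasons.append("single-source evidence")
    if reasons:
        return {"action": "queue", "ttl_hours": 0, "reason": "; ".join(reasons)}
    return {"action": "block", "ttl_hours": BLOCK_TTL_HOURS,
            "reason": "corroborated high-severity activity"}

class FirewallStub:
    """Stand-in for a firewall integration; records what the playbook would do."""
    def __init__(self):
        self.blocks = []
    def block(self, ip, ttl_hours):
        self.blocks.append((ip, ttl_hours))

def run_playbook(alerts, fw, dry_run=False):
    """Apply decide() to each alert; dry_run records decisions without touching the firewall."""
    outcomes = []
    for a in alerts:
        d = decide(a)
        if d["action"] == "block" and not dry_run:
            fw.block(a["src_ip"], d["ttl_hours"])
        outcomes.append((a["src_ip"], d["action"]))
    return outcomes

# Constructed alerts: one corroborated external offender, one internal host,
# one weak single-source signal.
SAMPLE_ALERTS = [
    {"src_ip": "203.0.113.7", "severity": "high", "sources": {"firewall", "auth"},
     "rule": "brute_force_then_success"},
    {"src_ip": "10.0.0.44", "severity": "critical", "sources": {"endpoint", "auth"},
     "rule": "suspicious_internal_activity"},
    {"src_ip": "198.51.100.2", "severity": "medium", "sources": {"auth"},
     "rule": "repeated_login_failures"},
]

if __name__ == "__main__":
    fw = FirewallStub()
    for ip, action in run_playbook(SAMPLE_ALERTS, fw):
        print(ip, "->", action)
    print("firewall blocks applied:", fw.blocks)
```

Running the playbook with `dry_run=True` first is the usual way to review what the automation would have done against historical alerts before letting it act, which is the review step the text asks security teams to perform.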

3. Cost

Cost is an important aspect to consider when investing in a SIEM suite. Once the initial investment is made, the organization has begun a significant journey: it is buying into the SIEM's architecture and capabilities. It is not uncommon to see job descriptions that ask for skills in a particular SIEM.

Consider that data management is a large component of what the cost will be over time. It is important to plan for the amount of data that will be ingested and how it will be managed to meet the organization's retention goals. Many SIEMs have a pricing model based on the amount of data ingested daily and on how much data is retained over time. The more a SIEM ingests, the more it costs the organization. It is also important to consider how and where the data is stored. If you are using a cloud-based SIEM, you may incur some additional cost compared with managing your own storage.

The evolution of SIEM

SIEM has changed significantly over time, initially meeting compliance obligations for log storage and then evolving into enhanced search, alerting, and analysis. Over time, SIEM capabilities have been greatly enhanced, leading to orchestration, automation, and response (SOAR). SOAR has helped security teams enrich their events with internal and external data sources, automatically review alerts, and respond by taking integrated remediation actions.

The challenge now is how to automate and respond while consistently achieving the intended results without human intervention. The human analyst develops important context with time and exposure; it is important to consider the impact of automation where an analyst is not exposed to the information from an event and so cannot build context and awareness for a potentially related event.

SIEM's next evolution: artificial intelligence

Artificial intelligence and large language models seem well suited to SIEM. With the proper context, AI can facilitate the job of the security analyst or detection engineer. By simply specifying what the analyst or engineer needs the AI to do, AI could generate complex queries that are well formatted and documented, tasks that typically require humans to invest additional time and effort.

AI will play a role in training. It can provide guided learning models for analysts, as well as structured playbooks for security teams to follow. Tasks that might be better suited to experienced practitioners, such as guided threat hunting and incident response, could be largely automated while being monitored by a junior operator. After a threat is identified, an analyst could ask for all the existing attack paths to help prioritize remediation efforts.

AI can also facilitate data management. Some datasets may not have common field names; AI could enable table-agnostic search, further simplifying some of the common tasks that security teams must perform to fully query their datasets and receive complete information.

In addition, security leaders will be able to use these same techniques to review the performance of the SIEM, the AI, and the security team. After an incident, AI could review the activity, the weaknesses in the environment, and the security configurations to present a list of suggestions on how to prevent the activity in the future based on best practices. Incidents could be analyzed retrospectively to review false positives, and the opportunity to re-analyze emerging events against existing data and prior activity could lead to the identification of latent threats that were previously undetected.

Infrastructure management is hard. Make it easier!

Whatever stage of infrastructure management you are at, it is essential to focus on fundamental security practices, maintaining high visibility into and management of what is on your network or in your cloud. Managing an entire IT infrastructure is already an extremely complex task, and today's business environment only adds obstacles, such as economic uncertainty, cybersecurity threats, labor challenges, and the general expectation to do more with less. IT infrastructure management services from Park Place Technologies can help your IT team take on increasing responsibilities in the face of current business challenges.

Park Place Managed Services™ is a comprehensive suite of managed IT infrastructure solutions that helps bring order to managing your organization's critical infrastructure while minimizing chaos and accelerating business transformation. Learn more about this portfolio of storage management, server management, and network management services today!

About the author

John Parlee, Chief Information Security Officer