This article briefs about Security Information and Event Management (SIEM) and how it can be implemented through Elastic Stack.
Join the DZone community and get the full member experience. With increased Cybersecurity challenges, firms are constantly battling to bring down the Mean Time to Detect/Discover (MTTD) of security threats. This is critical for multiple aspects such as customer satisfaction, legal compliance, and creditability of the organizations. The organization needs to identify, communicate and mitigate an issue before the user does. As an extension to my earlier article on Cybersecurity Trends, let us explore how Security Information and Event Management (SIEM) can be achieved through Elastic. Before getting into nuances of SIEM on Elastic, let us refresh the basics: SIEM: SIEM comprises of Security Information Management (SIM) and Security Event Manager (SEM) to provide real-time security alerts generated by data, applications, and network infrastructure. Security Information Management: Storage, analysis, and reporting of log data (inclusive of audit logs which are essentials to analyze the anomalies). Security Event Manager: Analyzes the data collected through SIM, provides real-time monitoring and alerts based on business rules. To have a better SIEM implementation, the following are some key steps: The below capabilities might sound similar to feature engineering in Data Science since SIEM detection rules and engines are built on similar objectives. Elastic Stack: We explored Elastic Stack five years ago for one of our smart search solutions and I liked the performance and scalability apart from the intended functionalities of enterprise search, auto-completion/suggestion/correction.
