What is SIEM?

We offer development and optimization of the SIEM on the basis of the Elastic Stack.

SIEM (Security Information and Event Management) combines two areas: SIM (Security Information Management), the management of security information, and SEM (Security Event Management), the management of security events.

SIEM systems are not designed to prevent information security incidents and are not able to do so on their own.

SIEM technology collects and analyses, in real time, security events generated by network devices and applications; the events are then stored in databases and used for reporting and for behavioural analysis based on previous observations. SIEM is delivered as software and/or hardware.

About Elastic Stack

Elastic Stack consists of three independent open source products combined into one powerful solution for a wide range of data storage and processing applications.

The stack consists of Elasticsearch, Logstash and Kibana. Logstash collects and processes the data of registered events. Elasticsearch is responsible for data storage and retrieval. Kibana visualizes the data indexed by Logstash through a web interface.

Compared with a traditional SIEM, a solution based on Elastic Stack, despite the need to adapt some of its features to information security tasks, has a number of significant advantages. Consider some of them.

Centralized management of logs

Collection, aggregation and normalization of related logs from various security sources such as firewalls, DLP, IDS/IPS, anti-virus software, etc. Enrichment of events with additional data such as geolocation and external threat intelligence, including spoofed IP addresses and domain names.

The full functionality of a traditional SIEM is often not available because of licensing restrictions on the software and/or the use of proprietary hardware. Elastic Stack, as an open source product, does not suffer from such restrictions and gives the user greater freedom of action.

Elastic Stack allows you to log any security-related data, which makes a more complete security analysis possible.

Traditional SIEMs generally use their own embedded or relational database, which imposes restrictions on performance, on the amount of data processed and on the flexibility of querying it.

Search

Viewing previously recorded events in order to identify potential threats, to support forensic examination, and to analyse the root causes of incidents.

Thanks to the power of Elasticsearch, including full-text search, all security-related data is available in a solution based on Elastic Stack.

The flexibility and performance of search in a traditional SIEM are limited by its data storage technology and by the purposes and logic of the product's developers. Most of them can only index log data.

Basic security analysis

Detection of threats or of attacks in progress on the basis of one or more data sets using correlation rules, in addition to monitoring rules for typical "negative" events and actions. The results are combined with advanced analysis.

Traditional SIEMs often contain a large number of pre-configured "correlation rules" or "dashboards".
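The normalization and enrichment step described under centralized log management, and the correlation rule described in this section, can be illustrated with a small pipeline. This is an added example, not Insitu's or Elastic's code; it uses plain Python in place of Logstash filters and Elastic detection rules, and the log lines, the threat list and the rule threshold are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines from two sources (a firewall and an IDS); not real logs.
SAMPLE_LOGS = [
    "fw: 2024-05-01T10:00:01Z src=203.0.113.5 dst=10.0.0.7 action=deny",
    "fw: 2024-05-01T10:00:02Z src=203.0.113.5 dst=10.0.0.7 action=deny",
    "fw: 2024-05-01T10:00:03Z src=203.0.113.5 dst=10.0.0.7 action=deny",
    "ids: 2024-05-01T10:00:04Z alert sid=1000001 src=203.0.113.5 dst=10.0.0.7",
    "fw: 2024-05-01T10:01:00Z src=198.51.100.9 dst=10.0.0.8 action=allow",
]
# Constructed threat list standing in for an external threat-intelligence feed.
THREAT_IPS = {"203.0.113.5": "known-scanner"}

FW_RE = re.compile(r"^fw: (\S+) src=(\S+) dst=(\S+) action=(\w+)$")
IDS_RE = re.compile(r"^ids: (\S+) alert sid=(\d+) src=(\S+) dst=(\S+)$")

def normalize(line):
    """Map one raw line onto a common (ECS-style) schema; the job Logstash filters do."""
    m = FW_RE.match(line)
    if m:
        return {"@timestamp": m[1], "source.ip": m[2], "destination.ip": m[3],
                "event.category": "network", "event.action": m[4]}
    m = IDS_RE.match(line)
    if m:
        return {"@timestamp": m[1], "rule.id": m[2], "source.ip": m[3],
                "destination.ip": m[4], "event.category": "intrusion_detection",
                "event.action": "alert"}
    return None  # unknown source: dropped here, would be tagged for review in production

def enrich(event):
    """Attach threat-intelligence context to the event (the enrichment step above)."""
    tag = THREAT_IPS.get(event["source.ip"])
    if tag:
        event["threat.indicator.name"] = tag
    return event

def correlate(events, deny_threshold=3):
    """Correlation rule: at least deny_threshold firewall denies from one source to one
    destination, followed by an IDS alert on the same pair, raise a single finding."""
    denies = defaultdict(int)
    findings = []
    for e in events:
        key = (e["source.ip"], e["destination.ip"])
        if e["event.action"] == "deny":
            denies[key] += 1
        elif e["event.category"] == "intrusion_detection" and denies[key] >= deny_threshold:
            findings.append({"source.ip": key[0], "destination.ip": key[1],
                             "denies": denies[key], "rule.id": e["rule.id"]})
    return findings

def pipeline(lines):
    """Normalize, enrich and correlate; returns (normalized events, findings)."""
    events = [enrich(ev) for ev in map(normalize, lines) if ev]
    return events, correlate(events)
```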

Advanced security analysis

Includes detection of deviations (potential anomalies) using machine learning, such as:

rare events
combinations of atypical events that differ from previously registered patterns of behaviour
events in which one component is not consistent with the other components

as well as analysis of the dependencies among the detected anomalies, their advanced analysis and graphical representation, and modelling of probable events.

Here most SIEMs clearly lag behind Elastic Stack, although they are constantly working in this direction. Their typical advantage, however, is built-in tooling for assessing threats and risks.

Insitu’s offer

Having extensive experience in developing solutions based on Elastic Stack and in maximizing the benefits of this software product, we are ready to offer you a SIEM solution built on it.
The modular structure of the solution makes it possible to optimize its performance and cost. The advanced features of Elastic Stack can and should also be used for analysing and optimizing the computing infrastructure in areas not directly related to information security.