I need a 150-word-limit response for each of the two discussion posts below (Post 1 and Post 2).
Please make sure the work is of high quality and has no plagiarism.
Follow APA guidelines.
Post1:
Security information and event management (SIEM) is an information security technology that allows security information to be shared between different security tools. SIEM combines log management, intrusion detection, threat monitoring, vulnerability assessment, and other tools to provide information about an organization’s security. By combining the reporting of different system logs, SIEM provides greater transparency into the security of a system, both inside and outside the organization (El Hajji et al., 2019). The normalization process is a set of changes to the SIEM framework to make it usable and scalable. The normalization process will improve the SIEM framework's efficiency and provide the ability to handle any data and any number of entities. For example, they may need to normalize the SIEM system in such a way that they can count all the high records from a particular entity across all the SIEM instances in the organization. A SIEM is configured to detect and process the events, enabling them to extract valuable intelligence to enhance situational awareness, as a SIEM is the most cost-effective and efficient data processing method (Chapple, 2021).
Security information and event management analysis is used to determine if a vulnerability exists. It determines if any exploits are being used against a network and what devices have been compromised. An event has been recorded in the past and correlates with a threat. It is done by analysing a high-security information and event management (SIEM) environment. In many circumstances, it is essential to have an analyst or human review every potential compromise. In today’s world, a breach may be perpetrated by a malicious insider, an automated hacker, or potentially an attacker through a remote network. An analyst needs to understand all the components involved in a compromise and all the technical methods used to carry out the attack (Chapple, 2021).
An analyst will need to understand the technical capabilities of a SIEM system. These include: identifying which components have been compromised and their state; reviewing the traffic at the time of compromise and, after that, reviewing all the data, network logs, and system logs that were captured during a compromise; and finally, understanding all of the technical methodologies used to carry out a breach. These are tools used by a subset of the security operations function managed by a central IT organization that also houses the information technology group responsible for managing information technology infrastructure and security technology. Using enterprise solutions comes with the additional requirement that the IT organization can help with data collection, analysis, and validation (El Hajji et al., 2019).
References
Chapple, M. (2021). Access control, authentication, and public key infrastructure. Jones & Bartlett Publishers.
El Hajji, S., Moukafih, N., & Orhanou, G. (2019, April). Analysis of neural network training and cost functions impact on the accuracy of IDS and SIEM systems. In International Conference on Codes, Cryptology, and Information Security (pp. 433-451). Springer, Cham.
Post2:
SIEM stands for Security Information Event Management. It is software used to collect logs and other information from different sources to identify threats and vulnerabilities. According to the author (Pratt, 2017), this software is a decade old and was mainly used to analyze usage patterns and for log management. Unlike traditional applications that collect just the log data, SIEM uses different sources of information, accumulates data, and analyzes the data as a whole. Such additional capabilities add more value to the organization in protecting itself from threats and vulnerabilities.
Would a SIEM system be valuable if it did not normalize data? Why or why not?
SIEM collects data in raw format from various sources like network logs, cloud and on-prem devices, servers, instances, access points, etc. Digging through just the application and usage logs is itself tedious for analysts. The addition of information from all the sources mentioned above makes it tiresome even for senior analysts. Hence, normalization is a crucial feature for organizations dealing with massive data and usage. With normalization, SIEM makes the data easy to read for both humans and systems. Without normalization, SIEM is just like any other log management tool. I think normalization makes SIEM software stronger than the traditional log filtering and visualizing tools available in the market.
Does an organization that uses a SIEM system still need a human analyst? Why or why not?
The author of the article (Monge, 2019) stated that SIEM data conversion makes it easy for analysts to read and understand. The above statement implicitly explains that the application can improve the readability but not remove the necessity of having an analyst. Many vendors implemented Machine Learning capabilities (Monge, 2019) to the SIEM software making it more robust. But, an organization cannot rely solely on the SIEM software output. If I own an organization, I would never rely on SIEM software solely. Since analysts can think from different views and contexts, unlike software that uses just the predictions or a set of rules, analysts are still needed to understand the data. But SIEM can reduce the efforts of analysts to a certain degree with its advanced capabilities.
References
Monge, M. (2019, March 27). SIEM event normalization makes raw data relevant to both humans and machines. Security Intelligence. https://securityintelligence.com/siem-event-normalization-makes-raw-data-relevant-to-both-humans-and-machines/
Pratt, M. K. (2017, November 28). What is SIEM software? How it works and how to choose the right tool. CSO Online. https://www.csoonline.com/article/2124604/what-is-siem-software-how-it-works-and-how-to-choose-the-right-tool.html
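Both posts argue that normalization is what lets a SIEM correlate and count events across sources (Post 1's example of counting all "high" records from one entity across the organization; Post 2's point that without it a SIEM is just a log store). The following Python sketch is an added example, written for this page and not taken from either post or from any SIEM product: it takes three constructed raw formats (a syslog-style firewall line, a cloud audit record in JSON, and key=value lines from an endpoint agent), maps them onto one common schema, and then answers the "high records per entity" question, which a naive search over the raw text gets wrong because each source spells severity differently. The field names, severity scales, and the assumed year for the year-less syslog timestamp are all assumptions made for the example.

```python
"""Toy SIEM event normalization (added example, constructed data).

Three raw log formats are mapped onto one schema:
    {"timestamp": ISO-8601 UTC, "source": str, "entity": str,
     "severity": "low"|"medium"|"high", "action": str}
so that events from different tools can be counted and correlated together.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone

SYSLOG_YEAR = 2024  # assumption: syslog lines carry no year

# Constructed sample events, one source label and one raw record per entry.
RAW_EVENTS = [
    ("firewall", "Mar 03 10:15:42 fw01 sev=CRIT src=10.0.0.5 dst=203.0.113.9 action=BLOCK"),
    ("firewall", "Mar 03 10:16:01 fw01 sev=INFO src=10.0.0.7 dst=198.51.100.4 action=ALLOW"),
    ("cloud", '{"time": "2024-03-03T10:17:30Z", "severity": 9, "resource": "fw01", "event": "policy_change"}'),
    ("cloud", '{"time": "2024-03-03T10:18:02Z", "severity": 3, "resource": "web01", "event": "login"}'),
    ("endpoint", "ts=1709461111 host=fw01 level=high msg=new_admin_user"),
    ("endpoint", "ts=1709461200 host=web01 level=low msg=service_start"),
]

_SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")


def _kv(text):
    """Parse 'k=v k=v' pairs into a dict (values never contain spaces here)."""
    return dict(pair.split("=", 1) for pair in text.split())


def _severity_from_text(level):
    """Map vendor severity words onto the common three-level scale."""
    level = level.lower()
    if level in {"emerg", "alert", "crit", "critical", "err", "error", "high"}:
        return "high"
    if level in {"warn", "warning", "medium"}:
        return "medium"
    return "low"


def _severity_from_number(n):
    """Map a 0-10 numeric severity onto the common scale (assumed thresholds)."""
    return "high" if n >= 7 else "medium" if n >= 4 else "low"


def _parse_firewall(raw):
    m = _SYSLOG_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised firewall line: {raw!r}")
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR, tzinfo=timezone.utc)
    fields = _kv(m["rest"])
    return {"timestamp": ts.isoformat(), "source": "firewall", "entity": m["host"],
            "severity": _severity_from_text(fields["sev"]), "action": fields["action"].lower()}


def _parse_cloud(raw):
    rec = json.loads(raw)
    ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
    return {"timestamp": ts.isoformat(), "source": "cloud", "entity": rec["resource"],
            "severity": _severity_from_number(int(rec["severity"])), "action": rec["event"]}


def _parse_endpoint(raw):
    fields = _kv(raw)
    ts = datetime.fromtimestamp(int(fields["ts"]), tz=timezone.utc)
    return {"timestamp": ts.isoformat(), "source": "endpoint", "entity": fields["host"],
            "severity": _severity_from_text(fields["level"]), "action": fields["msg"]}


PARSERS = {"firewall": _parse_firewall, "cloud": _parse_cloud, "endpoint": _parse_endpoint}


def normalize(source, raw):
    """Normalize one raw record from a known source into the common schema."""
    return PARSERS[source](raw)


def normalize_all(raw_events):
    """Normalize a batch and return it ordered by time, ready for correlation."""
    return sorted((normalize(s, r) for s, r in raw_events), key=lambda e: e["timestamp"])


def count_high_by_entity(events):
    """Post 1's question: how many high-severity records per entity, across all sources."""
    return Counter(e["entity"] for e in events if e["severity"] == "high")


def naive_high_count(raw_events):
    """What a plain text search over raw logs finds: only lines that literally say 'high'."""
    return sum(1 for _, raw in raw_events if "high" in raw.lower())


if __name__ == "__main__":
    normalized = normalize_all(RAW_EVENTS)
    for e in normalized:
        print(e)
    print("high per entity (normalized):", dict(count_high_by_entity(normalized)))
    print("high lines (raw text search):", naive_high_count(RAW_EVENTS))
```

Running it shows the gap the posts describe: the raw text search finds one "high" record, while the normalized view reports three for fw01 (a CRIT firewall block, a severity-9 cloud policy change, and a high endpoint alert about a new admin user) that an analyst would want to see together. The severity thresholds and field mappings are the part a real deployment tunes per source; the schema is what makes the count meaningful.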