SIEM & ELK Stack: Cyber Security Concept
Security is a core concern for any organization; one with no security measures in place has no idea what is happening to its own services. Cyber security has many different fields, and the SOC Analyst role is one that I have been keen to learn about. So, I was introduced to SIEM to understand what it is, how it is used in cybersecurity, and why. Let's take a closer look at what SIEM is and how it functions.
In cybersecurity, a SIEM (Security Information and Event Management) tool provides companies with centralized monitoring and analysis capabilities, allowing them to track infrastructure activity, identify events, and detect threats before they can impact services or products. It does this by centrally collecting the logs and events of every device it is connected to, normally through an agent or log forwarder on the device (Beats in the case of the ELK Stack), rather than being installed on each device itself. In simple terms, it keeps a record of everything that has taken place on the monitored devices and lets an analyst search and correlate that record in one place.
Data Collection: SIEM tools collect log data and security events from various sources across the IT infrastructure: servers, workstations, firewalls, identity providers, cloud services, and applications. What exactly does it collect as logs? The data collected can be anything from login attempts, file access, network traffic, and configuration changes to application-specific events.
Data Normalization and Correlation: Once the data is collected, the SIEM tool normalizes it, converting different log formats into a common schema so that, for example, the source IP of an SSH login on Linux and of a Windows logon event land in the same field (in the Elastic Stack this schema is the Elastic Common Schema, ECS). This makes it possible to analyze and correlate data from different sources. The tool then correlates these events to identify patterns that might indicate a security threat. For example, multiple failed login attempts from a single IP address followed by a successful login from the same address might trigger an alert for a potential brute-force attack; the order matters, since a success after a burst of failures is a much stronger signal than the failures alone.
Monitoring and Real-Time Analysis: SIEM tools provide near real-time monitoring and analysis of the collected data, limited only by how quickly logs are shipped and indexed. They continuously track activity on all monitored devices, generating alerts for suspicious or unusual behavior. This capability allows security teams to respond quickly to potential threats, often before they can cause significant damage.
Threat Detection and Response: By analyzing the correlated data, SIEM tools can detect various types of threats, such as malware, insider threats, data exfiltration, and more. When a potential threat is detected, the SIEM tool can generate alerts, trigger automated responses (often through a separate SOAR integration), or initiate workflows for incident response.
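To make the collect, normalize, correlate and alert steps above concrete, here is a small added example (written for this page, not code from Elastic or from the original post). It parses constructed sshd log lines and constructed Windows Security logon events, maps both into ECS-style field names (`source.ip`, `user.name`, `event.outcome`), and runs the brute-force rule from the text over the merged stream. The log lines, hostnames, IP addresses and the assumed syslog year are all made up for the example; the threshold and window are assumptions and would be tuned per environment.

```python
"""Toy SIEM pipeline: collect -> normalize -> correlate -> alert.

All sample data below is constructed for this example. Field names follow
the Elastic Common Schema (ECS) style so the events would fit an ELK index.
"""
import re
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (syslog format carries no year).
SSHD_LOG = """\
Mar  3 10:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Mar  3 10:00:04 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50123 ssh2
Mar  3 10:00:07 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50124 ssh2
Mar  3 10:00:09 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50125 ssh2
Mar  3 10:00:12 web01 sshd[2211]: Accepted password for root from 203.0.113.9 port 50126 ssh2
Mar  3 10:01:30 web01 sshd[2290]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
Mar  3 10:02:00 web01 sshd[2301]: Failed password for alice from 198.51.100.7 port 40100 ssh2
"""

# Constructed Windows Security events as an agent would ship them.
# 4625 = failed logon, 4624 = successful logon, 4672 = privileges assigned.
WINDOWS_EVENTS = [
    {"ts": "2024-03-03T10:05:00", "host": "dc01", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "192.0.2.50"},
    {"ts": "2024-03-03T10:05:02", "host": "dc01", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "192.0.2.50"},
    {"ts": "2024-03-03T10:05:05", "host": "dc01", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "192.0.2.50"},
    {"ts": "2024-03-03T10:05:08", "host": "dc01", "EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "192.0.2.50"},
    {"ts": "2024-03-03T10:09:00", "host": "dc01", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "198.51.100.7"},
    {"ts": "2024-03-03T10:09:30", "host": "dc01", "EventID": 4624, "TargetUserName": "alice", "IpAddress": "198.51.100.7"},
    {"ts": "2024-03-03T10:10:00", "host": "dc01", "EventID": 4672, "TargetUserName": "alice", "IpAddress": "198.51.100.7"},
]

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
SYSLOG_YEAR = 2024  # assumption: syslog lines have no year, so one is supplied


def normalize_sshd(line):
    """Map one sshd line to an ECS-style event, or None if it is not a login event."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    return {
        "@timestamp": datetime(SYSLOG_YEAR, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss),
        "host.name": m["host"],
        "event.category": "authentication",
        "event.action": f"ssh_{m['method']}",
        "event.outcome": "success" if m["outcome"] == "Accepted" else "failure",
        "user.name": m["user"],
        "source.ip": m["ip"],
    }


def normalize_windows(ev):
    """Map a Windows logon event (4624/4625) to the same ECS-style shape."""
    if ev["EventID"] not in (4624, 4625):
        return None  # not a logon outcome; other rules would consume it
    return {
        "@timestamp": datetime.fromisoformat(ev["ts"]),
        "host.name": ev["host"],
        "event.category": "authentication",
        "event.action": f"windows_logon_{ev['EventID']}",
        "event.outcome": "success" if ev["EventID"] == 4624 else "failure",
        "user.name": ev["TargetUserName"],
        "source.ip": ev["IpAddress"],
    }


def detect_brute_force(events, threshold=3, window=timedelta(seconds=60)):
    """Alert when >= threshold failures from one source.ip are followed by a
    success from that IP within `window`. Events are processed in time order."""
    alerts, fails_by_ip = [], {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        fails = fails_by_ip.setdefault(ev["source.ip"], [])
        if ev["event.outcome"] == "failure":
            fails.append(ev["@timestamp"])
            continue
        recent = [t for t in fails if ev["@timestamp"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "@timestamp": ev["@timestamp"],
                           "source.ip": ev["source.ip"], "user.name": ev["user.name"],
                           "host.name": ev["host.name"], "failures": len(recent)})
        fails.clear()  # a success closes the sequence for this IP
    return alerts


def run_pipeline():
    """Collect both sources, normalize, correlate; returns (events, alerts)."""
    events = [e for e in (normalize_sshd(l) for l in SSHD_LOG.splitlines()) if e]
    events += [e for e in (normalize_windows(w) for w in WINDOWS_EVENTS) if e]
    return events, detect_brute_force(events)


if __name__ == "__main__":
    for alert in run_pipeline()[1]:
        print(alert)
```

Running it yields two alerts: the SSH burst from 203.0.113.9 on web01 (four failures, then a success as root) and the three 4625 events followed by a 4624 for svc_backup on dc01. The single failure for alice, the success for deploy with no preceding failures, and the 4672 event produce nothing, which is the point of correlating on order and count rather than alerting on every failed login.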
Compliance Reporting: SIEM tools often include reporting capabilities that help organizations meet regulatory compliance requirements. They can generate reports on security events, user activities, log retention, and other metrics that auditors require.
Detection rules in a SIEM come from two places: the built-in rule set shipped by the vendor (Elastic ships prebuilt detection rules, most of them mapped to MITRE ATT&CK tactics and techniques so an analyst can see which adversary behaviour a rule covers) and custom rules written for the organization's own requirements. MITRE ATT&CK itself is a knowledge base of adversary techniques rather than a rule set; vendors and community projects such as Sigma map their rules to it. The tool does not just track device logs and events but can also track the behaviour of an employee working on a device provided by the firm (user behaviour analytics), which can later be used to investigate any misuse or illegal activity performed via a company asset. This depends on the endpoint actually shipping those logs, and on the firm's own policy about what it monitors.
This is the best article that I found to understand ELK and more about SIEM: ELK-SIEM Blog
To understand how to install ELK, I would recommend this resource: Install ElasticSearch Logstash and Kibana on Windows 10 (ELK Stack) (Elastic Stack)
There is a lot more to say about this tool and tech stack. Later I will definitely share insight on SIEM and ELK, with a detailed understanding of the SOC Analyst role that I have been very interested to learn about.