Module2 Week3

Module 2 focuses on security tools, particularly Security Information and Event Management (SIEM) systems, which help organizations collect, analyze, and monitor log data to enhance security. The module discusses various types of logs, the importance of SIEM dashboards, and different SIEM tools like Splunk and Chronicle, highlighting their roles in identifying potential security incidents. Additionally, it addresses the evolution of SIEM tools in response to emerging threats and the significance of automation in improving security operations.

Module 2
Week 3

We'll continue to explore security tools and how they can help you keep organizations and the people they serve safe. Security professionals often use a variety of tools to address specific security challenges, such as collecting security data, detecting and analyzing threats, or automating tasks. Security tools help organizations achieve a more comprehensive security posture.

We'll begin by covering different types of logs, what they track, and how they're used. Then we'll explore security information and event management, otherwise known as SIEM, dashboards. Finally, we'll discuss some common SIEM tools used in the security industry. Let's get started.

Logs and SIEM tools

As a security analyst, one of your responsibilities might include analyzing log data to mitigate and manage threats, risks, and vulnerabilities. As a reminder, a log is a record of events that occur within an organization's systems and networks. Security analysts access a variety of logs from different sources.

Three common log sources include firewall logs, network logs, and server logs. Let's explore each of these log sources in more detail.

A firewall log is a record of attempted or established connections for incoming traffic from the internet. It also includes outbound requests to the internet from within the network.

A network log is a record of all computers and devices that enter and leave the network. It also records connections between devices and services on the network.

Finally, a server log is a record of events related to services such as websites, emails, or file shares. It includes actions such as login, password, and username requests.

By monitoring logs, like the one shown here, security teams can identify vulnerabilities and potential data breaches. Understanding logs is important because SIEM tools rely on logs to monitor systems and detect security threats.

A security information and event management, or SIEM, tool is an application that collects and analyzes log data to monitor critical activities in an organization. It provides real-time visibility, event monitoring and analysis, and automated alerts. It also stores all log data in a centralized location.

Because SIEM tools index and minimize the number of logs a security professional must manually review and analyze, they increase efficiency and save time.

But SIEM tools must be configured and customized to meet each organization's unique security needs. As new threats and vulnerabilities emerge, organizations must continually customize their SIEM tools to ensure that threats are detected and quickly addressed.

Later in the certificate program, you'll have a chance to practice using different SIEM tools to identify potential security incidents.

Coming up, we'll explore SIEM dashboards and how cybersecurity professionals use them to monitor for threats, risks, and vulnerabilities.

SIEM dashboards

We've explored how SIEM tools are used to collect and analyze log data. However, this is just one of the many ways SIEM tools are used in cybersecurity.

SIEM tools can also be used to create dashboards. You might have encountered dashboards in an app on your phone or other device. They present information about your account or location in a format that's easy to understand.

For example, weather apps display data like temperature, precipitation, wind speed, and the forecast using charts, graphs, and other visual elements. This format makes it easy to quickly identify weather patterns and trends, so you can stay prepared and plan your day accordingly.

Just like weather apps help people make quick and informed decisions based on data, SIEM dashboards help security analysts quickly and easily access their organization's security information as charts, graphs, or tables.

For example, a security analyst receives an alert about a suspicious login attempt. The analyst accesses their SIEM dashboard to gather information about this alert. Using the dashboard, the analyst discovers that there have been 500 login attempts for Ymara's account in the span of five minutes. They also discover that the login attempts happened from geographic locations outside of Ymara's usual location and outside of her usual working hours. By using a dashboard, the security analyst was able to quickly review visual representations of the timeline of the login attempts, the location, and the exact time of the activity, then determine that the activity was suspicious.
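The correlation behind the Ymara example, written out as an added example in Python (not code from the course or from any SIEM product): constructed server authentication log lines are parsed, login attempts per account are counted in a sliding five-minute window, and once the count crosses the threshold the attempts are compared with the account's usual country and working hours to produce the timeline, source and off-hours summary the dashboard shows. The log layout, the user profile table, the hosts and the addresses are assumptions made for the example, and all timestamps are treated as UTC.

```python
"""Added example: SIEM-style correlation over constructed authentication logs.

Not code from the course or from any SIEM product. The log layout is an
assumed, syslog-like format; user profiles, hosts and addresses are made up
for the example. All timestamps are treated as UTC.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed server-log layout:
#   <ISO-8601 UTC timestamp> <host> auth: <OK|FAIL> user=<name> src=<ip> geo=<country>
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2})$"
)

# Assumed baseline per account: usual country and working hours (UTC, [start, end)).
USER_PROFILES = {
    "ymara": {"geo": "US", "hours": (9, 17)},
    "alice": {"geo": "US", "hours": (9, 17)},
}


def parse_auth_line(line):
    """Turn one log line into an event dict; lines in another format return None."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_suspicious_logins(lines, profiles, threshold=500, window=timedelta(minutes=5)):
    """Flag any account with at least `threshold` login attempts inside a sliding window.

    A finding records what the dashboard in the text shows: the per-minute timeline,
    the source addresses, the countries that differ from the user's usual one, and
    how many attempts fell outside the user's working hours.
    """
    events = sorted(filter(None, (parse_auth_line(l) for l in lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # user -> attempts still inside the window
    findings = {}
    for ev in events:
        q = recent[ev["user"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in findings:
            profile = profiles.get(ev["user"], {})
            start_h, end_h = profile.get("hours", (0, 24))
            timeline = defaultdict(int)
            for e in q:
                timeline[e["ts"].strftime("%H:%M")] += 1
            findings[ev["user"]] = {
                "attempts": len(q),
                "first": q[0]["ts"],
                "last": q[-1]["ts"],
                "sources": sorted({e["src"] for e in q}),
                "unusual_geos": {e["geo"] for e in q} - {profile.get("geo")},
                "off_hours_attempts": sum(1 for e in q if not start_h <= e["ts"].hour < end_h),
                "timeline": dict(timeline),
            }
    return findings


def constructed_sample():
    """Constructed log lines (not real data): 500 failed logins against ymara's account
    between 02:10 and 02:15 UTC from two foreign addresses, plus ordinary daytime
    logins by alice."""
    lines = []
    start = datetime(2024, 3, 4, 2, 10, 0)
    sources = [("203.0.113.7", "BR"), ("198.51.100.23", "RU")]
    for i in range(500):  # one attempt every 0.6 s, i.e. 500 attempts in five minutes
        ip, geo = sources[i % 2]
        ts = (start + timedelta(milliseconds=600 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} web01 auth: FAIL user=ymara src={ip} geo={geo}")
    for i in range(5):
        ts = (datetime(2024, 3, 4, 10, 0, 0) + timedelta(minutes=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} web01 auth: OK user=alice src=192.0.2.10 geo=US")
    return lines


if __name__ == "__main__":
    for user, f in detect_suspicious_logins(constructed_sample(), USER_PROFILES).items():
        print(f"{user}: {f['attempts']} attempts {f['first']:%H:%M:%S}-{f['last']:%H:%M:%S} "
              f"from {f['sources']} unusual geos={sorted(f['unusual_geos'])} "
              f"off-hours={f['off_hours_attempts']}")
        print("  per minute:", f["timeline"])
```

The threshold and window are parameters because the right values differ per organization, which is the point the text makes about customizing a SIEM: a 500-in-five-minutes rule that is obvious for an interactive login page would be noise for a service account that legitimately authenticates thousands of times an hour.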
In addition to providing a comprehensive summary of security-related data, SIEM dashboards also provide stakeholders with different metrics. Metrics are key technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a software application.

SIEM dashboards can be customized to display specific metrics or other data that are relevant to different members in an organization. For example, a security analyst may create a dashboard that displays metrics for monitoring everyday business operations, like the volume of incoming and outgoing network traffic.

We've examined how security analysts use SIEM dashboards to help organizations maintain their security posture. Well done!

Coming up, we'll discuss some common SIEM tools used in the cybersecurity industry. Meet you there.

Previously, you were introduced to security information and event management (SIEM) tools, along with a few examples of SIEM tools. In this reading, you will learn more about how SIEM tools are used to protect organizational operations. You will also gain insight into how and why SIEM tools are changing to help protect organizations and the people they serve from evolving threat actor tactics and techniques.

Current SIEM solutions

A SIEM tool is an application that collects and analyzes log data to monitor critical activities in an organization. SIEM tools offer real-time monitoring and tracking of security event logs. The data is then used to conduct a thorough analysis of any potential security threat, risk, or vulnerability identified. SIEM tools have many dashboard options. Each dashboard option helps cybersecurity team members manage and monitor organizational data. However, currently, SIEM tools require human interaction for analysis of security events.

The future of SIEM tools

As cybersecurity continues to evolve, the need for cloud functionality has increased. SIEM tools have evolved, and continue to evolve, to function in cloud-hosted and cloud-native environments. Cloud-hosted SIEM tools are operated by vendors who are responsible for maintaining and managing the infrastructure required to use the tools. Cloud-hosted tools are simply accessed through the internet and are an ideal solution for organizations that don't want to invest in creating and maintaining their own infrastructure.

Similar to cloud-hosted SIEM tools, cloud-native SIEM tools are also fully maintained and managed by vendors and accessed through the internet. However, cloud-native tools are designed to take full advantage of cloud computing capabilities, such as availability, flexibility, and scalability.

Yet the evolution of SIEM tools is expected to continue in order to accommodate the changing nature of technology, as well as new threat actor tactics and techniques. For example, consider the current development of interconnected devices with access to the internet, known as the Internet of Things (IoT). The more interconnected devices there are, the larger the cybersecurity attack surface and the amount of data that threat actors can exploit. The diversity of attacks and data that require special attention is expected to grow significantly. Additionally, as artificial intelligence (AI) and machine learning (ML) technology continues to progress, SIEM capabilities are expected to improve in areas such as identifying threat-related terminology, dashboard visualization, and data storage.

The implementation of automation will also help security teams respond faster to possible incidents, performing many actions without waiting for a human response. Security orchestration, automation, and response (SOAR) is a collection of applications, tools, and workflows that uses automation to respond to security events. Essentially, this means that handling common security-related incidents with the use of SIEM tools is expected to become a more streamlined process requiring less manual intervention. This frees up security analysts to handle more complex and uncommon incidents that, consequently, can't be automated with a SOAR. Nevertheless, the expectation is for cybersecurity-related platforms to communicate and interact with one another. Although the technology allowing interconnected systems and devices to communicate with each other exists, it is still a work in progress.

Key takeaways

SIEM tools play a major role in monitoring an organization's data. As an entry-level security analyst, you might monitor SIEM dashboards as part of your daily tasks. Regularly researching new developments in SIEM technology will help you grow and adapt to the changes in the cybersecurity field. Cloud computing, SIEM-application integration, and automation are only some of the advancements security professionals can expect in the future evolution of SIEM tools.
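To make the division of labor in the SOAR paragraph concrete, here is an added example in Python (not code from the course or from any SOAR product): a small playbook dispatcher that maps a few common, well-understood alert types to scripted response actions and escalates to an analyst anything it has no playbook for, anything rated high severity, and anything whose scripted action would touch a protected account or address. The rule names, action names, protected lists and sample alerts are all assumptions made for the example.

```python
"""Added example: a toy SOAR-style playbook dispatcher.

Not code from the course or from any SOAR product. Rule names, action names,
the protected lists and the sample alerts are made up for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    rule: str                   # name of the SIEM detection rule that fired
    severity: str               # "low", "medium" or "high"
    user: Optional[str] = None
    src_ip: Optional[str] = None


# Assumed playbooks: for these common, well-understood alerts the response is scripted.
PLAYBOOKS = {
    "brute_force_login": ["block_ip", "force_password_reset", "open_ticket"],
    "malicious_attachment_opened": ["quarantine_attachment", "isolate_host", "open_ticket"],
    "ioc_domain_match": ["block_domain", "open_ticket"],
}

# Guardrails: automation must never lock out these accounts or cut off these addresses.
PROTECTED_USERS = {"break-glass-admin", "svc-backup"}
PROTECTED_IPS = {"10.0.0.1"}      # e.g. the VPN concentrator every remote user comes through
ACTIONS_ON_USER = {"force_password_reset", "disable_account"}
ACTIONS_ON_IP = {"block_ip", "isolate_host"}


def _escalate(alert, reason):
    return {"alert": alert, "disposition": "escalate",
            "actions": ["open_ticket", "notify_analyst"], "reason": reason}


def run_playbook(alert):
    """Decide whether an alert is handled automatically or handed to an analyst.

    Returns an audit record (disposition, ordered actions, escalation reason) so
    every automated decision can be reviewed afterwards.
    """
    actions = PLAYBOOKS.get(alert.rule)
    if actions is None:
        return _escalate(alert, f"no playbook for rule {alert.rule!r}")
    if alert.severity == "high":
        return _escalate(alert, "high severity requires analyst review")
    for action in actions:  # check guardrails before running anything
        if action in ACTIONS_ON_USER and alert.user in PROTECTED_USERS:
            return _escalate(alert, f"{action} on protected account {alert.user}")
        if action in ACTIONS_ON_IP and alert.src_ip in PROTECTED_IPS:
            return _escalate(alert, f"{action} on protected address {alert.src_ip}")
    return {"alert": alert, "disposition": "automated", "actions": list(actions), "reason": None}


def triage(alerts):
    """Run every alert through its playbook and split the results into two queues."""
    records = [run_playbook(a) for a in alerts]
    return {"automated": [r for r in records if r["disposition"] == "automated"],
            "escalated": [r for r in records if r["disposition"] == "escalate"]}


# Constructed alerts (not real data).
SAMPLE_ALERTS = [
    Alert("brute_force_login", "medium", user="ymara", src_ip="203.0.113.7"),
    Alert("brute_force_login", "medium", user="ymara", src_ip="10.0.0.1"),
    Alert("ioc_domain_match", "low", src_ip="10.0.0.25"),
    Alert("privilege_escalation_chain", "high", user="svc-backup"),
]

if __name__ == "__main__":
    for queue, records in triage(SAMPLE_ALERTS).items():
        print(queue)
        for r in records:
            print(f"  {r['alert'].rule:28} -> {r['actions']}  {r['reason'] or ''}")
```

The guardrail checks are the part worth copying: a brute-force playbook that blocks the source address is harmless against an internet scanner and an outage if the "source" turns out to be the VPN concentrator, so the dispatcher refuses and escalates rather than trusting the playbook blindly.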
Explore common SIEM tools

We'll cover some industry-leading SIEM tools that you'll likely encounter as a security analyst. First, let's discuss the different types of SIEM tools that organizations can choose from, based on their unique security needs.

Self-hosted SIEM tools require organizations to install, operate, and maintain the tool using their own physical infrastructure, such as server capacity. These applications are then managed and maintained by the organization's IT department, rather than a third-party vendor. Self-hosted SIEM tools are ideal when an organization is required to maintain physical control over confidential data.

Alternatively, cloud-hosted SIEM tools are maintained and managed by the SIEM providers, making them accessible through the internet. Cloud-hosted SIEM tools are ideal for organizations that don't want to invest in creating and maintaining their own infrastructure.

Or, an organization can choose to use a combination of both self-hosted and cloud-hosted SIEM tools, known as a hybrid solution. Organizations might choose a hybrid SIEM solution to leverage the benefits of the cloud while also maintaining physical control over confidential data.

Splunk Enterprise, Splunk Cloud, and Chronicle are common SIEM tools that many organizations use to help protect their data and systems. Let's begin by discussing Splunk.

Splunk is a data analysis platform, and Splunk Enterprise provides SIEM solutions. Splunk Enterprise is a self-hosted tool used to retain, analyze, and search an organization's log data to provide security information and alerts in real time. Splunk Cloud is a cloud-hosted tool used to collect, search, and monitor log data. Splunk Cloud is helpful for organizations running hybrid or cloud-only environments, where some or all of the organization's services are in the cloud.

Finally, there's Google's Chronicle. Chronicle is a cloud-native tool designed to retain, analyze, and search data. Chronicle provides log monitoring, data analysis, and data collection. Like cloud-hosted tools, cloud-native tools are also fully maintained and managed by the vendor. But cloud-native tools are specifically designed to take full advantage of cloud computing capabilities such as availability, flexibility, and scalability.

Because threat actors are frequently improving their strategies to compromise the confidentiality, integrity, and availability of their targets, it's important for organizations to use a variety of security tools to help defend against attacks. The SIEM tools we just discussed are only a few examples of the tools available for security teams to use to help defend their organizations. And later in the certificate program, you'll have the exciting opportunity to practice using Splunk Cloud and Chronicle.

More about cybersecurity tools

Previously, you learned about several tools that are used by cybersecurity team members to monitor for and identify potential security threats, risks, and vulnerabilities. In this reading, you'll learn more about common open-source and proprietary cybersecurity tools that you may use as a cybersecurity professional.

Open-source tools

Open-source tools are often free to use and can be user-friendly. The objective of open-source tools is to provide users with software that is built by the public in a collaborative way, which can result in the software being more secure. Additionally, open-source tools allow for more customization by users, resulting in a variety of new services built from the same open-source software package.

Software engineers create open-source projects to improve software and make it available for anyone to use, as long as the specified license is respected. The source code for open-source projects is readily available to users, as well as the training material that accompanies them. Having these sources readily available allows users to modify and improve project materials.

Proprietary tools

Proprietary tools are developed and owned by a person or company, and users typically pay a fee for usage and training. The owners of proprietary tools are the only ones who can access and modify the source code. This means that users generally need to wait for updates to be made to the software, and at times they might need to pay a fee for those updates. Proprietary software generally allows users to modify a limited number of features to meet individual and organizational needs. Examples of proprietary tools include the Splunk® and Chronicle SIEM tools.
Common misconceptions

There is a common misconception that open-source tools are less effective and not as safe to use as proprietary tools. However, developers have been creating open-source materials for years that have become industry standards. Although it is true that threat actors have attempted to manipulate open-source tools, because these tools are open source it is actually harder for people with malicious intent to successfully cause harm. The wide exposure and immediate access to the source code by well-intentioned and informed users and professionals makes it less likely for issues to occur, because they can fix issues as soon as they're identified.

Examples of open-source tools

In security, there are many tools in use that are open-source and commonly available. Two examples are Linux and Suricata.

Linux

Linux is an open-source operating system that is widely used. It allows you to tailor the operating system to your needs using a command-line interface. An operating system is the interface between computer hardware and the user. It's used to communicate with the hardware of a computer and manage software applications.

There are multiple versions of Linux that exist to accomplish specific tasks. Linux and its command-line interface will be discussed in detail later in the certificate program.

Suricata

Suricata is open-source network analysis and threat detection software. Network analysis and threat detection software is used to inspect network traffic to identify suspicious behavior and generate network data logs. The detection software finds activity across users, computers, or Internet Protocol (IP) addresses to help uncover potential threats, risks, or vulnerabilities.

Suricata was developed by the Open Information Security Foundation (OISF). OISF is dedicated to maintaining open-source use of the Suricata project to ensure it's free and publicly available. Suricata is widely used in the public and private sector, and it integrates with many SIEM tools and other security tools. Suricata will also be discussed in greater detail later in the program.

Key takeaways

Open-source tools are widely used in the cybersecurity profession. Throughout the certificate program, you will have multiple opportunities to learn about and explore both open-source and proprietary tools in more depth.

Use SIEM tools to protect organizations

Previously, you were introduced to security information and event management (SIEM) tools and a few SIEM dashboards. You also learned about different threats, risks, and vulnerabilities an organization may experience. In this reading, you will learn more about SIEM dashboard data and how cybersecurity professionals use that data to identify a potential threat, risk, or vulnerability.

Splunk

Splunk offers different SIEM tool options: Splunk® Enterprise and Splunk® Cloud. Both allow you to review an organization's data on dashboards. This helps security professionals manage an organization's internal infrastructure by collecting, searching, monitoring, and analyzing log data from multiple sources to obtain full visibility into an organization's everyday operations.

Review the following Splunk dashboards and their purposes:

Security posture dashboard

The security posture dashboard is designed for security operations centers (SOCs). It displays the last 24 hours of an organization's notable security-related events and trends and allows security professionals to determine if security infrastructure and policies are performing as designed. Security analysts can use this dashboard to monitor and investigate potential threats in real time, such as suspicious network activity originating from a specific IP address.

Executive summary dashboard

The executive summary dashboard analyzes and monitors the overall health of the organization over time. This helps security teams improve security measures that reduce risk. Security analysts might use this dashboard to provide high-level insights to stakeholders, such as generating a summary of security incidents and trends over a specific period of time.
Incident review dashboard

The incident review dashboard allows analysts to identify suspicious patterns that can occur in the event of an incident. It assists by highlighting higher-risk items that need immediate review by an analyst. This dashboard can be very helpful because it provides a visual timeline of the events leading up to an incident.

Risk analysis dashboard

The risk analysis dashboard helps analysts identify risk for each risk object (e.g., a specific user, a computer, or an IP address). It shows changes in risk-related activity or behavior, such as a user logging in outside of normal working hours or unusually high network traffic from a specific computer. A security analyst might use this dashboard to analyze the potential impact of vulnerabilities in critical assets, which helps analysts prioritize their risk mitigation efforts.

Chronicle

Chronicle is a cloud-native SIEM tool from Google that retains, analyzes, and searches log data to identify potential security threats, risks, and vulnerabilities. Chronicle allows you to collect and analyze log data according to:
● A specific asset
● A domain name
● A user
● An IP address

Chronicle provides multiple dashboards that help analysts monitor an organization's logs, create filters and alerts, and track suspicious domain names.

Review the following Chronicle dashboards and their purposes:

Enterprise insights dashboard

The enterprise insights dashboard highlights recent alerts. It identifies suspicious domain names in logs, known as indicators of compromise (IOCs). Each result is labeled with a confidence score to indicate the likelihood of a threat. It also provides a severity level that indicates the significance of each threat to the organization. A security analyst might use this dashboard to monitor login or data access attempts related to a critical asset, like an application or system, from unusual locations or devices.

Data ingestion and health dashboard

The data ingestion and health dashboard shows the number of event logs, log sources, and success rates of data being processed into Chronicle. A security analyst might use this dashboard to ensure that log sources are correctly configured and that logs are received without error. This helps ensure that log-related issues are addressed so that the security team has access to the log data they need.

IOC matches dashboard

The IOC matches dashboard indicates the top threats, risks, and vulnerabilities to the organization. Security professionals use this dashboard to observe domain names, IP addresses, and device IOCs over time in order to identify trends. This information is then used to direct the security team's focus to the highest-priority threats. For example, security analysts can use this dashboard to search for additional activity associated with an alert, such as a suspicious user login from an unusual geographic location.

Main dashboard

The main dashboard displays a high-level summary of information related to the organization's data ingestion, alerting, and event activity over time. Security professionals can use this dashboard to access a timeline of security events, such as a spike in failed login attempts, to identify threat trends across log sources, devices, IP addresses, and physical locations.

Rule detections dashboard

The rule detections dashboard provides statistics related to incidents with the highest occurrences, severities, and detections over time. Security analysts can use this dashboard to access a list of all the alerts triggered by a specific detection rule, such as a rule designed to alert whenever a user opens a known malicious attachment from an email. Analysts then use those statistics to help manage recurring incidents and establish mitigation tactics to reduce an organization's level of risk.

User sign in overview dashboard

The user sign in overview dashboard provides information about user access behavior across the organization. Security analysts can use this dashboard to access a list of all user sign-in events to identify unusual user activity, such as a user signing in from multiple locations at the same time. This information is then used to help mitigate threats, risks, and vulnerabilities to user accounts and the organization's applications.
Key takeaways


SIEM tools provide dashboards that help security professionals organize and focus their
security efforts. This is important because it allows analysts to reduce risk by identifying,
analyzing, and remediating the highest priority items in a timely manner. Later in the
program, you’ll have an opportunity to practice using various SIEM tool features and
commands for search queries.
