Event Management AND Security information | IT NETWORKS

-
Security Information and Event Management or SIEM, grew out of two requirements. One was to contend with the flood of alerts issued from IPS or Intrusion Prevention Systems and IDS or Intrusion Detection Systems which were overwhelming security teams.

IDS were used to measure and prove compliance to various legislations. A deluge of compliance legislation appeared in the first two decades of the twenty-first century in reply to numerous high-profile network breaches.


In the other hand, the technology needed several things:

First, logs aggregation from many network sources, such as network and security devices, servers and databases, and applications into a central repository for analysis and pattern detection.
Second, storing data logs for a period of time to satisfy auditing requirements.
Third, correlation, monitoring and notifying events in real-time.


siem - no copyright photo



 SIEM is primarily an information platform. As CyberAttacks became more sophisticated and stealthy, demands for information about a CYBERATTACK, it's characteristics, its purpose and the degree to which it had penetrated the networks, grew louder.

Another alarming fact was that the security teams very often did not discover a breach until many months after it had occurred, and then it was more often discovered by a third party then internal security.



IT Security needed a global overview of what is happening in the network and the real-time data that the SIEM collected was identified as a valuable asset to leverage. In the second stage of development, threat detection capabilities with built-in threat intelligence, historical and real-time analytics, and user and entity behaviour analytics or (UEBA) were added.


Recently machine learning became a part of SIEM's tools and is particularly needed when sifting through Big DATA.

Another issue that beleaguered SIEM was the effort involved to configure and set it up than integrate it into the network and use it.
It was kind of complex and not so clear to use and demanded a very skilled person to manage and identify attacks.
Also, everything became more sophisticated and hard to manage because IT infrastructures weren't homogenous.


In nowadays SIEM products, most of them are based on machine learning which solved too many problems and issues. Machine learning made it easy to detect attacks and identify issues in addition to its configuration and implementation which became more automated.


Learn more:

In Programing

How to install PYTHON 3.8.0 :
https://itnetworks2020.blogspot.com/2019/12/1-programming-with-python-installing.html

In Security

Endpoint introduction :
https://itnetworks2020.blogspot.com/2019/10/endpoints-introduction.html

Firewalls:
https://itnetworks2020.blogspot.com/2019/10/firewalls.html

Security Email Gateways:
https://itnetworks2020.blogspot.com/2019/10/secure-email-gateway.html

CyberSecurity Evolution : UnKnown Threats:
https://itnetworks2020.blogspot.com/2019/10/cybersecurity-evolution-unknown-threats.html

CyberSecurity Evolution : Known Threats
https://itnetworks2020.blogspot.com/2019/10/cybersecurity-evolution-known-threats.html








Location: États-Unis

Comments

Post a Comment

Popular Posts

Network Access Control NAC | IT NETWORKS

-
Image
Network Access Control NAC It's something that controls access to the network. And at its simplest level, this is what NAC does.  But if that's all that it was, then it wouldn't be fundamentally different from a network authentication and authorization server. Traditional authentication to the network follows the IEEE 802.1X standard that provided an authentication method to devices wishing to join a Local Area Network (LAN) or wireless LAN. 802.1X Wireless/Wired Authentication The mechanism was a port-based network access control which used agents, the software running on client devices that provide credentials to the authenticator to control access to the network. Another means to control access to a public network such as one serving a coffee shop or in a hotel, is a captive portal. If you've ever connected to a network in an airport, hotel, or coffee shop, you might recall interacting with a web page, sometimes agreeing t
Read more

CISCO : Dynamic Multipoint Virtual Private Network (DMVPN) | ITNETWORKS

-
Image
1- Definition   DMVPN is a technology that's used in secure networks exchanging data between them without needing to redirect traffic through a  headquarter  server  or router . Dynamic Multipoint VPN ( DMVPN ) is a Cisco IOS Software solution for building reliable IPsec Virtual Private Networks (VPN). DMVPN basically is a centralized architecture that provides easier management and implementation for deployments that need very specific access controls, authorizations and restrictions for diverse branches, users, applications and partners. DMVPN + IPSEC 2- Benefits DMVPN provides the ability to create dynamic VPNs without configuring static tunnels between remote peers, including Internet Protocol (IP), IPSEC and Key Management Protocol (ISAKMP peers).   DMVPN is designed  to make HUB-AND-SPOKE   topology  by statically configuring the hub IP address on the spokes, no other changes are needed  in the configuration ns of the hub to accept ne
Read more

Issues with CISCO WIRELESS Controller (And resolution) | IT NETWORKS

-
Image
On Cisco Wireless controller 5520, The Access POINTS try to join the Controller by bringing up a connection through the CAPWAP Tunnel, you can see these attempts through the AP log itself. The problem is that the DHCP server when trying to serve IP Addresses it shows the error BAD_ADDRESS in front of each IP assigned. So I Took a single access point, started debugging it, after that, I noticed that the CAPWAP connection was empty of errors BUT!! it was trying to resolve this name  CISCO-CAPWAP-CONTROLLER This resolution is made with DNS protocol, of course, I honestly wasn't so sure of what I was doing, so I added a new entry in my DNS server and it's corresponding IP was the Controller's after that magically all the Access Points where UP and showed UP on my controller. The controller I'm working with is the CISCO WIRELESS CONTROLLER 5520 Model:  AIR-CT5520-K9 Software Version:  8.3.150.0 Image of the controller Learn
Read more