Security Information and Event Management (SIEM)

20th May, 2022

Let’s talk about SIEM. Are you having consistent challenges with responding to threats, breaches and related incidents? Do you find it increasingly draining to get to the root cause of breaches in light of the increasing number of attacks and related downtimes in your network? If yes, a SIEM solution may be just what you need.

More often than not, the above pain points are brought about by a lack of collaboration between the Network Operations Center (NOC) and the Security Operations Center (SOC). The NOC is primarily interested in network performance and uptime, while the SOC teams are primarily focused on network security, regulations, and compliance.

To further deepen the disconnect, each uses a different set of tools and software that are not integrated, so neither has a global view of the enterprise’s overall network. These factors create a complex monitoring and reporting environment, which increases the likelihood that threats and breaches go undetected for some time.

What is SIEM software?

Security information and event management (SIEM) software gives enterprise security professionals a better handle on events within the enterprise. It does this by collecting network and security logs into a central repository from multiple diverse sources, e.g. access points, Active Directory and database servers, routers, switches, firewalls, intrusion detection and prevention systems, etc. SIEM is a fundamental element of a successful Cyber Resilience strategy.

SIEM Requirements:

A SIEM must be aware of what is attached to the network and be able to collect event and log data from all of those attached items. FortiSIEM is the only SIEM tool in the market that has a self-learning, real-time asset discovery and device configuration engine built into its platform. The SIEM parses, normalizes and categorizes data from any type of device, as long as that device is able to send logs to it.

SIEM software should have intelligent context: it should be able to identify the specific kinds of running devices, applications and servers, their corresponding configurations and other data, so as to add relevant context to events and notifications. This is a critical element of ensuring the SIEM product doesn’t raise false alarms.

SIEM software also needs to be fed quality data for maximum yield; the bigger the data source you give it, the better it gets and the better it can see outliers.

How SIEM works:

SIEM software collects and aggregates log data generated throughout the enterprise’s endpoints, applications, firewalls, and antivirus filters.

SIEM delivers on the following objectives:

• Provide near-real-time analysis. SIEM systems focus on providing faster identification, analysis, and recovery. They could, for instance, help detect zero-day attacks.
• Align enterprises with auditing and regulatory requirements, e.g. PCI and HIPAA. SIEM generates automated compliance reports while sending notifications to relevant personnel. For instance, the SIEM receives an alert from Active Directory or RADIUS stating that it has detected a Repeat Attack_Login attack (3 or more failed login attempts in 60 seconds) against one of the hosts. A notification is then sent to a security administrator.
• Automatically cross-correlate and analyze all the raw event logs from across the entire network. What differentiates a SIEM from a typical log collector is its ability to cross-correlate data from multiple threat feeds and system data sources before determining the threat level of an incident.
• Convert security events and log data into visually appealing charts that help reveal patterns.
• Enable forensic analysis: the ability to search across logs on different nodes and time periods based on specific criteria.
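The pipeline described above, from raw logs through normalization to the post’s “Repeat Attack_Login” rule (3 or more failed logins in 60 seconds against one host), as an added Python example that is not part of the original post and not code from FortiSIEM or any other product. The two log formats, host names, user names and addresses are constructed for the example; only the rule name and the 3-in-60-seconds threshold come from the text.

```python
"""Toy SIEM pipeline: parse two raw log formats, normalize them into one event
schema, then run a sliding-window correlation rule for repeated failed logins."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines (invented for this example, not taken from any
# product). Two feeds: Windows Security events from a domain controller
# (4625 = failed logon, 4624 = successful logon) and Access-Reject lines
# from a RADIUS server that fronts the VPN gateway "vpn01".
SAMPLE_LOGS = [
    "2022-05-20T10:00:01Z dc01 EventID=4625 user=alice src=10.0.0.5",
    "2022-05-20T10:00:12Z radius01 Access-Reject user=bob nas=vpn01 src=198.51.100.7",
    "2022-05-20T10:00:20Z dc01 EventID=4625 user=alice src=10.0.0.5",
    "2022-05-20T10:00:30Z dc01 EventID=4624 user=carol src=10.0.0.9",  # success, ignored
    "2022-05-20T10:00:40Z radius01 Access-Reject user=bob nas=vpn01 src=198.51.100.7",
    "2022-05-20T10:00:45Z dc01 EventID=4625 user=admin src=10.0.0.5",  # 3rd failure in 44 s
    "2022-05-20T10:03:00Z dc01 EventID=4625 user=alice src=10.0.0.5",  # window has expired
    "malformed line that no parser recognizes",
]

WINDOWS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$")
RADIUS_RE = re.compile(
    r"^(?P<ts>\S+) \S+ Access-Reject user=(?P<user>\S+) nas=(?P<nas>\S+) src=(?P<src>\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Map one raw line onto the common schema; return None for unknown formats."""
    m = WINDOWS_RE.match(line)
    if m:
        etype = {"4625": "auth_failure", "4624": "auth_success"}.get(m["eid"], "other")
        return {"ts": parse_ts(m["ts"]), "feed": "windows", "type": etype,
                "target": m["host"], "user": m["user"], "src_ip": m["src"]}
    m = RADIUS_RE.match(line)
    if m:
        # The target of the attempt is the NAS (the VPN gateway), not the RADIUS server.
        return {"ts": parse_ts(m["ts"]), "feed": "radius", "type": "auth_failure",
                "target": m["nas"], "user": m["user"], "src_ip": m["src"]}
    return None


def repeat_attack_login(events, threshold=3, window_seconds=60):
    """Alert once per burst when a target sees >= threshold failures within the window."""
    alerts = []
    recent = defaultdict(deque)   # target host -> failures still inside the window
    open_incidents = set()        # targets that already have an alert for the current burst
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "auth_failure":
            continue
        q = recent[ev["target"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the sliding window
        if len(q) < threshold:
            open_incidents.discard(ev["target"])   # burst is over; allow a future alert
        elif ev["target"] not in open_incidents:
            open_incidents.add(ev["target"])
            alerts.append({
                "rule": "Repeat Attack_Login",
                "target": ev["target"],
                "count": len(q),
                "feeds": sorted({e["feed"] for e in q}),
                "users": sorted({e["user"] for e in q}),
                "src_ips": sorted({e["src_ip"] for e in q}),
                "first_seen": q[0]["ts"],
                "last_seen": ev["ts"],
            })
    return alerts


def run(lines=SAMPLE_LOGS):
    """Normalize every line, discard what no parser understands, correlate."""
    events = [e for e in map(normalize, lines) if e is not None]
    return repeat_attack_login(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running it yields a single alert for dc01 (three failures in 44 seconds from one source address across two user names); the two VPN rejects stay below the threshold, the successful logon is ignored, and the failure at 10:03 falls outside the window. The alert is keyed on the target host rather than on the user, which is what lets a password-spraying pattern (many users, one host) trip the same rule as a single account being hammered.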

SIEM Challenges:

Security teams often start by chasing down a staggering number of false alerts. False alerts are one of the most nagging challenges in implementing reliable cybersecurity initiatives. They are “useless” alerts that end up wasting the enterprise SOC team’s time, since they are not real threats.

According to Cisco’s 2017 Annual Cyber Report (“The Hidden Danger of Uninvestigated Threats”), only 28% of the security alerts that are investigated turn out to be legitimate; of these, only 46% are remediated, meaning 54% of legitimate threats are not resolved!

This is partly a result of the SOC team’s effort being redirected to investigating false alerts. So how exactly can an enterprise deal with false alerts?

Dealing with False Alerts:

• Clearly define false alerts. If a trouble ticket is consistently created with no tangible immediate action specified, it probably is a false alert. Such alerts can be removed from the ticketing system and only included in a report.
• Turn off the default rules that don’t apply in your environment, for instance a SQL injection attack rule if there is no SQL server installed in your network.
• Fine-tune the rules to match your environment’s thresholds. This takes time, though: after installation, monitor your environment to determine the most appropriate thresholds for various attributes, for instance what counts as normal and abnormal traffic.
• Implement a SIEM solution that has intelligent context capabilities. It should be able to cross-correlate event data from multiple feeds simultaneously and come to a reliable conclusion as to whether a threat is real or not.
• Adjust the SIEM product’s criticality settings to match your environment. Most vendor defaults are set too high for most environments, as you will soon notice after having the SIEM in operation for a while. Save yourself the pain!
• Use a high-quality, regularly updated threat feed and geolocation data. This adds more context to your events and logs. For instance, if a source IP belongs to a known hacker cell, the criticality of such a log is raised to high. Geolocation data also helps determine whether the traffic is internal, remote or foreign. Low-quality threat feeds could actually increase the number of false alerts!
• Avoid duplication. If a firewall blocks some kind of traffic, don’t raise an alert ticket on what has already been blocked! What’s the point of having the firewall device installed in the first place?
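The tuning steps in the list above, as an added Python example that is not from the original post and not FortiSIEM code: a small triage stage that drops rules for asset roles the inventory doesn’t contain, applies site-specific thresholds and severities over the vendor defaults, enriches what remains with threat-feed and geolocation context, and declines to ticket traffic the firewall already blocked. The asset inventory, rule names, address plan, threat feed and geolocation table are all constructed placeholders (the external addresses are documentation ranges).

```python
"""Toy alert-triage stage that applies the tuning steps from the post: drop rules
for assets you don't have, apply site-specific thresholds, enrich with threat-feed
and geolocation context, and never ticket traffic a firewall already blocked."""
import ipaddress
from collections import Counter

# Constructed asset inventory: what the SIEM has discovered on this network.
# There is deliberately no SQL server, so a SQL injection rule cannot apply.
ASSETS = {
    "web01": {"roles": {"web"}},
    "dc01": {"roles": {"directory"}},
    "fw01": {"roles": {"firewall"}},
}

# Constructed address plan, threat feed and geolocation table (placeholders,
# not real intelligence data; the public IPs are documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THREAT_FEED = {"203.0.113.50": "known scanning infrastructure"}
GEO_TABLE = {"203.0.113.50": "ZZ", "198.51.100.7": "DE"}   # ISO country codes
HOME_COUNTRY = "DE"

# Vendor defaults versus what the analysts settled on after watching the
# environment for a few weeks (rule names are invented for the example).
VENDOR_DEFAULTS = {
    "port_scan":     {"threshold": 10, "severity": "high", "needs_role": None},
    "sql_injection": {"threshold": 1,  "severity": "high", "needs_role": "sql"},
    "web_attack":    {"threshold": 1,  "severity": "high", "needs_role": "web"},
}
SITE_OVERRIDES = {
    "port_scan": {"threshold": 50, "severity": "medium"},  # authorized scanners run here daily
}


def effective_rules(defaults=VENDOR_DEFAULTS, overrides=SITE_OVERRIDES, assets=ASSETS):
    """Merge site overrides into vendor defaults; drop rules whose target role is absent."""
    present_roles = set().union(*(a["roles"] for a in assets.values()))
    rules = {}
    for name, cfg in defaults.items():
        merged = {**cfg, **overrides.get(name, {})}
        if merged["needs_role"] and merged["needs_role"] not in present_roles:
            continue          # no such asset -> the rule can only produce false alerts
        rules[name] = merged
    return rules


def locate(ip):
    """Classify a source address as internal, remote (home country) or foreign."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "remote" if GEO_TABLE.get(ip) == HOME_COUNTRY else "foreign"


def enrich(alert):
    """Add geolocation and threat-feed context; a known-bad source raises criticality."""
    out = dict(alert)
    out["origin"] = locate(alert["src_ip"])
    tag = THREAT_FEED.get(alert["src_ip"])
    if tag:
        out["threat_intel"] = tag
        out["severity"] = "high"
    return out


def triage(raw_alerts, rules=None):
    """Split correlation output into analyst tickets and report-only counters."""
    rules = effective_rules() if rules is None else rules
    tickets, report_only = [], Counter()
    for a in raw_alerts:
        rule = rules.get(a["rule"])
        if rule is None:
            report_only["rule disabled: " + a["rule"]] += 1
        elif a["count"] < rule["threshold"]:
            report_only["below site threshold: " + a["rule"]] += 1
        elif a.get("fw_action") == "blocked":
            report_only["already blocked by firewall"] += 1   # no duplicate ticket
        else:
            tickets.append(enrich({**a, "severity": rule["severity"]}))
    return tickets, report_only


# Constructed raw alerts, shaped like the output of an upstream correlation stage.
RAW_ALERTS = [
    {"rule": "port_scan", "src_ip": "203.0.113.50", "target": "web01", "count": 120},
    {"rule": "port_scan", "src_ip": "198.51.100.7", "target": "web01", "count": 12},
    {"rule": "sql_injection", "src_ip": "198.51.100.7", "target": "web01", "count": 1},
    {"rule": "web_attack", "src_ip": "10.0.0.5", "target": "web01", "count": 1, "fw_action": "blocked"},
    {"rule": "web_attack", "src_ip": "198.51.100.7", "target": "web01", "count": 1},
]

if __name__ == "__main__":
    tickets, report = triage(RAW_ALERTS)
    for t in tickets:
        print("TICKET", t["severity"], t["rule"], t["src_ip"], t["origin"], t.get("threat_intel", ""))
    print("report only:", dict(report))
```

Of the five raw alerts, only two become tickets: the large scan from the threat-listed address (raised from the site’s “medium” to “high” and tagged foreign) and the unblocked web attack from a home-country address (tagged remote). The small scan, the SQL injection hit and the firewall-blocked attempt all land in report-only counters, which is exactly the split the first bullet asks for: they are still visible in a report but never cost an analyst a ticket.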

Proactive organizations learn to tune the tooling over time so that the SIEM understands which events are normal, and thereby reduce the number of false alerts. After getting a false alert, adjust your SIEM so that it doesn’t catch that again. Fine-tuning should be done often, to reflect both internal changes (e.g. the commissioning and decommissioning of devices) and changes in the global threat landscape.

Managing a SIEM is a resource-intensive process that requires regular evaluation and adjustment to maintain optimal performance. Despite this, going without a SIEM solution isn’t the answer, because that can leave you vulnerable to attack. Many IT professionals don’t know how to do this efficiently, so expert SIEM consultancy may be required.

To develop proficiency in accurately managing SIEM products, you can sign up for an Insoft instructor-led FortiSIEM training here.

SIEM Tools and Vendor Selection

SIEM tools come in both paid-for commercial offerings and free open-source alternatives. Different SIEM tools draw their strength from a myriad of different features and capabilities, so it’s up to you to carefully choose one that addresses your enterprise’s needs.

There are a number of leading vendors, including SolarWinds, HPE, IBM, Splunk, Fortinet, and Intel. There are also open-source SIEM tools that are supported by the community; they are not vendor-backed, hence they may not be as reliable, especially in critical enterprise-grade environments. Some of the best free open-source SIEM tools include Elasticsearch, ELK Stack, OSSIM, Splunk Free and OSSEC.

FortiSIEM Case Study:

FortiSIEM is a SIEM product manufactured by Fortinet. It offers SOC and NOC data correlation capabilities. It collects and normalizes a variety of logs, for instance transaction, SNMP, connection, application and user logs.

These logs are then used for IT network and security monitoring and troubleshooting, enabling organizations to eliminate blind spots by monitoring and analyzing a diverse set of events from multiple sources. Organizations therefore get an upper hand in identifying threats and their root causes, for even more agile remediation.

In addition to security metrics, FortiSIEM also monitors infrastructure resource utilization, application health, performance and availability metrics. All of this data is collected at a set polling interval. The results are converted into logs, which follow the typical SIEM processing logic. You can also read more about “What is SIEM software? How it works and how to choose the right tool” here.

Relevant Exams: Fortinet NSE 5