Hi everybody, Ed Amoroso here and in this video I want to talk to you about something called a SIEM, S-I-E-M, security information event management system, SIEM. Here's what this is. It sort of is the result of cybersecurity teams working in enterprise or government, defenders, noticing that lots of things generate audit logs, right? If you've been with us on previous videos, you'll know we talked about how operating systems can generate log files, right. We talked about how applications like your browser can generate information about activity. We talked about how networks can generate information and it might be internally generated or externally. So you've got all this stuff flying around, all these logs.

In the worst case you'd have some tool that would help you make sense of each audit log, and that would be different for each log. Right, so one for your application that does this and that. Another for another application, another for your operating system, a bunch for network. You'd have all these tools all over the place trying to make sense of audit logging and activity. And we talked also in some previous videos about the concept of security hunting, threat hunting. So the threat hunter might have 50 screens around the table trying to make sense out of all these logs. That's kind of crazy, it doesn't make sense.

So what we started to see in our industry was the design of something called a SIEM. And here is what a SIEM is. It has the ability to translate, to accommodate a model, all of these logs. So here is the idea. Say an application system is generating log information. If I fed it into a SIEM where I have a connector that takes the log information and creates some standard template: what happened? What time? What system is it from? What's the relative threat estimate for this? And on and on and on. For all these things I can put it into a standard template.
And let's say I also have some operating system, a Linux system, that's spitting out audit log information in a totally different format. If I can build a translator, sometimes called a connector as well, a connector that will take that data and put it in the same format. What happened? Who did it? What time? Whatever fields I'd said previously, do that all the same. You have a common data model with multiple feeds that are heterogeneous, they're different, they're diverse, they come from different places. But if I can dump it and spill it into one common model, then the threat hunter can compare things.

Like my application sees some weird hacking going on and it happens to be coming from some place on the Internet. 192.1.2.3 notices that, that's in the application log, and I dump it into the SIEM. The operating system, which has nothing to do with the application, might even be that the app runs on some other system. This OS might see hacking also at its kernel, coming from 192.1.3, right? How interesting is that? The SIEM then could, the hunter could say hey, tell me any of the IP addresses that look like they're hitting two or more things, and boom! Immediately you'd see that IP address is hitting this and hitting that and I'd get it, because I have a common data model. That's the power of a SIEM, really good idea.

Now what do you think would be hard about running a SIEM? Developing connectors, right. [LAUGH] There's stuff all over the place, there's apps and mainframes and systems and mobiles and tools and that. It seems that when you're running an environment that has a SIEM all you're ever doing is connectors. Now vendors who sell these tools market their capability based on their pre-integration with other types of things that you might have. Now, you can imagine that with cloud, it's not just systems you're connecting to.
But it could be these as-a-service virtual capabilities, like Office 365 and Amazon Web Services and other things that I also have to somehow ingest into the SIEM. Turns out, it's kind of complex. If we show a diagram here, it just shows all sorts of different things: servers and apps and firewalls and IDS and other SIEMs and all of this. And then what comes out of the SIEM is the ability to do analysis, incident response and certainly to generate reports. So this is a powerful tool. It's something that, by all means, if you work in an enterprise environment, you will have a SIEM. You may have many of them, and the typical threat hunter does most of his or her work in and around the data that gets dumped into a security information event management system. Hope this has been useful, see you in the next video.
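The connector-plus-common-data-model idea in the video, and the "show me any IP address hitting two or more things" query at the end of it, as an added example in Python. This is not code from the video or from any SIEM product; it is an illustration written for this page. The two log formats (an application JSON log and a Linux sshd syslog line), the field names of the common template, the severity numbers and the IP addresses are all constructed for the example, and the only real address reused is the 192.1.2.3 the video mentions.

```python
"""Two toy SIEM connectors feeding one common data model, plus a hunter query.

Added example, not from the video. Sample log lines are constructed; the
common template fields (what / who / when / where from / severity) mirror the
fields Ed lists in the talk.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional

# ---- the common data model every connector must fill in ------------------
@dataclass(frozen=True)
class CommonEvent:
    when: datetime          # normalised to UTC
    source_system: str      # which feed produced it
    what: str               # normalised event name
    who: str                # actor / account
    src_ip: Optional[str]   # remote address, if the feed has one
    severity: int           # 0 (benign) .. 10 (critical), connector's estimate

# ---- constructed feed 1: an application writing one JSON record per line ---
APP_LOG = """\
{"ts": "2024-03-05T10:15:02Z", "event": "login_failed", "user": "alice", "client_ip": "192.1.2.3", "risk": "high"}
{"ts": "2024-03-05T10:15:09Z", "event": "login_failed", "user": "alice", "client_ip": "192.1.2.3", "risk": "high"}
{"ts": "2024-03-05T10:16:30Z", "event": "login_ok", "user": "bob", "client_ip": "10.0.0.7", "risk": "low"}
"""

# ---- constructed feed 2: Linux sshd lines in classic syslog layout ---------
OS_LOG = """\
Mar 05 10:15:40 web01 sshd[2231]: Failed password for invalid user admin from 192.1.2.3 port 51234 ssh2
Mar 05 10:17:02 web01 sshd[2240]: Accepted password for carol from 10.0.0.9 port 51300 ssh2
Mar 05 10:18:11 web01 CRON[2250]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

_APP_RISK = {"low": 2, "medium": 5, "high": 8}   # app's own scale -> common scale

def app_connector(text: str, system: str = "app:webportal") -> Iterator[CommonEvent]:
    """Translate the JSON application log into CommonEvent records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        when = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield CommonEvent(when, system, rec["event"], rec["user"],
                          rec.get("client_ip"), _APP_RISK.get(rec.get("risk", "low"), 2))

_SSHD = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def os_connector(text: str, year: int = 2024) -> Iterator[CommonEvent]:
    """Translate sshd syslog lines; lines the connector does not understand are skipped.
    Syslog carries no year, so the caller supplies one (assumed UTC host clock)."""
    for line in text.splitlines():
        m = _SSHD.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        failed = m["result"] == "Failed"
        yield CommonEvent(when, f"os:{m['host']}",
                          "login_failed" if failed else "login_ok",
                          m["user"], m["ip"], 6 if failed else 1)

def normalize_all() -> List[CommonEvent]:
    """Dump both heterogeneous feeds into the one common model, ordered by time."""
    events = list(app_connector(APP_LOG)) + list(os_connector(OS_LOG))
    return sorted(events, key=lambda e: e.when)

def ips_hitting_multiple_sources(events: List[CommonEvent], min_sources: int = 2) -> Dict[str, List[str]]:
    """The hunter's query: which remote IPs show up in two or more distinct systems?"""
    seen = defaultdict(set)
    for ev in events:
        if ev.src_ip:
            seen[ev.src_ip].add(ev.source_system)
    return {ip: sorted(systems) for ip, systems in seen.items() if len(systems) >= min_sources}

if __name__ == "__main__":
    evs = normalize_all()
    for ev in evs:
        print(f"{ev.when.isoformat()} {ev.source_system:14} {ev.what:13} {ev.who:6} {ev.src_ip} sev={ev.severity}")
    print("hitting 2+ systems:", ips_hitting_multiple_sources(evs))
```

The point to notice is that neither feed knows about the other: the application log and the sshd log share no format, no field names and no severity scale, yet once each connector has filled in the same template the cross-source question becomes a trivial group-by on `src_ip`. The CRON line that the OS connector silently drops is also deliberate; in practice a connector that skips what it cannot parse should count those lines somewhere, because unparsed lines are exactly where coverage gaps hide.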