[Instructor] The Security Information and Event Manager, or SIEM, is a specialized device or software for security event management. It typically allows for the following functions.

Log Collection, which includes receiving information from devices with multiple protocols and formats, storing the logs and providing historical reporting and log filtering.

Log Normalization, which is a function that extracts relevant attributes from logs received in different formats and stores them in a common data model or template. This allows for faster event classification and operations. Non-normalized logs are usually kept for archive, historical or forensic purposes.

Log Aggregation is a function that aggregates information based on common information and reduces duplicates.

Log Correlation is probably one of the most important functions of a SIEM. It refers to the ability of the system to associate events gathered by various systems in different formats and at different times, and create a single actionable event for the security analyst to investigate. Often the quality of a SIEM is related to the quality of its correlation engine.

Event Visibility is also a key functionality of a SIEM. Reporting capabilities usually include real-time monitoring and historical-based reports.

Most modern SIEMs also integrate with other information systems to gather additional contextual information to feed the correlation engine. For example, they can integrate with an Identity Management System to get contextual information about users, or with NetFlow Collectors to get additional flow-based information. Respectively, Cisco ISE and Cisco Stealthwatch are examples of an Identity Management System and a Flow Collector that are able to integrate with most of the SIEM systems.

Several commercial SIEM systems are available. Cisco partners with several vendors that offer seamless integration with Cisco products.

The tools in a SOAR are evolving and so are the methodologies as well. For example, nowadays we have security analysts not only responding to basic cyber events but also performing threat hunting in their organization.

Security Orchestration, Automation and Response, or SOAR, is a set of solutions and integrations designed to allow organizations to collect security threats, data and alerts from multiple sources. Security Orchestration, Automation and Response platforms take the response capabilities of a SIEM to the next level. SOAR solutions supplement rather than replace the SIEM. It allows the cyber security team to extend its reach by automating the routine work of cybersecurity operations.

Unlike traditional SIEM platforms, a SOAR solution can also be used for threat and vulnerability management, security incident response and security operation automation.

Deploying SOAR and SIEM solutions together makes the life of a SOC analyst easier. SOAR platforms accelerate incident response detection and eradication times since they can automatically communicate information collected by a SIEM with other security tools. Many traditional SIEM vendors are changing their products to offer a hybrid SOAR-SIEM functionality.