SIEMs

For those not familiar with the term, SIEM stands for Security Information and Event Management. At a high level, a SIEM is essentially a log server with the ability to analyze the data it receives and trigger notifications when specific criteria are met. The ideal use case of a SIEM is to forward to it the logs of the following nodes in the network: firewalls, switches, servers, DNS, IDS, and endpoints (essentially anything that may generate a log), and to generate alerts when anomalous activity occurs. Knowing what data to look for in your logs can be quite a challenge, but once you begin creating your first alerts, you will start to think of additional use cases to alert on. Hopefully this information will give you a better understanding of what to expect from a SIEM, as well as some enhancements you can implement to maximize the return on your SIEM solution.
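As an added example (not part of the original article), the following Python sketch shows the core loop described above: log lines from several node types are normalized into one event schema, and a threshold rule over a time window raises an alert. The log formats, hostnames and addresses are constructed for illustration and do not follow any particular vendor.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from three node types named above (firewall,
# server/endpoint, DNS); the formats and addresses are illustrative only.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 fw01 DENY src=203.0.113.5 dst=10.0.0.20 dport=22",
    "2024-03-01T10:00:03 srv01 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T10:00:04 srv01 sshd: Failed password for root from 203.0.113.5",
    "2024-03-01T10:00:05 dns01 query A update.example.com from 10.0.0.20",
    "2024-03-01T10:00:06 srv02 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T10:05:00 srv01 sshd: Failed password for admin from 198.51.100.9",
]

# One parser per source format; each maps a raw line onto a common schema.
PARSERS = [
    (re.compile(r"^(\S+) (\S+) DENY src=(\S+) "), "fw_deny"),
    (re.compile(r"^(\S+) (\S+) sshd: Failed password for \S+ from (\S+)$"), "auth_fail"),
]

def normalize(line):
    """Return {ts, host, src_ip, type}, or None for lines no rule consumes."""
    for pattern, event_type in PARSERS:
        m = pattern.match(line)
        if m:
            return {"ts": datetime.fromisoformat(m.group(1)), "host": m.group(2),
                    "src_ip": m.group(3), "type": event_type}
    return None  # still ingested and stored by a SIEM, just not a rule input here

def correlate(lines, threshold=3, window=timedelta(seconds=60)):
    """Alert on >= threshold auth failures from one src_ip inside window; flag firewall sightings."""
    fails, denies = defaultdict(list), set()
    for ev in filter(None, map(normalize, lines)):
        if ev["type"] == "fw_deny":
            denies.add(ev["src_ip"])
        else:
            fails[ev["src_ip"]].append(ev)
    alerts = []
    for ip, events in fails.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):  # sliding window anchored at each event
            hits = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            if len(hits) >= threshold:
                alerts.append({"src_ip": ip, "count": len(hits),
                               "hosts": sorted({e["host"] for e in hits}),
                               "seen_at_firewall": ip in denies})
                break  # one alert per source address
    return alerts
```

Running `correlate(SAMPLE_LOGS)` yields a single alert for 203.0.113.5 (three failures across srv01 and srv02 within the window, also seen at the firewall), while the lone failure from 198.51.100.9 stays below the threshold.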