Improving Security with SIEM Reports and Alerts

Enterprise Security Magazine | Friday, November 30, 2018

Coordination is essential to managing a data center efficiently. Beyond the daily monitoring of performance trends, system access, and power consumption, security information and event management (SIEM) significantly strengthens a data center's security. To build a productive SIEM environment, an organization must first decide which events require manual intervention and which reports are needed on a regular basis.

Organizations can use overall reports to widen the scope of their SIEM coverage. When selecting an initial reporting structure, they should focus on exactly what they aim to track, when, and from where, and identify the type of authentication device in use. Covering this information, SIEM reports commonly include user activity, configuration change, incident tracking, monthly summary, and on-demand operational reports. For each of these reports, the organization can then define its frequency, the administrator responsible for it, and the steps to take if the data shows inconsistencies.

Although SIEM tools are capable of alerting on every probable event, setting up a baseline set of alerts is mandatory. These basic alerts help organizations get their SIEM systems up and running quickly, and more specific alerts can be added on top of them to match the organization's software and environment. Basic SIEM alerts can be categorized into user authentication, network attacks, web server activity, unknown source attacks, host-level activity, and log source activity. The more specific alerts that add clarification include failed login source, repeat logins from the same IP within a minute, failed login target, and multiple intrusion detection system alerts from the same IP address.

These systems provide not only a general view of the activity within an organization's data center but also information about who is accessing what. Furthermore, antivirus-related alerts notify organizations of attacks and report on the software's intervention. Alerts for more specific attack sources, as well as for unknown attacks, cover traffic from blacklisted sources, repeat attacks, multiple infected hosts, excessive connection outbreaks, and IP addresses targeting a particular host. By automating SIEM reports, organizations can also script attack responses and triage all alerts efficiently.
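The baseline alerts described in the two paragraphs above (failed login source, failed login target, repeat logins from the same IP within a minute, multiple IDS alerts from the same IP, and traffic from blacklisted sources) are all sliding-window counting rules keyed on one field. The following is an added example, not code from the article or from any SIEM product, of how such rules are evaluated over log lines. The log format, the thresholds and windows, the blocklist entry and every log line are constructed for the example; a real deployment would take thresholds from its own baseline and the blocklist from a threat-intelligence feed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system); one event per line.
# Format (assumed for this example): "<iso-timestamp> <source> <action> k=v k=v ..."
SAMPLE_LOGS = """\
2018-11-30T10:00:01 auth FAIL src=203.0.113.5 user=alice host=web01
2018-11-30T10:00:03 auth FAIL src=203.0.113.5 user=alice host=web01
2018-11-30T10:00:04 auth FAIL src=203.0.113.5 user=bob host=web01
2018-11-30T10:00:06 auth FAIL src=203.0.113.5 user=carol host=web01
2018-11-30T10:00:07 auth FAIL src=203.0.113.5 user=dave host=web01
2018-11-30T10:00:20 auth OK src=198.51.100.7 user=eve host=web02
2018-11-30T10:00:25 auth OK src=198.51.100.7 user=eve host=web02
2018-11-30T10:00:40 auth OK src=198.51.100.7 user=eve host=web02
2018-11-30T10:01:10 auth FAIL src=192.0.2.10 user=admin host=vpn01
2018-11-30T10:01:15 auth FAIL src=192.0.2.11 user=admin host=vpn01
2018-11-30T10:01:20 auth FAIL src=192.0.2.12 user=admin host=vpn01
2018-11-30T10:01:25 auth FAIL src=192.0.2.13 user=admin host=vpn01
2018-11-30T10:01:30 auth FAIL src=192.0.2.14 user=admin host=vpn01
2018-11-30T10:02:00 ids ALERT src=203.0.113.5 sig=ET_SCAN_NMAP
2018-11-30T10:02:01 ids ALERT src=203.0.113.5 sig=ET_WEB_SQLI
2018-11-30T10:02:02 ids ALERT src=203.0.113.5 sig=ET_WEB_XSS
2018-11-30T10:03:00 net FLOW src=203.0.113.99 dst=10.0.0.5
2018-11-30T10:30:00 auth OK src=198.51.100.8 user=frank host=web02
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\w+) (?P<action>\w+)(?P<fields>(?: \w+=\S+)*)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {
        "ts": datetime.fromisoformat(m.group("ts")),
        "source": m.group("source"),
        "action": m.group("action"),
    }
    for kv in m.group("fields").split():
        k, v = kv.split("=", 1)
        event[k] = v
    return event


def _auth(action):
    """Selector for authentication events with the given outcome."""
    return lambda e: e["source"] == "auth" and e["action"] == action


# Baseline rules: (name, event selector, key field, threshold, window).
# Thresholds and windows are assumptions for this example, not vendor defaults.
RULES = [
    ("failed_login_source", _auth("FAIL"), "src", 5, timedelta(minutes=5)),
    ("failed_login_target", _auth("FAIL"), "user", 5, timedelta(minutes=5)),
    ("repeat_login_same_ip", _auth("OK"), "src", 3, timedelta(minutes=1)),
    ("multiple_ids_alerts_same_ip", lambda e: e["source"] == "ids", "src", 3, timedelta(minutes=5)),
]

# Constructed blocklist; stands in for a threat-intelligence feed of blacklisted sources.
BLOCKLIST = {"203.0.113.99"}


def correlate(lines, rules=RULES, blocklist=BLOCKLIST):
    """Evaluate sliding-window counting rules over log lines.

    Returns a list of (rule_name, key, count) tuples, one alert per (rule, key),
    in the order the alerts fire when events are processed chronologically.
    """
    windows = defaultdict(deque)  # (rule, key) -> timestamps currently inside the window
    fired = set()
    alerts = []
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    for e in events:
        src = e.get("src")
        if src in blocklist and ("blacklisted_source", src) not in fired:
            fired.add(("blacklisted_source", src))
            alerts.append(("blacklisted_source", src, 1))
        for name, match, key_field, threshold, window in rules:
            if not match(e) or key_field not in e:
                continue
            key = (name, e[key_field])
            dq = windows[key]
            dq.append(e["ts"])
            while dq and e["ts"] - dq[0] > window:   # drop timestamps that aged out
                dq.popleft()
            if len(dq) >= threshold and key not in fired:
                fired.add(key)
                alerts.append((name, e[key_field], len(dq)))
    return alerts


if __name__ == "__main__":
    for rule, key, count in correlate(SAMPLE_LOGS.splitlines()):
        print(f"{rule:30s} {key:15s} count={count}")
```

Keying the same failed-login events once by `src` and once by `user` is what separates the "failed login source" alert (one address failing against many accounts) from the "failed login target" alert (many addresses failing against one account); the sample data triggers each from a different set of lines.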
