Invitation to Cybersecurity

Security information and event management (SIEM) is the process of aggregating logs and analyzing them for suspicious activity. Because of the vast volume of logs collected, software takes the first pass, scanning the logs for anomalous activity. If it finds anything suspicious, it creates an alert that a human analyst can investigate. Anomalous activity is defined relative to a baseline of normal activity, so this type of software usually requires a period of training and fine tuning. For example, if it is normal for users to log in to the network from foreign countries, then those logins will be ignored; otherwise, they would be highly suspicious and would trigger an alert.

False positives and false negatives are two different errors that can occur in alerting systems. In this context, a false positive is an alert that turns out to be normal activity. A false negative is malicious activity for which no alert is generated. The two errors are in tension: tuning that reduces one tends to increase the other. False positives are inefficient because they waste analysts' time, and they can cause alert fatigue: the more investigated alerts that turn out to be normal activity, the more likely future alerts are to be ignored, like the boy who cried wolf in the fable. False negatives are just as clearly a problem. If a hacker has been inside an organization for months and all of the evidence of his presence was in the logs but went unnoticed, then the organization's processes for analyzing logs and creating alerts were clearly deficient. AI promises to improve the ability of SIEMs to reduce both false positive and false negative alerts and is an important area of cyber research and development.

SIEM systems aggregate logs from multiple different sources. This provides significant advantages.
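The baseline-and-tuning idea described above, as an added example that is not from the book: a per-user baseline of login countries is learned from a training period, new logins are compared against it, and a single threshold (min_count, an assumed tuning knob) shows the false-positive/false-negative trade-off. The users, countries and login records are constructed for illustration.

```python
"""Baseline-driven login anomaly detection (added example, not from the book)."""
from collections import Counter, defaultdict

# Constructed training data: (user, country) pairs from a period assumed to
# be "normal" activity. Bob's single BR login is a one-off business trip.
TRAINING_LOGINS = [
    ("alice", "US"), ("alice", "US"), ("alice", "US"), ("alice", "DE"),
    ("alice", "DE"), ("bob", "US"), ("bob", "US"), ("bob", "US"),
    ("bob", "BR"),
]

# Constructed logins arriving after training; carol was never seen before.
NEW_LOGINS = [("alice", "DE"), ("bob", "BR"), ("bob", "RU"), ("carol", "US")]


def build_baseline(logins, min_count=2):
    """Per-user set of countries seen at least min_count times in training.

    min_count is the tuning knob (an assumption for this example): raising it
    shrinks each baseline, so more logins alert (fewer false negatives, more
    false positives); lowering it does the opposite.
    """
    counts = defaultdict(Counter)
    for user, country in logins:
        counts[user][country] += 1
    return {user: {c for c, n in ctr.items() if n >= min_count}
            for user, ctr in counts.items()}


def score_logins(baseline, logins):
    """Return (user, country, alert) for each new login.

    A login alerts when its country is outside the user's baseline. A user
    with no baseline at all (never seen in training) alerts on everything,
    which is the behaviour an analyst would expect from an untrained model.
    """
    results = []
    for user, country in logins:
        known = baseline.get(user, set())
        results.append((user, country, country not in known))
    return results


if __name__ == "__main__":
    for min_count in (1, 2):
        baseline = build_baseline(TRAINING_LOGINS, min_count=min_count)
        print(f"min_count={min_count}: baseline={baseline}")
        for user, country, alert in score_logins(baseline, NEW_LOGINS):
            print(f"  {user:6} {country}  {'ALERT' if alert else 'ok'}")
```

With min_count=1, Bob's one-off BR trip is part of his baseline and a new BR login passes silently (a possible false negative if that trip was actually an attacker); with min_count=2 it alerts (a possible false positive). The same change moves both error rates, which is the tension the text describes.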
For one, because the logs are centralized, they can all be viewed in one place using the same platform and functionality. Logging platforms differ widely in how they store and present data for searching and viewing, and learning many different platforms and switching and translating between them is inefficient. For example, different logging systems may use different scales for severity levels and different categories for similar events; log formats are vendor specific. With a SIEM platform, all logs are brought under one umbrella and normalized to a common schema. SIEM interfaces are also designed to be intuitive and include advanced features for analyzing logs, making it easy to search for and view logs and to sift through them for events of interest.

Another benefit of log aggregation is that it can expose wider patterns of nefarious activity that would go unnoticed if logs were siloed. For example, a single logging system might reveal that the user Mallory tried to access one of her manager's files. That isolated event is not likely to trigger an alert; it could be that Mallory accidentally clicked on the wrong file. However, a centralized logging system might reveal that Mallory tried to access files belonging to many different managers across the organization from several different computers. This could indicate that Mallory is an insider threat or that her account has been compromised.
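Both points above (normalizing vendor-specific logs to a common schema, and correlating across sources to surface the Mallory pattern) as one added example that is not from the book. The two log formats, field names, host names and the alert thresholds are all assumptions constructed for illustration; real products use their own schemas. Each source on its own shows Mallory denied on at most two other people's files, which is below the threshold; only the merged, normalized stream crosses it.

```python
"""Normalize two constructed vendor log formats and correlate across them.

Added example, not from the book. Formats, fields and thresholds are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed file-server log, key=value style, timestamps in UTC.
FILESERVER_LOGS = r"""
2024-03-04T09:12:01Z host=fs01 sev=warn user=mallory action=DENY path=/mgr/alice/budget.xlsx owner=alice
2024-03-04T09:13:10Z host=fs01 sev=info user=mallory action=ALLOW path=/team/notes.txt owner=mallory
2024-03-04T09:20:33Z host=fs03 sev=warn user=mallory action=DENY path=/mgr/dave/reviews.docx owner=dave
"""

# Constructed Windows-style CSV export: ts,host,result,DOMAIN\user,path,owner.
# Timestamps assumed to already be UTC (real exports often are local time).
WINDOWS_LOGS = r"""
2024-03-04 09:15:40,WS17,Audit Failure,CORP\MALLORY,\\fs02\share\bob\plan.docx,bob
2024-03-04 09:18:05,WS22,Audit Failure,CORP\MALLORY,\\fs02\share\carol\salaries.xlsx,carol
2024-03-04 09:19:00,WS22,Audit Success,CORP\ERIN,\\fs02\share\erin\todo.txt,erin
"""

FS_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_fileserver(line):
    """Map one file-server line onto the common schema."""
    m = FS_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "source": "fileserver",
        "host": fields["host"].lower(),
        "user": fields["user"].lower(),
        # Vendor-specific outcome vocabulary collapsed to two values.
        "outcome": "denied" if fields["action"] == "DENY" else "allowed",
        "path": fields["path"],
        "owner": fields["owner"].lower(),
    }


def parse_windows(line):
    """Map one Windows-style CSV line onto the same common schema."""
    ts, host, result, user, path, owner = line.split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
        "source": "windows",
        "host": host.lower(),
        "user": user.split("\\")[-1].lower(),  # strip the DOMAIN\ prefix
        "outcome": "denied" if result == "Audit Failure" else "allowed",
        "path": path,
        "owner": owner.lower(),
    }


def normalize(fs_text, win_text):
    """Parse both sources into one time-ordered list of common-schema events."""
    events = [parse_fileserver(l) for l in fs_text.splitlines() if l.strip()]
    events += [parse_windows(l) for l in win_text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window_minutes=30, min_owners=3, min_hosts=2):
    """Alert when one user is denied access to files of >= min_owners distinct
    other people from >= min_hosts distinct hosts within window_minutes.

    A single denial never fires (it is the accidental click the text
    describes); the pattern only appears across owners and hosts.
    """
    denied = [e for e in events if e["outcome"] == "denied" and e["owner"] != e["user"]]
    by_user = defaultdict(list)
    for e in denied:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:]
                      if (e["ts"] - first["ts"]).total_seconds() <= window_minutes * 60]
            owners = {e["owner"] for e in window}
            hosts = {e["host"] for e in window}
            if len(owners) >= min_owners and len(hosts) >= min_hosts:
                alerts.append({"user": user, "owners": sorted(owners),
                               "hosts": sorted(hosts), "start": first["ts"]})
                break  # one alert per user is enough for the analyst
    return alerts


if __name__ == "__main__":
    print("file server alone:", correlate(normalize(FILESERVER_LOGS, "")))
    print("windows alone:    ", correlate(normalize("", WINDOWS_LOGS)))
    print("aggregated:       ", correlate(normalize(FILESERVER_LOGS, WINDOWS_LOGS)))
```

The normalization step is where the "common standard" in the text lives: after it, the correlation rule never has to know that one vendor says DENY and the other says Audit Failure, or that one names users in lower case and the other as DOMAIN\USER.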
