You will explore industry-leading security information and event management (SIEM) tools that security professionals use to protect business operations. You’ll learn how entry-level security analysts use SIEM dashboards as part of their everyday work.
Learning Objectives
- Identify and define commonly used Security Information and Event Management (SIEM) tools.
- Describe how SIEM tools are used to protect business operations.
- Explain how entry-level security analysts use SIEM dashboards.
Security information and event management (SIEM) dashboards
Video: Welcome to module 3
This section is about security tools and how they can be used to keep organizations and the people they serve safe. Security professionals often use a variety of tools to address specific security challenges, such as collecting security data, detecting and analyzing threats, or automating tasks. Security tools help organizations achieve a more comprehensive security posture.
The section will begin by covering different types of logs, what they track, and how they’re used. Then it will explore security information and event management (SIEM) dashboards. Finally, it will discuss some common SIEM tools used in the security industry.
Welcome back! Previously, we discussed security
frameworks, controls, and design principles, and how security professionals
apply these to security audits. In this section, we’ll continue
to explore security tools and how they can help you keep organizations
and the people they serve safe. Security professionals often use
a variety of tools to address specific security challenges,
such as collecting security data, detecting and analyzing threats, or
automating tasks. Security tools help organizations achieve
a more comprehensive security posture. We’ll begin by covering
different types of logs, what they track, and how they’re used. Then we’ll explore security
information and event management, otherwise known as SIEM, dashboards. Finally, we’ll discuss some common SIEM
tools used in the security industry. Let’s get started!
Video: Logs and SIEM tools
As a security analyst, you may need to analyze log data to mitigate and manage threats, risks, and vulnerabilities. Logs are records of events that occur within an organization’s systems and networks. Some common log sources include firewall logs, network logs, and server logs.
Firewall logs record attempted or established connections for incoming traffic from the internet, as well as outbound requests to the internet from within the network. Network logs record all computers and devices that enter and leave the network, as well as connections between devices and services on the network. Server logs record events related to services such as websites, emails, or file shares, including actions such as login, password, and username requests.
By monitoring logs, security teams can identify vulnerabilities and potential data breaches. Understanding logs is important because SIEM tools rely on logs to monitor systems and detect security threats.
A SIEM tool is an application that collects and analyzes log data to monitor critical activities in an organization. It provides real-time visibility, event monitoring and analysis, and automated alerts. It also stores all log data in a centralized location.
SIEM tools increase efficiency and save time by indexing and minimizing the number of logs a security professional must manually review and analyze. However, SIEM tools must be configured and customized to meet each organization’s unique security needs. As new threats and vulnerabilities emerge, organizations must continually customize their SIEM tools to ensure that threats are detected and quickly addressed.
Later in the certificate program, you will have a chance to practice using different SIEM tools to identify potential security incidents. Next, you will explore SIEM dashboards and how cybersecurity professionals use them to monitor for threats, risks, and vulnerabilities.
Tutorial on Logs and SIEM Tools in Cybersecurity
Logs
Logs are records of events that occur within an organization’s systems and networks. They can be used to track a wide variety of information, such as login attempts, network traffic, system changes, and security events.
Types of logs
There are many different types of logs, but some of the most common include:
- Firewall logs: Firewall logs record all attempted or established connections to and from a network.
- Network logs: Network logs record all traffic that flows through a network, including the source and destination IP addresses, the ports used, and the protocols used.
- Server logs: Server logs record events that occur on servers, such as login attempts, file changes, and application errors.
- Security logs: Security logs record security-related events, such as virus detections, failed login attempts, and firewall alerts.
Uses of logs
Logs can be used for a variety of purposes, including:
- Auditing: Logs can be used to audit system activity and identify any unauthorized or suspicious activity.
- Troubleshooting: Logs can be used to troubleshoot problems with systems and networks.
- Security: Logs can be used to detect and investigate security incidents.
SIEM tools
Security information and event management (SIEM) tools are applications that collect and analyze log data from a variety of sources. SIEM tools can be used to:
- Monitor systems and networks for security threats
- Detect and investigate security incidents
- Generate reports on security activity
Benefits of using SIEM tools
SIEM tools can provide a number of benefits to organizations, including:
- Improved visibility into security activity
- Reduced time to detect and respond to security incidents
- Improved compliance with security regulations
How to use SIEM tools
To use a SIEM tool, you first need to collect log data from the systems and networks you want to monitor, typically by forwarding logs from each source to the SIEM. You then configure the SIEM to parse each log format into a common set of fields (a step often called normalization) and to apply detection rules to those fields.
Once configured, the SIEM monitors incoming events and generates an alert whenever a rule matches. You then investigate the alert to determine whether a security incident has actually occurred. Alerts are leads, not confirmed incidents, and rules that fire repeatedly on benign activity need tuning.
Conclusion
Logs and SIEM tools are essential tools for cybersecurity professionals. Logs can be used to track a wide variety of information, including security-related events. SIEM tools can be used to collect and analyze log data from a variety of sources to monitor systems and networks for security threats, detect and investigate security incidents, and generate reports on security activity.
Here are some additional tips for using logs and SIEM tools effectively:
- Collect logs from all relevant sources. This will give you the best possible visibility into your systems and networks.
- Normalize the log data. This will make it easier to analyze the data and identify suspicious activity.
- Use SIEM tools to correlate events from different sources. This will help you to identify patterns and trends that may indicate a security incident.
- Tune the SIEM tool to reduce false positives. False positives can waste time and resources.
- Regularly review the SIEM tool alerts. This will help you to identify and respond to security incidents quickly.
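The collect, normalize, correlate and tune steps described in "How to use SIEM tools" and in the tips above, as an added example (not code from the course or from any SIEM product): a small Python pipeline that parses two constructed log formats, a firewall connection log and an sshd server log, into one event schema, then correlates them across sources. The log lines, hostnames, IP addresses (taken from documentation ranges), the regular expressions, the assumed year for the syslog stamps and the failure threshold are all illustrative assumptions.

```python
"""Added example, not code from the course page or any SIEM product: a tiny
log pipeline that normalizes two constructed log formats into one schema and
correlates them into an alert. Every log line, host, IP and threshold below is
made up for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log (format invented for this example).
FIREWALL_LOG = """\
2024-03-04T09:00:01Z fw01 ALLOW TCP 203.0.113.7:51022 -> 10.0.0.5:22
2024-03-04T09:00:02Z fw01 ALLOW TCP 203.0.113.7:51023 -> 10.0.0.5:22
2024-03-04T09:00:05Z fw01 DENY TCP 198.51.100.9:40000 -> 10.0.0.5:3389
2024-03-04T09:01:10Z fw01 ALLOW TCP 192.0.2.44:60000 -> 10.0.0.5:22
"""

# Constructed server log in the common syslog/sshd style (no year in the stamp).
SERVER_LOG = """\
Mar  4 09:00:01 srv-web sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar  4 09:00:02 srv-web sshd[1201]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Mar  4 09:00:03 srv-web sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  4 09:01:10 srv-web sshd[1330]: Accepted password for deploy from 192.0.2.44 port 60000 ssh2
"""

FW_RE = re.compile(
    r"(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
SSH_RE = re.compile(
    r"(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def normalize_firewall(text):
    """Firewall lines -> common event dicts. Unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "source": "firewall", "host": m["host"], "src_ip": m["src"],
            "dst_port": int(m["dport"]), "user": None,
            "outcome": "allow" if m["action"] == "ALLOW" else "deny",
        })
    return events


def normalize_server(text, year=2024):
    """sshd lines -> common event dicts. The year is assumed (syslog omits it)."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
        events.append({
            "ts": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
            "source": "server", "host": m["host"], "src_ip": m["src"],
            "dst_port": 22, "user": m["user"],
            "outcome": "failure" if m["result"] == "Failed" else "success",
        })
    return events


def correlate(events, failure_threshold=3):
    """Rule: N or more password failures from one source IP. The alert is
    enriched with whether the firewall let that IP reach port 22, the kind of
    cross-source question a single log cannot answer."""
    failures = defaultdict(list)
    allowed_ports = defaultdict(set)
    for e in events:
        if e["source"] == "server" and e["outcome"] == "failure":
            failures[e["src_ip"]].append(e)
        elif e["source"] == "firewall" and e["outcome"] == "allow":
            allowed_ports[e["src_ip"]].add(e["dst_port"])
    alerts = []
    for ip, fails in failures.items():
        if len(fails) < failure_threshold:  # the threshold is the tuning knob
            continue
        alerts.append({
            "rule": "ssh_password_failures",
            "src_ip": ip,
            "count": len(fails),
            "users": sorted({f["user"] for f in fails}),
            "first_seen": min(f["ts"] for f in fails).isoformat(),
            "last_seen": max(f["ts"] for f in fails).isoformat(),
            "firewall_allowed_port_22": 22 in allowed_ports.get(ip, set()),
        })
    return alerts


def run_pipeline(failure_threshold=3):
    events = normalize_firewall(FIREWALL_LOG) + normalize_server(SERVER_LOG)
    events.sort(key=lambda e: e["ts"])  # one time-ordered stream across sources
    return events, correlate(events, failure_threshold)


if __name__ == "__main__":
    for alert in run_pipeline()[1]:
        print(alert)
```

Raising `failure_threshold` to 4 silences the alert for these logs, which is exactly the false-positive tuning trade-off the tips describe: a higher threshold means fewer alerts to review and a slower detection of genuine attacks.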
As a security analyst, one of your responsibilities
might include analyzing log data to mitigate and manage threats, risks, and
vulnerabilities. As a reminder, a log is
a record of events that occur within an organization’s
systems and networks. Security analysts
access a variety of logs from different sources. Three common log sources
include firewall logs, network logs, and server logs. Let’s explore each of these
log sources in more detail. A firewall log is a
record of attempted or established connections for incoming traffic
from the internet. It also includes
outbound requests to the internet from
within the network. A network log is a record of all computers and devices that enter and
leave the network. It also records
connections between devices and services
on the network. Finally, a server
log is a record of events related to services
such as websites, emails, or file shares. It includes actions
such as login, password, and username requests. By monitoring logs, like
the one shown here, security teams can identify vulnerabilities and
potential data breaches. Understanding logs is important because SIEM tools rely on logs to monitor systems and
detect security threats. A security information and
event management, or SIEM, tool is an application that collects and
analyzes log data to monitor critical activities
in an organization. It provides real-time
visibility, event monitoring and analysis,
and automated alerts. It also stores all log data
in a centralized location. Because SIEM tools index and
minimize the number of logs a security professional must manually review and analyze, they increase efficiency
and save time. But, SIEM tools must be
configured and customized to meet each organization’s
unique security needs. As new threats and
vulnerabilities emerge, organizations must
continually customize their SIEM tools to ensure that threats are detected
and quickly addressed. Later in the
certificate program, you’ll have a chance
to practice using different SIEM tools to identify potential
security incidents. Coming up, we’ll explore SIEM dashboards and
how cybersecurity professionals use
them to monitor for threats, risks, and
vulnerabilities.
Video: SIEM dashboards
SIEM dashboards are a powerful tool that can help security analysts quickly and easily access their organization’s security information as charts, graphs, or tables. This can help them to quickly identify suspicious activity and respond to security incidents.
SIEM dashboards can also be used to display metrics, which are key technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a software application. SIEM dashboards can be customized to display specific metrics or other data that are relevant to different members in an organization.
For example, a security analyst may create a dashboard that displays metrics for monitoring everyday business operations, like the volume of incoming and outgoing network traffic.
SIEM dashboards are a valuable tool for security analysts and organizations of all sizes.
We’ve explored how
SIEM tools are used to collect and analyze log data. However, this is just one of the many ways SIEM tools
are used in cybersecurity. SIEM tools can also be used
to create dashboards. You might have
encountered dashboards in an app on your
phone or other device. They present information
about your account or location in a format
that’s easy to understand. For example, weather apps display
data like temperature, precipitation, wind speed, and the
forecast using charts, graphs, and other
visual elements. This format makes
it easy to quickly identify weather
patterns and trends, so you can stay prepared and
plan your day accordingly. Just like weather
apps help people make quick and informed
decisions based on data, SIEM dashboards help
security analysts quickly and easily access their organization’s
security information as charts, graphs, or tables. For example, a security analyst receives an alert about a
suspicious login attempt. The analyst accesses
their SIEM dashboard to gather information
about this alert. Using the dashboard, the analyst discovers
that there have been 500 login attempts
for Ymara’s account in the span
of five minutes. They also discover that the
login attempts happened from geographic locations
outside of Ymara’s usual location and outside
of her usual working hours. By using a dashboard, the security analyst was
able to quickly review visual representations
of the timeline of the login attempts, the location, and the exact
time of the activity, then determine that the
activity was suspicious. In addition to providing a comprehensive summary
of security-related data, SIEM dashboards also provide stakeholders with
different metrics. Metrics are key
technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a
software application. SIEM dashboards can be customized to display
specific metrics or other data that are relevant to different members
in an organization. For example, a security
analyst may create a dashboard that displays metrics for monitoring everyday
business operations, like the volume of incoming
and outgoing network traffic. We’ve examined how
security analysts use SIEM dashboards to help organizations maintain
their security posture. Well done! Coming up, we’ll discuss some
common SIEM tools used in the cybersecurity
industry. Meet you there.
Tutorial on SIEM Dashboards in Cybersecurity
What is a SIEM dashboard?
A SIEM dashboard is a visual representation of security data that is collected and analyzed by a SIEM tool. SIEM dashboards can be used to monitor systems and networks for security threats, detect and investigate security incidents, and generate reports on security activity.
Benefits of using SIEM dashboards
SIEM dashboards provide a number of benefits, including:
- Improved visibility into security activity: SIEM dashboards provide a single view of all security-related activity across an organization’s systems and networks. This can help security analysts to quickly identify suspicious activity and respond to security incidents.
- Reduced time to detect and respond to security incidents: SIEM dashboards can help security analysts to quickly detect and respond to security incidents by providing real-time alerts and insights into security activity.
- Improved compliance with security regulations: SIEM dashboards can help organizations to comply with security regulations by providing evidence of security monitoring and incident response.
How to create a SIEM dashboard
To create a SIEM dashboard, you will first need to identify the security data that you want to display on the dashboard. Once you have identified the data, you will need to configure the SIEM tool to generate the dashboard.
Most SIEM tools provide a variety of pre-built dashboards that you can use. However, you can also create custom dashboards to meet your specific needs.
When creating a SIEM dashboard, it is important to consider the following:
- Audience: Who will be using the dashboard? What information do they need to see?
- Purpose: What is the purpose of the dashboard? Is it to monitor for security threats, detect and investigate security incidents, or generate reports on security activity?
- Layout: How should the information on the dashboard be organized?
- Visualization: What types of visualizations should be used to display the data?
Examples of SIEM dashboards
Here are some examples of SIEM dashboards:
- Security posture dashboard: This dashboard provides a high-level overview of the organization’s security posture. It may include metrics such as the number of security events detected, the number of open security incidents, and the number of security vulnerabilities.
- Threat detection dashboard: This dashboard monitors for security threats in real time. It may include alerts for suspicious login attempts, network intrusions, and malware infections.
- Incident response dashboard: This dashboard provides information about open security incidents. It may include details about the incident, the affected systems, and the actions that have been taken to respond to the incident.
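The threat detection dashboard above, and the suspicious login scenario from the video (hundreds of attempts on one account within five minutes, from unusual places, outside working hours), as an added example that is not code from the course or from any SIEM product: Python that computes the figures such a dashboard panel would show from already-normalized login events. The events are constructed and generated inline; the account names, locations, the 09:00 to 17:00 working hours and the burst threshold are assumptions for illustration.

```python
"""Added example, not code from the course page: the numbers behind a login
dashboard panel for the scenario in the video (a burst of attempts on one
account from unusual places outside working hours). All events are constructed;
the account names, locations and working hours are assumptions."""
from datetime import datetime, timedelta

USUAL_HOURS = (9, 17)  # assumed working hours, local time


def build_sample_events():
    """Constructed, already-normalized login events (as a SIEM would store them)."""
    events = []
    for day in (1, 2, 3):  # baseline: normal logins during working hours
        for hour in (9, 13):
            events.append({"ts": datetime(2024, 3, day, hour, 5), "user": "ymara",
                           "outcome": "success", "location": "Austin, US"})
        events.append({"ts": datetime(2024, 3, day, 10, 0), "user": "devon",
                       "outcome": "success", "location": "Denver, US"})
    start = datetime(2024, 3, 4, 2, 0)  # 02:00, outside working hours
    for i in range(500):  # 500 failures spread over just under five minutes
        events.append({"ts": start + timedelta(seconds=0.6 * i), "user": "ymara",
                       "outcome": "failure",
                       "location": "Reykjavik, IS" if i % 2 else "Auckland, NZ"})
    return events


def peak_attempts_in_window(events, user, window=timedelta(minutes=5)):
    """Largest number of attempts for `user` inside any sliding window.
    Two-pointer sweep over sorted timestamps, O(n)."""
    times = sorted(e["ts"] for e in events if e["user"] == user)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] >= window:
            left += 1
        best = max(best, right - left + 1)
    return best


def usual_locations(events, user):
    """Locations of past successful logins define 'usual' for this account."""
    return {e["location"] for e in events
            if e["user"] == user and e["outcome"] == "success"}


def off_hours_share(events, user, hours=USUAL_HOURS):
    """Fraction of the account's attempts made outside working hours."""
    stamps = [e["ts"] for e in events if e["user"] == user]
    if not stamps:
        return 0.0
    off = sum(1 for t in stamps if not (hours[0] <= t.hour < hours[1]))
    return off / len(stamps)


def login_panel(events, user, burst_threshold=50):
    """Figures an analyst reads off the dashboard for one account, plus a
    review flag: a burst from a location never seen in a successful login."""
    mine = [e for e in events if e["user"] == user]
    seen = {e["location"] for e in mine}
    panel = {
        "user": user,
        "total_attempts": len(mine),
        "failures": sum(1 for e in mine if e["outcome"] == "failure"),
        "peak_attempts_5min": peak_attempts_in_window(events, user),
        "unusual_locations": sorted(seen - usual_locations(events, user)),
        "off_hours_share": round(off_hours_share(events, user), 2),
    }
    panel["flag_for_review"] = (panel["peak_attempts_5min"] >= burst_threshold
                                and bool(panel["unusual_locations"]))
    return panel


if __name__ == "__main__":
    data = build_sample_events()
    for account in ("ymara", "devon"):
        print(login_panel(data, account))
```

The flag is only a prompt for review: as in the video, the analyst still looks at the timeline, the locations and the exact times before deciding the activity is suspicious. Note that "usual" is derived from successful logins only, so a run of failures from a new place can never quietly become the baseline.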
Conclusion
SIEM dashboards are a valuable tool for security analysts and organizations of all sizes. SIEM dashboards can help security analysts to quickly identify suspicious activity, detect and investigate security incidents, and generate reports on security activity.
Here are some additional tips for creating effective SIEM dashboards:
- Use clear and concise labels. The labels on your dashboard should be clear and concise so that users can easily understand what the data represents.
- Use appropriate visualizations. The type of visualization you use should be appropriate for the data you are displaying. For example, line charts are good for displaying trends over time, while bar charts are good for displaying comparisons between different categories.
- Use color sparingly. Too much color on a dashboard can be overwhelming and make it difficult to read the data. Use color to highlight important information or to draw attention to areas of concern.
- Keep your dashboard up to date. SIEM dashboards should be updated regularly to reflect the latest security data.
By following these tips, you can create SIEM dashboards that will help you to improve your organization’s security posture.
Reading: The future of SIEM tools
Previously, you were introduced to security information and event management (SIEM) tools, along with a few examples of SIEM tools. In this reading, you will learn more about how SIEM tools are used to protect organizational operations. You will also gain insight into how and why SIEM tools are changing to help protect organizations and the people they serve from evolving threat actor tactics and techniques.
Current SIEM solutions
A SIEM tool is an application that collects and analyzes log data to monitor critical activities in an organization. SIEM tools offer real-time monitoring and tracking of security event logs. The data is then used to conduct a thorough analysis of any potential security threat, risk, or vulnerability identified. SIEM tools have many dashboard options. Each dashboard option helps cybersecurity team members manage and monitor organizational data. However, currently, SIEM tools require human interaction for analysis of security events.
The future of SIEM tools
As cybersecurity continues to evolve, the need for cloud functionality has increased. SIEM tools have evolved, and continue to evolve, to function in cloud-hosted and cloud-native environments. Cloud-hosted SIEM tools are operated by vendors who are responsible for maintaining and managing the infrastructure required to run them. They are accessed over the internet and suit organizations that don’t want to invest in creating and maintaining their own infrastructure.
Similar to cloud-hosted SIEM tools, cloud-native SIEM tools are also fully maintained and managed by vendors and accessed through the internet. However, cloud-native tools are designed to take full advantage of cloud computing capabilities, such as availability, flexibility, and scalability.
Yet, the evolution of SIEM tools is expected to continue in order to accommodate the changing nature of technology, as well as new threat actor tactics and techniques. For example, consider the growing number of interconnected devices with access to the internet, known as the Internet of Things (IoT). The more interconnected devices there are, the larger the attack surface and the more data there is for threat actors to exploit. The diversity of attacks and of data that requires special attention is expected to grow significantly. Additionally, as artificial intelligence (AI) and machine learning (ML) technology continues to progress, SIEM capabilities such as recognizing threat-related terminology, dashboard visualization, and data storage are expected to improve.
The implementation of automation will also help security teams respond faster to possible incidents, performing many actions without waiting for a human response. Security orchestration, automation, and response (SOAR) is a collection of applications, tools, and workflows that uses automation to respond to security events. Essentially, this means that handling common security-related incidents with the use of SIEM tools is expected to become a more streamlined process requiring less manual intervention. This frees up security analysts to handle more complex and uncommon incidents that, consequently, can’t be automated with a SOAR. Nevertheless, the expectation is for cybersecurity-related platforms to communicate and interact with one another. Although the technology allowing interconnected systems and devices to communicate with each other exists, it is still a work in progress.
Key takeaways
SIEM tools play a major role in monitoring an organization’s data. As an entry-level security analyst, you might monitor SIEM dashboards as part of your daily tasks. Regularly researching new developments in SIEM technology will help you grow and adapt to the changes in the cybersecurity field. Cloud computing, SIEM-application integration, and automation are only some of the advancements security professionals can expect in the future evolution of SIEM tools.
Video: Parisa: The parallels of accessibility and security
Parisa Tabriz, a VP of Engineering at Google and the lead of the Chrome Team, believes that accessibility is important to all aspects of technology, including cybersecurity. She defines accessibility as making information, activities, or even environments meaningful, sensible, and usable to as many people as possible. When applied to technology, accessibility usually means making information or services available to people with disabilities.
Parisa stresses that decisions we make based on our own abilities to enhance security can actually be ineffective. For example, using the color red to indicate a warning would be ineffective for someone who is colorblind. Therefore, it is important to consider accessibility when designing security measures.
Parisa also sees parallels between the fields of security and accessibility. She believes that innovation is driven when trying to solve specific problems in either field. For example, closed captioning was originally designed to help people with hearing impairments, but it ends up helping everyone.
Parisa’s advice for people new to the field of cybersecurity is to remember that there is a range of abilities that they are wanting to serve. It is important to get user research and feedback from a range of abilities in terms of testing the effectiveness of security mitigations.
Finally, Parisa shares her personal story of overcoming challenges in the tech industry. She encourages others to find mentors, ask questions, and persevere through hard moments. She also reminds people to be proud of their unique skills and perspectives.
[MUSIC] My name is Parisa and I’m a vice president
of engineering and lead the Chrome Team. So as general manager of the Chrome Team,
I lead a team of engineers and product managers and
designers around the world who actually build Chrome and
keep all of our users safe. I think accessibility is important
to all aspects of technology, and when we think about its relevance for cybersecurity, you know, we ultimately
want to keep everybody safe. I think of accessibility as making
information, activities, or even environments meaningful, sensible,
usable to as many people as possible. And when we’re talking about this in
a technology standpoint, it’s usually about making information or services
available to people with disabilities. Decisions we make based on our own
abilities to enhance security can actually be ineffective. For example, you’ll sometimes
see the color red used for indication of a warning. Well, for somebody who’s colorblind, like
that is going to be ineffective. And so really thinking about accessibility
when we’re trying to keep people safe is super important for them to be effective. I’ve worked in the space of security for
a really long time. And I do see some parallels
between the spaces. I’ve really been able to see innovation
driven when you’re trying to solve a very specific security problem or
a specific accessibility problem. Closed Captioning was originally
designed and built to help people with hearing impairments, but
it ends up helping everybody. For people who are new to the field of
cybersecurity, it’s just really important to remember that there’s a range of
abilities that you are wanting to serve. It’s so important to get user research and
feedback and a range of abilities in terms of testing the effectiveness
of your security mitigations. I know it was scary for me early on. I didn’t look like everybody else. I really struggled with
whether I belonged. Finding people who could be mentors,
having the courage to ask questions and recognize that you’re rarely
the only person with that question. And just sort of persevering through,
sometimes hard moments can lead to breakthroughs and
also just growing confidence. And one of the things I’ve
learned is me having a different background than other people in
this space was my own superpower. Instead of focusing on the delta between
what I was and what the norm was in the room, I should feel a lot of
pride in what made me unique and what unique skills and
perspective I brought to the table.
Practice Quiz: Test your knowledge: Security information and event management (SIEM) dashboards
Which log source records events related to websites, emails, and file shares, as well as password and username requests?
Server
Server logs record events related to websites, emails, and file shares. They include actions such as login requests, password and username requests, as well as the ongoing use of these services.
Fill in the blank: A security information and _ management (SIEM) tool is an application that collects and analyzes log data to monitor critical activities in an organization.
event
A security information and event management (SIEM) tool is an application that collects and analyzes log data to monitor critical activities in an organization. SIEM tools index and minimize the scope of logs a security professional should manually review and analyze.
A security professional evaluates a software application by reviewing key technical attributes including response time, availability, and failure rate. What are they using to assess performance?
Metrics
They are using metrics. Metrics are key technical attributes including response time, availability, and failure rate, which are used to assess the performance of a software application. SIEM dashboards can be customized to display relevant metrics.
Fill in the blank: SIEM tools must be configured and _ to meet each organization’s unique security needs.
customized
SIEM tools must be configured and customized to meet each organization’s unique security needs.
Explore security information and event management (SIEM) tools
Video: Explore common SIEM tools
SIEM tools can be categorized into three types: self-hosted, cloud-hosted, and hybrid.
- Self-hosted SIEM tools require organizations to install, operate, and maintain the tool using their own physical infrastructure. These tools are ideal for organizations that need to maintain physical control over confidential data.
- Cloud-hosted SIEM tools are maintained and managed by the SIEM providers, making them accessible through the internet. These tools are ideal for organizations that don’t want to invest in creating and maintaining their own infrastructure.
- Hybrid SIEM solutions combine the benefits of both self-hosted and cloud-hosted SIEM tools. Organizations might choose a hybrid SIEM solution to leverage the benefits of the cloud while also maintaining physical control over confidential data.
Some common SIEM tools include Splunk Enterprise, Splunk Cloud, and Chronicle.
- Splunk Enterprise is a self-hosted tool used to retain, analyze, and search an organization’s log data to provide security information and alerts in real-time.
- Splunk Cloud is a cloud-hosted tool used to collect, search, and monitor log data.
- Chronicle is a cloud-native tool designed to retain, analyze, and search data. It provides log monitoring, data analysis, and data collection.
SIEM tools are an important part of an organization’s security arsenal. They can help security analysts monitor systems and detect security threats.
To explore common SIEM tools, you can:
- Visit the websites of SIEM vendors. This is a good way to learn about the features and capabilities of each tool, as well as their pricing and deployment options.
- Read reviews of SIEM tools. This can be helpful for getting an unbiased opinion of each tool from other users.
- Attend webinars and conferences where SIEM tools are discussed. This is a great way to learn more about SIEM tools from experts and ask questions.
- Try out SIEM tools in a sandbox environment. Many vendors offer sandbox environments where you can try out their SIEM tools before you buy them.
Here are some of the most common SIEM tools:
- Splunk Enterprise is a self-hosted SIEM tool that is known for its scalability and performance. It is a popular choice for large enterprises with complex security needs.
- Splunk Cloud is a cloud-hosted SIEM tool that is easy to deploy and manage. It is a good choice for organizations that do not want to invest in their own infrastructure.
- Chronicle is a cloud-native SIEM tool that is designed to take advantage of the scalability and flexibility of cloud computing. It is a good choice for organizations that are running hybrid or cloud-only environments.
- SolarWinds Security Event Manager is a self-hosted SIEM tool that is known for its affordability and ease of use. It is a good choice for small and medium-sized businesses.
- LogRhythm Security Intelligence Platform is a self-hosted SIEM tool that is known for its comprehensive security features and analytics capabilities. It is a good choice for large enterprises with complex security needs.
Once you have explored a few different SIEM tools, you can start to narrow down your choices based on your specific needs and budget. Be sure to consider the following factors when choosing a SIEM tool:
- Deployment options: Do you want a self-hosted, cloud-hosted, or hybrid SIEM tool?
- Scalability: How much data do you need to process? How many users will be using the SIEM tool?
- Features: What features are important to you? For example, do you need a SIEM tool with threat intelligence capabilities, or one that can integrate with other security tools?
- Pricing: How much are you willing to spend on a SIEM tool?
Once you have chosen a SIEM tool, you can start to deploy and implement it. Be sure to follow the vendor’s instructions carefully to ensure a successful deployment.
Here are some additional tips for exploring common SIEM tools:
- Start by identifying your specific needs. What are the biggest security threats facing your organization? What kind of data do you need to collect and analyze?
- Do your research. Read reviews, compare features, and get quotes from different vendors.
- Try out different SIEM tools in a sandbox environment. This will give you a chance to see how each tool works and decide which one is right for you.
- Consider your budget. SIEM tools can be expensive, so make sure to factor in the cost of the tool, as well as the cost of deployment and maintenance.
- Get help from a consultant. If you are not sure which SIEM tool is right for you, or if you need help deploying and implementing the tool, consider working with a consultant.
Hello again! Previously, we discussed how SIEM tools help security analysts monitor systems and detect security threats. In this video, we’ll cover some industry-leading SIEM tools that you’ll likely encounter as a security analyst.
First, let’s discuss the different types of SIEM tools that organizations can choose from, based on their unique security needs. Self-hosted SIEM tools require organizations to install, operate, and maintain the tool using their own physical infrastructure, such as server capacity. These applications are then managed and maintained by the organization’s IT department, rather than a third-party vendor. Self-hosted SIEM tools are ideal when an organization is required to maintain physical control over confidential data. Alternatively, cloud-hosted SIEM tools are maintained and managed by the SIEM providers, making them accessible through the internet. Cloud-hosted SIEM tools are ideal for organizations that don’t want to invest in creating and maintaining their own infrastructure. Or, an organization can choose to use a combination of both self-hosted and cloud-hosted SIEM tools, known as a hybrid solution. Organizations might choose a hybrid SIEM solution to leverage the benefits of the cloud while also maintaining physical control over confidential data.
Splunk Enterprise, Splunk Cloud, and Chronicle are common SIEM tools that many organizations use to help protect their data and systems. Let’s begin by discussing Splunk. Splunk is a data analysis platform and Splunk Enterprise provides SIEM solutions. Splunk Enterprise is a self-hosted tool used to retain, analyze, and search an organization’s log data to provide security information and alerts in real time. Splunk Cloud is a cloud-hosted tool used to collect, search, and monitor log data. Splunk Cloud is helpful for organizations running hybrid or cloud-only environments, where some or all of the organization’s services are in the cloud. Finally, there’s Google’s Chronicle. Chronicle is a cloud-native tool designed to retain, analyze, and search data. Chronicle provides log monitoring, data analysis, and data collection. Like cloud-hosted tools, cloud-native tools are also fully maintained and managed by the vendor. But cloud-native tools are specifically designed to take full advantage of cloud computing capabilities such as availability, flexibility, and scalability.
Because threat actors are frequently improving their strategies to compromise the confidentiality, integrity, and availability of their targets, it’s important for organizations to use a variety of security tools to help defend against attacks. The SIEM tools we just discussed are only a few examples of the tools available for security teams to use to help defend their organizations. And later in the certificate program, you’ll have the exciting opportunity to practice using Splunk Cloud and Chronicle.
Reading: More about cybersecurity tools
Previously, you learned about several tools that are used by cybersecurity team members to monitor for and identify potential security threats, risks, and vulnerabilities. In this reading, you’ll learn more about common open-source and proprietary cybersecurity tools that you may use as a cybersecurity professional.
Open-source tools
Open-source tools are often free to use and can be user friendly. The objective of open-source tools is to provide users with software that is built by the public in a collaborative way, which can result in the software being more secure. Additionally, open-source tools allow for more customization by users, resulting in a variety of new services built from the same open-source software package.
Software engineers create open-source projects to improve software and make it available for anyone to use, as long as the specified license is respected. The source code for open-source projects is readily available to users, as well as the training material that accompanies them. Having these sources readily available allows users to modify and improve project materials.
Proprietary tools
Proprietary tools are developed and owned by a person or company, and users typically pay a fee for usage and training. The owners of proprietary tools are the only ones who can access and modify the source code. This means that users generally need to wait for updates to be made to the software, and at times they might need to pay a fee for those updates. Proprietary software generally allows users to modify a limited number of features to meet individual and organizational needs. Examples of proprietary tools include Splunk® and Chronicle SIEM tools.
Common misconceptions
There is a common misconception that open-source tools are less effective and not as safe to use as proprietary tools. However, developers have been creating open-source materials for years that have become industry standards. Although it is true that threat actors have attempted to manipulate open-source tools, because these tools are open source it is actually harder for people with malicious intent to successfully cause harm. The wide exposure and immediate access to the source code by well-intentioned and informed users and professionals makes it less likely for issues to occur, because they can fix issues as soon as they’re identified.
Examples of open-source tools
In security, there are many tools in use that are open-source and commonly available. Two examples are Linux and Suricata.
Linux
Linux is an open-source operating system that is widely used. It allows you to tailor the operating system to your needs using a command-line interface. An operating system is the interface between computer hardware and the user. It’s used to communicate with the hardware of a computer and manage software applications.
There are multiple versions of Linux that exist to accomplish specific tasks. Linux and its command-line interface will be discussed in detail, later in the certificate program.
Suricata
Suricata is an open-source network analysis and threat detection software. Network analysis and threat detection software is used to inspect network traffic to identify suspicious behavior and generate network data logs. The detection software finds activity across users, computers, or Internet Protocol (IP) addresses to help uncover potential threats, risks, or vulnerabilities.
Suricata was developed by the Open Information Security Foundation (OISF). OISF is dedicated to maintaining open-source use of the Suricata project to ensure it’s free and publicly available. Suricata is widely used in the public and private sector, and it integrates with many SIEM tools and other security tools. Suricata will also be discussed in greater detail later in the program.
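As an added example (not course material and not code from the Suricata project), the Python below shows the first thing a SIEM does with Suricata's output: Suricata writes each detection as a JSON record to a file conventionally called eve.json, and the ingestion side parses those records, keeps the alert events, drops lines it cannot parse without failing, and counts alerts by signature and by source address with the worst severity seen per source. The sample records are constructed in the shape of that output; the addresses, signature ids (in the local 1000000+ range) and signature names are made up.

```python
"""Summarize Suricata EVE JSON alerts the way a SIEM ingestion step does.

Added example for this reading; it is not course material or Suricata
project code. SAMPLE_EVE is constructed in the shape of Suricata's eve.json
output (one JSON object per line, event_type "alert" for detections); the
addresses, signature ids and signature names are made up.
"""
import json
from collections import Counter

# Constructed sample: three alerts, one non-alert flow record, one bad line.
SAMPLE_EVE = """\
{"timestamp":"2024-01-15T09:12:01.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":51514,"dest_ip":"10.0.0.20","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL SSH scan from external host","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-01-15T09:12:03.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"10.0.0.20","proto":"TCP"}
{"timestamp":"2024-01-15T09:12:09.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":51520,"dest_ip":"10.0.0.21","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL SSH scan from external host","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-01-15T09:13:40.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":44102,"dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL Outbound connection to listed C2 host","category":"A Network Trojan was detected","severity":1}}
this line is not JSON and must not stop ingestion
"""

# Suricata severity 1 is the most severe; SIEMs commonly map it to "high".
SEVERITY_LABEL = {1: "high", 2: "medium", 3: "low"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


def parse_eve(text):
    """Return (alert records, number of unparseable lines) from an eve.json
    blob. Non-alert event types are ignored; a bad line is counted, not fatal."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if rec.get("event_type") == "alert" and "alert" in rec:
            alerts.append(rec)
    return alerts, skipped


def normalize(rec):
    """Flatten one EVE alert into the field set a dashboard keys on."""
    a = rec["alert"]
    return {
        "ts": rec["timestamp"],
        "src_ip": rec.get("src_ip"),
        "dest_ip": rec.get("dest_ip"),
        "dest_port": rec.get("dest_port"),
        "sid": a.get("signature_id"),
        "signature": a.get("signature"),
        "severity": SEVERITY_LABEL.get(a.get("severity"), "unknown"),
        "blocked": a.get("action") == "blocked",
    }


def summarize(alerts):
    """Counts by signature and by source, plus the worst severity per source:
    the numbers an "IOC matches" or "top threats" panel plots."""
    events = [normalize(r) for r in alerts]
    by_sig = Counter(e["signature"] for e in events)
    by_src = Counter(e["src_ip"] for e in events)
    worst = {}
    for e in events:
        cur = worst.get(e["src_ip"])
        if cur is None or SEVERITY_RANK[e["severity"]] < SEVERITY_RANK[cur]:
            worst[e["src_ip"]] = e["severity"]
    return {"by_signature": by_sig, "by_source": by_src, "worst_severity": worst}


if __name__ == "__main__":
    alerts, skipped = parse_eve(SAMPLE_EVE)
    s = summarize(alerts)
    print(f"{len(alerts)} alerts parsed, {skipped} malformed line(s) skipped")
    for sig, n in s["by_signature"].most_common():
        print(f"{n:3d}  {sig}")
    for src, n in s["by_source"].most_common():
        print(f"{src:>15}  {n} alert(s), worst severity: {s['worst_severity'][src]}")
```

Two choices matter in practice: the parser never aborts on a malformed line, because one corrupted record must not stop the whole feed, and non-alert event types (flow, dns, http) are dropped here rather than failed on, since a real Suricata deployment emits far more of those than alerts.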
Key takeaways
Open-source tools are widely used in the cybersecurity profession. Throughout the certificate program, you will have multiple opportunities to learn about and explore both open-source and proprietary tools in more depth.
Video: Talya: Myths about the cybersecurity field
Cybersecurity is a field that is often misunderstood. There are many myths about what it takes to be successful in this field.
One myth is that you must know how to code, hack, or be a math wiz to be successful in cybersecurity. This is not true. There are many different roles in cybersecurity, and not all of them require these skills. For example, there are roles in cybersecurity that focus on building relationships, learning quickly on the job, doing research, and asking questions.
Another myth is that you need a cybersecurity degree to be successful in this field. This is also not true. There are many people in cybersecurity who do not have a cybersecurity degree. In fact, many people come to cybersecurity from other fields, such as business, law, and even the arts.
Finally, some people believe that cybersecurity is a field where you work in isolation. This is not true. Cybersecurity is a team sport, and many people in this field collaborate with others on a daily basis.
If you are interested in a career in cybersecurity, the best advice is to be open to creating your own path. There is no one-size-fits-all approach to this field. Talk to people who are working in cybersecurity and learn about their journeys. And don’t be afraid to ask for support. There are many people who are willing to help new people enter the cybersecurity field.
I’m Talya, and I’m an engineer within privacy, safety and security at Google. So there are a lot of myths in the cybersecurity space. One big one is, you must know how to code, or you must know how to hack, or you must be a math wiz. I don’t know how to code, although I have learned how to read code over time. I’m not a hacker. I’m not on the red team side of security, I’m more on like the blue team. I’m not a math wiz. I definitely took the business route, but I’m not a mathematician. That wasn’t really the path. A lot of my strength really lies in my ability to build relationships, learn quickly on the job, doing, conducting research, asking all the right questions. I think those have been my strongest strengths.
Another big myth is that you are required to have a cybersecurity degree. I actually went to school for business; an advanced degree is not required. Even though I did later on go back, that was my preference. You do not need to pursue that in order for you to be considered a great candidate for cybersecurity.
Another big one is you work in isolation within cybersecurity. It really depends on the path that you choose. But I found that to be one of the most that couldn’t be further from the truth.
My biggest advice for anyone who’s interested in cybersecurity is, be okay with creating your own path. The path looks different for everyone. If you were to talk to five different people, their journeys are all different. So own your journey, and identify people who can support you. Let them know that you’re sitting for the certificate, and see what support that you can get as you start your journey.
Reading: Use SIEM tools to protect organizations
Previously, you were introduced to security information and event management (SIEM) tools and a few SIEM dashboards. You also learned about different threats, risks, and vulnerabilities an organization may experience. In this reading, you will learn more about SIEM dashboard data and how cybersecurity professionals use that data to identify a potential threat, risk, or vulnerability.
Splunk
Splunk offers different SIEM tool options: Splunk® Enterprise and Splunk® Cloud. Both allow you to review an organization’s data on dashboards. This helps security professionals manage an organization’s internal infrastructure by collecting, searching, monitoring, and analyzing log data from multiple sources to obtain full visibility into an organization’s everyday operations.
Review the following Splunk dashboards and their purposes:
Security posture dashboard
The security posture dashboard is designed for security operations centers (SOCs). It displays the last 24 hours of an organization’s notable security-related events and trends and allows security professionals to determine if security infrastructure and policies are performing as designed. Security analysts can use this dashboard to monitor and investigate potential threats in real time, such as suspicious network activity originating from a specific IP address.
Executive summary dashboard
The executive summary dashboard analyzes and monitors the overall health of the organization over time. This helps security teams improve security measures that reduce risk. Security analysts might use this dashboard to provide high-level insights to stakeholders, such as generating a summary of security incidents and trends over a specific period of time.
Incident review dashboard
The incident review dashboard allows analysts to identify suspicious patterns that can occur in the event of an incident. It assists by highlighting higher risk items that need immediate review by an analyst. This dashboard can be very helpful because it provides a visual timeline of the events leading up to an incident.
Risk analysis dashboard
The risk analysis dashboard helps analysts identify risk for each risk object (e.g., a specific user, a computer, or an IP address). It shows changes in risk-related activity or behavior, such as a user logging in outside of normal working hours or unusually high network traffic from a specific computer. A security analyst might use this dashboard to analyze the potential impact of vulnerabilities in critical assets, which helps analysts prioritize their risk mitigation efforts.
Chronicle
Chronicle is a cloud-native SIEM tool from Google that retains, analyzes, and searches log data to identify potential security threats, risks, and vulnerabilities. Chronicle allows you to collect and analyze log data according to:
- A specific asset
- A domain name
- A user
- An IP address
Chronicle provides multiple dashboards that help analysts monitor an organization’s logs, create filters and alerts, and track suspicious domain names.
Review the following Chronicle dashboards and their purposes:
Enterprise insights dashboard
The enterprise insights dashboard highlights recent alerts. It identifies suspicious domain names in logs, known as indicators of compromise (IOCs). Each result is labeled with a confidence score to indicate the likelihood of a threat. It also provides a severity level that indicates the significance of each threat to the organization. A security analyst might use this dashboard to monitor login or data access attempts related to a critical asset—like an application or system—from unusual locations or devices.
Data ingestion and health dashboard
The data ingestion and health dashboard shows the number of event logs, log sources, and success rates of data being processed into Chronicle. A security analyst might use this dashboard to ensure that log sources are correctly configured and that logs are received without error. This helps ensure that log related issues are addressed so that the security team has access to the log data they need.
IOC matches dashboard
The IOC matches dashboard indicates the top threats, risks, and vulnerabilities to the organization. Security professionals use this dashboard to observe domain names, IP addresses, and device IOCs over time in order to identify trends. This information is then used to direct the security team’s focus to the highest priority threats. For example, security analysts can use this dashboard to search for additional activity associated with an alert, such as a suspicious user login from an unusual geographic location.
Main dashboard
The main dashboard displays a high-level summary of information related to the organization’s data ingestion, alerting, and event activity over time. Security professionals can use this dashboard to access a timeline of security events—such as a spike in failed login attempts—to identify threat trends across log sources, devices, IP addresses, and physical locations.
Rule detections dashboard
The rule detections dashboard provides statistics related to incidents with the highest occurrences, severities, and detections over time. Security analysts can use this dashboard to access a list of all the alerts triggered by a specific detection rule, such as a rule designed to alert whenever a user opens a known malicious attachment from an email. Analysts then use those statistics to help manage recurring incidents and establish mitigation tactics to reduce an organization’s level of risk.
User sign in overview dashboard
The user sign in overview dashboard provides information about user access behavior across the organization. Security analysts can use this dashboard to access a list of all user sign-in events to identify unusual user activity, such as a user signing in from multiple locations at the same time. This information is then used to help mitigate threats, risks, and vulnerabilities to user accounts and the organization’s applications.
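To make the detections these dashboards surface concrete, here is an added Python example (not course material, and not Splunk or Chronicle code) that runs three of the checks described above over a constructed set of sign-in events: a burst of failed logins from one source address (the kind of notable event the security posture dashboard shows), a successful sign-in outside normal working hours (a risk analysis signal for a user risk object), and one user signing in from two countries within minutes (what the user sign in overview is used to spot). The event format, the thresholds, the working hours, and every user, address and country are assumptions.

```python
"""Three SIEM-style sign-in detections over constructed events.

Added example; not course material and not Splunk or Chronicle code.
SAMPLE_EVENTS is an assumed, simplified sign-in log (one JSON record per
line) with made-up users, addresses and countries. Thresholds and working
hours are assumptions a real deployment would tune.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
{"ts":"2024-01-15T03:12:00Z","user":"bob","src_ip":"10.0.0.9","country":"US","result":"success"}
{"ts":"2024-01-15T08:55:10Z","user":"alice","src_ip":"10.0.0.5","country":"US","result":"success"}
{"ts":"2024-01-15T08:56:40Z","user":"alice","src_ip":"198.51.100.23","country":"DE","result":"success"}
{"ts":"2024-01-15T14:00:01Z","user":"carol","src_ip":"203.0.113.77","country":"NL","result":"failure"}
{"ts":"2024-01-15T14:00:15Z","user":"dave","src_ip":"203.0.113.77","country":"NL","result":"failure"}
{"ts":"2024-01-15T14:00:30Z","user":"erin","src_ip":"203.0.113.77","country":"NL","result":"failure"}
{"ts":"2024-01-15T14:00:48Z","user":"frank","src_ip":"203.0.113.77","country":"NL","result":"failure"}
{"ts":"2024-01-15T14:01:05Z","user":"grace","src_ip":"203.0.113.77","country":"NL","result":"failure"}
{"ts":"2024-01-15T14:01:30Z","user":"heidi","src_ip":"203.0.113.77","country":"NL","result":"failure"}
{"ts":"2024-01-15T14:20:00Z","user":"carol","src_ip":"10.0.0.12","country":"US","result":"failure"}
{"ts":"2024-01-15T17:59:00Z","user":"alice","src_ip":"10.0.0.5","country":"US","result":"success"}
"""


def parse_events(text):
    """Parse one JSON sign-in record per line; timestamps are UTC ISO 8601."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Source addresses with at least `threshold` failures inside any
    `window`-long span (sliding window over each source's failure times)."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src_ip"]].append(e["ts"])
    findings = []
    for src, times in by_src.items():
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"src_ip": src, "count": best,
                             "window_minutes": int(window.total_seconds() // 60)})
    return findings


def after_hours_logins(events, start_hour=8, end_hour=18):
    """Successful sign-ins outside the assumed working hours (UTC)."""
    return [e for e in events
            if e["result"] == "success"
            and not (start_hour <= e["ts"].hour < end_hour)]


def concurrent_locations(events, window=timedelta(minutes=30)):
    """One user successfully signing in from two different countries within
    `window`: a simple form of the "multiple locations at once" pattern."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():  # evs are already in time order
        for prev, cur in zip(evs, evs[1:]):
            if cur["country"] != prev["country"] and cur["ts"] - prev["ts"] <= window:
                findings.append({"user": user,
                                 "countries": (prev["country"], cur["country"]),
                                 "gap_seconds": int((cur["ts"] - prev["ts"]).total_seconds())})
    return findings


def triage(text):
    """Run all three detections; this is the data a dashboard panel would plot."""
    events = parse_events(text)
    return {"failed_bursts": failed_login_bursts(events),
            "after_hours": after_hours_logins(events),
            "concurrent_locations": concurrent_locations(events)}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", {k: (v.isoformat() if isinstance(v, datetime) else v)
                          for k, v in h.items()})
```

Note that the single failed login from 10.0.0.12 is deliberately not reported: one failure is normal, and the value of a threshold plus time window is that a dashboard shows the burst without burying analysts in every mistyped password.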
Key takeaways
SIEM tools provide dashboards that help security professionals organize and focus their security efforts. This is important because it allows analysts to reduce risk by identifying, analyzing, and remediating the highest priority items in a timely manner. Later in the program, you’ll have an opportunity to practice using various SIEM tool features and commands for search queries.
Practice Quiz: Test your knowledge: Identify threats and vulnerabilities with SIEM tools
A security team wants some of its services to be hosted on the internet instead of local devices. However, they also need to maintain physical control over certain confidential data. What type of SIEM solution should they select?
Hybrid
They should select a hybrid solution. Hybrid solutions use a combination of both self- and cloud-hosted SIEM tools to leverage the benefits of the cloud while maintaining physical control over confidential data.
Security information and event management (SIEM) tools provide dashboards that help cybersecurity professionals organize and focus their security efforts.
True
SIEM tools provide dashboards that help cybersecurity professionals organize and focus their security efforts. This allows analysts to reduce risk by identifying, analyzing, and remediating the highest priority items in a timely manner.
Fill in the blank: A _ SIEM tool is specifically designed to take advantage of cloud computing capabilities including availability, flexibility, and scalability.
cloud-native
A cloud-native SIEM tool, such as Chronicle, is specifically designed to take advantage of cloud computing capabilities including availability, flexibility, and scalability.
What are the different types of SIEM tools? Select three answers.
Self-hosted, Cloud-hosted, Hybrid
Review: Introduction to cybersecurity tools
Video: Wrap-up
In this section of the course, we covered the following topics:
- The importance of logs and cybersecurity: Logs are essential for cybersecurity because they provide a record of all activity on a system or network. This information can be used to detect and investigate security incidents, as well as to troubleshoot problems.
- Different log types: There are many different types of logs, such as firewall logs, network logs, and server logs. Each type of log contains different information, but they all provide valuable insights into the security posture of an organization.
- SIEM dashboards: SIEM dashboards use visual representations to provide security teams with quick and clear insights into the security posture of an organization. SIEM dashboards can be used to track key metrics such as the number of security alerts, the types of threats detected, and the time it takes to respond to incidents.
- Common SIEM tools: There are many different SIEM tools available, such as Splunk and Chronicle. SIEM tools can be used to collect, store, analyze, and visualize log data.
In the next section of the course, we will discuss playbooks and how they help security professionals respond appropriately to identified threats, risks, and vulnerabilities.
Let’s quickly review what we covered in this section of the course. We started by discussing the importance of logs and cybersecurity, and we explored different log types, like firewall, network, and server logs. Next, we explored SIEM dashboards and how they use visual representations to provide security teams with quick and clear insights into the security posture of an organization. Finally, we introduced common SIEM tools used in the cybersecurity industry, including Splunk and Chronicle. We’ll be exploring even more security tools later in the program, and you’ll have opportunities to practice using them. Coming up, we’ll discuss playbooks and how they help security professionals respond appropriately to identified threats, risks, and vulnerabilities. Meet you there.
Reading: Glossary terms from module 3
Terms and definitions from Course 2, Module 3
Chronicle: A cloud-native tool designed to retain, analyze, and search data
Incident response: An organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach
Log: A record of events that occur within an organization’s systems
Metrics: Key technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a software application
Operating system (OS): The interface between computer hardware and the user
Playbook: A manual that provides details about any operational action
Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization
Security orchestration, automation, and response (SOAR): A collection of applications, tools, and workflows that use automation to respond to security events
Splunk Cloud: A cloud-hosted tool used to collect, search, and monitor log data
Splunk Enterprise: A self-hosted tool used to retain, analyze, and search an organization’s log data to provide security information and alerts in real-time
Quiz: Module 3 challenge
Which of the following statements correctly describe logs? Select three answers.
- SIEM tools rely on logs to monitor systems and detect security threats.
- A record of events related to employee logins and username requests is part of a server log.
- A record of connections between devices and services on a network is part of a network log.
AI assistant
You should select the following three statements:
- SIEM tools rely on logs to monitor systems and detect security threats.
- A record of events related to employee logins and username requests is part of a server log.
- A record of connections between devices and services on a network is part of a network log.
Logs are records of events that occur on a computer system or network. They can be used to track system activity, troubleshoot problems, and detect security threats.
SIEM tools are security information and event management systems that use logs to monitor systems and detect security threats. SIEM tools collect and analyze logs from a variety of sources, such as servers, networks, and security devices.
Server logs contain records of events that occur on a server, such as logins, file accesses, and errors. Network logs contain records of network traffic, such as connections between devices and services.
User logins and username requests are typically recorded in a server log. Connections between devices and services on a network are typically recorded in a network log.
The last statement, “Actions such as username requests are recorded in a network log”, is incorrect. Username requests are typically recorded in a server log.
What are some of the key benefits of SIEM tools? Select three answers.
- Increase efficiency
- Minimize the number of logs to be manually reviewed
- Deliver automated alerts
AI assistant
The three key benefits of SIEM tools that you selected are:
- Deliver automated alerts
- Increase efficiency
- Minimize the number of logs to be manually reviewed
These are all important benefits, as they can help organizations to save time and resources, while also improving their security posture.
Automated alerts can help organizations to quickly identify and respond to security threats. SIEM tools can be configured to generate alerts based on a variety of factors, such as suspicious activity, known malware signatures, and compliance requirements. This can help organizations to reduce the time it takes to detect and respond to security incidents, which can help to minimize the damage caused by these incidents.
Increased efficiency can be achieved by using a SIEM tool to centralize log collection and analysis. This can save organizations a significant amount of time and effort, as they will no longer need to manually collect and analyze logs from multiple sources. SIEM tools can also automate many tasks associated with incident response, such as log searching and correlation.
Minimizing the number of logs to be manually reviewed can be achieved by using a SIEM tool to filter and prioritize logs. SIEM tools can be configured to only display logs that are relevant to the organization’s security needs. This can help organizations to reduce the amount of time that security analysts need to spend manually reviewing logs, and it can also help to ensure that analysts are focused on the most important logs.
In addition to these three benefits, SIEM tools can also help organizations to:
- Improve their visibility into their security posture
- Detect and respond to security threats more quickly
- Improve compliance with security regulations
- Reduce the risk of data breaches
Overall, SIEM tools are valuable tools that can help organizations to improve their security posture and reduce the risk of cyberattacks.
Fill in the blank: To assess the performance of a software application, security professionals use _, including response time, availability, and failure rate.
metrics
AI assistant
The answer is metrics.
Security professionals use metrics to assess the performance of a software application, including response time, availability, and failure rate.
Metrics are quantitative measurements of a system or process. They can be used to track changes in performance over time, identify trends, and troubleshoot problems.
Some common metrics that security professionals use to assess application performance include:
- Response time: The amount of time it takes for an application to respond to a request.
- Availability: The percentage of time that an application is up and running.
- Failure rate: The percentage of time that an application fails to respond to a request.
In addition to these basic metrics, security professionals may also track other metrics that are specific to the application or organization. For example, security professionals may track the number of failed login attempts, the number of malware infections, or the number of security alerts that are generated.
Security professionals can use a variety of tools to collect and analyze metrics. Common tools include:
- Logs: Logs contain detailed information about the activity of an application or system. Security professionals can use logs to track metrics such as response time, availability, and failure rate.
- Dashboards: Dashboards provide a visual representation of metrics. Security professionals can use dashboards to quickly identify trends and problems.
- SIEM tools: SIEM (Security Information and Event Management) tools collect and analyze logs from multiple sources. SIEM tools can be used to generate alerts, track metrics, and investigate security incidents.
By tracking and analyzing metrics, security professionals can identify and address potential performance problems before they impact users or cause a security breach.
A security team chooses to implement a SIEM tool that will be managed and maintained by the organization’s IT department, rather than a third-party vendor. What type of tool are they using?
Self-hosted
AI assistant
The type of SIEM tool that a security team chooses to implement and manage internally is called a self-hosted SIEM tool.
Self-hosted SIEM tools are deployed on-premises, meaning that the organization is responsible for all aspects of the tool’s implementation, maintenance, and security. This includes things like hardware procurement, software installation, and security updates.
Self-hosted SIEM tools offer a number of advantages, including:
- Control: Organizations have complete control over the tool and its data.
- Customization: Organizations can customize the tool to meet their specific needs.
- Cost: Self-hosted SIEM tools can be more cost-effective than cloud-hosted SIEM tools, especially for organizations with large volumes of data.
However, self-hosted SIEM tools also come with some disadvantages, including:
- Complexity: Self-hosted SIEM tools can be complex to implement and manage.
- Cost: The upfront cost of implementing a self-hosted SIEM tool can be high.
- Security: Organizations are responsible for the security of the tool and its data.
Overall, self-hosted SIEM tools are a good option for organizations that want to have complete control over their SIEM tool and its data. However, organizations need to carefully consider the complexity and cost of implementing and managing a self-hosted SIEM tool before making a decision.
You are a security analyst, and you want a security solution that will be fully maintained and managed by your SIEM tool provider. What type of tool do you choose?
Cloud-hosted
AI assistant
If you are a security analyst and you want a security solution that will be fully maintained and managed by your SIEM tool provider, you should choose a cloud-hosted SIEM tool.
Cloud-hosted SIEM tools are hosted in the cloud, meaning that the SIEM tool provider is responsible for all aspects of the tool’s implementation, maintenance, and security. This includes things like hardware procurement, software installation, and security updates.
Cloud-hosted SIEM tools offer a number of advantages, including:
- Ease of use: Cloud-hosted SIEM tools are typically easier to deploy and manage than self-hosted SIEM tools.
- Scalability: Cloud-hosted SIEM tools can be easily scaled up or down to meet the needs of the organization.
- Security: Cloud-hosted SIEM tool providers typically have a high level of expertise in security and compliance.
However, cloud-hosted SIEM tools also come with some disadvantages, including:
- Cost: Cloud-hosted SIEM tools can be more expensive than self-hosted SIEM tools, especially for organizations with large volumes of data.
- Control: Organizations have less control over cloud-hosted SIEM tools than self-hosted SIEM tools.
Overall, cloud-hosted SIEM tools are a good option for organizations that want a security solution that is easy to use, scalable, and secure. Cloud-hosted SIEM tools are also a good option for organizations that want their SIEM tool provider to fully maintain and manage the tool.
If you are unsure whether a cloud-hosted SIEM tool is right for your organization, you should consult with a security expert.
Fill in the blank: SIEM tools retain, analyze, and search an organization’s _ to provide security information and alerts.
log data
AI assistant
The answer is log data.
SIEM tools retain, analyze, and search an organization’s log data to provide security information and alerts. Log data is a record of all activity on a computer system or network. It can include information such as:
- Login and logout events
- File access events
- Network traffic events
- System errors
- Security events
SIEM tools collect log data from a variety of sources, such as servers, firewalls, routers, and intrusion detection systems. They then analyze the log data for patterns and anomalies that may indicate a security threat. If a potential threat is detected, the SIEM tool can generate an alert to notify the security team.
SIEM tools can also be used to generate reports on security activity and compliance. This information can be used by security teams to identify trends, improve their security posture, and demonstrate compliance with security regulations.
Here are some examples of how SIEM tools can be used to improve security:
- Detect unauthorized access: SIEM tools can be used to detect unauthorized access to systems and data. For example, a SIEM tool might generate an alert if there is a sudden increase in failed login attempts.
- Identify malware infections: SIEM tools can be used to identify malware infections. For example, a SIEM tool might generate an alert if there is a sudden increase in network traffic to known malware servers.
- Investigate security incidents: SIEM tools can be used to investigate security incidents. For example, a SIEM tool can be used to track the movement of an attacker through a network.
Overall, SIEM tools are valuable tools that can help organizations to improve their security posture and reduce the risk of cyberattacks.
A security analyst receives an alert about hundreds of login attempts from unusual geographic locations within the last few minutes. What can the analyst use to review a timeline of the login attempts, locations, and time of activity?
A SIEM tool dashboard
AI assistant
To review a timeline of the login attempts, locations, and time of activity, the security analyst can use a SIEM tool dashboard.
SIEM tool dashboards provide a visual representation of security data. This data can be filtered and sorted to provide insights into specific security events. For example, the security analyst could create a dashboard that shows all login attempts from unusual geographic locations within the last few minutes. This would allow the analyst to quickly identify the scope of the attack and determine the next steps to take.
Here are some additional steps that the security analyst can take:
- Investigate the login attempts: The security analyst can use the SIEM tool to investigate the login attempts in more detail. This may involve looking at the source IP addresses, the usernames that were used, and the time and date of the attempts.
- Identify the affected systems: The security analyst can use the SIEM tool to identify the systems that were affected by the login attempts. This information can be used to prioritize the analyst’s response and to take steps to protect the affected systems.
- Notify the appropriate stakeholders: The security analyst should notify the appropriate stakeholders of the attack, such as the IT team, the security team, and the business owners. This will allow everyone to be aware of the situation and to take steps to mitigate the risk.
By following these steps, the security analyst can quickly identify and respond to the attack, and minimize the risk of damage.
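As an added example (not part of the course material), the two detections described above, a sudden rise in failed login attempts from one source and logins from geographic locations outside a user's normal pattern, are written here as small correlation rules run over constructed log lines; the log format, the per-user country baseline and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data), normalised the way a SIEM
# would present them: timestamp, user, source IP, geolocated country, result.
LOG_LINES = [
    "2024-05-01T10:00:01Z user=alice src=203.0.113.5 country=US result=OK",
    "2024-05-01T10:00:05Z user=bob src=198.51.100.7 country=RU result=FAIL",
    "2024-05-01T10:00:09Z user=bob src=198.51.100.7 country=RU result=FAIL",
    "2024-05-01T10:00:14Z user=carol src=198.51.100.7 country=RU result=FAIL",
    "2024-05-01T10:00:20Z user=dave src=198.51.100.7 country=RU result=FAIL",
    "2024-05-01T10:00:31Z user=bob src=198.51.100.7 country=RU result=FAIL",
    "2024-05-01T10:03:00Z user=alice src=192.0.2.9 country=US result=FAIL",
]
# Hypothetical per-user baseline of countries they normally log in from.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "dave": {"US"}}
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"country=(?P<country>\S+) result=(?P<result>\S+)")

def parse(lines):
    """Parse raw lines into event dicts sorted by time; skip lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def failed_login_spikes(events, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak count} for sources with >= threshold FAILs inside one window."""
    recent, alerts = defaultdict(list), {}
    for e in events:
        if e["result"] != "FAIL":
            continue
        ts = recent[e["src"]]
        ts.append(e["ts"])
        ts[:] = [t for t in ts if e["ts"] - t <= window]  # slide the window forward
        if len(ts) >= threshold:
            alerts[e["src"]] = max(alerts.get(e["src"], 0), len(ts))
    return alerts

def unusual_location_timeline(events, baseline=BASELINE):
    """Ordered timeline (time, user, source, country, result) of logins from outside each user's usual countries."""
    return [(e["ts"].isoformat(), e["user"], e["src"], e["country"], e["result"])
            for e in events if e["country"] not in baseline.get(e["user"], set())]
```

Note that the spike rule counts failures per source across all usernames, so five failures spread over several accounts from one address still fire the alert; the timeline is what a dashboard would render for the analyst to scope the activity.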
Fill in the blank: _ tools are often free to use.
Open-source
AI assistant
Open-source tools are often free to use.
Open-source software is software that is distributed with its source code, which means that anyone can inspect, modify, and enhance the software. Open-source software is often developed and maintained by a community of volunteers, which is one reason why it is often free to use.
There are many benefits to using open-source tools, including:
- Cost: Open-source tools are often free to use, which can save organizations money on software costs.
- Security: Open-source tools are typically more secure than commercial software, as the source code is available for anyone to review.
- Flexibility: Open-source tools can be customized to meet the specific needs of an organization.
- Support: Open-source tools typically have a large community of users and developers who can provide support.
Some examples of free and open-source SIEM tools include:
- ELK Stack
- Wazuh
- OSSEC
- SIEMonster
- Apache Metron
Organizations should carefully consider their needs when choosing a SIEM tool, whether open-source or commercial. Open-source SIEM tools can be a good option for organizations that are on a budget or that need a highly customizable solution. However, organizations should be aware that open-source SIEM tools may require more expertise to implement and manage than commercial SIEM tools.
Overall, open-source tools can be a great way to save money on software costs and to get access to high-quality software. However, organizations should carefully consider their needs before choosing an open-source tool.