Security Information and Event Management (SIEM)

Unit 3 - SIEM, Snort and Splunk

Last Update Unknown

Four Vs of Big Data

Velocity - Speed of data generation

Variety - Different forms of data

Veracity - Trustworthiness

Volume - Scale of data


Why SIEM?

SIEM products and services serve two purposes

  • Providing centralised security logging and reporting for an organisation
  • Aiding in the detection, analysis and mitigation of security events.

Some SIEM systems can stop certain attacks

  • These SIEM can be either products or services
  • Directing the reconfiguration of other enterprise security controls to stop attacks.

Traditionally, SIEM systems have been used either

  • For security compliance efforts or
  • For incident response, detection and handling


White, grey and black box testing

Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.

Vulnerability: Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorised access to an asset.

Risk: The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.

Exploit: A software program that has been developed to attack an asset by taking advantage of a vulnerability.

Asset: Any data, device, or other component of the environment that supports information-related activities belonging to an organisation.

Penetration testing provides independent validation of a company's cybersecurity and presents evidence that the vulnerabilities which previously exposed the organisation to attackers have been successfully fixed.

Black Box - Requires no knowledge of the target

Grey Box - Requires partial knowledge of the target

White Box - Requires extensive knowledge of the target

Level 1 - High-level Testing - Does not include a hands-on test

Level 2 - Network Evaluation - Information gathering, scanning and vulnerability assessment scanning

Level 3 - Penetration Testing - Taking on an adversarial role

It is important to maintain a Code of Ethics

  • Do not exceed authorisation limits
  • Be ethical
  • Limit possible damage
  • Maintain confidentiality

Confidentiality - Only authorised entities can access sensitive data

Integrity - Changes to data by unauthorised entities are detected, and only authorised entities can change sensitive data

Availability - Only authorised entities have continual access to data


Compliance

Payment Card Industry Data Security Standard (PCI DSS)

  • Build and Maintain a Secure Network - Firewall. System passwords.
  • Protect Cardholder Data - Encrypt stored cardholder data.
  • Monitor and Test Networks - Track/monitor accesses. Perform security tests.
  • Define/Maintain Security Policy - Design and implement a policy which focuses on security.
  • Strong Access Control - Restrict access to cardholder data. Assign unique ID for each user who accesses. Restrict physical access.
  • Maintain Vulnerability Management Program - Anti-virus. Develop/maintain secure systems and apps.

Sarbanes-Oxley Act (SoX)

SOX protects investors from fraudulent financial reporting with accounting and finance controls.
SOX cybersecurity compliance generally refers to a public company implementing strong internal control processes over the IT infrastructure and applications that house the financial information flowing into its financial reports. These controls enable the company to make timely disclosures to the public if a breach were to occur.

  • Public Company Accounting Oversight Board
  • Analyst Conflicts of Interest
  • Corporate Responsibility
  • Corporate Tax Returns
  • Auditor Independence

General Data Protection Regulation (GDPR)

Implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

  • Fines of up to 4% of turnover - Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million
  • Increased territorial scope - Applies to any company processing personal data of EU citizens, regardless of location
  • Consent matters - Explicit consent must be provided in an intelligible and easily accessible form
  • Right to access and portability - Users can inquire whether and how their personal data is being processed
  • Breach notification within 72 hours - Breaches must be reported within 72 hours of first having become aware of the breach
  • Privacy by design - Data protection from the onset of the designing of systems, rather than a retrospective addition
  • Right to be forgotten - Entitles the data subject to have the data controller erase his/her personal data (and potentially third parties, too)
  • Mandatory data protection officers - Appointed in certain cases, to facilitate the company's need to demonstrate GDPR compliance

SIEM

Several SIEM architectures:

  1. Software installed on an on-premises server,
  2. On-premises hardware appliance,
  3. On-premises virtual appliance or
  4. Public cloud-based service.

  • Log Aggregation - Data from many sources such as networks, databases, applications, servers, etc.
  • Correlation - Links events together into a coherent instance (timelining)
  • Dashboard - Provides an overview of events and alerts for analysis/response
  • Compliance - Gathering and reporting of audit/compliance data (PCI DSS, etc.).
  • Retention - Long-term storage of data for audit/compliance
  • Forensic Analysis - Analysis of logs across infrastructure
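The aggregation, correlation and forensic-analysis functions above are easier to see in code. The following is an added example, not part of the original notes or of any SIEM product: it takes constructed events from three sources that have already been normalised to one schema, builds a single timeline, correlates repeated failed logins followed by a success from the same source address into one alert, and pulls every event for that address across all sources as an analyst would from a dashboard.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs) from three log sources, already
# normalised by the aggregation stage to a common schema.
EVENTS = [
    {"time": "2024-03-01T10:00:00", "source": "firewall", "src_ip": "203.0.113.5", "event": "allow", "user": None},
    {"time": "2024-03-01T10:00:05", "source": "auth", "src_ip": "203.0.113.5", "event": "login_failed", "user": "admin"},
    {"time": "2024-03-01T10:00:09", "source": "auth", "src_ip": "203.0.113.5", "event": "login_failed", "user": "admin"},
    {"time": "2024-03-01T10:00:14", "source": "auth", "src_ip": "203.0.113.5", "event": "login_failed", "user": "admin"},
    {"time": "2024-03-01T10:00:20", "source": "auth", "src_ip": "203.0.113.5", "event": "login_success", "user": "admin"},
    {"time": "2024-03-01T10:00:03", "source": "auth", "src_ip": "198.51.100.7", "event": "login_failed", "user": "bob"},
    {"time": "2024-03-01T10:00:30", "source": "auth", "src_ip": "198.51.100.7", "event": "login_success", "user": "bob"},
    {"time": "2024-03-01T10:01:00", "source": "webapp", "src_ip": "203.0.113.5", "event": "config_change", "user": "admin"},
]


def parse_time(ts):
    return datetime.fromisoformat(ts)


def build_timeline(events):
    """Aggregate events from every source into one list ordered by timestamp."""
    return sorted(events, key=lambda e: parse_time(e["time"]))


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: flag a source IP with at least `threshold` failed logins
    followed by a successful login within `window`. Returns a list of alerts."""
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    for e in build_timeline(events):
        if e["source"] != "auth":
            continue
        t = parse_time(e["time"])
        ip = e["src_ip"]
        if e["event"] == "login_failed":
            failures[ip].append(t)
        elif e["event"] == "login_success":
            recent = [f for f in failures[ip] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({"src_ip": ip, "user": e["user"],
                               "failures": len(recent), "success_at": e["time"]})
            failures[ip].clear()  # a success closes the sequence either way
    return alerts


def related_events(events, src_ip):
    """Forensic view: every event for src_ip across all sources, in time order."""
    return [e for e in build_timeline(events) if e["src_ip"] == src_ip]


if __name__ == "__main__":
    for alert in correlate_bruteforce(EVENTS):
        print("ALERT", alert)
        for e in related_events(EVENTS, alert["src_ip"]):
            print("  ", e["time"], e["source"], e["event"])
```

The rule fires only for 203.0.113.5 (three failures, then a success); 198.51.100.7 has a single failure and stays below the threshold. The related-events view then shows the firewall allow before the logins and the configuration change after, which is the cross-source context a correlation engine exists to provide.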

Transferring log data from each log source

  1. Agent-based: a software agent is installed on each host that generates logs, and this agent is responsible for extracting, processing and transmitting the data to the SIEM server.
  2. Agentless: the log-generating host may directly transmit its logs to the SIEM or there could be an intermediate logging server involved, such as a syslog server.

Syslog

System Logging Protocol facilitates the transfer of information from network devices to a central server, known as a syslog server, in a particular message format. This logging protocol is a crucial part of network monitoring as it helps you track the overall health of network devices by simplifying log message management.

Syslog messages are transferred using User Datagram Protocol (UDP) on port 514. However, there’s no guarantee of message acknowledgment and delivery on the receiver/server-side due to the connectionless nature of UDP. Some network devices use TCP 1468 for confirmed message delivery to overcome this issue. Unlike the SNMP protocol, polling of network devices is avoided here to maintain system simplicity and ease of use.

This network-based logging protocol has three layers with unique capabilities:

  • Syslog content: Contains the actual information present in the event message
  • Syslog application: Performs message routing, generation, interpretation, and storage
  • Syslog transport: Transfers the messages via the network

Each syslog message carries a severity value from 0 (most urgent) to 7 (least urgent):

  • Emergency messages (severity value 0): System is unavailable for use.
  • Alert messages (severity value 1): Immediate action required for system stability.
  • Critical messages (severity value 2): Severe system issues such as loss of primary ISP connection.
  • Error messages (severity value 3): System errors requiring attention in a given time frame.
  • Warning messages (severity value 4): System error might occur if appropriate action is not taken.
  • Notification messages (severity value 5): System is stable, but a significant condition persists. Immediate action is usually not required.
  • Informational messages (severity value 6): System reporting and measuring messages.
  • Debugging messages (severity value 7): Application-specific debugging messages.
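The severity value above is not sent as a separate field: in the classic BSD syslog format (RFC 3164) it is packed with the facility into the leading PRI number, PRI = facility * 8 + severity. The following parser is an added example, not code from the original notes or from any syslog implementation; it assumes RFC 3164-style lines and a constructed set of sample messages, decodes PRI into facility and severity names, and filters for the urgent messages a SIEM would alert on first.

```python
import re

# Severity table from RFC 3164 (matches the list above).
SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# Facility codes from RFC 3164; 16-23 are the site-defined local0..local7.
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
            6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY.update({16 + i: f"local{i}" for i in range(8)})

# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG  (the pid part is optional)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed sample lines (not captured from a real device).
SAMPLE = [
    "<38>Mar  1 10:00:05 gw01 sshd[2211]: Failed password for admin from 203.0.113.5 port 51234 ssh2",
    "<13>Mar  1 10:00:06 app01 myapp: request handled in 12ms",
    "<2>Mar  1 10:00:07 core01 kernel: link down on eth0",
    "<165>Mar  1 10:00:08 sw02 port-mgr[77]: port 12 state changed to blocking",
    "this line has no PRI and should be rejected",
]


def decode_pri(pri):
    """Split PRI into (facility, severity). Valid PRI values are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_syslog(line):
    """Parse one RFC 3164 line into a dict, or return None if it does not conform."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        fac, sev = decode_pri(int(m["pri"]))
    except ValueError:
        return None
    return {
        "facility": FACILITY.get(fac, f"unknown({fac})"),
        "severity_value": sev,
        "severity": SEVERITY[sev],
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


def filter_by_severity(lines, max_severity=3):
    """Keep parsed messages at severity `max_severity` or more urgent (lower number),
    silently dropping lines that do not parse."""
    parsed = (parse_syslog(l) for l in lines)
    return [p for p in parsed if p is not None and p["severity_value"] <= max_severity]


if __name__ == "__main__":
    for rec in filter_by_severity(SAMPLE):
        print(f'{rec["severity"]:>13} {rec["facility"]:>8} {rec["host"]} {rec["tag"]}: {rec["msg"]}')
```

Two practical points follow from the format. First, because PRI is just an integer from the sender, the severity a SIEM displays is whatever the device chose to put there, so alerting on severity alone trusts the source's own classification. Second, a non-conforming line is returned as None rather than raising, which is what a collector receiving UDP datagrams from many vendors needs; the same loop can count those rejects to spot a misconfigured source.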