Introduction
This chapter provides general information about SIEM technologies and their use in fighting cybercrime. It includes the following topics:
1.1 Overview of SIEM
In cyber security, Security Information and Event Management (SIEM) refers to a set of technologies that provide analysis, threat mitigation, and logging of security events across a given network. SIEM provides a general view of the whole technical infrastructure, with specific data about security events and the mitigation applied to that infrastructure.
SIEM combines functions such as Security Information Management (SIM) and Security Event Management (SEM) into a single solution. To better understand SIEM, think of a solution that gathers data from security sources for analysis, correlation, and action on possible threats. SIEM management offers a variety of functions in the following areas:
Event and log collection
Rule correlation
Log source management
Adaptability
Data normalization and registry
This solution addresses scenarios in which analysts cannot detect advanced threats with the normal monitoring tools. At a general level, it does so by covering the business's technical infrastructure and unifying all of its elements, typically agents arranged in a hierarchical model, to gather events from endpoints, servers, and network equipment. It provides third-party interoperability so that many solutions can be integrated, which makes the product scalable and more robust. Piggeé describes the SIEM solution as “...a group of complex technologies that together provide a bird’s-eye view into an infrastructure.” (Piggeé, 2016)
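To make the collection, normalization, and rule correlation functions listed above concrete, the following is an added example written for this chapter; it is not QRadar code and not part of the original text. It takes constructed log lines in two different formats (a syslog-style sshd line and a hypothetical key=value appliance line), normalizes them into one common event schema, and then applies a simple correlation rule: three or more authentication failures from one source address followed by a success from the same address within sixty seconds raises an alert. All hostnames, addresses, users, and the rule thresholds are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in two formats (invented data, not from any real system).
SAMPLE_LOGS = [
    # syslog-style authentication events from a Linux host
    "2024-05-01T10:00:01Z srv01 sshd[1234]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "2024-05-01T10:00:03Z srv01 sshd[1234]: Failed password for admin from 203.0.113.7 port 51235 ssh2",
    "2024-05-01T10:00:05Z srv01 sshd[1234]: Failed password for admin from 203.0.113.7 port 51236 ssh2",
    "2024-05-01T10:00:09Z srv01 sshd[1234]: Accepted password for admin from 203.0.113.7 port 51237 ssh2",
    # key=value events from a hypothetical firewall and VPN appliance
    "ts=2024-05-01T10:01:00Z dev=fw01 action=deny src=198.51.100.9 dst=10.0.0.5 dport=445",
    "ts=2024-05-01T10:02:00Z dev=vpn01 action=login_fail user=bob src=198.51.100.9",
    "ts=2024-05-01T10:02:30Z dev=vpn01 action=login_ok user=bob src=198.51.100.9",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Vendor-specific action names mapped onto a common event category (normalization).
ACTION_CATEGORY = {
    "login_fail": "auth_fail",
    "login_ok": "auth_ok",
    "deny": "net_deny",
}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Turn one raw log line into the common schema, or None if the source is unknown."""
    m = SSHD_RE.match(line)
    if m:
        return {
            "time": parse_ts(m["ts"]),
            "host": m["host"],
            "category": "auth_fail" if m["result"] == "Failed" else "auth_ok",
            "user": m["user"],
            "src": m["src"],
        }
    if "=" in line:
        kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "ts" in kv and kv.get("action") in ACTION_CATEGORY:
            return {
                "time": parse_ts(kv["ts"]),
                "host": kv.get("dev"),
                "category": ACTION_CATEGORY[kv["action"]],
                "user": kv.get("user"),
                "src": kv.get("src"),
            }
    return None  # unparsed line: a SIEM would count these per log source


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Rule: at least `threshold` auth failures from one source IP, followed by a
    success from the same IP within `window`, produces one alert."""
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["category"] == "auth_fail":
            failures[ev["src"]].append(ev["time"])
        elif ev["category"] == "auth_ok":
            recent = [t for t in failures[ev["src"]] if ev["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "auth_failures_then_success",
                    "src": ev["src"],
                    "user": ev["user"],
                    "host": ev["host"],
                    "failures": len(recent),
                    "time": ev["time"],
                })
            failures[ev["src"]].clear()  # a success closes the failure sequence
    return alerts


def run(lines):
    """Collect, normalize, and correlate; returns (normalized events, alerts)."""
    events = [e for e in (normalize(line) for line in lines) if e]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run(SAMPLE_LOGS)
    print(f"normalized {len(events)} of {len(SAMPLE_LOGS)} lines")
    for alert in alerts:
        print(alert)
```

With the constructed input, only the sshd sequence from 203.0.113.7 triggers the rule; the single VPN failure from 198.51.100.9 stays below the threshold. The point of the example is the separation of concerns a SIEM relies on: the correlation rule never looks at raw text, only at the normalized schema, so adding a new log source means adding a parser, not rewriting the rules.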
1.2 Why IBM QRadar for SIEM
QRadar is one of the most popular SIEM solutions on the market today. It is a network management platform that provides situational awareness, event management, and data collection in a central console. This console normalizes the data; correlates signatures, events, and flows; and analyzes traffic for any potential threat within a technical environment. QRadar uses a combination of flow-based network knowledge, event correlation, and asset-based vulnerability assessment.