Organizations deploy different software solutions in IT infrastructure to monitor network processes, analyze data, detect anomalies, and report abnormal behavior in the form of security alerts. The process is collectively known as Security Information and Event Management (SIEM). SIEM generally works in four steps:
- The SIEM tools collect data from the respective IT infrastructure (endpoint communication devices, servers, computing machines, network controllers, etc.).
- The collected data is normalized and aggregated in order to improve its integrity and prepare the dataset for further processing.
- The normalized and aggregated data is analyzed to discover and detect anomalies (threats).
- Any abnormal behavior (potential breach) is identified and reported to the security experts (incident response team).
The SIEM analysis is usually performed on the basis of a pre-defined set of rules and security policies. Any deviation from the defined protocols is reported to the concerned department to further investigate and take appropriate actions.
SIEM Main Features
There are a number of vendors offering SIEM solutions with multiple threat detection, investigation, and reporting features. Therefore, determining the right vendor solution with the mandatory SIEM features is critical. Following is a brief overview of some of the important security information and event management features that every organization should consider before investing in any SIEM vendor solution.
1) Real-time Data Collection
Real-time data collection is the first must-have SIEM attribute that client organizations should consider. An organization may comprise multiple data sources, such as cloud services, network devices, and system logs. The SIEM tools must be capable of ingesting data from all the available sources in real time in order to detect and report any abnormal activity promptly.
2) Data Collection Architecture
Data collection architecture is another important aspect to consider while choosing a SIEM solution. There are two main types of SIEM solutions offering services to clients. Some SIEM vendors use legacy, proprietary technology to collect and store the data. Proprietary storage technology is not suitable for organizations that deal with big data. Selecting a SIEM solution for big data must align with the big data attributes, such as volume, velocity, variety, and veracity.
3) Logs Interpretation
An IT infrastructure can have multiple network entities producing logs in varying formats. Some devices may produce detailed log information while others generate terse logs that need to be deciphered. The SIEM service should be capable of interpreting the raw logs in a meaningful way so that security analysts can have a clear insight into network activities.
4) Alerts Prioritization
The SIEM setup generates a number of alerts according to the implemented security policies, rules, and trigger points. These alerts can be of low, medium, or high priority depending on the nature of the threat detected by the SIEM tools. The SIEM solution should be capable of segmenting these alerts on the basis of the defined priorities so that the response team can quickly identify and respond to the severe alerts first.
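The four-step pipeline described at the top of the page (collect, normalize and aggregate, analyze, report), together with the log interpretation in 3) and the alert prioritization in 4), worked through as one added example. This is illustrative code written for this page, not code from the article or from any SIEM vendor. It assumes two hypothetical log sources (an sshd-style syslog line and a made-up `key=value` web application line), all sample lines are constructed, the syslog year is assumed to be 2024 because syslog timestamps carry none, and the rule thresholds and severities are arbitrary choices standing in for an organization's own policy.

```python
import re
from collections import defaultdict
from datetime import datetime

# Step 1: collect. Constructed sample lines from two hypothetical sources (not real output).
SSHD_LOGS = [
    "Mar 10 08:01:02 host1 sshd[1001]: Failed password for admin from 203.0.113.5 port 51122 ssh2",
    "Mar 10 08:01:05 host1 sshd[1001]: Failed password for admin from 203.0.113.5 port 51123 ssh2",
    "Mar 10 08:01:09 host1 sshd[1001]: Failed password for root from 203.0.113.5 port 51124 ssh2",
    "Mar 10 08:01:12 host1 sshd[1001]: Failed password for admin from 203.0.113.5 port 51125 ssh2",
    "Mar 10 08:01:15 host1 sshd[1001]: Failed password for admin from 203.0.113.5 port 51126 ssh2",
    "Mar 10 08:01:20 host1 sshd[1001]: Accepted password for admin from 203.0.113.5 port 51127 ssh2",
    "Mar 10 08:05:00 host2 sshd[2002]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2",
]
WEBAPP_LOGS = [  # hypothetical key=value application log format
    "ts=2024-03-10T08:02:00Z host=web1 user=alice src=198.51.100.9 action=login outcome=failure",
    "ts=2024-03-10T08:02:30Z host=web1 user=alice src=198.51.100.9 action=login outcome=success",
    "ts=2024-03-10T08:03:00Z host=web1 user=bob src=192.0.2.44 action=export_report outcome=success",
]

# Step 2: normalize. Both formats are mapped onto one event schema.
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_sshd(line, year=2024):
    """Syslog lines carry no year; the caller supplies one (assumed 2024 here)."""
    m = SSHD_RE.match(line)
    if not m:
        return None  # unparseable lines are dropped rather than crashing the pipeline
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "source": "sshd", "user": m["user"], "src": m["src"],
            "action": "login", "outcome": "success" if m["outcome"] == "Accepted" else "failure"}

def parse_webapp(line):
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    try:
        ts = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, ValueError):
        return None
    return {"ts": ts, "host": fields.get("host", "?"), "source": "webapp",
            "user": fields.get("user", "?"), "src": fields.get("src", "?"),
            "action": fields.get("action", "?"), "outcome": fields.get("outcome", "?")}

def normalize(sshd_lines, webapp_lines):
    """Aggregate events from all sources into one time-ordered stream."""
    events = [e for e in map(parse_sshd, sshd_lines) if e]
    events += [e for e in map(parse_webapp, webapp_lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events

# Step 3: analyze with pre-defined rules; each rule assigns a severity.
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}

def rule_brute_force(events, threshold=5, window_s=300):
    """Medium: at least `threshold` failed logins from one source IP inside `window_s`."""
    alerts, by_src = [], defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["outcome"] == "failure":
            by_src[e["src"]].append(e["ts"])  # events are time-ordered, so these lists are too
    for src, stamps in by_src.items():
        for i, start in enumerate(stamps):
            in_window = [t for t in stamps[i:] if (t - start).total_seconds() <= window_s]
            if len(in_window) >= threshold:
                alerts.append({"severity": "medium", "rule": "brute_force", "src": src,
                               "count": len(in_window), "ts": in_window[-1],
                               "detail": f"{len(in_window)} failed logins from {src}"})
                break  # one alert per source IP
    return alerts

def rule_success_after_failures(events, min_failures=3, window_s=600):
    """High: a successful login from an IP that had >= min_failures recent failures."""
    alerts, failures = [], defaultdict(list)
    for e in events:
        if e["action"] != "login":
            continue
        if e["outcome"] == "failure":
            failures[e["src"]].append(e["ts"])
        elif e["outcome"] == "success":
            recent = [t for t in failures[e["src"]] if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= min_failures:
                alerts.append({"severity": "high", "rule": "success_after_failures",
                               "src": e["src"], "count": len(recent), "ts": e["ts"],
                               "detail": f"{e['user']}@{e['host']} logged in from {e['src']} "
                                         f"after {len(recent)} failures"})
    return alerts

def rule_sensitive_action(events, actions=("export_report",)):
    """Low: informational record of sensitive but otherwise legitimate-looking actions."""
    return [{"severity": "low", "rule": "sensitive_action", "src": e["src"], "count": 1,
             "ts": e["ts"], "detail": f"{e['user']} performed {e['action']} on {e['host']}"}
            for e in events if e["action"] in actions and e["outcome"] == "success"]

def analyze(events):
    alerts = (rule_success_after_failures(events) + rule_brute_force(events)
              + rule_sensitive_action(events))
    # Prioritization: most severe first, then oldest first within a severity.
    alerts.sort(key=lambda a: (-SEVERITY_RANK[a["severity"]], a["ts"]))
    return alerts

# Step 4: report. One line per alert, already in priority order for the response team.
def report(alerts):
    return [f"[{a['severity'].upper():<6}] {a['ts']:%Y-%m-%d %H:%M:%S} {a['rule']}: {a['detail']}"
            for a in alerts]

def run_pipeline():
    events = normalize(SSHD_LOGS, WEBAPP_LOGS)
    alerts = analyze(events)
    return events, alerts
```

Running `report(run_pipeline()[1])` on the constructed input yields three alerts in priority order: the high-severity successful login that followed a burst of failures, the medium-severity brute-force burst itself, and the low-severity informational record of the report export. The point a practitioner should take from it is that the parsers isolate each source's quirks (the missing syslog year, the differing field names) so that every rule operates on one schema, and that severity is attached by the rule at detection time rather than guessed at by whoever reads the queue.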
5) Extra Dashboard Features
The SIEM solution must have a dashboard that offers options and functional capabilities for technical as well as non-technical personnel of the organization. For instance, apart from gathering security information for analysts, the SIEM tools should be capable of generating plain-text reports for executives and other non-technical departments.
Having a SIEM solution is not enough to protect organizations from cyber-threats. Organizations also need security experts to manage and respond to SIEM alerts. The desired expertise of security professionals can be determined through SIEM certifications. Individuals interested in SIEM jobs can consider the following certifications to enhance their skills or showcase SIEM capabilities to be considered for SIEM-related jobs.
1) Certified SOC Analyst (EC-CSA)
Since SIEM tasks are directly related to the Security Operations Centre (SOC), the CSA by EC-Council can help organizations validate the security information and event management skills of security professionals. The EC-Council offers a CSA training program that is integrated with various use cases from different SIEM solutions to educate interested candidates about the signature-based and anomaly-based technologies used for incident detection. EC-CSA holders are trusted for SIEM solution deployment and integration of SIEM with threat intelligence for enhanced threat detection.
Target Audience for EC-CSA Certification
- SOC analysts
- Security and network engineers
- Security and network administrators
- Network security professionals
- Cybersecurity professionals
- Network security operators
EC-CSA Certification Process
The EC-CSA is a 3-day training and credentialing program designed to enhance the candidates’ proficiency in SOC operations, SIEM deployment, incident detection, and incident response capabilities. Security professionals with at least one year of working experience in the cybersecurity domain can skip the training part. After completing the training, the candidates are required to take the EC-CSA exam based on the following format.
| Item | Detail |
|---|---|
| Certification | Certified SOC Analyst (CSA) |
| Types of Questions | Multiple Choice Questions (MCQs) |
| Number of Questions | 100 |
| Exam Duration | 180 Minutes |
| Availability | EC-Council Exam Portal (eccexam.com) |
The EC-CSA exam is based on questions from the following topics.
- Security operations and management
- Cyber-threats and attack methodologies
- Understanding of Incidents, events, and logging
- Incident detection with SIEM
- Incident detection with threat intelligence
- Incident response
EC-CSA Certification Link: https://www.eccouncil.org/programs/certified-soc-analyst-csa/
2) GIAC Certified Detection Analyst (GCDA)
The GCDA certification by the Global Information Assurance Certification (GIAC) organization tests candidates’ knowledge and expertise in analyzing the information gathered from network and endpoint data sources for any malicious activities or data breaches. The certification validates SIEM-related capabilities of individuals, such as SIEM tool deployment, SIEM detection, SIEM architecture knowledge, and advanced endpoint analytics.
Target Audience for GCDA Certification
- Security analysts
- SOC analysts
- CND analysts
- System administrators
- Security engineers
- Cyber-threat investigators
- SOC managers
- Technical security managers
GCDA Certification Process
Candidates interested in GCDA credentials are required to pass the web-based GCDA test based on the following exam format.
| Item | Detail |
|---|---|
| Certification Title | GIAC Certified Detection Analyst (GCDA) |
| Number of Questions | 75 |
| Exam Duration | 120 Minutes |
The GCDA exam is prepared from the following topic areas.
- Active and passive device discovery
- Log collection, storage, aggregation, parsing, analysis, and output
- Alerts analysis
- Network analysis
- Software monitoring
- User monitoring
GCDA Certification Link: https://www.giac.org/certification/certified-detection-analyst-gcda
3) CompTIA Cybersecurity Analyst (CySA+)
CompTIA’s CySA+ validates candidates’ ability to monitor and respond to network anomalies, automate threat hunting processes, and secure software and network applications. Although the CySA+ focuses on cybersecurity analytics, the credential can be correlated to SIEM due to overlapping job tasks, such as utilizing and configuring threat detection tools, performing data analysis, cyber-threat mapping, and securing the network with appropriate actions.
Target Audience for CySA+ Certification
- Incident responders
- Threat hunters
- SOC analysts
- Threat intelligence analysts
- Application security analysts
CySA+ Certification Process
One can become a CySA+ certified professional by passing the following CySA+ exam. Although there is no prerequisite to take the exam, 3-4 years of practical cybersecurity experience is recommended before applying for the CySA+ exam.
| Item | Detail |
|---|---|
| Exam Type | Online Testing (Pearson VUE) |
| Types of Questions | MCQs, Performance Based |
| Total Number of Questions | 85 |
| Passing Marks | 750 on a scale of 100-900 |
| Exam Duration | 165 Minutes |
The CySA+ exam is related to the following security topics.
- Security operations and monitoring
- Incident response
- Software and systems security
- Vulnerability and threat management
- Compliance and assessment
CySA+ Link: https://www.comptia.org/certifications/cybersecurity-analyst
Selecting the right SIEM solution is important for organizations that deal with sensitive and private data. Although SIEM is an important utility that can provide an extra layer of security to IT infrastructure, the solution is less effective without having security experts who can interpret SIEM findings and take appropriate actions. One way of finding SIEM specialists is to look for professionals with SIEM-specific certifications, such as EC-CSA, GCDA, and CySA+.