SIEM After

Uploaded by nour.harkouss

Chapter 1

Security Information and Event Management: SIEM


1.1 Introduction

Computers, network and security devices, and the applications that run on them generate records called logs: time-sequenced series of
messages that describe activities going on within the system or network. Log data represents the digital footprints of activities that occur
within the network or system. These data may be streamed to a central platform, where they can be reviewed to detect anomalous activities.
Although the concept of SIEM is relatively new, it was developed on two already existing technologies: Security Event Management (SEM) and
Security Information Management (SIM). A Security Information and Event Management (SIEM) system provides a single centralized platform for the
collection, monitoring, and management of security-related events and log data from across the enterprise. Because a SIEM correlates data from a
wide variety of event and contextual data sources, it enables security teams to identify and respond to suspicious behavior patterns more
effectively than would be possible by looking at data from individual sources. As shown in figure 1.1, a SIEM tool makes this easy because it has the
functionality to correlate, transfer, parse, aggregate, store and alert on log data. SIEM software provides organizations with analytics, responses,
dashboards, log modification, correlations, alerts and more. This chapter starts by comparing SIEM with other security and management tools in order to
show its importance. Then, the main principles of every SIEM system are discussed in detail. The chapter serves as an introduction to
the AlienVault OSSIM platform, which is explained further in the following chapter.

Fig 1.1: The software solution: SIEM

1.2 Importance of SIEM software

SIEM Was Invented to Solve Two Challenges:


➢ Complex Architectures Increase the Ways Attackers Can Gain Access
Organizations are using a more distributed architecture than ever before. The more complex an architecture, the more cracks a sophisticated
attacker can utilize. This increases the company’s risk of a cybersecurity incident.
➢ Enterprises generate more data than a human can review in time to stop an attack
When monitoring for suspicious activity, there is more data to process than any number of analysts could ever review without help. Analysts
need technology to help them find and flag the most important events to investigate, or a policy violation that needs to be remedied.
1.3 Capabilities of SIEM technology

Briefly, let’s talk about the main capabilities and components of a SIEM tool, which are represented in figure 1.2:
✓ Data is at the base of how the technology functions, so SIEM starts off collecting data from servers, network devices, domain controllers, firewall
logs, antivirus events, etc. It gathers immense amounts of data throughout an organization's system and networks.
✓ The next step involves aggregating the data that has been collected. It stores and consolidates the data, so it is easily accessible to personnel.
✓ Then SIEM analyses network behavior as well as user behavior. It monitors all activity on a centralized platform, from failed and successful
logins to malware activity and other categories of sorted data.
✓ Finally, detected anomalies trigger security alerts, since they signal potential security issues. This alert capability allows IT personnel
to be more proactive in fighting external threats early on, or even in preventing them in the first place.

Fig 1.2: Main Capabilities and Components of SIEM

1.4 Difference between a SIEM and a log management tool

The capabilities of a log management tool are:


• Log data collection from all operating systems and applications within a network.
• Efficient retention of high volumes of data for extended time lengths.
• Filtering and sorting of event logs as well as a search function for easy location of the required information.
• Reporting on the operational, compliance, or security status of an organization's IT infrastructure.

A log management software (LMS) simply collects logs and events for storage, which is just one aspect of SIEM functionality. While LMS tools
were designed to assist systems analysts in reviewing log files for non-security specific reasons, SIEM tools are used for specific cybersecurity
applications. Also, SIEM software is fully automated while a log management system is not.

1.5 Difference between a SIEM and a Security Information Management (SIM) Product

SIM and SIEM are two concepts that are often used interchangeably in the area of security management by those who are unfamiliar with these
products. Although they possess similarities, there are significant differences between their capabilities. SIM software specializes in the following:
• Collection and storage of log files in a central repository
• Normalizing and cleaning up logs to reduce network bandwidth congestion
• Flexible analysis and reporting of log data
• Reporting for compliance with security regulatory standards like HIPAA, PCI, VISA CISP, etc.

As it focuses on the collection and storage of logs, it bears a striking resemblance to log management. SIM can be defined as a log management
tool built for security. Once again, this tool is only a part of SIEM technology.
Another major difference is that SIM's event and data correlation is based on historical analysis, while SIEM processes are carried out in real-time.
Hence, preventing an imminent threat would only be possible with SIEM.
1.6 Difference between a SIEM and a Host-Based Security Tool

Host-based security tools are used for detecting security threats against an application or system. They usually focus on the traffic on the server or
network interface card (NIC). Their basic capabilities are:
• Compiling and analyzing traffic data.
• Signature-based monitoring to detect known cyber-attack signatures.
• Anomaly-based monitoring to detect unusual network and user behavior.

A host-based intrusion detection system (HIDS) is one of the most prominent security technologies for detecting malicious activity. Their architecture
allows them only to detect and report vulnerability exploits. On the other hand, a SIEM will go further to take preventive action against the
cyberattack. While a SIEM is an active security tool, a HIDS is passive.
SIEM is also more of a network-based application since it focuses on incoming and outgoing traffic through network devices, firewalls, routers.

1.7 Difference between a SIEM and An Asset Management Tool

Asset Management is a system that enables companies to track all IT assets like servers, routers, firewalls, printers, computers, and other
connected devices in real-time.
Here's an overview of what an asset management tool does:
• It stores details and documents for each asset.
• It allows analysts to detect all systems connected to the network easily.
• It helps prioritize system issues to be tackled.
• It provides a long-term perspective of asset costs.

For large organizations, monitoring thousands of assets on a spreadsheet would be a hassle for employees. With asset management software, the
work is made a hundred times easier. However, the scope of this tool is often limited to operational performance rather than detecting security
threats within an organization. It only indirectly influences security since a list of all IT assets provides a basis for vulnerability checks.

1.8 Difference between a SIEM and Application Monitoring and Control (AMC) Software

Application Monitoring and Control software monitors and controls the activity of applications in a network. The practice of application control
restricts unauthorized applications from executing in ways that put data at risk. Hence, it ensures the privacy and security of data transmitted
between systems.
The capabilities of AMC software include:
• Ensuring complete records processing from start to finish.
• Ensuring that only valid data is input and processed.
• Providing an authentication mechanism for application systems.
• Allowing authorized access only to approved business users.
• Ensuring the integrity of data feeds entering the application system.

Judging by the scope of coverage, AMC products are useful in reducing the risks of malware and unauthorized third-party intrusion since they
eliminate unknown and unwanted applications in the network. However, SIEM offers a more comprehensive security solution. It pulls together
data from disparate security tools and includes data from network security devices and security applications. It also possesses the intelligence to
counter attacks automatically. SIEM often utilizes data from AMC products.

1.9 Difference between a SIEM and An Audit Management Tool

The applications of SIEM are separate from those of Audit Management software. The latter helps companies streamline their audit processes
and comply with internal policies and regulatory standards.
• It automates audit-related tasks for accurate and complete documentation of data.
• It schedules audits across different departments simultaneously.
• It implements, analyses, and reports audit results.
• It allows real-time amendments, even while a program is running.
• It facilitates storage of audit results for easy access and comparison.
Audit management is often used for quality management, and its primary applications are in the health care, pharmaceutical, and food and
beverage industries. The software can also be used to gather, store and provide data on security events, in which case it could serve as a resource
for SIEM processes.

1.10 Benefits of SIEM

Not all SIEM solutions are built the same. Depending on the vendor, an organization can get several benefits from its SIEM technology. Here are
some of those benefits:
▪ A central solution to collect data and find red flags.
▪ Aggregation and normalization of data.
▪ Generating alerts.
▪ Real-time analysis of the environment.
▪ Assigning a priority to the alert to reduce false-positives.
▪ Customizable and easy-to-manage dashboards.
▪ Allows users to search across raw data.
▪ Regular reporting, helping the IT security team find security incidents.

1.11 Basic Features of SIEM

While SIEM solutions differ from one vendor to another, some basic features are common among all SIEM solutions.
These common features include:
1. Collection of data
2. Security monitoring
3. Data normalization
4. Threat detection
5. Generating alerts
6. Incident and forensics reporting

Over the years, SIEM has evolved with today’s SIEM solutions offering advanced capabilities. For example, nowadays, SIEM combines
machine learning (ML) and artificial intelligence (AI) and offers detailed User and Entity Behavior Analytics (UEBA). Using artificial
intelligence, it learns with each incident and keeps evolving to provide security against modern threats.

1.12 Best Practices for SIEM Implementation

Without proper implementation, SIEM technology can raise an alert on every “abnormal” incident and produce many false positives.
This wastes a lot of the IT security team's time and resources.
By following best practices, an organization can get the most out of its SIEM technology. Here are some practices to follow:
• Understand how SIEM can benefit your organization and what your expectations should be.
• Monitor critical resources and set up SIEM to monitor those resources.
• Define data correlation rules so the technology can normalize data according to those rules. Also, establish policies related to IT
configuration and Bring Your Own Device (BYOD).
• Recognize business compliance requirements and configure the SIEM solution accordingly.
• Connect the SIEM technology to as many data sources as possible so it can bring all data to a central location for monitoring.
• Plan a test run. A test run will uncover weaknesses in the current system, which will help in tweaking the controls and policies
accordingly.
• Have an incident response plan. Just knowing when a security incident has happened isn’t enough. The organization must be prepared to
handle the event.
• Regularly review the SIEM solution and keep all security related tools properly configured.
1.13 Components and Capabilities of SIEM architecture

This section will elaborate on the different components in a SIEM architecture:


✓ Log management (Log collection, Log processing, Log archival, Log analysis)
✓ Incident management
✓ Incident Response
✓ Threat Intelligence
✓ IT security audit
✓ User and Entity Behavior Analytics (UEBA)

1.13.1 Log management in SIEM

Log collection in SIEM

A security information and event management (SIEM) solution helps maintain a healthy security posture for an organization's network by monitoring
different types of data from the network. Log data records every activity happening on devices and applications across the network. To assess
the security posture of a network, SIEM solutions must collect and analyze different types of log data. There are six different
types of logs monitored by SIEM solutions, represented in figure 1.3: perimeter device logs, Windows event logs, endpoint logs,
application logs, proxy logs, and IoT logs.

Fig 1.3: Different types of logs monitored by SIEM solutions

Perimeter device logs


Perimeter devices monitor and regulate traffic to and from the network. Firewalls, virtual private network (VPNs), intrusion detection systems
(IDSs), and intrusion prevention systems (IPSs) are some of the perimeter devices. These devices generate logs containing a large amount of data,
and perimeter device logs are vital for understanding the security events occurring in the network. Log data in the syslog format helps IT admins
perform security audits, troubleshoot operational issues, and better understand the traffic passing through and from the corporate network.

Why do you need to monitor a perimeter device’s log data?


• To detect malicious traffic to your network: These logs contain details about incoming traffic, IP addresses of the websites browsed by users,
and unsuccessful logon attempts which helps you track down anomalous traffic behavior.
• To detect security misconfigurations: Security misconfigurations are the most important cause for firewall breaches. A few changes to the
firewall configurations can open the doors to malicious network traffic. Monitoring firewall logs helps you detect unauthorized security
configuration changes.
• To detect attacks: Analyzing firewall logs helps you detect patterns in network activity. For example, when a server receives a large number
of SYN packets from clients within a short time, this might indicate a distributed denial-of-service (DDoS) attack.
Example of typical perimeter device firewall log data:
2015-07-06 11:35:26 ALLOW TCP 10.40.4.182 10.40.1.11 63064 135 0 - 0 0 0 - - - SEND

The log entry above specifies the time stamp of the event, followed by the action. In this instance, it indicates the day and time the firewall
allowed traffic. It also contains information about the protocol used, as well as the IP addresses and port numbers of the source and destination.
From log data like this, you can detect attempts to connect to ports that you do not use, indicating that the traffic is malicious.
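As an added example (not code from the original chapter), the following Python script parses lines in the Windows Firewall log layout the entry above follows and applies the two checks described here: connection attempts against ports the host is not known to serve, and a burst of inbound attempts from one address. The first line of SAMPLE_LOG is the entry quoted above; every other line, the EXPECTED_PORTS set and the window and threshold values are constructed assumptions.

```python
"""Parsing Windows Firewall log lines and flagging unused-port and burst traffic.

Added example for this chapter, not code from the original text. The first line
of SAMPLE_LOG is the entry quoted above; every other line, EXPECTED_PORTS and
the thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Column layout of the Windows Firewall (pfirewall.log) format the quoted entry follows.
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port",
          "dst_port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
          "icmptype", "icmpcode", "info", "path")

# Constructed sample: line 1 is the quoted entry, the rest is invented inbound traffic.
SAMPLE_LOG = """\
2015-07-06 11:35:26 ALLOW TCP 10.40.4.182 10.40.1.11 63064 135 0 - 0 0 0 - - - SEND
2015-07-06 11:35:27 ALLOW TCP 10.40.4.182 10.40.1.11 63065 443 0 - 0 0 0 - - - RECEIVE
2015-07-06 11:35:28 DROP TCP 203.0.113.7 10.40.1.11 40001 3389 0 - 0 0 0 - - - RECEIVE
2015-07-06 11:35:28 DROP TCP 203.0.113.7 10.40.1.11 40002 3389 0 - 0 0 0 - - - RECEIVE
2015-07-06 11:35:29 DROP TCP 203.0.113.7 10.40.1.11 40003 3389 0 - 0 0 0 - - - RECEIVE
2015-07-06 11:35:29 DROP TCP 203.0.113.7 10.40.1.11 40004 3389 0 - 0 0 0 - - - RECEIVE
"""

# Assumption: the ports this host is meant to serve; anything else is "unused".
EXPECTED_PORTS = {135, 443}


def parse_line(line):
    """Return one log line as a dict keyed by FIELDS, or None for header/malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0].startswith("#"):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    for key in ("src_port", "dst_port"):          # "-" for ICMP, numeric otherwise
        rec[key] = int(rec[key]) if rec[key].isdigit() else None
    return rec


def parse_log(text):
    """Parse every well-formed line of a firewall log."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def unused_port_hits(records, expected_ports=EXPECTED_PORTS):
    """Inbound (RECEIVE) attempts against ports the host is not known to serve."""
    return [r for r in records
            if r["path"] == "RECEIVE" and r["dst_port"] not in expected_ports]


def connection_bursts(records, window=timedelta(seconds=5), threshold=3):
    """Map (src_ip, dst_ip) -> peak number of inbound TCP attempts inside one window."""
    attempts = defaultdict(list)
    for r in records:
        if r["path"] == "RECEIVE" and r["protocol"] == "TCP":
            attempts[(r["src_ip"], r["dst_ip"])].append(r["timestamp"])
    flagged = {}
    for pair, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):             # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[pair] = max(flagged.get(pair, 0), count)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in unused_port_hits(recs):
        print("unused port:", hit["src_ip"], "->", hit["dst_ip"], hit["dst_port"], hit["action"])
    for (src, dst), n in connection_bursts(recs).items():
        print(f"burst: {n} inbound attempts from {src} to {dst}")
```

The tcpsyn column, which this sample leaves at 0, is the natural field to key a SYN-specific rule on; connection_bursts() counts all inbound TCP attempts so that it also catches the port-probing pattern in the sample. Running the script prints the flagged entries.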

Windows event logs

Windows event logs are a record of everything that happens on a Windows system. This log data is further classified into:
• Windows application logs:
These are events logged by the applications in the Windows operating system. For example, an error forcing the application to close is
recorded in this application log.
• Security logs:
These are any events that may affect the security of the system. It includes failed login attempts and file deletion instances.
• System logs:
It contains events that are logged by the operating system. The logs indicate if processes and drivers were loaded successfully.
• Directory service logs:
It contains events logged by the Active Directory (AD) service. It records AD operations such as authentication and modification of
privileges. These logs are available only for domain controllers.
• DNS server logs:
These are logs from domain name system (DNS) servers with information such as client IP addresses, the domain queried, and the record
requested. It is available only for DNS servers.
• File replication service logs:
It contains events of domain controller replication. It is available only for domain controllers.

Why do you need to monitor Windows event logs?


• To ensure server security: Most critical servers, such as file servers, and AD domain controllers, run on the Windows platform. It is essential
to monitor this log data to understand what is happening to your critical resources.
• Windows workstation security: Event logs provide valuable insights into the functioning of a workstation. By monitoring Windows event
logs generated from a device, user activities can be monitored for anomalous behavior which can help detect attacks in the early stages. In
case of an attack, the logs can help reconstruct the user's activities for forensic purposes.
• To monitor hardware components: An analysis of Windows event logs helps diagnose problems with malfunctioning hardware components
of a workstation by indicating the cause for malfunction.

Example of a typical Windows event log


Warning 4/28/2020 12:32:47 PM WLAN-AutoConfig 4003 None

Windows classifies every event by severity as Warning, Information, Critical, or Error. The severity level in this case is Warning. The
log entry above is from the WLAN AutoConfig service, which is a connection management utility enabling users to connect to a wireless local
area network (WLAN) dynamically. The next segment indicates the date and time the event took place. The log specifies that WLAN
AutoConfig detected limited network connectivity, and is attempting automatic recovery. Using this log, a SIEM solution can check for similar
logs on other devices at the time stamp referenced in this log, to resolve the network connectivity issue.

Endpoint logs
Endpoints are devices connected to the network that communicate with other devices and servers. Some examples include
desktops, laptops, smartphones, and printers. With organizations increasingly adopting remote work, endpoints create points of entry to the
network that could be exploited by malicious actors.
Why do you need to monitor endpoint logs?
• To monitor activities on removable disk drives: Removable disk drives are often vulnerable to malware installations and data exfiltration
attempts. By monitoring endpoint logs, these attempts can be detected.
• To monitor user activity: Users are required to abide by their organization's internal as well as external regulatory policies related to
installation and use of software on their workstations. Endpoint logs can be used to monitor these policies and provide notifications if
violations occur.

Example of a typical endpoint device log


Error 6/20/2019 5:00:45 PM Terminal Services- Printers 1111 None

The log above specifies that an error has occurred with the Terminal Services Easy Print driver. This is indicated by the error source, and the
Event ID (1111). If a user faces issues while printing a file, the logs can be checked to understand the exact cause for the issue and resolve it.

Application logs
Businesses run on various applications such as databases, web server applications, and other in-house apps to perform specific functions. These
applications are often vital for the effective functioning of the business. All of these applications generate log data that provide insights about
what is happening within the applications.

Why do you need to monitor application logs?


• To troubleshoot issues: These logs help identify and correct issues relating to performance and security of the applications.
• To monitor activities: Logs generated from a database indicate requests and queries from users. This can be used to detect unauthorized file
access, or data manipulation attempts by users. The logs are also helpful for troubleshooting problems in the database.

Example of a typical application log


02-AUG-2013 17:38:48 * (CONNECT_DATA=(SERVICE_NAME=dev12c)(CID=(PROGRAM=sqlplus)(HOST=oralinux1)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.121)(PORT=21165)) * establish * dev12c * 0

The above log entry is from an Oracle database system. The log is for a connection attempt from a host computer. The log references the time
and date when the request was received by the database server. It also indicates the user and the host computer from which the request
originated, along with its IP address, and the port number.
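The nested (KEY=VALUE) notation above is regular enough to parse with a small recursive function. The following Python code, added here and not taken from the chapter or from Oracle, flattens a listener log connection entry into named fields and then reviews entries against an allowlist of expected client addresses and a zero return code. The first entry is the one quoted above; the second entry and ALLOWED_CLIENT_HOSTS are constructed assumptions.

```python
"""Parsing an Oracle listener log connection entry and reviewing the client details.

Added example, not from the original text or from Oracle. It parses the nested
(KEY=VALUE) notation of the entry quoted above; the second sample entry and the
ALLOWED_CLIENT_HOSTS set are constructed assumptions.
"""
from datetime import datetime

# Constructed sample: entry 1 is the one quoted above, entry 2 is an invented
# connection from an address outside the expected client range.
SAMPLE_ENTRIES = [
    "02-AUG-2013 17:38:48 * (CONNECT_DATA=(SERVICE_NAME=dev12c)(CID=(PROGRAM=sqlplus)"
    "(HOST=oralinux1)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.121)"
    "(PORT=21165)) * establish * dev12c * 0",
    "02-AUG-2013 17:40:02 * (CONNECT_DATA=(SERVICE_NAME=dev12c)(CID=(PROGRAM=sqlplus)"
    "(HOST=unknownbox)(USER=scott))) * (ADDRESS=(PROTOCOL=tcp)(HOST=203.0.113.50)"
    "(PORT=50321)) * establish * dev12c * 0",
]

# Assumption: client IP addresses that are expected to reach this listener.
ALLOWED_CLIENT_HOSTS = {"192.168.2.121"}


def parse_nv(text, pos=0):
    """Parse one (KEY=VALUE) group at text[pos]; VALUE is a literal or nested groups.

    Returns ({KEY: value}, position just past the closing parenthesis)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    eq = text.index("=", pos)
    key = text[pos + 1:eq]
    pos = eq + 1
    if text[pos] == "(":                       # nested groups: merge them into one dict
        value = {}
        while text[pos] == "(":
            sub, pos = parse_nv(text, pos)
            value.update(sub)
    else:                                      # literal value up to the closing ')'
        close = text.index(")", pos)
        value = text[pos:close]
        pos = close
    if text[pos] != ")":
        raise ValueError(f"expected ')' at {pos}")
    return {key: value}, pos + 1


def parse_listener_entry(line):
    """Flatten one '<ts> * <connect data> * <address> * <event> * <service> * <code>' entry."""
    fields = [f.strip() for f in line.split(" * ")]
    if len(fields) != 6:
        return None
    connect = parse_nv(fields[1])[0]["CONNECT_DATA"]
    address = parse_nv(fields[2])[0]["ADDRESS"]
    cid = connect.get("CID", {})
    return {
        "timestamp": datetime.strptime(fields[0], "%d-%b-%Y %H:%M:%S"),
        "service": connect.get("SERVICE_NAME"),
        "program": cid.get("PROGRAM"),
        "client_host": cid.get("HOST"),
        "user": cid.get("USER"),
        "protocol": address.get("PROTOCOL"),
        "client_ip": address.get("HOST"),
        "client_port": int(address.get("PORT", 0)),
        "event": fields[3],
        "return_code": int(fields[5]),
    }


def review_connections(entries, allowed_hosts=ALLOWED_CLIENT_HOSTS):
    """Return (record, reasons) for entries with an unexpected client or a non-zero code."""
    flagged = []
    for line in entries:
        rec = parse_listener_entry(line)
        if rec is None:
            continue
        reasons = []
        if rec["client_ip"] not in allowed_hosts:
            reasons.append("unexpected client address")
        if rec["return_code"] != 0:
            reasons.append("connection not established cleanly")
        if reasons:
            flagged.append((rec, reasons))
    return flagged


if __name__ == "__main__":
    for rec, reasons in review_connections(SAMPLE_ENTRIES):
        print(rec["timestamp"], rec["user"], rec["client_ip"], "->", ", ".join(reasons))
```

parse_nv() is deliberately strict: an unbalanced or truncated entry raises instead of yielding a half-parsed record, which is the behaviour you want before a record feeds a correlation rule.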

Proxy Logs
Proxy servers play an important role in an organization's network by providing privacy, regulating access, and saving bandwidth. Since all web
requests and responses pass through the proxy server, proxy logs can reveal valuable information about usage statistics and the browsing
behavior of endpoint users.

Why do you need to monitor proxy logs?


• To baseline user behavior: Analyzing users' browsing activities from the proxy logs collected can help form a baseline of their behavior. Any
deviation from the baseline might reveal a data breach, and indicate that further inspection is required.
• To monitor the length of packets: Proxy logs can help monitor the length of packets exchanged through the proxy server. For example, a user
repeatedly sending or receiving packets of the same length within a given interval of time might indicate a software update, or uncover
malware exchanging signals with control servers.

Example of a typical proxy log


4/8/2020 2:20:55 PM User-001 192.168.10.10 GET https://wikipedia.com/

The log above specifies that User-001 requested pages from wikipedia.com on the date and time indicated in the log. Analyzing the requests,
URLs, and time stamps in the logs helps detect patterns and aids evidence recovery in case of an incident.
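Both uses described above (baselining browsing behaviour and spotting regular, repeated exchanges) can be shown over the proxy log format quoted here. The following Python code is an added example, not part of the original chapter; the first line of MONITORED_LOG is the entry quoted above, while BASELINE_LOG, the remaining lines and the thresholds are constructed. Because this log format carries no packet length, the regularity check keys on the timing of requests to the same host rather than on size, which is an assumption of the example.

```python
"""Baselining proxy-log browsing behaviour and spotting regular-interval requests.

Added example, not from the original text. The first line of MONITORED_LOG is the
entry quoted above; BASELINE_LOG, the other monitored lines and the thresholds
are constructed assumptions. The log format shown carries no packet length, so
the regularity check below keys on request timing to the same host instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from urllib.parse import urlparse

# Constructed: a quiet day used to learn which hosts each user normally visits.
BASELINE_LOG = """\
4/7/2020 9:01:10 AM User-001 192.168.10.10 GET https://wikipedia.com/
4/7/2020 9:05:40 AM User-001 192.168.10.10 GET https://www.example.org/docs
4/7/2020 9:07:12 AM User-002 192.168.10.11 GET https://www.example.org/
"""

# Constructed: the monitored day; line 1 is the entry quoted above.
MONITORED_LOG = """\
4/8/2020 2:20:55 PM User-001 192.168.10.10 GET https://wikipedia.com/
4/8/2020 2:21:00 PM User-001 192.168.10.10 GET http://203.0.113.9/ping
4/8/2020 2:22:00 PM User-001 192.168.10.10 GET http://203.0.113.9/ping
4/8/2020 2:23:00 PM User-001 192.168.10.10 GET http://203.0.113.9/ping
4/8/2020 2:24:00 PM User-001 192.168.10.10 GET http://203.0.113.9/ping
4/8/2020 2:25:00 PM User-001 192.168.10.10 GET http://203.0.113.9/ping
4/8/2020 2:26:33 PM User-002 192.168.10.11 GET https://www.example.org/news
"""


def parse_proxy_line(line):
    """'<m/d/Y> <h:m:s> <AM|PM> <user> <ip> <method> <url>' -> dict, or None if malformed."""
    parts = line.split(maxsplit=6)
    if len(parts) != 7:
        return None
    date, clock, meridiem, user, ip, method, url = parts
    return {
        "timestamp": datetime.strptime(f"{date} {clock} {meridiem}", "%m/%d/%Y %I:%M:%S %p"),
        "user": user, "client_ip": ip, "method": method, "url": url,
        "host": urlparse(url).hostname,
    }


def parse_log(text):
    return [r for r in map(parse_proxy_line, text.splitlines()) if r]


def build_baseline(records):
    """user -> set of hosts seen during the baseline period."""
    baseline = defaultdict(set)
    for r in records:
        baseline[r["user"]].add(r["host"])
    return baseline


def new_hosts(records, baseline):
    """(user, host) pairs not seen in that user's baseline; each reported once."""
    seen = set()
    for r in records:
        if r["host"] not in baseline.get(r["user"], set()):
            seen.add((r["user"], r["host"]))
    return sorted(seen)


def regular_interval_requests(records, min_hits=4, jitter=timedelta(seconds=2)):
    """(user, host) -> interval in seconds, for request series with near-constant spacing."""
    series = defaultdict(list)
    for r in records:
        series[(r["user"], r["host"])].append(r["timestamp"])
    flagged = {}
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        typical = median(gaps)
        if all(abs(g - typical) <= jitter for g in gaps):   # every gap close to the median
            flagged[key] = typical.total_seconds()
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    monitored = parse_log(MONITORED_LOG)
    print("hosts outside baseline:", new_hosts(monitored, baseline))
    print("regular-interval series:", regular_interval_requests(monitored))
```

A deviation from the baseline is a lead for inspection, not a verdict; the two checks are meant to be combined with the other sources a SIEM holds (endpoint and firewall logs for the same client) before an alert is raised.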
IoT logs

Internet of Things (IoT) refers to a network of physical devices that exchange data with other devices on the internet. These devices are
embedded with sensors, processors, and software to enable data collection, processing, and transmission. Like endpoints, devices that make up
an IoT system generate logs. Log data from IoT devices provides insights into the functioning of hardware components, such as
microcontrollers, the firmware update requirements of the device, and the flow of data in and out of the device. A crucial part of logging data
from IoT systems is the storage location of log data. These devices do not possess sufficient memory to store the logs. So, the logs must be
forwarded to a centralized log management solution where they can be stored for extended periods of time. The SIEM solution then analyzes the
logs to troubleshoot errors and detect security threats.

NetFlow Logs

NetFlow can also be used to collect flow data from different devices. Developed by Cisco Systems, NetFlow records
metadata about IP traffic flows traversing a network device such as a router, switch, or host. A NetFlow-enabled device generates metadata at the
interface level and sends flow data to a flow collector, where the flow records are stored to enable network traffic analytics and
management. A network operator can use NetFlow data to determine network throughput, packet loss, and traffic congestion at a specific
interface. NetFlow data also supports other network-level monitoring use cases such as DDoS detection and BGP peering.

Fig 1.4: NetFlow Logs metadata

How is NetFlow data collected?


NetFlow collection gathers information about IP traffic (shown in figure 1.4), mainly:
• Source IP address
• Destination IP address
• Ports accessed
• Services carried out

Gathering NetFlow data is done with a NetFlow collector, which also records timestamps, the packets requested, entry and exit interfaces of the
IP traffic, and more. NetFlow collection consists of gathering the flow data and analyzing it for bandwidth, resource utilization, and
transmission and reception in a network. The main functions of NetFlow collectors include collecting flow data transmitted over the
User Datagram Protocol (UDP) from NetFlow-enabled devices, and filtering the collected data to reduce its volume.

Logs are collected from all devices such as databases, routers, firewalls, servers, IDS/IPS devices, domain controllers, workstations, and
applications.
Log collection can be done in two ways:
• Agentless log collection
Agentless log collection is the predominant method SIEM solutions use to collect logs. In this method, the log data generated by the devices is
automatically sent to a SIEM server securely. There is no need for an additional agent to collect the logs, which reduces the load on the devices.
• Agent-based log collection
Agent-based log collection demands an agent be deployed on every device that can generate logs. This method can help filter out logs while
collecting them, based on defined parameters. Agents also take up less bandwidth and resources, and help provide filtered and structured log
data. This method is employed when the devices are in a secure zone where communication is restricted, and it is difficult to send logs to a SIEM
server.

Log processing in SIEM

Different techniques are used for log processing:


Log parsing:
A parser takes unstructured raw log data and structures it by grouping similar data under relevant attributes. Parsing makes the retrieval and
searching of logs easier. Every SIEM solution includes multiple parsers to process the collected log data. Parsing SIEM logs can be a
time-consuming and complex process, but it is an essential part of any effective security program.
Log normalization:
Normalization is the process of mapping only the necessary log data under relevant attributes, which can be configured by the IT security admin.
To monitor the important activities in a network, logs have to be normalized. Log normalization can help distinguish between regular and
irregular activities in a network. Some SIEM solutions offer the ability to normalize SIEM logs, which is helpful in several scenarios.
Normalization has three primary benefits: it increases the accuracy of event correlation, it reduces the amount of data that
needs to be parsed and stored, and it improves SIEM tool performance. There are also drawbacks: it can be more difficult to troubleshoot
errors when using a central log server, and it can be more difficult to monitor activity when using a distributed logging system.
Log indexing:
Normalized log data is separated and stored in files that contain indexed log information; admins can apply queries to the indexed data to
accelerate the searching process. SIEM solutions can be configured by the network admin to record the data under a particular index for easier
retrieval and interpretation.
Log correlation:
Correlating log data helps in identifying if the different log sources correspond to one particular event that threatens network security. Forensic
reports help verify where the network was compromised and how an attack was carried out. Log analysis plays a vital role in understanding user
behavior and detecting threats, and also helps in preventing an attack before it occurs.
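The parsing, normalization and correlation steps above, and the rule-based correlation of the log analysis section that follows, can be illustrated in one pipeline. The following Python code is an added example, not from the chapter: it normalizes OpenSSH logon lines and a constructed, simplified export of Windows security events 4624 and 4625 into one schema, then applies a correlation rule that fires when several failures from one address are followed by a success, regardless of which source saw the failures. The sample lines, the syslog year, the threshold and the window are assumptions.

```python
"""Normalizing two log formats into one schema and correlating them with a rule.

Added example, not from the original text. The sshd lines follow the OpenSSH
syslog wording; the Windows lines are a constructed, simplified export of
security events 4625 (failed logon) and 4624 (successful logon). The year for
syslog lines, the threshold and the window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG_YEAR = 2015   # assumption: classic syslog timestamps carry no year

SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<clock>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<verdict>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one address fails over both sources, then succeeds.
SAMPLE_LINES = """\
Jul  6 11:35:26 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jul  6 11:35:30 srv1 sshd[2211]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jul  6 11:35:34 srv1 sshd[2211]: Failed password for bob from 203.0.113.7 port 40003 ssh2
2015-07-06T11:36:01 WIN-DC01 4625 user=bob src=203.0.113.7
Jul  6 11:36:40 srv1 sshd[2240]: Accepted password for bob from 203.0.113.7 port 40010 ssh2
2015-07-06T11:40:00 WIN-DC01 4624 user=alice src=10.40.4.182
"""


def normalize_sshd(line):
    """OpenSSH password logon line -> common schema, or None if it is not one."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['clock']}", "%Y %b %d %H:%M:%S")
    return {"timestamp": ts, "host": m["host"], "source": "sshd", "user": m["user"],
            "src_ip": m["ip"], "outcome": "success" if m["verdict"] == "Accepted" else "failure"}


def normalize_windows(line):
    """Constructed '<iso-time> <host> <event-id> user=<u> src=<ip>' line -> common schema."""
    parts = line.split()
    if len(parts) != 5 or not parts[0][:4].isdigit():
        return None
    outcome = {"4624": "success", "4625": "failure"}.get(parts[2])
    if outcome is None:
        return None
    kv = dict(p.split("=", 1) for p in parts[3:])
    return {"timestamp": datetime.fromisoformat(parts[0]), "host": parts[1],
            "source": "windows", "user": kv.get("user"), "src_ip": kv.get("src"),
            "outcome": outcome}


NORMALIZERS = (normalize_sshd, normalize_windows)


def normalize_all(text):
    """Run each line through the normalizers; lines no parser claims are dropped."""
    events = []
    for line in text.splitlines():
        for norm in NORMALIZERS:
            ev = norm(line)
            if ev:
                events.append(ev)
                break
    return events


def failures_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold failed logons from one address within `window`, then a success."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["timestamp"])
        for i, ev in enumerate(evs):
            if ev["outcome"] != "success":
                continue
            fails = [f for f in evs[:i]
                     if f["outcome"] == "failure" and ev["timestamp"] - f["timestamp"] <= window]
            if len(fails) >= threshold:
                alerts.append({"src_ip": ip, "user": ev["user"], "at": ev["timestamp"],
                               "failures": len(fails),
                               "sources": sorted({f["source"] for f in fails})})
    return alerts


if __name__ == "__main__":
    for alert in failures_then_success(normalize_all(SAMPLE_LINES)):
        print(alert)
```

The point of the common schema is visible in the alert: the rule never looks at which product produced an event, only at the normalized src_ip, outcome and timestamp fields, so a failure seen by the domain controller counts alongside the failures seen by sshd.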

Log archival: Storing log data to address future requirements

Log data contains records about events that have happened in a network and is essential for monitoring the network and understanding network
activities, user actions, and their motives. As every device in the network generates logs, the amount of data collected is huge, and storing and
managing all of it is a challenge for organizations. Log archiving is a process that helps administrators use available storage efficiently: log
files that are no longer actively queried are compressed and stored away in a less efficient storage medium from which they cannot be readily
retrieved. These are called inactive log files. Log archival is the process of storing these inactive log files efficiently by compressing,
archiving and indexing the zipped files for retention and future use.
Why is archiving log data important?
• Meet regulatory standards
Most compliance regulations compel enterprises to retain log data for at least a year to facilitate forensic analysis. For instance, section 802 of SOX
requires organizations to archive their data for at least seven years.
• Identify patterns and trends
When log data spanning a longer period of time is archived, it can be loaded back into an analytical solution to identify network activity trends and
patterns. These trends and patterns support the design and implementation of preventive security strategies.
• Optimize log data storage
Archiving log data by employing compression techniques, as well as storing archived logs in a location that doesn't need to be optimized for quick
access, are two good ways to save storage space and reduce costs. Furthermore, since the data can be decompressed and loaded into active databases
any time without any data loss, it can still be used for forensic analysis or any other operation easily.
What should you store in your log archives?
• Log events that are necessary to comply with regulatory requirements
• Administrator activity
• User actions like logins and commands
• Errors, exceptions, and warnings
The archived log files are stored in a separate location, securing them from any data loss. Since archived files are rarely accessed and are protected
with secure passwords, the chances of accidentally deleting the data are significantly lower. Archived log data helps improve the security of your
network. In the event of a cyber-attack, you can retrieve and restore the log data from archives to perform forensic analysis. Forensic analysis is
done to establish evidence of an attack, recover data, and find the vulnerabilities that allowed the attack to take place. By performing
forensic analysis on archived logs, you can pinpoint exactly when and how the cyber-attack happened.
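As an added example (not code from the original document or any product it describes), the following Python script implements the archival cycle just described on a constructed sample log: it compresses an inactive log file, records its date range, sizes and a SHA-256 digest in a JSON index, can locate and restore the archive covering a given day after re-checking the digest, and lists archives that have passed a retention period. The file names, index layout and retention period are assumptions made for the example.

```python
"""Added example: compress, index, verify, restore and expire inactive log files.
Paths, the index layout, the retention period and the sample log are constructed."""
import gzip
import hashlib
import json
import os
import shutil
import tempfile
from datetime import date, timedelta

def _sha256(path):
    """Digest recorded at archive time and re-checked before any restore."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _log_date_range(path):
    """First and last ISO dates of a log whose records start with YYYY-MM-DD."""
    first = last = None
    with open(path, encoding="utf-8") as f:
        for line in f:
            try:
                day = date.fromisoformat(line[:10]).isoformat()
            except ValueError:
                continue  # continuation or malformed line: not indexed
            first = first or day
            last = day
    return first, last

def load_index(index_path):
    if not os.path.exists(index_path):
        return []
    with open(index_path, encoding="utf-8") as f:
        return json.load(f)

def archive_log(src_path, archive_dir, index_path):
    """gzip an inactive log into archive_dir, append an index entry, and only
    then delete the original."""
    os.makedirs(archive_dir, exist_ok=True)
    first, last = _log_date_range(src_path)
    dst_path = os.path.join(archive_dir, os.path.basename(src_path) + ".gz")
    with open(src_path, "rb") as fin, gzip.open(dst_path, "wb") as fout:
        shutil.copyfileobj(fin, fout)
    entry = {"name": os.path.basename(src_path), "archive": dst_path,
             "first_day": first, "last_day": last,
             "raw_bytes": os.path.getsize(src_path), "gz_bytes": os.path.getsize(dst_path),
             "sha256": _sha256(dst_path)}
    index = load_index(index_path) + [entry]
    with open(index_path, "w", encoding="utf-8") as f:
        json.dump(index, f, indent=1)
    os.remove(src_path)
    return entry

def find_archives(index_path, day):
    """Entries covering `day` (ISO string): what to restore for an investigation."""
    return [e for e in load_index(index_path)
            if e["first_day"] and e["first_day"] <= day <= e["last_day"]]

def restore_log(entry, dest_dir):
    """Decompress an archive, refusing one whose digest no longer matches the index."""
    if _sha256(entry["archive"]) != entry["sha256"]:
        raise ValueError("%s does not match its recorded hash" % entry["archive"])
    os.makedirs(dest_dir, exist_ok=True)
    out_path = os.path.join(dest_dir, entry["name"])
    with gzip.open(entry["archive"], "rb") as fin, open(out_path, "wb") as fout:
        shutil.copyfileobj(fin, fout)
    return out_path

def expired_entries(index_path, today, retention_days):
    """Entries whose newest record is older than the retention period."""
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    return [e for e in load_index(index_path) if e["last_day"] and e["last_day"] < cutoff]

def demo():
    """Run the whole cycle on a constructed log inside a temporary directory."""
    work = tempfile.mkdtemp(prefix="logarchive-")
    src = os.path.join(work, "auth.log")
    with open(src, "w", encoding="utf-8") as f:
        f.write("2024-03-01 10:00:00 sshd: Accepted password for alice\n"
                "    (continuation line without a timestamp)\n"
                "2024-03-03 11:00:00 sshd: Failed password for bob\n")
    index_path = os.path.join(work, "index.json")
    entry = archive_log(src, os.path.join(work, "archive"), index_path)
    hit = find_archives(index_path, "2024-03-02")[0]
    with open(restore_log(hit, os.path.join(work, "restored")), encoding="utf-8") as f:
        restored_records = f.read().count("sshd")
    return {"entry": entry, "source_removed": not os.path.exists(src),
            "restored_records": restored_records,
            "archives_for_march_4": len(find_archives(index_path, "2024-03-04")),
            "expired_after_a_year": len(expired_entries(index_path, date(2025, 3, 5), 365)),
            "expired_too_early": len(expired_entries(index_path, date(2025, 3, 1), 365))}
```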

Log analysis in SIEM

Log analysis is the process of investigating the collected logs to identify patterns and abnormal behaviors, establish relationships between the logs
collected from various sources, and generate alerts if a threat is detected. Log analysis can be performed using different techniques including log
correlation, forensic analysis, and threat intelligence to identify malicious activities. It also plays a major role in gaining insight into the network
activities.

Fig 1.5: Log analysis process

Why is log analysis essential?


It might be difficult to identify malicious activities in a network without having proper analysis techniques in place. Since logs contain
information on every activity happening in the network, it is essential to analyze these logs to:
• Prevent data breaches.
• Monitor user activities and detect abnormal user behaviors.
• Protect sensitive data from attacks.
• Detect cyberattacks at the earliest stage possible and mitigate them.
• Prevent data loss due to exfiltration.
• Comply with IT regulations.

Let’s now discuss the log analysis process:


The normalized log data is then analyzed and correlated using predefined rules in order to identify the relationship between the logs collected
from disparate sources. Reports and interactive dashboards are generated corresponding to the analysis of the collected logs. Correlation can
indicate if the log data from different sources correspond to one event. If the event threatens the safety of the network, an alert will be raised. The
criteria for raising alerts are predefined or can be customized based on the organization's needs.
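As an added example of the correlation step (not code from the original document), the following Python snippet normalizes two constructed log formats, a netfilter-style firewall log and an sshd authentication log, into one schema and applies a predefined rule: three or more failed logins from one source address followed by a successful login within five minutes raise an alert, with the firewall's record of the same connection attached as evidence from the second source. The line formats, hosts, addresses (RFC 5737 documentation ranges) and thresholds are assumptions.

```python
"""Added example: normalize two log formats into one schema and correlate them.
All log lines, hosts and addresses (RFC 5737 documentation ranges) are constructed."""
import re
from datetime import datetime, timedelta

FIREWALL_LINES = [  # constructed netfilter-style lines from a perimeter firewall
    "Mar 12 10:14:05 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Mar 12 10:14:40 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=443",
]
AUTH_LINES = [  # constructed sshd lines from the server behind that firewall
    "Mar 12 10:14:06 srv01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "Mar 12 10:14:09 srv01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "Mar 12 10:14:13 srv01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "Mar 12 10:14:20 srv01 sshd[1203]: Accepted password for admin from 203.0.113.7 port 51030 ssh2",
    "Mar 12 10:15:01 srv01 sshd[1210]: Accepted publickey for alice from 10.0.0.22 port 40010 ssh2",
]

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
FW_RE = re.compile(r"(ACCEPT|DENY|DROP) .*SRC=(\S+) DST=(\S+) .*DPT=(\d+)")
SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)")

def parse_syslog_ts(text, year=2024):
    """Classic syslog stamps carry no year; the collector supplies it."""
    return datetime.strptime("%d %s" % (year, text), "%Y %b %d %H:%M:%S")

def normalize(line, source):
    """Map a raw line onto the common schema used by the correlation rule.
    Returns None for lines the parser for that source does not understand."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, msg = m.groups()
    event = {"ts": parse_syslog_ts(ts), "host": host, "source": source, "raw": line,
             "user": None, "dst_ip": None}
    if source == "firewall":
        f = FW_RE.search(msg)
        if not f:
            return None
        event.update(action="fw_" + f.group(1).lower(), src_ip=f.group(2),
                     dst_ip=f.group(3), dport=int(f.group(4)))
    elif source == "sshd":
        s = SSH_RE.search(msg)
        if not s:
            return None
        event.update(action="login_failed" if s.group(1) == "Failed" else "login_success",
                     user=s.group(2), src_ip=s.group(3), dport=22)
    else:
        return None
    return event

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Predefined rule: at least `threshold` failed logins from one source IP
    followed by a successful login from the same IP inside `window`.
    Every other event from that IP in the window (here the firewall's ACCEPT
    for the same connection) is attached as supporting evidence, so the alert
    shows that records from different sources describe one activity."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(events):
        if ev["action"] != "login_success":
            continue
        start = ev["ts"] - window
        related = [e for e in events[:i]
                   if e["src_ip"] == ev["src_ip"] and e["ts"] >= start]
        failures = [e for e in related if e["action"] == "login_failed"]
        if len(failures) >= threshold:
            evidence = related + [ev]
            alerts.append({
                "rule": "brute_force_then_success",
                "src_ip": ev["src_ip"], "user": ev["user"], "host": ev["host"],
                "failed_attempts": len(failures),
                "sources": sorted({e["source"] for e in evidence}),
                "evidence": evidence,
            })
    return alerts

def run_demo():
    """Normalize both constructed sources and run the rule over the merged stream."""
    events = [normalize(l, "firewall") for l in FIREWALL_LINES]
    events += [normalize(l, "sshd") for l in AUTH_LINES]
    return correlate([e for e in events if e is not None])
```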

The analysis can also be strengthened by applying forensic analysis and threat intelligence. Performing forensic analysis on log data can help
identify the point of attack in a network. It can specify how an attack was carried out and which part of the network was compromised to gain
entry; it also checks for vulnerabilities across the network.
Log forensics helps to:
✓ Reconstruct the attack scenario and gather evidence to prove an attack.
✓ Meet compliance mandate requirements by demonstrating how the attack happened.
✓ Identify security system vulnerabilities or loopholes that led to a cyberattack to seal the loopholes and thwart future attacks.

Conducting log forensics manually can be a daunting and time-consuming task because a large number of logs can be generated within a
network in a short period of time. A log management tool helps ensure the security needs of the organization are addressed.
It is important to have a tightly integrated, comprehensive log management tool in place for searching through logs. Log management tools
usually include log search methods that help make conducting log forensics easy. With a massive volume of log data being generated each day,
the solution must be capable of searching through the log data and providing the required information without compromising performance. The
solution must also be capable of building search queries using natural language input from the user, rather than requiring that queries be built in a
specified language. It must provide an intuitive platform where users can build their own queries, so that they don't have to depend on the log
search mechanism.

1.13.2 IT Incident management in SIEM

Organizations are constantly exposed to unexpected and unknown security threats. Irrespective of the level, type, or size of a threat, its
presence disrupts the overall functioning of an enterprise. Incident management is the process of identifying and responding
(figure 1.6) to these disruptions as quickly as possible to minimize their impact on everyday business operations.

Fig 1.6: Incident management in SIEM

Definition of security incident


A security incident is an event indicating a threat to an organization's network, and presents a certain degree of severity and potential risk to the
organization. If undetected, security incidents can compromise your system or data, both from the outside and from within. These are called
external and internal threats.

External threats
An external threat originates from outside the network and is initiated by hackers. The attacker employs various tactics to breach the network,
including data manipulation, phishing attacks, malware attacks, denial-of-service (DoS) attacks, man-in-the-middle attacks, and more.
No two businesses suffer the same consequences from security threats. For example, in the healthcare industry, a security incident can lead to the
exposure of patients' confidential records, potentially harming the patients themselves. Meanwhile, in a financial company, the exposure of
critical data such as credit card information may lead to financial loss.

Internal threats

An internal threat takes place when an insider causes a disruption to the organization's network by misusing their privileges. These threats can
result in manipulation of sensitive data, identity theft, data leak, policy abuse, resource starvation, and much more. Internal threats can be
accidental or intentional, from a sysadmin making a mistake that results in a security incident to an authorized employee with malicious
intentions that tampers with sensitive data.

Purpose of Incident management

Incident management is the process of detecting, categorizing, analyzing, and resolving an incident. A single security incident can be part of a
bigger targeted attack such as a distributed denial-of-service (DDoS), ransomware, or advanced persistent attack. Security attacks can affect not
only your organization's finances, but also its reputation. This is why it's critical to detect a security incident as soon as it occurs, mitigate the
threat immediately, and contain or reduce the impact of the attack. Using various techniques and tools, incident management attempts to reduce
the mean time to detect (MTTD) and mean time to resolve (MTTR) an incident. The time between the occurrence of an incident and its
resolution can be the difference between the organization's security being compromised or not. Usually, security information and event
management (SIEM) solutions come with a comprehensive incident management module to tackle key security issues, ensuring your
organization's network is safe and secure.

Difference between a security event and security incident


It is important to know the difference between a security event and a security incident. A security event is an occurrence in the network that
might lead to a security breach. If a security event is confirmed to have resulted in a breach, the event is termed a security incident. A security
incident results in risk or damage to the resources and assets of an enterprise. Based on the breach detected, sufficient action has to be taken to
limit the damage and prevent the incident from getting worse.

Security events
Security events are the first step towards identifying a threat or a complete attack. An enterprise might run into thousands of security events per
day. However, not all security events indicate a cyberattack. For example, a user receiving a spam email triggers a security event. Such events
need to be monitored using a SIEM solution to detect if a security event leads to a security incident.

Some of the most common sources of security events that should be analyzed in a network are explained below:

➢ Firewalls

A firewall controls traffic to and from the network. Firewall logs provide the first evidence of an intrusion by attackers. So, security events
detected from firewall logs must be carefully monitored. Below are some of the common security events and incidents that you should monitor
from firewall logs.
• Spike in incoming or outgoing traffic: A spike in incoming or outgoing traffic is a critical security event. On further inspection into the
firewall logs, if multiple packets are received from source IP addresses unknown to your organization, this is a security incident, as it
indicates a possible DDoS attack.
• Configuration changes to firewall policies: Changes to firewall configurations are security events, not incidents. However, if a user
whose privileges have been recently escalated tries to change the firewall configurations, the event is termed a security incident.
• Modification to firewall settings: Changes made to firewall rules can be normal events unless they allow traffic from or to a malicious
command-and-control (C2) server or any other malicious source for data exfiltration. In such cases, the change becomes a security incident.
Therefore, it is necessary to carefully monitor these changes.

➢ Critical servers

Critical servers, such as file servers, web servers, and domain controllers, are highly susceptible to attacks, as compromising these systems
means gaining control of the network or data to a large extent. Monitoring all the user activities and changes to configurations in these servers is
critical. Some of the common security events that you should monitor on critical servers are:
• User logins.
• User permission changes to access the servers.
• Changes to system settings.
• Changes to security configurations.

When the above events, upon investigating, turn out to be from a suspicious source or indicate unusual user behavior, then they are security
incidents. These are some common events that you should monitor. Depending on the functionality of the servers, you can add other events for
monitoring. For instance, in a web server, it becomes essential for you to monitor the logs for injection attempts.

➢ Databases

Databases are one of the most common targets for attackers, as they store employee details, confidential business data, and more. Some of the
common security events in databases are:
• Changes to database tables: Changes to the tables in a database by privileged account users are security events. If such a user goes on to
manipulate multiple tables, it is a security incident.
• Changes to user privileges: When a user's privileges are elevated to access database resources, it is a security event. This becomes a
security incident if the user with recently elevated privileges tries to change the privileges of other users by adding or removing members
in the database administrators security group.
• Accessing or extracting sensitive data: Employee biometric information, customer records, and transaction details are examples of
sensitive enterprise information. If a user tries to extract such information from the database, it is a security incident.

➢ Endpoints

Endpoints such as laptops and desktops generate a huge amount of security events in a single day. Some of the common security events that you
need to monitor from endpoints are:
• Failed login attempts: If a user logs into their device after repeated failed attempts, it is a security event. If such an event is followed by
the user trying to escalate their privileges, it is a security incident.
• Unauthorized software installations: Downloading and installing unauthorized software on a device is a security event. If such an
application harms the functioning of other applications and causes the device to malfunction, it is termed a security incident.

Some of the security incidents that you should be monitoring in your network include:

• Traffic from known malicious IP addresses: Several IP addresses are identified as malicious because of suspected notorious activities
carried out through them. The information about malicious IP addresses is called threat information or a threat feed. To track down traffic
from malicious sources, you should configure your security solution, such as a SIEM tool, to correlate data between these dynamically
updated threat feeds and your network traffic information. If such an IP address is attempting to access the network, your SIEM solution
can detect the attempt and take counteraction immediately.
• Suspicious malware installations on endpoints: Millions of malicious emails with genuine-looking attachments are sent to people every
day. If such an attachment is opened by an unsuspecting user, this might lead to malware being installed on the device. The attacker may
extract sensitive information stored on the user's device through the malware or gain entry into the enterprise's network resources, either
of which make this a security incident.
• Unknown login attempts: Companies use VPN services to help remote users connect to the organization's network. If a hacker manages
to crack the credentials of a remote user, they can enter the network and launch a full-scale cyberattack. If a user reports that their
credentials have been compromised and that they had not logged in to the network recently, this is a serious security incident requiring
rapid response from the IT administrator.
• Privilege escalations: Once an attacker has gained access to the enterprise's network, they can cause only limited damage by
masquerading as the user they impersonate. So, their next step is often privilege escalation. Privilege escalation allows the attacker to
gain more access and, therefore, better control over the network.
• Unauthorized changes to configurations of critical devices: An unauthorized attempt to make changes to critical services such as firewalls
indicates a possible attack on the network, so it’s logged as a security incident.
• Malware infection through removable media: Plugging removable media, such as USB drives and hard drives, into a workstation can be
harmful if the external device contains malware. If an antivirus system detects an external device containing malware, a security incident
is logged.
• Data manipulation in databases: If the data present in an enterprise’s databases is deleted or modified by an unauthorized user, it is
termed a security breach, and the IT administrator must take immediate action to prevent further damage to the enterprise's network.
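As an added example (not from the original document) covering the event-versus-incident distinctions above, the following Python triage function applies three of the rules the text describes: traffic involving an address on a threat feed, a firewall configuration change by a user whose privileges were elevated shortly before, and extraction from a table classed as sensitive. The events, the feed contents (RFC 5737 documentation addresses) and the 24-hour elevation window are constructed assumptions.

```python
"""Added example: decide which security events are incidents using the rules
described in the text. Events, feed entries (RFC 5737 documentation addresses)
and the sensitive-table list are constructed for the illustration."""
from datetime import datetime, timedelta

THREAT_FEED = {"203.0.113.66", "198.51.100.200"}  # constructed, not real indicators
SENSITIVE_TABLES = {"customers", "card_transactions", "employee_biometrics"}

EVENTS = [  # constructed, already normalized by the collector
    {"ts": "2024-03-12T09:00:00", "source": "directory", "type": "privilege_elevated",
     "user": "jdoe", "host": "dc01"},
    {"ts": "2024-03-12T09:20:00", "source": "firewall", "type": "config_change",
     "user": "jdoe", "host": "fw01"},
    {"ts": "2024-03-12T09:25:00", "source": "firewall", "type": "config_change",
     "user": "netops", "host": "fw01"},
    {"ts": "2024-03-12T09:30:00", "source": "firewall", "type": "connection",
     "src_ip": "10.0.0.31", "dst_ip": "203.0.113.66", "host": "fw01"},
    {"ts": "2024-03-12T09:31:00", "source": "firewall", "type": "connection",
     "src_ip": "10.0.0.31", "dst_ip": "198.51.100.10", "host": "fw01"},
    {"ts": "2024-03-12T09:40:00", "source": "database", "type": "table_export",
     "user": "analyst", "table": "customers", "host": "db01"},
    {"ts": "2024-03-12T09:41:00", "source": "database", "type": "table_export",
     "user": "analyst", "table": "inventory", "host": "db01"},
]

def triage(events, threat_feed=THREAT_FEED, sensitive_tables=SENSITIVE_TABLES,
           elevation_window=timedelta(hours=24)):
    """Label every event as 'event' or 'incident' with the reason.
    The function is stateful over the stream: a privilege elevation is only an
    event, but it turns the same user's later firewall change into an incident."""
    recently_elevated = {}  # user -> time of the last privilege elevation seen
    results = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        label, reason = "event", "within normal expectations"
        kind = ev["type"]
        if kind == "privilege_elevated":
            recently_elevated[ev["user"]] = ts
            reason = "privilege elevation recorded for later context"
        elif kind == "config_change":
            elevated_at = recently_elevated.get(ev["user"])
            if elevated_at is not None and ts - elevated_at <= elevation_window:
                label, reason = "incident", "firewall change by recently elevated user"
            else:
                reason = "firewall change by established administrator"
        elif kind == "connection":
            hit = {ev.get("src_ip"), ev.get("dst_ip")} & threat_feed
            if hit:
                label, reason = "incident", "traffic with known malicious IP %s" % hit.pop()
        elif kind == "table_export":
            if ev["table"] in sensitive_tables:
                label, reason = "incident", "extraction of sensitive table %s" % ev["table"]
        results.append({"label": label, "reason": reason, "event": ev})
    return results

def incidents(results):
    """Only the entries an analyst must act on; the rest stay visible as events."""
    return [r for r in results if r["label"] == "incident"]
```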

Detecting security incidents

Detecting security incidents or data breaches poses a challenge for organizations for various reasons. It often involves detecting indications of
compromise from an overwhelming number of false alarms. Though general preventive systems like firewalls and antivirus software give you
alerts on deviant behavior, they don't provide the bigger picture. For every triggered alert, you need to investigate why it was triggered, which
increases the resolution time. General preventive systems provide limited data. For instance, if an employee's credentials are stolen and are being
used to access critical resources, it's difficult to mark this as deviant behavior and flag it as an incident unless more contextual information is
available. Security information and event management (SIEM) solutions correlate business contextual information with network activity to
detect incidents in real time.
1.13.3 Incident Response in SIEM

The constant cycle of organizations trying to stay ahead of attackers and attackers finding new ways to get the upper hand makes it difficult for
organizations to ensure the security of their network and data. The evolution of new types of attacks only adds to this complexity. The best way
to combat this never-ending cycle is to build an effective incident response system.

Workflow management
An organization can face hundreds of security incidents a day. To respond to all these incidents and keep its security intact, an organization
needs a complete, automated response system. IT security administrators can save a lot of time with automated workflows, as they enable speedy
resolution of incidents.
Incident workflow management gives organizations the ability to define a set of actions that will automatically be triggered when a particular
incident occurs. For example, you can define a workflow to shut down a computer when a malicious process is started on it. Triggering this
workflow will help isolate the affected system and contain the attack so it doesn’t spread in the network.
When configured properly, automated workflows give organizations a head start when it comes to incident resolution. Apart from triggering
actions, you can also raise a ticket for every incident detected in your ITIL tool using workflow management. This helps in closely tracking the
incident resolution process and ensuring accountability.

Forensic investigation
By analyzing what went wrong in previous situations, organizations can unearth the solution to future problems. Forensic investigations of
incidents can help the security team analyze the traces left by attackers, which can help them protect their organization against future attacks. In
a way, forensic investigations aren’t about making the wrong right, but about analyzing the wrong to prepare for future wrongs.
Once analysis of the evidence is done, the next step in the incident response process is to contain the disruption to ensure other devices are
protected. The last step is to eliminate the cause of the incident.
Incident detection is a never-ending cycle. Once an incident is spotted, analyzed, contained, and eliminated, the cycle begins again at the next
incident.

The five phases of the incident response life cycle


There are several ways to define the incident response life cycle. The National Institute of Standards and Technology (NIST) developed a
framework for incident handling, which is the most commonly used model. The process outlined in the NIST framework includes five phases,
shown in figure 1.7:
1. Preparation
2. Detection and analysis
3. Containment
4. Eradication and recovery
5. Post-event activity

Fig 1.7: Cycle of incident response


1. Preparation
In this phase, the business creates an incident management plan that can detect an incident in the organization’s environment. The preparation
step involves, for example, identifying different malware attacks and determining what their impact on systems would be. It also involves
ensuring that an organization has the tools to respond to an incident and the appropriate security measures in place to stop an incident from
happening in the first place.

2. Detection and Analysis

An incident response analyst is responsible for collecting and analyzing data to find any clues to help identify the source of an attack. In this
step, analysts identify the nature of the attack and its impact on systems. The business and the security professionals it works with utilize the
tools and indicators of compromise (IOCs) that have been developed to track the attacked systems.

3. Containment, Eradication and Recovery

This is the main phase of security incident response, in which the responders take action to stop any further damage. This phase encompasses
three steps:
• Containment. In this step, all possible methods are used to prevent the spread of malware or viruses. Actions might include disconnecting
systems from networks, quarantining infected systems (Landesman, 2021), or blocking traffic to and from known malicious IP addresses.
• Eradication. After containing the security issue in question, the malicious code or software needs to be eradicated from the environment.
This might involve using antivirus tools or manual removal techniques (Williams, 2022). It will also include ensuring that all security
software is up to date in order to prevent any future incidents.
• Recovery. After eliminating the malware, restoring all systems to their pre-incident state is essential (Mazzoli, 2021). This might involve
restoring data from backups, rebuilding infected systems, and re-enabling disabled accounts.

4. Post-Event activity

The final phase of the incident response life cycle is to perform a postmortem of the entire incident (Cynet, 2022). This helps the organization
understand how the incident took place and what it can do to prevent such incidents from happening in the future. The lessons learned during
this phase can improve the organization’s incident security protocols and make its security strategy more robust and effective.

1.13.4 Threat Intelligence in SIEM

Digital technologies lie at the heart of nearly every industry today. The automation and greater connectedness they afford have revolutionized
the world’s economic and cultural institutions, but they’ve also brought risk in the form of cyberattacks. Threat intelligence, often synonymous
with open-source intelligence (OSINT), is knowledge that allows you to prevent or mitigate those attacks. Rooted in data, threat intelligence
provides context, like who is attacking you, what their motivation and capabilities are, and what indicators of compromise in your systems to
look for, that helps you make informed decisions about your security.
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an
existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that
menace or hazard.”
Some organizations try to incorporate threat data feeds into their network, but don’t know what to do with all that extra data, adding to the
burden of analysts who may not have the tools to decide what to prioritize and what to ignore.
A threat intelligence solution can address each of these issues. The best solutions use a combination of machine learning to automate data
collection and processing, integrate with your existing solutions, take in unstructured data from disparate sources, and then connect the dots by
providing context on indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) of threat actors.
Threat intelligence is actionable, it’s timely, provides context, and is able to be understood by the people in charge of making decisions.
Types of threat intelligence

Threat intelligence is categorized as:

➢ Strategic threat intelligence

Strategic threat intelligence is focused on long-term planning and identifying broad trends. It can be used to assess an organization's overall risk
posture and to formulate strategies for mitigating those risks. This type of intelligence helps organizations identify potential threats and
vulnerabilities, as well as understand the motives and capabilities of adversaries. By understanding the current and future threats, organizations
can develop appropriate countermeasures and mitigate the impact of future attacks. For example, if strategic threat intelligence shows that
attacks against your industry are on the rise, you may decide to invest in additional security measures or training for your employees. Strategic
cyber threat intelligence is usually in the form of white papers, briefings, and reports.

➢ Tactical threat intelligence

This is focused on the immediate future and is designed for a more technically-proficient audience. It identifies simple indicators of compromise
(IOCs) to allow IT teams to search for and eliminate specific threats within a network. IOCs include elements such as bad IP addresses, known
malicious domain names, unusual traffic, log-in red flags, or an increase in file/download requests. Tactical intelligence is the most
straightforward form of intelligence to generate and is usually automated. It can often have a short lifespan as many IOCs quickly become
obsolete.

➢ Operational threat intelligence:

Behind every cyber-attack is a 'who', 'why', and 'how'. Operational threat intelligence is designed to answer these questions by studying past
cyber-attacks and drawing conclusions about intent, timing, and sophistication. Operational threat intelligence requires more resources than tactical
intelligence and has a longer lifespan. This is because cyber attackers can't change their tactics, techniques, and procedures (known as TTPs) as
easily as they can change their tools – such as a specific type of malware.

1.13.5 IT security audit in SIEM

A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to an
established set of criteria. A security audit typically assesses the security of the system's physical configuration and environment, software,
information handling processes and user practices. Organizations employ risk management systems to identify vulnerabilities and threats to their
data assets. IT security auditing is the collection of evidence that the IT controls, security systems, and risk mitigation strategies employed by the
organization are up to industry standards. Some of these standards are NIST Cyber Security Framework (NIST CSF), ISO 27001, and IEC
62443, which define techniques and guidelines for cybersecurity. Compliance regulations vary with industry and region.

Why are security audits important?


There are several reasons to do a security audit. They include these six goals:
1. Identify security problems and gaps, as well as system weaknesses.
2. Establish a security baseline that future audits can be compared with.
3. Comply with internal organization security policies.
4. Comply with external regulatory requirements.
5. Determine if security training is adequate.
6. Identify unnecessary resources.

When is a security audit needed?


How often an organization does its security audits depends on the industry it is in, the demands of its business and corporate structure, and the
number of systems and applications that must be audited. Organizations that handle a lot of sensitive data -- such as financial services and
healthcare providers -- are likely to do audits more frequently. Ones that use only one or two applications will find it easier to conduct security
audits and may do them more frequently. External factors, such as regulatory requirements, affect audit frequency, as well. Many companies will
do a security audit at least once or twice a year. But they can also be done monthly or quarterly. Different departments may have different audit
schedules, depending on the systems, applications and data they use. Routine audits -- whether done annually or monthly -- can help identify
anomalies or patterns in a system.
An organization should conduct a special security audit after a data breach, system upgrade or data migration, or when changes to compliance
laws occur, when a new system has been implemented or when the business grows by more than a defined amount of users. These one-time
audits may focus on a specific area where the event may have opened security vulnerabilities. For example, if a data breach just occurred, an
audit of the affected systems can help determine what went wrong.

Types of security audits


Security audits come in two forms, internal and external audits, that involve the following procedures:
• Internal audits. In these audits, a business uses its own resources and internal audit department. Internal audits are used when an
organization wants to validate business systems for policy and procedure compliance.
• External audits. With these audits, an outside organization is brought in to conduct an audit. External audits are also conducted when an
organization needs to confirm it is conforming to industry standards or government regulations.

1.13.6 User and Entity Behavior Analytics (UEBA): Modern SIEM

Cyberattacks are constantly evolving, and modern hackers can bypass conventional security systems with minimal effort. Attackers keep finding
new ways to hack into firewalls, send malicious programs, and even bribe employees to carry out internal attacks. Conventional security systems
are rapidly becoming outdated and vulnerable to new attack trends. If you look at infamous past attacks, you'll find that no two attacks were
carried out in the same way. Still, there are some defensive strategies and tactics often used because they've proved effective. One efficient way
to stay protected is by equipping yourself with machine learning techniques that can identify every type of security anomaly across your
organization.

What is UEBA?
User and entity behavior analytics (UEBA) solutions establish normal behavior of users and machines within an organization and identify any
abnormal behavior. They are designed to process large amounts of data from firewalls, routers, workstations, databases, file servers, and other
devices in order to create a behavior model for each user and entity. Any activity that deviates from this model gets flagged as abnormal and then
assessed for potential risks. This assessment of risk is directly correlated with a risk score that decides the response to the threat. The more
abnormal the behavior, the higher the risk score. Moreover, the IT administrator can look into the issue from a dashboard, and take action if
needed.
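To make the baseline-and-risk-score idea concrete, here is an added Python example (not code from the original document or any UEBA product) that builds a per-user baseline of login hour and data volume from constructed history, scores a new activity by how many standard deviations it deviates from that baseline, and maps the score to a response. The features, weights, floors and thresholds are assumptions chosen for illustration.

```python
"""Added example: a minimal UEBA-style baseline and risk score.
History, features, weights and thresholds are constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, login_hour, megabytes_transferred) over ten quiet days.
HISTORY = (
    [("alice", h, mb) for h, mb in zip([8, 9, 8, 9, 8, 8, 9, 9, 8, 9],
                                        [40, 55, 50, 45, 60, 52, 48, 51, 47, 53])]
    + [("bob", h, mb) for h, mb in zip([13, 14, 13, 14, 13, 14, 13, 14, 13, 14],
                                        [200, 220, 210, 190, 230, 205, 215, 195, 225, 210])]
)
# Standard-deviation floors so that a very regular user is not flagged for trivia.
HOUR_SD_FLOOR, MB_SD_FLOOR = 1.0, 5.0
POINTS_PER_SD = 15

def build_baseline(history):
    """Per-user mean and standard deviation of each feature: the behaviour model."""
    per_user = defaultdict(lambda: {"hour": [], "mb": []})
    for user, hour, mb in history:
        per_user[user]["hour"].append(hour)
        per_user[user]["mb"].append(mb)
    return {user: {"hour_mean": mean(d["hour"]), "hour_sd": pstdev(d["hour"]),
                   "mb_mean": mean(d["mb"]), "mb_sd": pstdev(d["mb"])}
            for user, d in per_user.items()}

def hour_distance(a, b):
    """Distance on the 24-hour clock, so 23:00 and 01:00 are two hours apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def risk_score(baseline, user, hour, mb):
    """0-100 score: POINTS_PER_SD per standard deviation off the user's baseline,
    summed over features and capped. Returns (score, reasons)."""
    b = baseline.get(user)
    if b is None:
        return 50, ["no baseline for user %s" % user]  # unknown entity: review, don't ignore
    z_hour = hour_distance(hour, b["hour_mean"]) / max(b["hour_sd"], HOUR_SD_FLOOR)
    z_mb = abs(mb - b["mb_mean"]) / max(b["mb_sd"], MB_SD_FLOOR)
    reasons = []
    if z_hour >= 3:
        reasons.append("login at %02d:00 is %.1f sd from the usual hour" % (hour, z_hour))
    if z_mb >= 3:
        reasons.append("%d MB transferred is %.1f sd from the usual volume" % (mb, z_mb))
    return min(100, round(POINTS_PER_SD * (z_hour + z_mb))), reasons

def response_for(score):
    """Map the risk score to the action the dashboard would propose."""
    if score >= 75:
        return "isolate_and_page_analyst"
    if score >= 40:
        return "flag_for_review"
    return "none"

def assess(history, user, hour, mb):
    """Score one new activity against the baseline built from `history`."""
    score, reasons = risk_score(build_baseline(history), user, hour, mb)
    return {"user": user, "score": score, "reasons": reasons, "response": response_for(score)}
```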

UEBA complementary to SIEM


Security information and event management (SIEM) is an essential technology that relies on rules to analyze data while providing real-time
insight into data patterns and trends. Because of these rules, skilled adversaries can usually find a way to get around them. And so, UEBA is a
complementary tool to SIEM as it looks at employee behavior and is not rule-based. Instead, it uses advanced algorithms to detect risky
anomalies that would be otherwise difficult to see in your SIEM. The best practice is to use a mix of both. Your network is safer when you
combine both UEBA and SIEM. You can see the difference between SIEM and UEBA in figure 1.8.

Fig 1.8: Cycle of incident response


UEBA benefits organizations and security analysts

By integrating UEBA with SIEM, you can increase the number of security use cases you cover. While UEBA provides insider threat detection, it
can uncover both external attacks that have penetrated an organization’s perimeter and internal behaviors that may be threatening to company
operations. UEBA also improves the effectiveness of existing security tools, supports entity monitoring, and helps organizations comply with
industry regulations.
The behavioral analytics built into UEBA provides the answer to the question:
What is normal, and what is abnormal?
Without UEBA, analysts need to create complicated, predefined rules to define what is permitted. Since every individual in your organization
has different habits, it would become a long list, especially if you employ hundreds of staff. And worse yet, it will never be definitive.
With UEBA, analysts gain the support of machine learning to track all users and entities and help determine what to look for. The powerful
result is that UEBA provides analysts situational awareness before, during, and after responding to incidents.

Key benefits of UEBA:

• Automated threat detection: Using machine learning and behavioral analytics, enterprises can reduce the effect of the shortage of
security analysts and optimize existing resources in threat detection. This includes detecting compromised accounts, brute force attacks,
changes of permission, the creation of privileged users, and the breach of protected data.
• Reduced risk: Compromised user accounts provide cybercriminals with internal access to your network, resulting in loss or damage.
Early detection of compromised credentials is essential in mitigating risk and data loss.
• Reduced mean time to respond (MTTR): UEBA uses high-fidelity risk scoring to reduce response time to attacks. The faster your
security team is aware of an intrusion, the greater their ability to control it.
• Reduced noise: Behavioral analytics help eliminate false positives. In the context of increased threat loads, false positives can be
overwhelming to a security team. Catching up on a backlog of alerts is an ongoing challenge for many security operations centers. With
machine learning support, security teams have more time and ability to focus on uncovering activities providing the most significant risk
and prioritizing responses to the most critical threats facing their organization.
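The baseline-versus-rules point above can be made concrete. The following Python script is an added example, not code from the original document or from any UEBA product: it learns a per-user baseline (usual login hours, usual source hosts, typical download volume) from a constructed one-week history and scores the next day's events by how far they deviate from it, accumulating the points into a per-user risk score the way a UEBA risk engine would. The events, hosts, point weights and alert threshold are all assumptions made for the illustration.

```python
"""Added example (not from the original document or any product): a minimal
UEBA-style behavioural baseline with per-user risk scoring.
All events, hosts, weights and thresholds below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    hour: int        # local hour of day the session started, 0-23
    src_host: str    # workstation the login came from
    bytes_out: int   # bytes pulled from file shares during the session


# Constructed baseline window: one week of logins for two users with regular habits.
HISTORY = (
    [Event("alice", h, "ws-alice", b)
     for h, b in [(8, 12_000), (9, 15_000), (10, 9_000), (9, 14_000),
                  (8, 11_000), (10, 13_000), (9, 12_500)]]
    + [Event("bob", h, "ws-bob", b)
       for h, b in [(13, 40_000), (14, 45_000), (12, 38_000), (15, 42_000),
                    (13, 41_000), (14, 39_000), (13, 44_000)]]
)

# Constructed events from the following day, to be scored against the baseline.
NEW_EVENTS = [
    Event("alice", 3, "ws-unknown", 500_000),   # 03:00, new host, huge download
    Event("bob", 13, "ws-bob", 43_000),         # entirely normal
    Event("carol", 9, "ws-carol", 1_000),       # account with no history at all
]


@dataclass
class Baseline:
    hours: set
    hosts: set
    bytes_mean: float
    bytes_sd: float


def build_baselines(events):
    """Learn what is 'normal' per user from the history window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    baselines = {}
    for user, evs in by_user.items():
        sizes = [e.bytes_out for e in evs]
        baselines[user] = Baseline(
            hours={e.hour for e in evs},
            hosts={e.src_host for e in evs},
            bytes_mean=mean(sizes),
            bytes_sd=pstdev(sizes) or 1.0,   # guard against a constant history
        )
    return baselines


def score_event(e, baselines):
    """Return (risk_points, reasons) for one event. Weights are illustrative."""
    b = baselines.get(e.user)
    if b is None:
        return 30, ["no baseline for user (new or dormant account)"]
    points, reasons = 0, []
    if e.src_host not in b.hosts:
        points += 20
        reasons.append(f"new source host {e.src_host}")
    if min(abs(e.hour - h) for h in b.hours) > 2:   # more than 2h outside any seen hour
        points += 15
        reasons.append(f"unusual hour {e.hour:02d}:00")
    z = (e.bytes_out - b.bytes_mean) / b.bytes_sd
    if z > 3:                                        # volume far above the user's own norm
        points += 40
        reasons.append(f"download volume z-score {z:.1f}")
    return points, reasons


def evaluate(new_events, baselines, threshold=50):
    """Accumulate risk per user over the scoring window; return those over threshold."""
    totals, reasons = defaultdict(int), defaultdict(list)
    for e in new_events:
        p, r = score_event(e, baselines)
        totals[e.user] += p
        reasons[e.user].extend(r)
    return {u: (totals[u], reasons[u]) for u in totals if totals[u] >= threshold}


if __name__ == "__main__":
    flagged = evaluate(NEW_EVENTS, build_baselines(HISTORY))
    for user, (score, why) in flagged.items():
        print(f"{user}: risk {score} -> {'; '.join(why)}")
```

Note what the static-rule approach would have needed here: a separate "allowed hosts", "allowed hours" and "maximum volume" rule for every user, maintained by hand. Two caveats a practitioner should carry over to a real deployment: a baseline learned from a window in which an account was already compromised silently encodes the attacker's behaviour as normal, so the training window needs to be vetted; and the hour distance above does not wrap around midnight (23:00 and 01:00 are treated as 22 hours apart), which a production implementation should handle with circular arithmetic.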

1.14 Advantages of SIEM

Almost every security expert will recommend adding a SIEM, and it is not just a trend followed blindly. Using a SIEM solution has several
concrete benefits for the end user. For instance:
➢ It gives you the visibility to spot a cybersecurity threat
An organization's survival in the present era of cyber threats depends on how smartly it deals with a security issue. It needs to keep an eye on
all data and traffic entering and leaving its systems. The SIEM becomes a single source of truth for all of that data and for your security
policies: it brings the information together in one place and correlates it, so that a pattern invisible in any single log becomes visible across several.
When you have access to all security-related data in one place, it is easier to react and to build a remedial solution. That speed lets an
organization detect threats early and limit the damage.
➢ Coverage of diverse security threats
Because a SIEM receives data from every platform and tool you use, it is also useful for spotting zero-day attacks. It is flexible enough to be
configured to detect the activity that results from a successful attack (new privileged accounts, unusual outbound connections, permission
changes) rather than only the signature of the attack itself. This makes it a good fit for catching zero-day threats that slip past spam filters,
anti-virus software, or firewalls. (Definition of zero-day attack: a zero-day attack is so called because it occurs before the target is aware that
the vulnerability exists. The attacker exploits the vulnerability before the developer or vendor has had the opportunity to create a patch for it.)
➢ Informative forensic analysis
With a SIEM, your forensic investigation can establish when, how, and where a breach happened, even if another security control failed to stop
it. The retained, detailed logs are also useful evidence for insurance claims and litigation.
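The three points above (one place for all data, detection of the activity that follows an intrusion rather than its signature, and a reconstructable timeline) can be shown together with a small correlation engine. The following Python script is an added example, not code from the original document or from any SIEM product: it normalises constructed sshd and firewall syslog lines into one schema, applies a single correlation rule (a burst of failed logins, then a successful login from the same address, then allowed outbound traffic from the host that was logged into) and prints the resulting breach timeline. The log lines, the asset inventory, the thresholds and the external addresses are all constructed for the illustration.

```python
"""Added example (not from the original document or any SIEM product):
normalise two constructed log sources into one schema and correlate them into
a breach timeline. All log lines, addresses and thresholds are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample logs. The formats loosely follow OpenSSH and iptables
# syslog output but were written by hand for this example.
SSHD_LOG = """\
Mar 12 02:14:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar 12 02:14:03 bastion sshd[2201]: Failed password for root from 203.0.113.9 port 51023 ssh2
Mar 12 02:14:05 bastion sshd[2201]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar 12 02:14:08 bastion sshd[2201]: Failed password for root from 203.0.113.9 port 51025 ssh2
Mar 12 02:14:12 bastion sshd[2204]: Accepted password for root from 203.0.113.9 port 51026 ssh2
Mar 12 09:00:41 bastion sshd[3001]: Accepted publickey for deploy from 10.0.0.5 port 40110 ssh2
"""
FW_LOG = """\
Mar 12 02:15:30 fw1 kernel: FORWARD ALLOW IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.23 PROTO=TCP DPT=4444
Mar 12 02:15:31 fw1 kernel: FORWARD ALLOW IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.23 PROTO=TCP DPT=443
Mar 12 09:01:00 fw1 kernel: FORWARD ALLOW IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=93.184.216.34 PROTO=TCP DPT=443
"""
ASSETS = {"bastion": "10.0.0.7", "web1": "10.0.0.5"}   # constructed asset inventory
YEAR = 2024                                             # syslog lines carry no year

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ")
SSH_RE = re.compile(r"(Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+) port")
FW_RE = re.compile(r"FORWARD (\w+) .*SRC=(\S+) DST=(\S+) PROTO=\w+ DPT=(\d+)")


def parse_ts(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def normalise(text, source):
    """Map raw lines onto one schema: ts, host, kind, action, src, dst, user, dport."""
    events = []
    for line in text.splitlines():
        head = SYSLOG_RE.match(line)
        if not head:
            continue
        ts, host = parse_ts(head.group(1)), head.group(2)
        if source == "sshd" and (m := SSH_RE.search(line)):
            events.append({"ts": ts, "host": host, "kind": "auth", "action": m.group(1).lower(),
                           "src": m.group(3), "dst": ASSETS.get(host, host), "user": m.group(2), "dport": 22})
        elif source == "firewall" and (m := FW_RE.search(line)):
            events.append({"ts": ts, "host": host, "kind": "netflow", "action": m.group(1).lower(),
                           "src": m.group(2), "dst": m.group(3), "user": None, "dport": int(m.group(4))})
    return events


def correlate(events, fail_threshold=3, window=timedelta(minutes=5), follow_up=timedelta(minutes=10)):
    """One correlation rule spanning both sources: >= fail_threshold failed logins from
    one address within `window`, then an accepted login from that address, then allowed
    outbound traffic from the host that was logged into within `follow_up`."""
    events = sorted(events, key=lambda e: e["ts"])
    incidents = []
    for i, login in enumerate(events):
        if login["kind"] != "auth" or login["action"] != "accepted":
            continue
        fails = [f for f in events[:i]
                 if f["kind"] == "auth" and f["action"] == "failed"
                 and f["src"] == login["src"] and login["ts"] - f["ts"] <= window]
        if len(fails) < fail_threshold:
            continue
        outbound = [o for o in events[i + 1:]
                    if o["kind"] == "netflow" and o["action"] == "allow"
                    and o["src"] == login["dst"] and o["ts"] - login["ts"] <= follow_up]
        if outbound:
            incidents.append({"attacker": login["src"], "victim": login["dst"],
                              "user": login["user"], "timeline": fails + [login] + outbound})
    return incidents


def summarise(incident):
    """When, how and where: one line an analyst can paste into a ticket."""
    first, last = incident["timeline"][0]["ts"], incident["timeline"][-1]["ts"]
    targets = ", ".join(f"{o['dst']}:{o['dport']}" for o in incident["timeline"] if o["kind"] == "netflow")
    return (f"{incident['attacker']} brute-forced {incident['user']}@{incident['victim']} "
            f"{first:%Y-%m-%d %H:%M:%S} to {last:%H:%M:%S}; outbound to {targets}")


if __name__ == "__main__":
    evs = normalise(SSHD_LOG, "sshd") + normalise(FW_LOG, "firewall")
    for inc in correlate(evs):
        print(summarise(inc))
        for t in inc["timeline"]:
            print(f"  {t['ts']:%H:%M:%S} {t['host']:<7} {t['kind']:<7} {t['action']:<8} "
                  f"{t['src']} -> {t['dst']}:{t['dport']}")
```

Neither source alone tells the story: the sshd log shows a password-guessing burst that ended in a login, and the firewall log shows an ordinary-looking allowed connection; only the join through the asset inventory (bastion is 10.0.0.7) turns them into an incident with a start time, an entry vector and a destination for the follow-up traffic. Nothing in the rule names a signature, a CVE or a malware family, which is what lets the same rule fire on a zero-day that got the attacker the password. Two things to get right before running this against real data: syslog timestamps carry neither year nor timezone, so normalise both at collection time rather than assuming them as this example does, and the correlation windows should come from observed baselines, not from constants.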
1.15 Limitations of SIEM
SIEM is a valuable part of any modern security infrastructure, and its capabilities can do a great deal of good for your security. However,
because of the complexity of the software, a successful SIEM deployment is not guaranteed. In the worst case, it can end up complicating your
security environment and creating new issues.
Here are the major limitations of the system:
➢ Long Setup Time
Security Information and Event Management is not instant software. Many businesses do not realize how long it takes to implement. There is an
extensive discovery and planning phase in which objectives are identified and all current assets are inventoried; this may require investing in
additional tooling if it is not already available.
The implementation stage includes the actual deployment of SIEM systems and processes, together with thorough testing of all assumptions made
during the discovery and planning stage.
This is followed by a controlled rollout in which SIEM processes, procedures, and operations are introduced gradually, to guarantee seamless
integration and optimal configuration.
Taking all of this into account, it usually takes several months to deploy a SIEM that works effectively. A lack of adequate planning and
coordination at the start will negatively impact the bottom line.
➢ The Need for Specialized Staff
Although many SIEM processes are fully automated, the system still requires skilled analysts for configuration and optimization. SIEM
deployments can require as many as eight full-time security analysts to run effectively. With the shortage of experienced security specialists,
businesses have a hard time sustaining SIEM deployments.
Furthermore, a SIEM raises alerts on security threats in real time, and taking advantage of this requires round-the-clock monitoring. This
compounds the staffing problem, because regular employees do not have the training to keep up with the technical processes. As a result, many
teams experience burnout not long after deployment.
➢ A Never-Ending Improvement Phase
The work is never really complete with a SIEM. After the initial deployment comes a continuous improvement phase of monitoring and fine-tuning
the system.
There is always a need to adapt to new security policies and compliance procedures. Organizational structures do not remain constant either, and
even small-scale changes can ripple through the entire business. In that scenario, the SIEM has to be re-tuned to accommodate the changes and
maintain effective security performance. This continuous maintenance implies continuous costs, which brings us to the next limiting factor of
SIEM.
➢ Cost of Maintenance
Although relatively new, SIEM software accounts for over $2 billion of global spending on enterprise security. Annual costs for a business
running the application can range from tens of thousands to over $100,000, depending on the size of the organization. This includes software and
hardware costs as well as the personnel costs to implement, manage, and monitor the system.
Hiring skilled talent does not come cheap, and in-house training of employees entails more spending. It is no wonder that small companies often
choose not to invest in it at all. Going down the path of SIEM integration adds to a business's list of things to manage. For this reason, deciding
whether to deploy a SIEM is a complex matter that requires a review of your current security posture and a long-term commitment. Many
organizations find their progress stalled or abandoned midway.

1.16 Conclusion
