Design and Implementation of Security Incident and Event Management (SIEM) Solution
Computer networks produce a huge amount of security log data. Handling this log data is impossible without a Security Information and Event Management (SIEM) system to centralize log management and raise the level of information security and data protection in the organization.
2025-06-28 16:31:44 - Adil Khan
Project Area of Specialization: Cyber Security

Project Summary

Computer networks produce a huge amount of security log data. Handling this log data is impossible without a Security Information and Event Management (SIEM) system to centralize log management and raise the level of information security and data protection in the organization. A log is a record of events occurring within an organization's systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network. Logs are also useful for supporting internal investigations and identifying operational trends and long-term problems.
Security information and event management (SIEM) software gives enterprise security professionals both insight into and a track record of the activities within their IT environment. SIEM technology has existed for more than a decade, having evolved from the log management discipline. It combined security event management (SEM), which analyzes log and event data in real time to provide threat monitoring, event correlation and incident response, with security information management (SIM), which collects, analyzes and reports on log data. The underlying principle of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. For example, when a potential issue is detected, a SIEM might log additional information, generate an alert and instruct other security controls to stop the activity's progress.
Security Information and Event Management (SIEM) systems have become a crucial and essential component of complex enterprise networks. Companies need a SIEM to gather information in one place, avoid blind spots, and detect suspicious behavior and problems before they become breaches. Companies also need a SIEM to monitor compliance with corporate policies. Most large technology vendors offer SIEM solutions such as ArcSight and IBM QRadar, but the organizations that need a SIEM to secure their networks may have different requirements for real-time threat monitoring, so the SIEM needs to be customized to those requirements. With commercial SIEM products our data is also not under our own control: the product is foreign, which puts our security at risk because the vendor could spy on us or exploit that access at any time. Pakistan does not have its own SIEM product, so our aim is to build one for our country.
It will be capable of performing deep packet inspection to build a profile of probable and improbable DNS payloads. After visualizing, normalizing and conducting pattern searches, we will have a shortlist of the most likely threats present in DNS traffic.
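The DNS profiling described above, as an added example that is not code from the project: a stdlib-only Python stand-in that extracts payload features from each query name (total length, label count, longest-label length, entropy and digit ratio of the longest label), builds a baseline from the medians and median absolute deviations of those features, and shortlists the queries whose robust z-score exceeds the conventional 3.5 cutoff. The log format, the sample lines (the last three imitate a DNS-tunnel pattern) and the feature set are constructed assumptions for illustration.

```python
"""Profile DNS query names and shortlist the improbable ones (added example, not project code)."""
import math
import re
from collections import Counter
from statistics import median

# Constructed sample log, one query per line: "<timestamp> <client-ip> <qname> <qtype>".
# The last three lines imitate a DNS tunnel: long, high-entropy, digit-heavy leftmost labels.
SAMPLE_DNS_LOG = """\
2025-06-28T10:00:01 10.0.0.5 www.example.com A
2025-06-28T10:00:02 10.0.0.5 mail.example.com MX
2025-06-28T10:00:03 10.0.0.7 cdn.example.net A
2025-06-28T10:00:04 10.0.0.7 api.example.net A
2025-06-28T10:00:05 10.0.0.9 login.example.org A
2025-06-28T10:00:06 10.0.0.9 static.example.org A
2025-06-28T10:00:07 10.0.0.5 www.example.com AAAA
2025-06-28T10:00:08 10.0.0.7 cdn.example.net A
2025-06-28T10:00:09 10.0.0.9 docs.example.org A
2025-06-28T10:00:10 10.0.0.11 3q2b9f8e7a6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a0f9e8d.tunnel.example.com TXT
2025-06-28T10:00:11 10.0.0.11 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6e.tunnel.example.com TXT
2025-06-28T10:00:12 10.0.0.11 a1b2c3d4e5f60718293a4b5c6d7e8f9001a2b3c4d5e6f708.tunnel.example.com TXT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")
FEATURES = ("length", "labels", "longest_label", "entropy", "digit_ratio")
ROBUST_Z_CUTOFF = 3.5  # conventional median/MAD outlier cutoff (assumed, tune per environment)


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def features(qname):
    """Payload features of one query name; entropy and digit ratio are taken on its longest label."""
    labels = qname.rstrip(".").split(".")
    longest = max(labels, key=len)
    return {
        "length": len(qname),
        "labels": len(labels),
        "longest_label": len(longest),
        "entropy": shannon_entropy(longest),
        "digit_ratio": sum(ch.isdigit() for ch in longest) / len(longest),
    }


def parse_dns_log(text):
    """Parse log lines into dicts with features attached; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec.update(features(rec["qname"]))
            records.append(rec)
    return records


def build_profile(records):
    """Per-feature median and scale: 1.4826*MAD, or 1.2533*mean absolute deviation when MAD is 0."""
    profile = {}
    for f in FEATURES:
        values = [r[f] for r in records]
        med = median(values)
        devs = [abs(v - med) for v in values]
        mad = median(devs)
        scale = 1.4826 * mad if mad > 0 else 1.2533 * (sum(devs) / len(devs))
        profile[f] = {"median": med, "scale": scale}
    return profile


def robust_z(value, stats):
    """Distance from the baseline median in units of its robust scale."""
    dev = abs(value - stats["median"])
    if stats["scale"] == 0:
        return 0.0 if dev == 0 else float("inf")
    return dev / stats["scale"]


def score(record, profile):
    """Anomaly score = largest robust z across features, with the feature that drove it."""
    zs = {f: robust_z(record[f], profile[f]) for f in FEATURES}
    top = max(zs, key=zs.get)
    return zs[top], top


def shortlist(text, cutoff=ROBUST_Z_CUTOFF):
    """Improbable queries, highest score first; the profile is built from the same batch."""
    records = parse_dns_log(text)
    profile = build_profile(records)
    flagged = []
    for rec in records:
        s, top = score(rec, profile)
        if s >= cutoff:
            flagged.append({**rec, "score": s, "driver": top})
    flagged.sort(key=lambda r: r["score"], reverse=True)
    return flagged


if __name__ == "__main__":
    for hit in shortlist(SAMPLE_DNS_LOG):
        print(f"{hit['client']} {hit['qtype']:4} score={hit['score']:.1f} via {hit['driver']}: {hit['qname']}")
```

Building the profile from the batch being scored only works while the anomalous share is small, as here; in the pipeline the baseline should come from a trusted historical window and the cutoff should be tuned against known-benign traffic before alerts are raised on it.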
Given an IP address, it will gather all the characteristics of the communication associated with that address and build a timeline of the conversations that originated from it.
It will build a model of the machines on the network and their communication patterns. The lowest-probability connections between machines will be visualized and searched for known patterns; the result is a set of threat patterns in the data.
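The communication model, the lowest-probability connections and the per-IP timeline of the two paragraphs above, as an added example that is not the project's code. The proposal plans to build this on Spark GraphFrames; this is a plain-Python equivalent of the logic so it runs stand-alone. Each (source, destination, port) edge is weighted by the empirical probability that a flow from that source goes there, the least probable edges are searched for two constructed "known patterns" (periodic beaconing, and a first-ever connection to an internal peer on an admin port), and a timeline and profile are produced for a chosen IP. The flow records, the internal range and the pattern thresholds are assumptions for illustration.

```python
"""Host communication model, rare-edge ranking and per-IP timeline (added example, not project code)."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address range
ADMIN_PORTS = {22, 445, 3389, 5985}             # assumed lateral-movement ports
BEACON_CV = 0.2  # inter-flow gap coefficient of variation below which timing counts as periodic

# Constructed flow records (timestamp, src, dst, dst_port, bytes_out): three workstations using a
# proxy and a mail relay, plus 10.0.0.5 beaconing every 5 minutes to an outside address and then
# opening SMB to a peer it never spoke to before.
FLOWS = [
    ("2025-06-28T09:00:00", "10.0.0.5", "10.0.0.50", 443, 1200),
    ("2025-06-28T09:01:37", "10.0.0.5", "10.0.0.50", 443, 4100),
    ("2025-06-28T09:02:05", "10.0.0.5", "10.0.0.50", 443, 900),
    ("2025-06-28T09:06:44", "10.0.0.5", "10.0.0.50", 443, 2300),
    ("2025-06-28T09:07:10", "10.0.0.5", "10.0.0.50", 443, 700),
    ("2025-06-28T09:12:59", "10.0.0.5", "10.0.0.50", 443, 3900),
    ("2025-06-28T09:13:20", "10.0.0.5", "10.0.0.50", 443, 1500),
    ("2025-06-28T09:19:58", "10.0.0.5", "10.0.0.50", 443, 800),
    ("2025-06-28T09:00:30", "10.0.0.7", "10.0.0.50", 443, 1100),
    ("2025-06-28T09:02:50", "10.0.0.7", "10.0.0.50", 443, 600),
    ("2025-06-28T09:03:00", "10.0.0.7", "10.0.0.50", 443, 2800),
    ("2025-06-28T09:08:15", "10.0.0.7", "10.0.0.50", 443, 1900),
    ("2025-06-28T09:18:40", "10.0.0.7", "10.0.0.50", 443, 400),
    ("2025-06-28T09:00:10", "10.0.0.9", "10.0.0.50", 443, 1300),
    ("2025-06-28T09:03:50", "10.0.0.9", "10.0.0.50", 443, 2100),
    ("2025-06-28T09:04:05", "10.0.0.9", "10.0.0.50", 443, 500),
    ("2025-06-28T09:11:30", "10.0.0.9", "10.0.0.50", 443, 1700),
    ("2025-06-28T09:01:00", "10.0.0.9", "10.0.0.51", 25, 8000),
    ("2025-06-28T09:01:20", "10.0.0.9", "10.0.0.51", 25, 6500),
    ("2025-06-28T09:09:00", "10.0.0.9", "10.0.0.51", 25, 9100),
    ("2025-06-28T09:16:45", "10.0.0.9", "10.0.0.51", 25, 7200),
    ("2025-06-28T09:05:00", "10.0.0.5", "203.0.113.77", 8443, 300),
    ("2025-06-28T09:10:00", "10.0.0.5", "203.0.113.77", 8443, 310),
    ("2025-06-28T09:15:00", "10.0.0.5", "203.0.113.77", 8443, 305),
    ("2025-06-28T09:20:00", "10.0.0.5", "203.0.113.77", 8443, 298),
    ("2025-06-28T09:21:00", "10.0.0.5", "10.0.0.7", 445, 20000),
]


def ts(s):
    return datetime.fromisoformat(s)


def build_model(flows):
    """Count flows per (src, dst, port) edge and per source host."""
    edges = Counter((src, dst, port) for _, src, dst, port, _ in flows)
    out_total = Counter(src for _, src, _, _, _ in flows)
    return {"edges": edges, "out_total": out_total}


def edge_probability(model, edge):
    """Empirical P(dst, port | src): how usual this destination is for that source."""
    return model["edges"][edge] / model["out_total"][edge[0]]


def rare_edges(model, k):
    """The k edges with the lowest conditional probability, least likely first."""
    ranked = sorted(model["edges"], key=lambda e: edge_probability(model, e))
    return [(e, edge_probability(model, e)) for e in ranked[:k]]


def match_patterns(model, flows, edge):
    """Search one edge for the two known patterns this example encodes."""
    src, dst, port = edge
    times = sorted(ts(t) for t, s, d, p, _ in flows if (s, d, p) == edge)
    hits = []
    if len(times) >= 4:
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < BEACON_CV:
            hits.append("periodic_beacon")
    if ipaddress.ip_address(dst) in INTERNAL and port in ADMIN_PORTS and model["edges"][edge] == 1:
        hits.append("first_seen_admin_port_to_peer")
    return hits


def threat_patterns(flows, k=3):
    """Rank the least probable edges and annotate each with the patterns it matches."""
    model = build_model(flows)
    return [(edge, p, match_patterns(model, flows, edge)) for edge, p in rare_edges(model, k)]


def timeline(flows, ip):
    """Chronological list of conversations originated by ip."""
    rows = sorted((ts(t), d, p, b) for t, s, d, p, b in flows if s == ip)
    return [{"time": t.isoformat(), "dst": d, "port": p, "bytes": b} for t, d, p, b in rows]


def ip_profile(flows, ip):
    """Summary characteristics of ip's outbound communication: peers, volumes, first/last seen."""
    rows = timeline(flows, ip)
    peers = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for r in rows:
        peers[(r["dst"], r["port"])]["flows"] += 1
        peers[(r["dst"], r["port"])]["bytes"] += r["bytes"]
    return {"ip": ip, "flows": len(rows), "peers": dict(peers),
            "first_seen": rows[0]["time"] if rows else None,
            "last_seen": rows[-1]["time"] if rows else None}


if __name__ == "__main__":
    for edge, p, hits in threat_patterns(FLOWS):
        print(f"{edge[0]} -> {edge[1]}:{edge[2]}  p={p:.3f}  patterns={hits}")
    for row in timeline(FLOWS, "10.0.0.5"):
        print(row)
```

Ranking by probability conditional on the source, rather than by raw count, is what makes a single SMB flow from a host that normally only talks to the proxy stand out even though the proxy traffic dominates the volume; on real data the same model is also what the "rare edge" list inherits its false positives from (new servers, rotating CDN addresses), so known-good destinations need an allow list before pattern searching.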
As the threat is investigated, a dashboard will give quick answers to the questions you already know to ask.
It will have open data models for network, endpoint and user data, providing a standard format of enriched event data that makes it easier to integrate cross-application data, gain complete visibility and develop new analytic functionality. It will also help organizations quickly share new analytics with one another as new threats are discovered.
Project Implementation Method

We are implementing the SIEM solution using open source technologies to build our own architecture. The SIEM will ingest logs from Beats, proxy logs and DNS logs so that all event records can be shown.
Beats will send the logs to Apache Kafka, and Kafka will pass them to Logstash, a data collection engine with real-time pipelining capabilities.
Logstash will then send the data to Elasticsearch.
ES-Hadoop, a stand-alone, self-contained, small library, will then allow Hadoop jobs (whether using Map/Reduce or libraries built upon it such as Hive, Pig or Cascading, or newer libraries like Apache Spark) to interact with Elasticsearch.
The Apache Spark library GraphFrames will provide DataFrame-based graphs.
Kibana will be used as the interface of the SIEM.
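The "standard format of enriched event data" described under the open data models above, and the normalization the Logstash stage of this pipeline has to perform on the Beats, proxy and DNS inputs, as an added example that is not the project's code: a Python normalizer that turns a Filebeat JSON line carrying an sshd message, a Squid-style proxy access line and a BIND-style query log line into one flat event schema. The field names are an assumption chosen to resemble Elastic Common Schema dotted names; the three input formats and sample lines are constructed, and BIND timestamps are assumed to be UTC.

```python
"""Normalize Beats, proxy and DNS logs into one event schema (added example, not project code)."""
import json
import re
from datetime import datetime, timezone

# Constructed inputs: a Filebeat JSON line with an sshd message, a Squid-style access line,
# a BIND-style query log line, and one line no parser understands.
SAMPLE_LINES = [
    '{"@timestamp":"2025-06-28T10:00:01.000Z","agent":{"type":"filebeat"},"host":{"name":"ws05"},'
    '"message":"Failed password for root from 10.0.0.9 port 5123 ssh2"}',
    "1751104802.341   1450 10.0.0.5 TCP_MISS/200 5120 GET http://example.com/login - "
    "HIER_DIRECT/93.184.216.34 text/html",
    "28-Jun-2025 10:00:03.000 client @0x7f0c 10.0.0.7#53211 (cdn.example.net): query: "
    "cdn.example.net IN A +E(0)K (10.0.0.53)",
    "this line matches no known format",
]

SQUID_RE = re.compile(
    r"^(?P<epoch>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\w+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)$")
BIND_RE = re.compile(
    r"^(?P<date>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@\S+ )?(?P<client>[\d.]+)#\d+ "
    r"\(\S+\): query: (?P<qname>\S+) (?P<class>\S+) (?P<qtype>\S+)")
SSH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")


def iso_ms(dt):
    """UTC timestamp with millisecond precision, the form used for @timestamp throughout."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{dt.microsecond // 1000:03d}Z"


def normalize_beats(line):
    """Beats already ships JSON; keep its envelope and parse the sshd message inside it."""
    doc = json.loads(line)
    ev = {"@timestamp": doc["@timestamp"], "event.original": doc.get("message", ""),
          "event.dataset": doc.get("agent", {}).get("type", "beats"),
          "host.name": doc.get("host", {}).get("name")}
    m = SSH_RE.match(ev["event.original"])
    if m:
        ev.update({"event.category": "authentication",
                   "event.outcome": "success" if m["outcome"] == "Accepted" else "failure",
                   "user.name": m["user"], "source.ip": m["ip"], "source.port": int(m["port"])})
    return ev


def normalize_squid(line, m):
    """Squid native access log: epoch seconds, client, status, method, URL, upstream peer."""
    dt = datetime.fromtimestamp(float(m["epoch"]), tz=timezone.utc)
    ev = {"@timestamp": iso_ms(dt), "event.original": line, "event.dataset": "squid",
          "event.category": "web", "source.ip": m["client"], "http.request.method": m["method"],
          "url.original": m["url"], "http.response.status_code": int(m["status"]),
          "http.response.bytes": int(m["bytes"]), "destination.ip": m["peer"].split("/", 1)[-1]}
    if m["user"] != "-":
        ev["user.name"] = m["user"]
    return ev


def normalize_bind(line, m):
    """BIND query log; the server's local time is assumed to be UTC."""
    dt = datetime.strptime(m["date"], "%d-%b-%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return {"@timestamp": iso_ms(dt), "event.original": line, "event.dataset": "bind",
            "event.category": "network", "event.action": "dns-query", "source.ip": m["client"],
            "dns.question.name": m["qname"], "dns.question.class": m["class"],
            "dns.question.type": m["qtype"]}


def normalize(line):
    """Dispatch one raw line to the matching parser; None means no parser recognized it."""
    if line.startswith("{"):
        try:
            return normalize_beats(line)
        except (ValueError, KeyError):
            return None
    m = SQUID_RE.match(line)
    if m:
        return normalize_squid(line, m)
    m = BIND_RE.match(line)
    if m:
        return normalize_bind(line, m)
    return None


def normalize_batch(lines):
    """Return (events, dropped): unparseable lines are kept for review, never silently lost."""
    events, dropped = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            dropped.append(line)
        else:
            events.append(ev)
    return events, dropped


if __name__ == "__main__":
    evs, bad = normalize_batch(SAMPLE_LINES)
    for ev in evs:
        print(json.dumps(ev))
    print("dropped:", bad)
```

Keeping `event.original` on every event is deliberate: once logs from three formats share one schema, an analyst still needs the raw line to verify what the parser did, and the dropped list is the metric to alert on when a log source changes its format and the pipeline quietly stops producing events.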
Benefits of the Project

The SIEM solutions used by many organizations are IBM QRadar and other commercial products, which are not our own. Our organizations' data is not secure because it depends on IBM. We are building our own country's SIEM solution, which will be secure enough for all organizations, and if our SIEM has any error or mistake we will provide our service and support to resolve it.
It will help organizations run analytics against comprehensive historical datasets, allowing them to identify past threats that slipped through the cracks. This capability gives security professionals the ability to collaborate the way cybercriminals do.
It will increase detection capability by correlating events across hosts. By gathering events from hosts across the enterprise, a SIEM can see attacks whose different parts occur on different hosts, then reconstruct the series of events to determine the nature of the attack and whether or not it succeeded.
It will ingest threat intelligence data from trusted external sources. If there is any activity involving known malicious hosts, it can then terminate those connections.
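The cross-host correlation and the threat-intelligence enrichment of the two paragraphs above, as an added example that is not the project's code: a Python rule that links a burst of authentication failures from one source address on one host to a later successful login from the same address on another host, then to an outbound connection from that second host to an indicator in the intelligence feed, and reports the reconstructed chain with a verdict on whether the attack succeeded and the containment actions to take. The events (already in the flat schema), the indicator feed, the failure threshold and the time window are constructed assumptions for illustration.

```python
"""Cross-host attack-chain correlation with threat-intel enrichment (added example, not project code)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator feed (not a real feed): exact addresses and a CIDR range.
IOC_FEED = [
    {"indicator": "198.51.100.23", "type": "ip", "source": "feed-A", "confidence": 90},
    {"indicator": "192.0.2.0/24", "type": "cidr", "source": "feed-B", "confidence": 70},
]


def auth(t, host, src, user, outcome):
    return {"@timestamp": t, "event.category": "authentication", "host.name": host,
            "source.ip": src, "user.name": user, "event.outcome": outcome}


def net(t, host, src, dst, port):
    return {"@timestamp": t, "event.category": "network", "host.name": host,
            "source.ip": src, "destination.ip": dst, "destination.port": port}


# Constructed events from three hosts: password guessing against ws05, a successful login with the
# same credentials on srv01, srv01 calling out to a listed address; ws07 is benign apart from one
# connection into a listed range.
EVENTS = [
    auth("2025-06-28T11:00:00Z", "ws05", "10.0.0.9", "admin", "failure"),
    auth("2025-06-28T11:00:05Z", "ws05", "10.0.0.9", "admin", "failure"),
    auth("2025-06-28T11:00:10Z", "ws05", "10.0.0.9", "admin", "failure"),
    auth("2025-06-28T11:00:15Z", "ws05", "10.0.0.9", "admin", "failure"),
    auth("2025-06-28T11:00:20Z", "ws05", "10.0.0.9", "admin", "failure"),
    auth("2025-06-28T11:01:30Z", "srv01", "10.0.0.9", "admin", "success"),
    net("2025-06-28T11:02:00Z", "srv01", "10.0.0.20", "198.51.100.23", 443),
    auth("2025-06-28T11:03:00Z", "ws07", "10.0.0.12", "bob", "success"),
    net("2025-06-28T11:04:00Z", "ws07", "10.0.0.12", "192.0.2.55", 80),
    auth("2025-06-28T11:05:00Z", "ws07", "10.0.0.12", "bob", "failure"),
]


class ThreatIntel:
    """Exact-address and CIDR indicator lookup built from a feed."""

    def __init__(self, feed):
        self.exact = {i["indicator"]: i for i in feed if i["type"] == "ip"}
        self.ranges = [(ipaddress.ip_network(i["indicator"]), i) for i in feed if i["type"] == "cidr"]

    def lookup(self, ip):
        if ip in self.exact:
            return self.exact[ip]
        addr = ipaddress.ip_address(ip)
        return next((ind for network, ind in self.ranges if addr in network), None)


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def correlate(events, intel, fail_threshold=5, window=timedelta(minutes=10)):
    """Brute force -> valid credentials -> callback to a listed host, keyed by source address."""
    auth_events = sorted((e for e in events if e["event.category"] == "authentication"),
                         key=lambda e: parse_ts(e["@timestamp"]))
    net_events = [e for e in events if e["event.category"] == "network"]
    failures = defaultdict(list)
    incidents = []
    for e in auth_events:
        src, t = e["source.ip"], parse_ts(e["@timestamp"])
        if e["event.outcome"] == "failure":
            failures[src].append(e)
            continue
        recent = [f for f in failures[src] if t - parse_ts(f["@timestamp"]) <= window]
        if len(recent) < fail_threshold:
            continue  # a success without a preceding burst is not this pattern
        # Stage 3: the host that was just logged into talks to a listed address within the window.
        callbacks = []
        for n in net_events:
            if n["host.name"] != e["host.name"]:
                continue
            if not (timedelta(0) <= parse_ts(n["@timestamp"]) - t <= window):
                continue
            ioc = intel.lookup(n["destination.ip"])
            if ioc:
                callbacks.append((n, ioc))
        stages = ["brute_force", "valid_credentials"] + (["c2_callback"] if callbacks else [])
        actions = [f"contain host {e['host.name']}"] + [
            f"terminate {n['host.name']}->{n['destination.ip']}:{n['destination.port']} "
            f"({ioc['source']}, confidence {ioc['confidence']})" for n, ioc in callbacks]
        incidents.append({"source.ip": src, "user.name": e["user.name"],
                          "hosts": sorted({f["host.name"] for f in recent} | {e["host.name"]}),
                          "stages": stages, "succeeded": True, "actions": actions})
    return incidents


def ioc_hits(events, intel):
    """Every network event to a listed address, independent of any chain, for connection termination."""
    hits = []
    for e in events:
        if e["event.category"] == "network":
            ioc = intel.lookup(e["destination.ip"])
            if ioc:
                hits.append({"event": e, "indicator": ioc, "action": "terminate"})
    return hits


if __name__ == "__main__":
    ti = ThreatIntel(IOC_FEED)
    for inc in correlate(EVENTS, ti):
        print(inc)
    for hit in ioc_hits(EVENTS, ti):
        print(hit["action"], hit["event"]["host.name"], "->", hit["event"]["destination.ip"], hit["indicator"]["source"])
```

The verdict comes from the second stage, not the first: five failures alone are noise on most networks, while a success from the same source on a different host after them is the signal that the credentials are valid, which is the "whether or not it succeeded" question the SIEM is meant to answer. The standalone `ioc_hits` pass covers the case the chain rule misses, a listed destination with no preceding authentication activity on record.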
It will significantly increase the efficiency of incident handling, which in turn saves time and resources for incident handlers.
It will provide automated mechanisms to stop attacks that are still in progress and to contain compromised hosts.
Final Deliverable of the Project: Software System
Type of Industry: IT
Technologies: Artificial Intelligence (AI), Big Data
Sustainable Development Goals: Industry, Innovation and Infrastructure

Required Resources

| Item Name | Type | No. of Units | Per Unit Cost (in Rs) | Total (in Rs) |
|---|---|---|---|---|
| CPU-1 with 32 GB RAM | Equipment | 1 | 35000 | 35000 |
| CPU-2 with 32 GB RAM | Equipment | 1 | 35000 | 35000 |
| Total (in Rs) | | | | 70000 |