WEBVTT

1
00:00:00.110 --> 00:00:01.170
In this lesson,

2
00:00:01.170 --> 00:00:04.410
we will learn about SIEM Data Management.

3
00:00:04.410 --> 00:00:07.311
A Security Information and Event Management

4
00:00:07.311 --> 00:00:11.727
or SIEM platform collects, analyzes,

5
00:00:11.727 --> 00:00:16.727
and correlates security event data from various sources

6
00:00:16.800 --> 00:00:21.750
to detect and respond to potential threats in real-time.

7
00:00:21.750 --> 00:00:24.488
SIEM data management includes organizing

8
00:00:24.488 --> 00:00:27.570
and maintaining security event data

9
00:00:27.570 --> 00:00:32.570
for effective analysis, detection, and long-term storage.

10
00:00:32.760 --> 00:00:34.550
SIEM data management concepts

11
00:00:34.550 --> 00:00:39.550
include data from non-reporting devices and data retention.

12
00:00:40.260 --> 00:00:44.550
Non-reporting devices refer to systems or endpoints

13
00:00:44.550 --> 00:00:48.720
that fail to send logs or data to the SIEM.

14
00:00:48.720 --> 00:00:51.670
Next, data retention policies determine

15
00:00:51.670 --> 00:00:55.650
how long security event data is stored,

16
00:00:55.650 --> 00:00:57.967
ensuring compliance with regulations

17
00:00:57.967 --> 00:01:01.620
and assisting in forensic analysis.

18
00:01:01.620 --> 00:01:05.029
Let's learn more about data from non-reporting devices

19
00:01:05.029 --> 00:01:07.530
and data retention.

20
00:01:07.530 --> 00:01:11.940
First, we have data from Non-reporting Devices.

21
00:01:11.940 --> 00:01:15.106
Non-reporting Devices are systems or endpoints

22
00:01:15.106 --> 00:01:17.850
that fail to send their logs

23
00:01:17.850 --> 00:01:21.720
or security event data to the SIEM system.

24
00:01:21.720 --> 00:01:24.930
This can happen due to misconfigurations,

25
00:01:24.930 --> 00:01:28.335
connectivity issues, or hardware failures.

26
00:01:28.335 --> 00:01:30.870
In an enterprise environment,

27
00:01:30.870 --> 00:01:34.925
if a device, such as a firewall, intrusion detection system,

28
00:01:34.925 --> 00:01:39.210
or server, stops sending data to the SIEM,

29
00:01:39.210 --> 00:01:42.476
it creates a blind spot that could allow security threats

30
00:01:42.476 --> 00:01:44.820
to go unnoticed.

31
00:01:44.820 --> 00:01:47.940
This is to say that the absence of logs

32
00:01:47.940 --> 00:01:50.250
from non-reporting devices

33
00:01:50.250 --> 00:01:53.275
weakens the organization's security posture

34
00:01:53.275 --> 00:01:55.918
because potential threats could occur

35
00:01:55.918 --> 00:01:59.160
without triggering any alerts.

36
00:01:59.160 --> 00:02:03.870
So, SIEM systems help address non-reporting devices

37
00:02:03.870 --> 00:02:06.759
by monitoring the flow of incoming data

38
00:02:06.759 --> 00:02:09.360
and identifying gaps.

39
00:02:09.360 --> 00:02:13.636
For example, a SIEM can be configured to raise an alert

40
00:02:13.636 --> 00:02:16.770
when it detects that a network device,

41
00:02:16.770 --> 00:02:19.760
such as a firewall, has stopped sending logs

42
00:02:19.760 --> 00:02:22.920
after a certain period of time.

43
00:02:22.920 --> 00:02:25.256
This allows security teams to investigate

44
00:02:25.256 --> 00:02:27.960
and resolve the issue

45
00:02:27.960 --> 00:02:32.400
before the lack of data creates vulnerabilities.

46
00:02:32.400 --> 00:02:36.330
Additionally, the SIEM may implement heartbeat checks

47
00:02:36.330 --> 00:02:38.260
to regularly ensure that devices

48
00:02:38.260 --> 00:02:42.180
are still connected and sending data.

49
00:02:42.180 --> 00:02:47.180
Overall, the benefit of monitoring non-reporting devices

50
00:02:47.190 --> 00:02:49.440
in an enterprise network

51
00:02:49.440 --> 00:02:52.920
is that it ensures continuous visibility

52
00:02:52.920 --> 00:02:56.040
into all systems and endpoints.

53
00:02:56.040 --> 00:02:59.324
By identifying when a device stops reporting,

54
00:02:59.324 --> 00:03:01.715
security teams can quickly respond

55
00:03:01.715 --> 00:03:06.715
to potential technical issues and prevent security gaps.

56
00:03:07.290 --> 00:03:12.150
This reduces the risk of missing important security events.

57
00:03:12.150 --> 00:03:15.330
Second, we have Data Retention.

58
00:03:15.330 --> 00:03:19.800
Data Retention refers to the policies and practices

59
00:03:19.800 --> 00:03:23.370
surrounding how long a SIEM system stores

60
00:03:23.370 --> 00:03:25.500
collected event data.

61
00:03:25.500 --> 00:03:27.720
In an enterprise environment,

62
00:03:27.720 --> 00:03:31.410
security event logs can accumulate quickly,

63
00:03:31.410 --> 00:03:33.360
making it necessary to manage

64
00:03:33.360 --> 00:03:38.360
how long this data is retained to comply with regulations,

65
00:03:38.460 --> 00:03:40.980
support forensic investigations,

66
00:03:40.980 --> 00:03:43.710
and optimize storage usage.

67
00:03:43.710 --> 00:03:47.026
Retaining data for the appropriate amount of time

68
00:03:47.026 --> 00:03:49.399
also ensures that historical records

69
00:03:49.399 --> 00:03:53.550
that could be valuable during incident investigations

70
00:03:53.550 --> 00:03:56.820
or audits are available if needed.

71
00:03:56.820 --> 00:04:00.570
However, storing data for too long can consume

72
00:04:00.570 --> 00:04:03.360
huge amounts of storage resources

73
00:04:03.360 --> 00:04:07.545
and create compliance risks if not managed properly.

74
00:04:07.545 --> 00:04:10.377
A SIEM system manages data retention

75
00:04:10.377 --> 00:04:13.740
by implementing retention policies

76
00:04:13.740 --> 00:04:18.030
based on regulatory and organizational requirements.

77
00:04:18.030 --> 00:04:21.240
For example, in the healthcare industry,

78
00:04:21.240 --> 00:04:23.965
a company might need to retain security logs

79
00:04:23.965 --> 00:04:26.548
for at least seven years to comply

80
00:04:26.548 --> 00:04:28.851
with the Health Insurance Portability

81
00:04:28.851 --> 00:04:32.100
and Accountability Act or HIPAA.

82
00:04:32.100 --> 00:04:36.390
So, the SIEM system can be configured to store logs

83
00:04:36.390 --> 00:04:39.172
related to patient data or system access

84
00:04:39.172 --> 00:04:42.240
for this full seven-year period,

85
00:04:42.240 --> 00:04:44.400
while less critical logs,

86
00:04:44.400 --> 00:04:47.730
such as routine application performance logs,

87
00:04:47.730 --> 00:04:51.060
might only be retained for 90 days.

88
00:04:51.060 --> 00:04:54.013
To do this, the SIEM can automatically archive

89
00:04:54.013 --> 00:04:56.796
or delete logs once they reach the end

90
00:04:56.796 --> 00:05:00.600
of their designated retention period.

91
00:05:00.600 --> 00:05:05.563
Additionally, some SIEMs, such as Splunk or IBM's QRadar,

92
00:05:06.420 --> 00:05:09.800
allow organizations to set different retention periods

93
00:05:09.800 --> 00:05:12.930
for specific types of data.

94
00:05:12.930 --> 00:05:16.995
For instance, logs related to financial transactions

95
00:05:16.995 --> 00:05:19.243
might be stored for five years

96
00:05:19.243 --> 00:05:22.170
to comply with the Payment Card Industry

97
00:05:22.170 --> 00:05:26.160
Data Security Standard or PCI DSS,

98
00:05:26.160 --> 00:05:28.699
while logs from non-critical services

99
00:05:28.699 --> 00:05:31.860
could be deleted after one year.

100
00:05:31.860 --> 00:05:34.423
This ensures that critical data is available

101
00:05:34.423 --> 00:05:38.520
for long-term investigations or audits,

102
00:05:38.520 --> 00:05:41.910
while the SIEM efficiently manages storage

103
00:05:41.910 --> 00:05:46.410
by removing non-essential logs over time.

104
00:05:46.410 --> 00:05:49.080
Overall, in enterprise networks,

105
00:05:49.080 --> 00:05:51.330
data retention policies

106
00:05:51.330 --> 00:05:55.618
ensure that security teams have access to historical logs

107
00:05:55.618 --> 00:06:00.618
when needed for forensic analysis or compliance audits.

108
00:06:01.260 --> 00:06:03.510
This is because retaining logs

109
00:06:03.510 --> 00:06:05.760
for an appropriate amount of time

110
00:06:05.760 --> 00:06:09.030
helps security teams investigate incidents,

111
00:06:09.030 --> 00:06:12.420
trace back events leading up to an attack,

112
00:06:12.420 --> 00:06:16.710
and demonstrate compliance with industry regulations.

113
00:06:16.710 --> 00:06:18.861
Also, proper data retention

114
00:06:18.861 --> 00:06:22.335
helps manage storage capacity efficiently,

115
00:06:22.335 --> 00:06:26.066
ensuring that the SIEM system can continue to operate

116
00:06:26.066 --> 00:06:30.090
without being overwhelmed by excessive data.

117
00:06:30.090 --> 00:06:35.090
So, remember, a Security Information and Event Management

118
00:06:35.520 --> 00:06:39.480
or SIEM system collects, analyzes,

119
00:06:39.480 --> 00:06:43.080
and stores security event data to detect

120
00:06:43.080 --> 00:06:46.830
and respond to threats in real time.

121
00:06:46.830 --> 00:06:49.583
SIEM data management involves handling data

122
00:06:49.583 --> 00:06:52.500
from Non-reporting Devices,

123
00:06:52.500 --> 00:06:55.560
which are systems that fail to send logs,

124
00:06:55.560 --> 00:06:59.280
creating potential blind spots in security monitoring.

125
00:06:59.280 --> 00:07:03.240
The SIEM system addresses this by monitoring data flows

126
00:07:03.240 --> 00:07:07.830
and alerting teams when devices stop reporting.

127
00:07:07.830 --> 00:07:11.880
Next, data retention is another key concept

128
00:07:11.880 --> 00:07:15.820
where SIEMs follow policies to store event data

129
00:07:15.820 --> 00:07:18.023
for a defined period,

130
00:07:18.023 --> 00:07:20.730
ensuring compliance with regulations

131
00:07:20.730 --> 00:07:23.640
and supporting investigations.

132
00:07:23.640 --> 00:07:28.640
So, by managing data retention and non-reporting devices,

133
00:07:29.040 --> 00:07:33.180
SIEMs help maintain continuous security visibility

134
00:07:33.180 --> 00:07:36.003
and optimize storage efficiently.

