Data is a raw material, which is often unstructured, extracted in massive quantity, and requires processing before calling it an information and actionable intelligence. A good example is the Indicators of Compromise (IoCs). A big list of domain names or IP addresses can be ingested into the SIEM system to identify whether this list contains any malicious IP or not. If any suspicious IP is detected, then we can term this data as an actionable intelligence which has been evaluated from reliable sources, processed and enriched. Now, it can be used to identify trends, attack profile, and possible threats. In this article, we will see how data is gathered, processed, and act as an actionable delivery.
Prior to 2005, there used to be quite a debate over Security Information Management (SIM) and Security Event Management (SEM). This debate was ended for once and all by Amrit Williams and Mark Nicollet of Gartner when they defined SIEM – Security Information Event Management in 2005.
Gone are the times when endpoint protection was limited to installing an anti-virus and expecting a reasonable level of protection. With the introduction of Bring Your Own Device (BYOD) and increasing number of IoT devices, there are more endpoints than ever and so are the security threats associated with them.