Performance Analysis of Security Information and Event Management Solutions Detecting Web-Based Attacks

Abstract

With rising trends and forms of web application attacks such as SQL Injection, cross-site scripting and the likes, most organizations today deploy a security information and event management solution as a proactive measure for threat management to get a centralized view of the network security posture and for advanced reporting of incidents. The days of relying merely on perimeter controls are elapsed; it is no longer enough to just rely on firewalls, Intrusion Detection Systems, Intrusion Protection systems and antivirus alone. Security information and event management systems have become a crucial and essential component of complex enterprise networks. They typically aggregate and correlate incidents from different systems and platforms, and carry out a rule-based analysis to detect advanced threats. This paper detects, evaluates and analyzes the performance of various SIEM detecting web based attacks, noting the time of report of attack and behavioral patterns of each SIEM. An attack simulation experiment is performed on different SIEM tools to demonstrate the capabilities of SIEM in detecting any suspicious behavior of event logs and alerting the attacks in near real-time, then the best tool is recommended based on its ability to collect, filter, normalize, correlate, alert, and report attacks within minutes after attack incidents.