Employing Replay Connectors for SIEM Operator Education
2013
Abstract: Security Information and Event Management (SIEM) solutions are a critical information systems security control for monitoring, assessing, and reacting to cyber threats in near real time. A SIEM, however, is not a plug-and-play, drop-in security device. On the contrary, a successful implementation requires configuration tailored to the specifics of the target network, as well as operators who are knowledgeable about both the SIEM's functionality and the characteristics of network and data-center events. This thesis lays the framework for SIEM operator education through the use of pre-captured network and data-center events (i.e., network traffic and device log information) that are replayed into the SIEM. The desired outcome is a repeatable framework that organizations can use to produce more technically capable SIEM operators. The framework is empirically demonstrated with a SIEM learning lab developed for HP's ArcSight SIEM.
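The core mechanism the abstract describes, replaying pre-captured events into a SIEM so that operators can watch rules fire on realistic traffic, is illustrated below with an added example; it is not code from the thesis, from the learning lab it describes, or from ArcSight. It assumes the capture consists of syslog lines (RFC 3164 header) carrying a CEF body whose rt= extension holds the original receipt time, and that the lab SIEM's collector accepts syslog over UDP on 127.0.0.1:514. The sample capture, the vendor name "Acme" and the IP addresses are constructed. The point of the example is the two things a naive `cat capture | nc` misses: timestamps are rebased to the present while preserving the original inter-event gaps, and delivery is paced by those gaps, so time-window correlation rules (for example, N denied connections from one source within 10 s) behave as they did on the live network.

```python
"""Replay a captured syslog/CEF log file into a SIEM collector, preserving
the original inter-event spacing and rebasing timestamps to the present.

Added example for the replay-based SIEM learning lab described in the
abstract; not code from the thesis or from ArcSight. Assumptions: events are
syslog lines (RFC 3164 header) with a CEF body whose rt= extension holds the
original receipt time, and the collector listens for syslog over UDP.
"""
import re
import socket
import time
from datetime import datetime

# Constructed sample capture (not real traffic): one host probing three
# ports, denied 2 s and then 5 s apart.
SAMPLE_CAPTURE = """\
<134>Mar 11 08:00:00 fw01 CEF:0|Acme|Firewall|1.0|100|Connection denied|5|src=10.0.0.5 dst=10.0.1.8 dpt=22 rt=Mar 11 2013 08:00:00
<134>Mar 11 08:00:02 fw01 CEF:0|Acme|Firewall|1.0|100|Connection denied|5|src=10.0.0.5 dst=10.0.1.8 dpt=23 rt=Mar 11 2013 08:00:02
<134>Mar 11 08:00:07 fw01 CEF:0|Acme|Firewall|1.0|100|Connection denied|5|src=10.0.0.5 dst=10.0.1.8 dpt=445 rt=Mar 11 2013 08:00:07
"""

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
RT_RE = re.compile(r"\brt=([A-Z][a-z]{2} \d\d \d{4} \d\d:\d\d:\d\d)")
RT_FMT = "%b %d %Y %H:%M:%S"  # CEF rt= in its "MMM dd yyyy HH:mm:ss" form


def parse_event(line, capture_year=2013):
    """Split one captured line into (priority, host, timestamp, message).

    The CEF rt= field carries a full date, so it is preferred; the RFC 3164
    header has no year, so capture_year (assumed) is used when falling back."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    rt = RT_RE.search(m["msg"])
    if rt:
        ts = datetime.strptime(rt.group(1), RT_FMT)
    else:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=capture_year)
    return int(m["pri"]), m["host"], ts, m["msg"]


def rebase_events(lines, start, speed=1.0):
    """Return [(delay_seconds, rewritten_line), ...].

    The first event is moved to `start`; every later event keeps its original
    offset from the first, so the relative timing the correlation rules see is
    unchanged. `speed` > 1 compresses the wall-clock delays between sends
    without altering the rewritten timestamps."""
    events = [parse_event(l) for l in lines if l.strip()]
    if not events:
        return []
    offset = start - events[0][2]
    out, prev_ts = [], events[0][2]
    for pri, host, ts, msg in events:
        new_ts = ts + offset
        delay = (ts - prev_ts).total_seconds() / speed
        prev_ts = ts
        # RFC 3164 wants a space-padded day ("Jan  1"), hence the :2d.
        header = f"<{pri}>{new_ts:%b} {new_ts.day:2d} {new_ts:%H:%M:%S} {host} "
        body = RT_RE.sub("rt=" + new_ts.strftime(RT_FMT), msg)
        out.append((delay, header + body))
    return out


def replay(lines, start, send, speed=1.0, sleep=time.sleep):
    """Deliver rebased events through `send`, pacing them by the original gaps.
    Returns the number of events delivered."""
    n = 0
    for delay, line in rebase_events(lines, start, speed):
        if delay > 0:
            sleep(delay)
        send(line)
        n += 1
    return n


def udp_sender(host="127.0.0.1", port=514):
    """Build a send() that emits one syslog datagram per event to the
    (assumed) lab collector address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda line: sock.sendto(line.encode(), (host, port))


if __name__ == "__main__":
    # Stand-alone use: replay the constructed capture into a local lab
    # collector, rebased to the current time and run at 2x speed.
    sent = replay(SAMPLE_CAPTURE.splitlines(),
                  datetime.now().replace(microsecond=0),
                  udp_sender(), speed=2.0)
    print(f"replayed {sent} events")
```

Two practical notes. First, point the sender only at a lab SIEM: replayed denials carry real-looking source addresses and will pollute the baselines and dashboards of a production instance. Second, rebasing matters because a collector that stamps events with its own receipt time would otherwise see event bodies dated years earlier than receipt, and rules keyed on the event's own time would never fall inside their window; keeping the header and the rt= field in step with each other avoids teaching operators on events that look like clock skew.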