Student Research

Exploring SDN and SIEM Integration

A SIEM (Security Information and Event Management) system aggregates, normalizes, correlates, and presents event log data and network flow traffic from endpoint machines, servers running critical business services, antivirus appliances, network infrastructure components, and more. Software-Defined Networking (SDN) separates the control plane from the data plane in network devices, giving control of network flow routing to a centralized controller. While a SIEM provides a high level of visibility, acting on its findings can take the user longer than is optimal. This project uses enterprise-class switches, IBM QRadar SIEM, and OpenDaylight Nitrogen to explore how integrating SDN with a SIEM could improve the network metrics the SIEM measures and allow user-configured, automated network-level responses to anomalies detected in event logs or network flows. Such responses could, for example, reduce the need to spend crucial time relaying quarantine orders between the appropriate teams for hosts known to be infected with malware, which could cut off the spread of the malware upon detection. If automation is not an option, the same integration could provide one-click options for the same actions in the SIEM interface. The end result is the same: reduced response time to potentially critical threats.
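
One way an automated quarantine response like the one described above could be wired up, as an added example that is not code from the project: it turns a SIEM offense record into the OpenDaylight RESTCONF request for an OpenFlow drop rule, and declines to act on low-severity offenses or protected infrastructure addresses. The offense field names, magnitude threshold, switch node id, flow priority and protected range are assumptions, and the sample offenses are constructed.

```python
import ipaddress

# Assumptions, not from the project: switch node id, table, threshold, protected range.
NODE_ID = "openflow:1"
TABLE_ID = 0
MIN_MAGNITUDE = 7
PROTECTED = [ipaddress.ip_network("10.0.0.0/29")]  # e.g. controller, SIEM, gateway

# Constructed sample offenses; field names are assumed for illustration.
SAMPLE_OFFENSES = [
    {"id": 101, "magnitude": 8, "offense_source": "10.0.20.15"},  # quarantine
    {"id": 102, "magnitude": 9, "offense_source": "10.0.0.2"},    # protected host
    {"id": 103, "magnitude": 3, "offense_source": "10.0.20.44"},  # below threshold
    {"id": 104, "magnitude": 8, "offense_source": "jdoe"},        # not a host address
]


def quarantine_request(offense):
    """Return (restconf_path, json_body) for a drop flow, or None if no action is taken."""
    if offense.get("magnitude", 0) < MIN_MAGNITUDE:
        return None
    try:
        host = ipaddress.ip_address(offense["offense_source"])
        flow_id = f"quarantine-{int(offense['id'])}"
    except (KeyError, ValueError, TypeError):
        return None  # source is not a single host address; leave it to an analyst
    if host.version != 4 or any(host in net for net in PROTECTED):
        return None  # never auto-isolate infrastructure the response depends on
    flow = {
        "id": flow_id,
        "table_id": TABLE_ID,
        "priority": 60000,  # above normal forwarding rules
        "match": {
            "ethernet-match": {"ethernet-type": {"type": 2048}},  # IPv4
            "ipv4-source": f"{host}/32",
        },
        "instructions": {"instruction": [{
            "order": 0,
            "apply-actions": {"action": [{"order": 0, "drop-action": {}}]},
        }]},
    }
    path = (f"/restconf/config/opendaylight-inventory:nodes/node/{NODE_ID}"
            f"/flow-node-inventory:table/{TABLE_ID}/flow/{flow_id}")
    return path, {"flow-node-inventory:flow": [flow]}


if __name__ == "__main__":
    for offense in SAMPLE_OFFENSES:
        print(offense["id"], quarantine_request(offense))
```

The function only builds the request; sending it as an authenticated PUT to the controller, and deleting the same path to lift the quarantine, is left to the caller.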