Security Information and Event Management (SIEM) solutions are programs aimed at gathering, analyzing and processing activities’ logs that are within organization’s system. The system contains logs documenting the user activity and system modifications; reviewing this information becomes easier with the help of SIEM tools, which create notifications for specific threats, risks, and vulnerabilities. Instead of analyzing thousands of logs and alerts, analysts use SIEM tools when showing them promising security incidents. SIEM tools also contain dashboards with data presented in forms that can be easily analyzed; the layout and functions of such are dependent on the tool that is being used. Thus, organizations can select between the on-premise SIEM and the cloud-hosted SIEM based on such factors as the competence of the security team. It is also worth to note that cloud–hosted versions are usually easier in terms of setup and tweaking and that is why are better suited for less technical teams.

Packet sniffers, also known as network protocol analyzers, are used in capturing and analyzing the traffic that is in a network. What they do is collect all interactions, which take place, so that it is easier for security teams to establish deviations, analyze the problems with the network or search for breaches. These tools are very important when it comes to capturing and analyzing data traffic as well as in studying security incidences.

A playbook is essentially a documentation of certain processes that are to be followed within an organization, for instance procedures on how to deal with a given security breach. These give procedural directions to make certain that the analysts perform various tasks legally in case of investigations. For instance, in forensic investigation process after a breach, documents such as the ‘chain of custody’ are playscripts that dictate how the evidence is handled and documented to ensure that it stays ‘chain of custody’. Another of the playbooks is “Protecting and Preserving Evidence”, which is all about dealing with evidence that may well be lost for good if the device’s power button is pressed. Another consideration is the handling of evidence, and particularly how it can be protected from contamination; this can be achieved through copying of data as required. They guarantee that investigations are well done, that the evidence will not be tampered with, and that certain policies are complied with.