SIEM – A Detailed Explanation

RapidVPN/ March 6, 2020/ Blog/

SIEM products and services combine Security Information Management (SIM) and Security Event Management (SEM). SIEM is sold as software and is used to log security data or to generate reports for different compliance purposes.

SIEM evolved from several earlier technologies.

These include:

  • SLM/SEM (Security Log/Event Management) – aimed at security analysts. Its focus is separating the log entries that matter to security from the rest.
  • SEC (Security Event Correlation) – if, for example, three failed login attempts occur from three different clients, that is a sequence of events that should be examined through log correlation, so that an alert is raised when the pattern occurs.
  • SIM (Security Information Management) – something like an asset management system, but with features for bringing together specific security information.
  • SIEM (Security Information and Event Management) – the product that combines all of the above.
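The correlation scenario above, as an added example that is not part of the original post: a small rule that normalises constructed sshd-style log lines and raises one alert per user when failed logins arrive from three distinct sources inside a five-minute window. The log format, the threshold and the window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout; not taken from any real system.
SAMPLE_LOGS = """\
2020-03-06T09:00:01 auth sshd: Failed password for alice from 10.0.0.5
2020-03-06T09:00:07 auth sshd: Failed password for alice from 10.0.0.6
2020-03-06T09:00:12 auth sshd: Failed password for alice from 10.0.0.7
2020-03-06T09:00:20 auth sshd: Accepted password for bob from 10.0.0.9
2020-03-06T09:15:00 auth sshd: Failed password for bob from 10.0.0.5
2020-03-06T09:40:00 auth sshd: Failed password for bob from 10.0.0.6
2020-03-06T09:41:00 auth sshd: Failed password for bob from 10.0.0.7
"""

# Assumed line layout: "<iso-timestamp> <host> sshd: Failed password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_failed_logins(text):
    """Normalise raw lines into (timestamp, user, source) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events

def correlate_failed_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Alert once per user when failures from `threshold` distinct sources fall within `window`."""
    per_user = defaultdict(list)
    for ts, user, src in sorted(events):
        per_user[user].append((ts, src))
    alerts = []
    for user, hits in per_user.items():
        for i, (start, _) in enumerate(hits):
            # Sources seen from this failure up to the end of the window
            distinct = {s for t, s in hits[i:] if t - start <= window}
            if len(distinct) >= threshold:
                alerts.append({"user": user, "sources": sorted(distinct),
                               "first_seen": start.isoformat()})
                break  # one alert per user is enough; avoid alert floods
    return alerts

if __name__ == "__main__":
    for alert in correlate_failed_logins(parse_failed_logins(SAMPLE_LOGS)):
        print(alert)
```

With the sample data only alice triggers the rule; bob's three failures span 26 minutes, so the window keeps them below the threshold.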

What exactly does a SIEM offer?

  • Data aggregation: collecting data from many sources, including servers, applications, databases, security devices, etc. Centralizing the data helps ensure that important events are not missed.
  • Alerting: automated analysis of events and alerts, in order to notify recipients of immediate issues. This may take the form of a dashboard.
  • Correlation: linking related events into meaningful bundles, turning raw data into useful information. It is usually a function of Security Event Management.
  • Compliance: applications automate the gathering of data and produce reports adapted to existing security requirements.
  • Dashboards: turning event data into informational charts in order to see patterns, or to spot a non-standard pattern.
  • Forensic analysis: the ability to search across logs on different nodes based on specific criteria.
  • Retention: long-term storage of data so that correlation over time is possible.

The most frequent question is: how does the SIEM work?

It collects data from devices, and even NetFlow records and raw packets, then uses the collected data to provide insight into what is happening on the network.

By presenting the data for events occurring across the network, it acts as a centralized security monitoring system. It can also be tuned to recognize specific incidents.

Log Collection is the core of a SIEM: the more logs are sent to the SIEM, the more can be done with it. Those logs are used so that their content can be understood within the context of somebody's business, and their true value lies in correlating them to obtain actionable information. What does a log record cover? Here is a list: error conditions, configuration changes, policy changes, incident alerts, unauthorized use of resources, user behavior patterns, clearing of sensitive data, etc. There are two ways in which logs are fetched into the SIEM: agent-based and non-agent-based.

There are some ingredients that you will need in order to have a good SIEM Deployment, and those include:

Logs and Alerts: Intrusion Detection, Routers, Data Loss Prevention, Endpoint Security, VPN Concentrators, Web Filters, Honeypots, Databases, Firewalls, Intranet Applications.

Infrastructure Information: Configuration, Locations, Owners, Network Maps, Vulnerability Reports.

The benefits of using SIEM include increased efficiency, reduced impact of security breaches, reduced costs, IT compliance, log analysis and prevention of potential security threats.

Identifying breaches early ensures that an organization suffers only minor impact, or none at all.

The SIEM market has several dominant vendors based on worldwide sales, specifically IBM, Splunk and HPE, as well as Intel, LogRhythm, Micro Focus and Trustwave.

The main reason companies need SIEM systems is to monitor logs and report malicious events: most organizations generate far too much event data for any human to make sense of.

A SIEM's ability to filter through all of that data and surface only the most dangerous security issues is a major differentiator; it makes security more manageable. A SIEM also plays an important role in several compliance regulations.

Many companies use only the threat intelligence feed or feeds included with the SIEM product. However, commercial feeds from third parties are also available, and they are valuable because research shows that their content does not overlap to a high degree. The more information a SIEM has about security threats, the more likely it is to detect them.

Many SIEM systems go beyond the basics to incorporate advanced features and capabilities. Two, in particular, are User and Entity Behavior Analytics (UEBA) and Security Orchestration Automation and Response (SOAR).

UEBA works on the principle that if a user usually logs in every weekday between 9 a.m. and 9:30 a.m. and logs off around 5 p.m., it would be very suspicious if that user started logging in at 3 a.m. from a high-risk IP address.
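The UEBA idea above worked through, as an added example that is not part of the original post: a per-user baseline built from a constructed login history, and a scoring function that flags a login whose hour deviates from the norm, whose source is new, or whose source falls in an analyst-tagged high-risk range. The history, the risky prefix list and the scoring weights are assumptions for illustration.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed login history for one user: (ISO timestamp, source IP). Not real data.
HISTORY = [
    ("2020-03-02T09:05:00", "203.0.113.10"),
    ("2020-03-03T09:12:00", "203.0.113.10"),
    ("2020-03-04T09:02:00", "203.0.113.11"),
    ("2020-03-05T09:20:00", "203.0.113.10"),
    ("2020-03-06T09:08:00", "203.0.113.10"),
]
# Assumed: address prefixes an analyst has tagged as high-risk (constructed).
RISKY_PREFIXES = ("198.51.100.",)

def _hour_of(ts):
    """Login time as a fractional hour of the day, e.g. 09:30 -> 9.5."""
    t = datetime.fromisoformat(ts)
    return t.hour + t.minute / 60

def build_baseline(history):
    """Summarise a user's usual login hour and the source addresses seen before."""
    hours = [_hour_of(ts) for ts, _ in history]
    # Floor the spread at 15 minutes so a very regular user does not make every
    # small shift look extreme.
    return {"mean_hour": mean(hours), "sd_hour": max(pstdev(hours), 0.25),
            "known_sources": {src for _, src in history}}

def score_login(baseline, ts, src, hour_sigma=3.0):
    """Return (score, reasons); each deviation from the baseline adds to the score."""
    score, reasons = 0, []
    hour = _hour_of(ts)
    # Simple distance in hours; does not wrap around midnight, fine for a 9 a.m. baseline.
    z = abs(hour - baseline["mean_hour"]) / baseline["sd_hour"]
    if z > hour_sigma:
        score += 2
        reasons.append(f"login hour {hour:.2f} is {z:.1f} sd from the usual time")
    if src not in baseline["known_sources"]:
        score += 1
        reasons.append(f"never-seen source {src}")
    if src.startswith(RISKY_PREFIXES):
        score += 2
        reasons.append(f"source {src} is in a high-risk range")
    return score, reasons

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(score_login(base, "2020-03-09T09:10:00", "203.0.113.10"))
    print(score_login(base, "2020-03-09T03:00:00", "198.51.100.7"))
```

A zero score is the usual weekday login; the 3 a.m. login from the high-risk range accumulates all three reasons, which is the kind of combined deviation the text calls very suspicious.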

SOAR, on the other hand, heralds the next generation of SIEM systems, with the ability not only to issue alerts but to respond by automatically carrying out actions that mitigate the threat.

To sum up, SIEM allows IT teams to collect security event data from multiple sources in one place. An alert from an antivirus filter on its own may not cause alarm, but when traffic anomaly alerts arrive as well, together they could signify a breach in progress. Because the SIEM collects all of these alerts, it allows fast and thorough analysis.

Source: Varonis, Exabeam