SIEM - Security Information and Event Management
Security information and event management (SIEM) is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system.
The underlying principles of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEM products have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR).
The acronyms SEM, SIM and SIEM have sometimes been used interchangeably, but generally refer to the different primary focus of products:
- Log management: Focus on simple collection and storage of log messages and audit trails.
- Security information management (SIM): Long-term storage as well as analysis and reporting of log data.
- Security event manager (SEM): Real-time monitoring, correlation of events, notifications and console views.
- Security information event management (SIEM): Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.
- Managed Security Service (MSS) or Managed Security Service Provider (MSSP): The most common managed services appear to evolve around connectivity and bandwidth, network monitoring, security, virtualization, and disaster recovery.
- Security as a service (SECaaS): These security services often include authentication, anti-virus, anti-malware/spyware, intrusion detection, Penetration testing and security event management, among others.
Today, most of SIEM technology works by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.
Some of the most important features to review when evaluating Security Information and Event Management software are:
- Integration with other controls: Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?
- Artificial intelligence: Can the system improve its own accuracy by through machine and deep learning?
- Threat intelligence feeds: Can the system support threat intelligence feeds of the organization's choosing or is it mandated to use a particular feed?
- Robust compliance reporting: Does the system include built-in reports for common compliance needs and the provide the organization with the ability to customize or create new compliance reports?
- Forensics capabilities: Can the system capture additional information about security events by recording the headers and contents of packets of interest?
Suppliers SIEM - Security Information and Event Management
F.A.Q about SIEM - Security Information and Event Management
Why is SIEM Important?
SIEM has become a core security component of modern organizations. The main reason is that every user or tracker leaves behind a virtual trail in a network’s log data. SIEM software is designed to use this log data in order to generate insight into past attacks and events. A SIEM solution not only identifies that an attack has happened, but allows you to see how and why it happened as well.
As organizations update and upscale to increasingly complex IT infrastructures, SIEM has become even more important in recent years. Contrary to popular belief, firewalls and antivirus packages are not enough to protect a network in its entirety. Zero-day attacks can still penetrate a system’s defenses even with these security measures in place.
SIEM addresses this problem by detecting attack activity and assessing it against past behavior on the network. A security event monitoring has the ability to distinguish between legitimate use and a malicious attack. This helps to increase a system’s incident protection and avoid damage to systems and virtual property.
The use of SIEM also helps companies to comply with a variety of industry cyber management regulations. Log management is the industry standard method of auditing activity on an IT network. SIEM management provides the best way to meet this regulatory requirement and provide transparency over logs in order to generate clear insights and improvements.
Evaluation criteria for security information and event management software:
- Threat identification: Raw log form vs. descriptive.
- Threat tracking: Ability to track through the various events, from source to destination.
- Policy enforcement: Ability to enforce defined polices.
- Application analysis: Ability to analyze application at Layer 7 if necessary.
- Business relevance of events: Ability to assign business risk to events and have weighted threat levels.
- Measuring changes and improvements: Ability to track configuration changes to devices.
- Asset-based information: Ability to gather information on devices on the network.
- Anomalous behavior (server): Ability to trend and see changes in how it communicates to others.
- Anomalous behavior (network): Ability to trend and see how communications pass throughout the network.
- Anomalous behavior (application): Ability to trend and see changes in how it communicates to others.
- User monitoring: User activity, logging in, applications usage, etc.