Security information and event management (SIEM, pronounced “sim”) systems combine the features and functionality of two existing security systems:
- Security Information Management (SIM): Log data collection, analysis, and report generation
- Security Event Management (SEM): Event correlation, threat detection, and incident response from log and event data
By combining the functions of SIM and SEM, SIEM becomes a single solution for collecting and analyzing log and event data to identify trends, anomalies, vulnerabilities, and security incidents. It can also support security personnel in responding to these incidents.
SIEM systems are available in a variety of different form factors.
An organization can purchase a SIEM as a physical appliance, as a virtualized appliance hosted either on-prem or in the cloud, or as a managed service.
How Does a SIEM Work?
A SIEM performs data analytics on enterprise security data. It consumes a mass of alert and event data and distills it into a collection of curated and prioritized alerts for further investigation.
SIEMs accomplish this transformation through these four steps:
- Data Collection: A SIEM’s effectiveness depends heavily on the data that it has access to. SIEMs will automatically ingest log and event data from across an organization’s IT infrastructure and store this data for analysis and historical lookbacks.
- Data Normalization: The data that SIEMs ingest and store comes from a variety of different places and is stored in multiple different formats. The SIEM system automatically normalizes the data that it receives and aggregates different data sources to provide more contextual information for different events.
- Data Analysis: SIEM systems process the data that they collect using a collection of predefined rules and data analytic techniques. This enables it to identify both known threats – such as malware matching a signature or a series of failed login events – and anomalies or trends that may indicate an attack.
- Alert Generation: Based on its analysis of the collected data, a SIEM can generate alerts to notify the security team about potential incidents and attacks. The SIEM can help security analysts to investigate a potential incident by providing responses to queries or additional analysis on request.
Benefits of a SIEM Solution
Most security teams suffer from an overwhelming deluge of data. Instead of lacking visibility into their environments and insight into what is going on, they have more data than they can handle.
SIEMs fix this problem by automating the data collection and analysis process. This provides a number of benefits to an organization, including:
- Increased Efficiency: Enterprise IT infrastructure and security architectures are very complex, making manual log collection, normalization, and analysis impossible. With SIEM, all of this functionality is automated, enabling security personnel to simply query the data stored within the SIEM.
- Faster Threat Detection: SIEM solutions automatically collect, aggregate, and analyze data from across the enterprise network. This enables them to quickly identify potential security incidents and alert security personnel. By lowering time to respond, SIEMs decrease the cost and impact of successful intrusions and attacks.
- Reduced Alert Volumes: The average security operations center (SOC) sees over ten thousand alerts per day but can only effectively investigate a small fraction of them. A SIEM acts as a filter on these alerts, combining related ones and weeding out probable false positives. This enables security personnel to focus their limited time, attention, and resources on the events most likely to be actual security incidents.
- Support for Threat Hunting: Some cyberattackers successfully gain access to an organization’s systems without being detected or blocked by security solutions. To identify and remediate these intrusions, security analysts need to proactively search for threats resident on their systems. SIEMs support these threat hunting efforts by collecting data that could help with identifying an intrusion, making it available to threat hunters in response to queries, and providing access to data analytic functionality.
- Improved Log Retention: Organizations may be required to retain log and event data for a certain period of time due to regulatory requirements or corporate policy. However, individually configuring every corporate system to store these logs in accordance with policy is inefficient and prone to errors. A SIEM solution can store all necessary log data in a single location where policies can be enforced and modified with minimal overhead.
- Regulatory Compliance: Companies are required to comply with a growing number of data protection regulations. A common requirement for compliance is the ability to demonstrate that sensitive data is properly protected from unauthorized access. A SIEM’s database of log and event data makes it easy to demonstrate that sensitive data has not been inappropriately accessed or to determine the scope and impact of a potential data breach.
Top SIEM Solutions
Organizations looking for a SIEM solution have a number of options to choose from.
Some of the most widely used SIEMs include:
- Splunk: Splunk is a leading SIEM solution that is available as software. It is one of the most widely used SIEM solutions, and many security products include native integrations for Splunk to support easy deployment.
- LogRhythm: LogRhythm is a great SIEM solution for smaller organizations. It is available for both on-prem and cloud-based deployments.
- Sumo Logic: Sumo Logic is a cloud-native SIEM platform. It offers a subscription-based model that allows pricing and usage to scale to an organization’s needs.
Any of these solutions can meet an organization’s SIEM needs. However, it is important to know that a SIEM is only as good as the data that it has access to.
While a SIEM may be the most visible part of an organization’s security toolkit, it needs to be fed and supported by a robust security infrastructure.
SIEM Solutions Provide Security Integration
Many organizations have deployed an array of point security products with little or no integration. This type of disaggregated and disconnected security infrastructure is difficult to monitor and operate, slowing incident detection and response.
SIEM solutions can pull data from a variety of different point security products and aggregate it into a single, usable data set. This data set can then be used to generate alerts for security personnel and for incident investigation and threat hunting.
An effective SIEM provides an organization with the best of both worlds with regard to point security products and security integration. A single solution simplifies incident detection and response, while the ability to deploy best of breed point security solutions ensures that organizations have visibility and protection for a wide range of cybersecurity threats.