What is SIEM?
The term SIEM was coined in 2005 by Amrit Williams and Mark Nicolett of Gartner as an acronym for Security Information and Event Management. The newly introduced term was actually a combination of two other acronyms describing common cybersecurity methodologies:
- Security information management (SIM) is the process of collecting, monitoring and analyzing security-related data from automatically generated computer logs.
- Security event management (SEM) is the process of centralizing computer log data from multiple sources (systems, endpoints, applications, and services) to improve detection of events and to manage those events through a formalized incident response process.
SIEM software tools and products combine the capabilities of SIM and SEM tools into a comprehensive solution for cybersecurity. Typical functions of a SIEM software tool include:
- Collecting, analyzing and presenting security-related data
- Real-time analysis of security alerts
- Logging security data and generating reports
- Identity and access management
- Log auditing and review
- Incident response and security operations
SIEM for Beginners
As IT organizations grow in size, they deploy more hardware and more applications which produce an ever-increasing volume of computer logs. Enterprise IT security consists of several different applications, working in tandem to protect against different types of attacks. These include malware detection applications, a network intrusion detection system (NIDS), network intrusion prevention system (NIPS), data loss protection, endpoint security applications and more.
Each of these security applications monitors a few specific types of security threats, but none of them provides 100% coverage. Your intrusion detection system can only read packets, protocols and IP addresses because its function is to detect unauthorized users or suspicious packet activity on the network. Your endpoint security can only monitor files, usernames and hosts. Meanwhile, your service logs reveal things like user logins, service activities and configuration changes.
SIEM software tools act as a management and integration layer that sits on top of your existing systems infrastructure and security software tools. SIEM software tools collect and integrate all of the computer-generated log data that is captured by each application, service, or security tool in the system, displaying the resulting data in a human readable format and facilitating real-time threat detection and event management functions.
SIEM software tools connect all of the most important security data from the applications that protect your business, enabling your organization to respond more quickly to security events.
How Do SIEM Tools Work?
SIEM tools combine all of the most important features of log management applications, SIM software tools and SEM tools into a single, robust enterprise security solution. SIEM delivers superior incident response and enterprise security outcomes through a number of key capabilities, including:
- Data collection - SIEM tools aggregate event and system logs and security data from a variety of sources and applications in one place.
- Correlation - SIEM tools use a variety of correlation techniques to link together bits of data with common attributes and help turn that data into actionable information for SecOps teams.
- Alerting - SIEM tools can be configured to automatically alert SecOps or IT teams when predefined signals or patterns are detected that might indicate a security event.
- Data retention - SIEM tools are designed to store large volumes of log data over long periods of time, ensuring that security teams can correlate data over time and enabling forensic investigations into threats or cyber attacks that may initially have gone undetected.
- Forensic analysis - SIEM tools make it easier for organizations to parse through logs that might have been created weeks or even months ago. Parsing, log normalization and categorization are additional features of SIEM tools that make logs more searchable and help to enable forensic analysis, even when there are millions of log entries to sift through.
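To make the collection, normalization, correlation and alerting steps above concrete, here is a small Python pipeline added as an illustration (it is not code from the original page or from any SIEM product). The log formats, IP addresses and the detection rule are constructed for the example: it parses sshd and firewall lines into one schema, groups events by source IP, and raises an alert when repeated authentication failures are followed by a success from the same IP that the firewall also shows reaching port 22.

```python
import re
from collections import defaultdict
# Constructed sample lines in two formats (sshd syslog and a key=value firewall log); not real captures.
RAW_LOGS = [
    "Mar 10 09:01:02 bastion sshd[4101]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "Mar 10 09:01:05 bastion sshd[4101]: Failed password for admin from 203.0.113.7 port 51023 ssh2",
    "Mar 10 09:01:09 bastion sshd[4101]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "Mar 10 09:01:15 bastion sshd[4102]: Accepted password for admin from 203.0.113.7 port 51025 ssh2",
    "fw: action=allow src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp",
    "fw: action=deny src=198.51.100.9 dst=10.0.0.5 dport=3389 proto=tcp",
    "Mar 10 09:02:00 bastion sshd[4103]: Failed password for bob from 198.51.100.9 port 40001 ssh2",
]

SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"fw: action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def normalize(line):
    """Parse one raw line into a common schema (the SIEM normalization step); unknown formats return None."""
    m = SSHD_RE.search(line)
    if m:
        return {"source": "sshd", "src": m["src"], "user": m["user"],
                "event": "auth_success" if m["outcome"] == "Accepted" else "auth_failure"}
    m = FW_RE.search(line)
    if m:
        return {"source": "firewall", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "event": "fw_" + m["action"]}
    return None

def correlate(events, threshold=3):
    """Rule: >= threshold auth failures then a success from one IP, corroborated by a firewall allow to port 22."""
    by_src = defaultdict(list)
    for ev in events:                       # link events from different tools by a shared attribute
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        failures, success_after_failures = 0, False
        for ev in evs:                      # input order is kept, so "followed by" is honoured
            if ev["event"] == "auth_failure":
                failures += 1
            elif ev["event"] == "auth_success" and failures >= threshold:
                success_after_failures = True
        fw_allowed_ssh = any(e["event"] == "fw_allow" and e.get("dport") == 22 for e in evs)
        if success_after_failures and fw_allowed_ssh:
            alerts.append({"rule": "brute_force_then_success", "src": src, "failures": failures})
    return alerts

def run_pipeline(lines=RAW_LOGS):
    # Collect -> normalize -> correlate -> alert, over the constructed sample.
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(events)
```

In a real deployment the same structure applies, but the normalized events would also carry timestamps so the rule can bound the failure window, and the retained events are what later forensic searches run over.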
What are SIEM Use Cases?
- SIEM and Compliance - SIEM software tools can streamline the compliance process for organizations whose industry is affected by data security and privacy compliance regulations. One example is compliance with the PCI DSS, a set of data security standards for merchants that collect credit card information from their customers. With SIEM tools, organizations can monitor network access and transaction logs within the database to verify that there has been no unauthorized access to customer data.
- SIEM and Incident Response - SIEM software tools can play an important role in increasing the efficiency and timeliness of incident response activities. When a breach is detected, SecOps teams can use SIEM software to quickly identify how the attack breached enterprise security systems and what hosts or applications were affected by the breach. SIEM tools can even respond to these attacks through automated mechanisms.
- SIEM and Vulnerability Management - Vulnerability management is an ongoing process of proactively testing your network and IT infrastructure to detect and address possible entry points for cyber attacks. SIEM software tools are an important data source for discovering new vulnerabilities, along with network vulnerability testing, staff reports, and vendor announcements.
- SIEM and Threat Intelligence - Threat intelligence can be described as the analysis of internal and external cyber threats that could affect your business. As cyber attacks become more sophisticated, there is a growing need for organizations to collaborate closely in their cyber security efforts to reduce their vulnerability to both advanced persistent threats (APTs) and zero-day threats. SIEM software tools provide a framework for collecting and analyzing log data that is generated within your application stack, but what SIEM tools do not provide is a means of proactively discovering external threats. Organizations can gather some of their threat intelligence from a SIEM software tool, but should also collaborate with others to proactively understand and address external threats.
SIEM vs Security Analytics
In the modern cloud-based computing environment, SIEM tools are no longer the best option for organizations that wish to secure their applications and IT infrastructure against cyber attackers. SIEM tools were more appropriate for monitoring the security status of large, monolithic applications, but today these have been replaced by cloud-based apps that function as a collection of frequently-updated micro-services. With micro-services being started up and retired regularly, the rules-based alert system of SIEM tools simply cannot keep up.
Organizations that previously depended on SIEM have now adopted cloud-based security analytics tools such as Sumo Logic, which offer lower implementation costs, shorter time to deployment and a more sophisticated and modern approach to enterprise security and data analysis.