Security Information and Event Management (SIEM) Definition
Security Information and Event Management (SIEM) is a term coined in 2005 by Gartner analysts. They defined it to describe a group of emerging products that combined the functionality of Security Information Management (SIM) and Security Event Management (SEM) tools. While these can be deployed separately, it is common to find them combined in SIEM technology solutions. SIEM tools and solutions use automation to collect security data from across an organization and then analyze it to spot patterns or anomalies that might be indicators of compromise.
SIEM security solutions are available in various configurations from cyber security vendors. Examples include technology-only solutions, technology solutions with administrative management services, and complete managed IT event processing and alerting services.
SIEM tools form a part of the broader set of tools available in the network and cyber security space. They provide an overall view of the network and application security. If appropriately deployed, and just as importantly managed and used correctly, a SIEM system can identify cyber-attacks, breaches, and data exfiltration events in real-time.
Organizations that have large in-house IT security teams and are interested in additional prioritization of investigations may be well-served by SIEM solutions. They do require a high level of expertise and interaction with security analysts to be effective. They are not tools that can be deployed and ignored. Note that many managed SIEM vendors require the purchase of specific technology products rather than leveraging your existing investments. Many organizations find that the overhead and resources needed to tune a SIEM deployment are significant. Many use outsourcing for business operations and are increasingly adopting the same practice for their security operations. LifeSpan Biosciences calculated the cost of operating a SIEM themselves, and then purchased Critical Insight's Managed Detection and Response (MDR) instead as a more cost-effective security monitoring solution backed by industry-leading cyber security expertise (a case study is available here).
How Does SIEM Work?
SIEM solutions have tools that perform different tasks and roles, often managed via a single console. Together they provide data aggregation and consolidation for security-related events. They then analyze this data to identify cyber threats, security issues, or potential regulatory & compliance violations. The offerings vary across vendors, but most provide the following:
Log Management - SIEM solutions capture, aggregate, and perform normalization of network and application event log data from many sources across an organization's IT infrastructure across on-premise and Cloud deployments. In addition to traditional event data, there is increasing use of flow data to get a picture of the overall state, without the overhead of full network packet capture and analysis, with the latter being an option. The data is collected from logs on user management systems, servers, network equipment (firewalls, routers, load balancers, intrusion detection systems, and other security devices), user events, cloud sessions, endpoints, and endpoint software antivirus and anti-malware tools, plus other enterprise security infrastructure. This data gives IT admin and cyber security teams a unified overview of the current state of the infrastructure.
Event Analytics - uses event correlation to group events and associated data into meaningful sets that are known to correspond to a security threat. This is done using statistical models, security analytics, and often machine learning to spot deep trends. Some solutions include User and Entity Behavior Analytics (UEBA) to analyze abnormal user behavior (like using a new IP address and multiple failed login attempts) that might indicate someone using leaked or stolen user credentials. The models and rules within SIEM systems need tuning to match the environment under protection to reduce false positives and security alert fatigue.
Monitoring - consolidate security data from across the whole IT environment in the Cloud, on-premise, and endpoints to give incident monitoring across the entire infrastructure.
Security Alerting - automate alerts on anomalies, known risks, and any suspicious behavior to let cyber security teams know in real-time of a potential or actual cyber-attack.
Threat Discovery - many SIEM solutions also allow queries to be run against historical data to search for indicators of compromise. This ability complements the real-time protections that are in place and is useful for checking for attacks that may have occurred and have been undiscovered in the past. For example, to see if newly discovered malware and their attack patterns have occurred on the network.
Intelligence Feeds - SIEM solutions can often subscribe to real-time threat intelligence feeds to allow for rapid alerting and threat detection of new and emerging threat vectors.
Compliance Management - ensure compliance requirements of regulatory frameworks such as HIPAA, SOX, PCI DSS, GDPR, CCPA, and others.
Comprehensive Dashboards - dashboards with status visualizations to show the current security posture of the network and applications. Provide C-level and other executives with an easy-to-understand overview of the current enterprise security situation and any security incidents that have occurred.
Comprehensive Reporting - working hand in hand with the dashboards, most SIEM software can provide extensive reporting. Organizations can use this for compliance reporting for regulators and auditors, and internal reporting for executives, IT teams, and other decision-makers.
What Are the Use Cases for SIEM?
There are many use cases for SIEM solutions. Typically they include those in the list below. Some of these have already been mentioned:
Security Monitoring - provide both real-time monitoring for security incidents and also long-term monitoring over time. As SIEM solutions have access to so many data sources, they are well placed to correlate this information and be the hub of an organization's security strategy and posture. Some people build a security operations center (SOC) around their chosen SIEM solution toolset if they have a dedicated in-house cyber security team.
Advanced Threat Protection - SIEM solutions bring expert-level monitoring for advanced threats. These include protections against insider threats, unauthorized data exfiltration (large data transfers are typical of the first stage of a ransomware attack), and persistent external threats that indicate that cybercriminals are targeting your organization.
Incident Response & Forensics - SIEM solutions detect and alert when an attack is progressing. built into some of the tools can often help analyze the attack type and suggest actions to stop it from progressing. Forensic analysis tools within SIEM allow historical data to be searched for past breaches and report on what the cybercriminals accessed.
Compliance & Audit Reporting - Compliance management is a core part of many organization's operations as they need to adhere to the regulations that apply to their sector. SIEM tools can ensure that IT systems are compliant. The reporting capabilities in SIEM can also help organizations prepare audit reports to demonstrate compliance and good security practices.
MDR as an Alternative to Deploying SIEM
SIEM solutions provide a lot of cyber security functionality for organizations. However, they are not an "install and forget about it" solution to the ever-increasing threat landscape and criminals targeting IT systems. SIEM systems require continual management and tweaking to keep them in optimal shape to provide monitoring and defenses. This is a full-time job for dedicated cyber security experts. It can't be a part-time role assigned to general IT staff who then do it alongside their other IT functions.
Building and retaining an expert-level cyber security team to manage a SIEM deployment is an expensive undertaking, and it can be difficult to find people to hire. If you find and hire the required experts, it can be hard to retain them as they get more experience and their value in the marketplace increases.
Some organizations have realized this and have looked to outsource their SIEM to dedicated security managed service providers. This has some benefits, but it sometimes results in a confusion of responsibilities, with no one party being “in charge,” which can lead to problematic outcomes. Additionally, with what’s being called, “co-managed SIEM,” organizations are finding a long time-to-maturity, sometimes more than a year. They continue to need highly skilled security employees in-house, as well as higher budgets.
A better and more comprehensive solution is purchasing an end-to-end managed detection and response (MDR) solution instead of a particular SIEM. Doing so places all the decision-making around tools with the experts in the MDR provider, as well as the task of configuring, monitoring, and analyzing all events and security incidents that occur. Critical Insight’s Managed Detection and Response solution is the ideal hassle-free alternative to self-hosted or managed service SIEM. And, Critical Insight provides Incident Response services should you need it to respond to an attack