SIEM Guide

What is SIEM?

Computers, network and security devices, and the applications that run on them generate records called logs that consist of a series of messages in time-sequence that describe activities going on within the system or network. Log data represents the digital footprints of activities that occur within the network or system. These data may be streamed to a central platform which can be reviewed to detect anomalous activities.

A Security Information and Event Management (SIEM) provides a single centralized platform for the collection, monitoring, and management of security-related events and log data from across the enterprise. Because a SIEM correlates data from a wide variety of event and contextual data sources, it can enable security teams to identify and respond to suspicious behavior patterns more effectively than would be possible by looking at data from individual systems.

The term SIEM was coined in 2005 by two Gartner analysts, Mark Nicolett and Amrit Williams, when they proposed a new security information system that combines the legacy Security Information Management (SIM) and Security Event Management (SEM). SIEM developed out of a necessity to deal with the barrage of alerts from events emanating from network security infrastructure such as firewalls, endpoint security, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), wireless access points, and other network devices that were overwhelming the IT department. By helping organizations aggregate and better analyze events inside the network, SIEM helps them improve threat detection.

How Does SIEM Work

SIEM software works by gathering log and event data generated by various network and security devices and applications such as IPS/IDS, firewalls, and antivirus applications within the organization, pulling them together into a single centralized platform. It then analyzes and sorts the collected data into groups or classifications such as failed logins, logins from unexpected regions or IP addresses, port scans, exploit attempts, and other malicious activities.

When an anomaly is found, the software triggers an alert and assigns a threat level based on predetermined rules. For example, someone trying to log into an account from an unusual location or IP address might be flagged as an anomaly. By monitoring the SIEM, security and incident response teams can spot activity that points to malicious behavior. The SIEM identifies potential threats by correlating assorted security-related events which, taken individually, would not necessarily provide attack indicators.

The security incident response team will determine the plausibility of the identified threats, and where necessary commence remediation measures. The SIEM application supports security teams in two main ways:

  • Produce reports on security-related incidents and events, such as successful and failed logins, malware activity, and other possibly malicious activities.
  • Send alerts if analysis shows that an activity runs against set baselines and rules and thus indicates a potential security issue.

Figure 1.0 Overview of SIEM solution key capabilities
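The steps just described (collect from several sources, normalize onto one schema, classify, correlate against predetermined rules, alert with a threat level) are easier to see in code. The following Python pipeline is an added example, not code from this guide or from any SIEM product. It reads two constructed log sources, an sshd authentication log and a firewall log; the host names, the IP addresses (documentation ranges), the log formats and the rule thresholds are all assumptions. Two rules run over the normalized events: a port-scan rule over firewall drops and a "repeated failures followed by a success" rule over logins. A final cross-source step raises the threat level when one source trips both rules, which is exactly the correlation neither log would reveal on its own.

```python
"""Toy SIEM pipeline: collect, normalize, classify, correlate, alert.
Added example, not the guide's own code; all hosts, IPs and log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs from two sources (hypothetical hosts, documentation IP ranges).
SSHD_LOG = """\
2024-03-01T09:00:01 bastion sshd[812]: Failed password for root from 203.0.113.9 port 50211 ssh2
2024-03-01T09:00:03 bastion sshd[812]: Failed password for root from 203.0.113.9 port 50212 ssh2
2024-03-01T09:00:05 bastion sshd[812]: Failed password for root from 203.0.113.9 port 50213 ssh2
2024-03-01T09:00:09 bastion sshd[812]: Accepted password for root from 203.0.113.9 port 50214 ssh2
2024-03-01T09:05:00 bastion sshd[900]: Accepted publickey for alice from 192.0.2.10 port 41000 ssh2
"""
FIREWALL_LOG = """\
2024-03-01T08:59:50 fw01 DROP SRC=203.0.113.9 DST=10.0.0.5 DPT=22
2024-03-01T08:59:50 fw01 DROP SRC=203.0.113.9 DST=10.0.0.5 DPT=23
2024-03-01T08:59:51 fw01 DROP SRC=203.0.113.9 DST=10.0.0.5 DPT=80
2024-03-01T08:59:51 fw01 DROP SRC=203.0.113.9 DST=10.0.0.5 DPT=443
2024-03-01T08:59:52 fw01 DROP SRC=203.0.113.9 DST=10.0.0.5 DPT=3389
2024-03-01T08:59:52 fw01 ACCEPT SRC=192.0.2.10 DST=10.0.0.5 DPT=22
"""

# One parser per source; each maps its own format onto the shared event schema.
SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"\S+ for (?P<user>\S+) from (?P<src>\S+) port")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DROP|ACCEPT) "
                   r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)")


def normalize(source, line):
    """Parse one raw line into the common schema (ts, host, src_ip, user, category) or None."""
    if source == "sshd" and (m := SSHD_RE.match(line)):
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "src_ip": m["src"],
                "user": m["user"],
                "category": "auth_failure" if m["result"] == "Failed" else "auth_success"}
    if source == "firewall" and (m := FW_RE.match(line)):
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "src_ip": m["src"],
                "user": None, "dst_port": int(m["dpt"]),
                "category": "fw_drop" if m["action"] == "DROP" else "fw_accept"}
    return None  # unparsable lines are skipped here; a real SIEM would count them


def collect(sources):
    """Normalize every line of every source and return the events in time order."""
    events = [ev for name, text in sources.items()
              for line in text.splitlines() if (ev := normalize(name, line))]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, fail_threshold=3, scan_ports=5, window_s=60):
    """Apply predetermined rules; every alert carries a threat level (severity)."""
    alerts = []
    # Rule 1: port scan - one source is dropped on >= scan_ports distinct ports within window_s.
    drops = defaultdict(list)
    for e in events:
        if e["category"] == "fw_drop":
            drops[e["src_ip"]].append(e)
    for src, evs in drops.items():
        for i, first in enumerate(evs):
            ports = {x["dst_port"] for x in evs[i:]
                     if (x["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(ports) >= scan_ports:
                alerts.append({"rule": "port_scan", "severity": "medium",
                               "src_ip": src, "ports": sorted(ports)})
                break
    # Rule 2: >= fail_threshold failed logins, then a success, same user and source, inside window_s.
    fails = defaultdict(list)
    for e in events:
        key = (e["src_ip"], e["user"])
        if e["category"] == "auth_failure":
            fails[key].append(e["ts"])
        elif e["category"] == "auth_success":
            recent = [t for t in fails[key] if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= fail_threshold:
                alerts.append({"rule": "brute_force_success", "severity": "high",
                               "src_ip": e["src_ip"], "user": e["user"], "failures": len(recent)})
    # Cross-source correlation: a source that trips both rules is escalated to critical.
    rules_by_src = defaultdict(set)
    for a in alerts:
        rules_by_src[a["src_ip"]].add(a["rule"])
    for a in alerts:
        if {"port_scan", "brute_force_success"} <= rules_by_src[a["src_ip"]]:
            a["severity"] = "critical"
    return alerts


def run_pipeline():
    """Collect from both constructed sources and return the alerts the rules produce."""
    return correlate(collect({"sshd": SSHD_LOG, "firewall": FIREWALL_LOG}))


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Run as-is, the pipeline emits two alerts for 203.0.113.9, a port scan and a brute force that ended in a successful root login, both escalated to critical because the same source appears in both; alice's key-based login from 192.0.2.10 matches no rule. The normalization step is what makes the cross-source join possible: both parsers emit the same `src_ip` field, so a rule never needs to know which device produced the event.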

Why is SIEM Important?

Security is achieved via a combination of prevention, detection, and response efforts. Today’s cyber attacks are more sophisticated than ever. Prevention is where we first saw mass-market security products and services. Traditional methods of preventing attacks, such as firewalls and antivirus, are no longer enough. Nowadays, most security failures are failures of detection and response rather than of prevention. Intrusion Detection and Prevention Systems (IDS/IPS) alone won’t be able to detect or prevent potential attacks, which is why a SIEM is so essential. A SIEM solution is a great way for organizations to manage their cybersecurity issues, especially in the following areas:

Incident detection: A SIEM solution uses correlation techniques and behavior analytics to detect threats and malicious activities in a network. It analyzes the log entries from a variety of sources to unravel incidents that otherwise can go unnoticed. Moreover, since it gathers events from sources across the network, the system can correlate and reconstruct the security events and log entries to identify signs of malicious activity.

While a network IPS/IDS, firewalls, or antivirus might detect and prevent some malicious activities and attacks, a SIEM system can determine if, for example, a host on a network was infected with a spambot which then caused it to send unsolicited bulk email spam messages. A SIEM is focused on detecting activities associated with an attack rather than the attack itself. If the SIEM detects any activity involving a known threat, it can then take action by communicating with and directing other network security devices, such as firewalls, to block or terminate those malicious activities and proactively prevent an attack from occurring. This significantly improves the efficiency of incident handling.

Insider threat mitigation: Conventional security measures tend to focus more on external threats. But there are also malicious threats that emanate from inside the organization; these are known as insider threats. Insider threats can prove even more difficult to detect or predict than external threats.

The good news is that SIEMs can be configured to monitor and keep a continuous record of user behaviors, privileged and service accounts usage patterns, among others, and create alerts. This is made possible via a modern technique called User and Entity Behavior Analytics (UEBA). UEBA works by aggregating data about the behaviors of users which can then be analyzed for anomalies based on established baselines. Any deviation from established baselines can trigger an alert so your security team can investigate.

Regulatory compliance: Regulatory compliance is a big deal in business. Companies spend money where auditors and regulators compel them to, and failing compliance audits could attract hefty fines. It is a necessary but often complicated component of modern business. While the primary purpose of SIEM is to improve threat detection and incident response capabilities, SIEMs can be critically important in helping organizations meet regulatory requirements such as PCI DSS, FISMA, GLBA, SOX, HIPAA, and ISO 27001, and to establish proof that they are doing so.

With SIEMs, for example, organizations can easily streamline compliance reporting efforts through centralized logging. Each host that needs to have its logged security events included in reporting regularly transfers its log data to a SIEM server. A single SIEM server receives log data from many devices on the network and can generate rich customized reports that address all of the relevant information required by the various regulatory bodies.

Data collection and analytics: As organizations scale up their network infrastructure, the chance of losing complete visibility within the network increases. This indirectly creates “blind or dark spots” within the network. Cyber crooks like to hide in these dark corners to perpetrate their malicious activities.

SIEM solutions help organizations gain insight and visibility into what is going on in their networks. Security event data collected from across the network is then normalized (reformatted) for consistency, ease of correlation, and analysis. This helps to uncover malicious activities on the network, preventing bad actors from concealing their tracks.

Next-Generation SIEM

The landscape of cybersecurity is constantly changing, even as technology advances, and SIEM needs to evolve with it. Many modern threats are now capable of changing their behavior to evade detection. For a SIEM to be effective, it must remain relevant in the face of a changing threat landscape and modern network infrastructure. However, a traditional SIEM solution often lags behind in the face of these modern demands and lacks the capability to produce actionable information. Other issues such as inflexible data sets and a high number of false positives (a low signal-to-noise ratio), among others, contribute to limiting the effectiveness of traditional SIEMs. As a result, security teams may struggle to justify ongoing investment costs such as system management, integration of additional data sources, personnel training, and of course annual license renewal.

A modern SIEM should be responsive to today’s fluid network architecture and changing threat landscape, capturing data and generating information that security teams can use as intelligence to detect and respond to potential threats before any damage is realized. Given the limitations of traditional SIEM systems, a demand arose for tools that could provide actionable information while optimizing current and future security investments, and this gave rise to the emergence of next-generation SIEMs. Next-generation SIEM augments traditional capabilities such as event logging, pattern recognition, and alerting with modern technologies such as Security Orchestration Automation and Response (SOAR), User and Entity Behavior Analytics (UEBA), cloud-based analytics, machine learning, and artificial intelligence (AI).

SOAR is a growing area of security that next-generation SIEM providers are leveraging to help automate incident analysis and response procedures. Orchestration, which is at the core of SOAR technology, still involves people. However, there are parts that require automation. The fundamental human-centered decision process has to be aided by technology, and that’s what SOAR represents. With SOAR-enabled SIEMs, organizations can collect data about security threats from multiple sources and respond to low-level security events without human assistance. Such response activities could include disabling compromised user accounts or blocking ports or IP addresses on a firewall. SOAR also allows organizations to define incident analysis and response procedures in a digital workflow format; alerts from the SIEM can prioritize and drive standardized incident response activities.

The goal is to improve the efficiency of security operations and response activities. By automating routine actions, SOAR helps security teams to become more efficient and frees up their time for more demanding tasks. Next-generation SIEM can automate and prioritize actions that allow workflow and productivity improvements to organizational security. Positive impacts can be expected in any area in which actions can be orchestrated.
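The two preceding paragraphs describe a workflow with a specific shape: alerts are prioritized by the severity the SIEM assigned, low-level cases run a predefined playbook (block an IP, disable an account) without a person, and anything outside that envelope is handed to an analyst. The Python below is an added example, not code from this guide or from any SOAR product, that implements that shape. `FirewallClient`, `IdentityClient` and `Ticketing` are hypothetical stand-ins for the connectors a real deployment would call, and the playbook table, allow-list and protected-account list are assumed values. The important design point is that every guard (severity ceiling, allow-listed source, protected account, missing connector) is checked before any action runs, so a playbook never half-executes and then escalates.

```python
"""SOAR-style playbook runner: SIEM alerts enter a digital workflow that handles low-level
cases automatically and escalates everything else to a human. Added example, not the guide's
own code; FirewallClient, IdentityClient and Ticketing are hypothetical stand-ins for the
connectors a real deployment would use, and the playbook contents are assumptions."""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Alert:
    rule: str
    severity: str          # low / medium / high / critical, as assigned by the SIEM
    src_ip: str = ""
    user: str = ""


class FirewallClient:
    """Hypothetical connector; records the blocks it would push to the firewall API."""
    def __init__(self):
        self.blocked = set()

    def block_ip(self, ip):
        self.blocked.add(ip)
        return f"blocked {ip}"


class IdentityClient:
    """Hypothetical connector; records the accounts it would disable in the directory."""
    def __init__(self):
        self.disabled = set()

    def disable_account(self, user):
        self.disabled.add(user)
        return f"disabled {user}"


class Ticketing:
    """Hypothetical connector; opens a case for an analyst and returns its id."""
    def __init__(self):
        self.tickets = []

    def open(self, alert, note):
        self.tickets.append((alert, note))
        return len(self.tickets)


# Playbooks: per rule, the actions allowed and the highest severity still handled without a human.
PLAYBOOKS = {
    "port_scan": {"auto_max": "medium", "actions": ["block_ip"]},
    "brute_force_success": {"auto_max": "low", "actions": ["disable_account", "block_ip"]},
    "malware_detected": {"auto_max": "low", "actions": ["isolate_host"]},
}
ALLOWLIST_IPS = {"192.0.2.50"}              # e.g. the vulnerability scanner; never auto-block
PROTECTED_ACCOUNTS = {"break-glass-admin"}  # never auto-disable


def prioritize(alerts):
    """Order the queue so the SIEM's severity drives what is handled first."""
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a.severity], reverse=True)


class Orchestrator:
    def __init__(self, firewall, identity, ticketing):
        self.fw, self.idp, self.tickets = firewall, identity, ticketing
        self.audit = []  # every automated or escalated decision is recorded

    def _blockers(self, alert, playbook):
        """Reasons an alert must go to a person; all are checked before any action runs."""
        if SEVERITY_RANK[alert.severity] > SEVERITY_RANK[playbook["auto_max"]]:
            yield "severity above auto threshold"
        for action in playbook["actions"]:
            if action == "block_ip":
                if not alert.src_ip:
                    yield "no source IP to block"
                elif alert.src_ip in ALLOWLIST_IPS:
                    yield "source IP is allow-listed"
            elif action == "disable_account":
                if not alert.user:
                    yield "no account to disable"
                elif alert.user in PROTECTED_ACCOUNTS:
                    yield "protected account"
            else:
                yield f"no connector for {action}"

    def handle(self, alert):
        playbook = PLAYBOOKS.get(alert.rule)
        if playbook is None:
            return self._escalate(alert, "no playbook")
        reasons = list(self._blockers(alert, playbook))
        if reasons:
            return self._escalate(alert, "; ".join(reasons))
        done = []
        for action in playbook["actions"]:
            if action == "block_ip":
                done.append(self.fw.block_ip(alert.src_ip))
            elif action == "disable_account":
                done.append(self.idp.disable_account(alert.user))
        self.audit.append(("auto", alert.rule, done))
        return {"outcome": "auto", "actions": done}

    def _escalate(self, alert, reason):
        ticket = self.tickets.open(alert, reason)
        self.audit.append(("escalated", alert.rule, reason))
        return {"outcome": "escalated", "ticket": ticket, "reason": reason}
```

A typical use is `Orchestrator(FirewallClient(), IdentityClient(), Ticketing()).handle(alert)` for each alert in `prioritize(queue)`. A medium port scan from an unknown address is blocked automatically; the same rule fired by the allow-listed scanner, a high-severity brute force, or a rule with no connector all become tickets instead, and the `audit` list gives the analyst the full record of what the automation did and why.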

Another important feature of next-generation SIEMs is the use of UEBA technology. UEBA solutions use analytics to build standard profiles of the behavior of users and entities; activities that deviate from these baselines are then presented as suspicious. This is achieved by analyzing historical log data collected and stored in SIEM systems to identify patterns of traffic caused by user behavior, both normal and malicious. UEBA-enabled SIEM systems do not take action based on their findings; rather, they are primarily intended to provide security teams with actionable insights. UEBA-supported SIEMs can be hugely valuable to organizations in identifying compromised accounts, as well as insider threats. UEBA works by using advanced machine learning and behavioral profiling techniques to identify malicious actors and anomalous activities.
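The UEBA idea described here and in the insider-threat section above (aggregate each user's past behavior into a baseline, score new activity by how far it deviates, hand findings to the team rather than acting on them) can be shown with a small amount of statistics. The Python below is an added example, not code from this guide or from any UEBA product; the session history, the users, the weights and the alert threshold are all constructed. It profiles each account's usual countries, login hour and download volume, then scores new sessions with z-scores. It also handles the two edge cases a real deployment hits immediately: an account with no history yet (no baseline, so it is not scored) and a perfectly regular service account whose standard deviation is zero (a floor keeps the z-score finite).

```python
"""UEBA-style baselining and anomaly scoring over historical login events held in a SIEM.
Added example, not the guide's own code; users, countries and figures are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history of past sessions: (user, login_hour, country, MB downloaded).
HISTORY = [
    ("alice", 9, "US", 120), ("alice", 10, "US", 95), ("alice", 8, "US", 140),
    ("alice", 11, "US", 110), ("alice", 9, "US", 130), ("alice", 10, "US", 100),
    ("svc-backup", 2, "US", 5000), ("svc-backup", 2, "US", 5200), ("svc-backup", 2, "US", 4900),
    ("svc-backup", 2, "US", 5100), ("svc-backup", 2, "US", 5000), ("svc-backup", 2, "US", 5050),
]

# Constructed new sessions to score against those baselines.
NEW_EVENTS = [
    ("alice", 10, "US", 105),        # looks like every other alice session
    ("alice", 3, "RO", 2500),        # new country, 03:00, ~20x the usual volume
    ("svc-backup", 14, "US", 9000),  # service account active mid-day, pulling far more than usual
    ("bob", 9, "US", 50),            # no history yet, so no baseline to compare with
]

# Points added per deviation and the score at which a finding becomes an alert (assumed values).
WEIGHTS = {"new_country": 3.0, "unusual_hour": 2.0, "unusual_volume": 3.0}
ALERT_THRESHOLD = 4.0


def build_baselines(history):
    """Aggregate each user's past sessions into a profile of what is normal for that user."""
    by_user = defaultdict(list)
    for user, hour, country, mb in history:
        by_user[user].append((hour, country, mb))
    baselines = {}
    for user, rows in by_user.items():
        hours = [h for h, _, _ in rows]
        vols = [mb for _, _, mb in rows]
        baselines[user] = {
            "countries": {c for _, c, _ in rows},
            "hour_mean": mean(hours), "hour_std": pstdev(hours),
            "mb_mean": mean(vols), "mb_std": pstdev(vols),
            "sessions": len(rows),
        }
    return baselines


def zscore(value, mu, sigma, floor):
    """Standard deviations from the mean; the floor keeps a perfectly regular history
    (sigma == 0, e.g. a cron-driven service account) from dividing by zero."""
    return abs(value - mu) / max(sigma, floor)


def score_event(baselines, user, hour, country, mb, min_sessions=5):
    """Return (score, reasons) for one session. Thin or missing baselines are not scored."""
    b = baselines.get(user)
    if b is None or b["sessions"] < min_sessions:
        return 0.0, ["insufficient_baseline"]
    score, reasons = 0.0, []
    if country not in b["countries"]:
        score += WEIGHTS["new_country"]
        reasons.append(f"new_country:{country}")
    zh = zscore(hour, b["hour_mean"], b["hour_std"], floor=1.0)  # floor: one hour
    if zh > 3:
        score += WEIGHTS["unusual_hour"]
        reasons.append(f"unusual_hour:z={zh:.1f}")
    zv = zscore(mb, b["mb_mean"], b["mb_std"], floor=max(1.0, 0.1 * b["mb_mean"]))  # floor: 10% of mean
    if zv > 3:
        score += WEIGHTS["unusual_volume"]
        reasons.append(f"unusual_volume:z={zv:.1f}")
    return score, reasons


def evaluate(baselines, events, threshold=ALERT_THRESHOLD):
    """Score every new session; findings go to an analyst, no action is taken here."""
    findings = []
    for user, hour, country, mb in events:
        score, reasons = score_event(baselines, user, hour, country, mb)
        findings.append({"user": user, "score": score, "reasons": reasons,
                         "alert": score >= threshold})
    return findings


if __name__ == "__main__":
    for f in evaluate(build_baselines(HISTORY), NEW_EVENTS):
        print(f)
```

On the constructed data, alice's normal session scores 0, her 03:00 session from a new country with a large download scores 8 on three reasons, the service account's mid-day session scores 5 (unusual hour plus unusual volume), and bob is reported as having an insufficient baseline rather than being silently scored as normal. Keeping the reasons alongside the score is what makes the finding actionable for the analyst who receives it.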

Next-generation SIEMs with SOAR and UEBA capabilities are key to identifying hidden threats; they are increasingly being deployed in the cloud to enable organizations to manage and monitor modern hybrid infrastructure (cloud, on-premises, and BYOD systems) as a single entity.

Features and Functions  | Traditional SIEM             | Next-Generation SIEM
------------------------|------------------------------|------------------------------
Incident response       | Case management              | SOAR
Threat detection        | Static correlation rules     | UEBA
Storage architecture    | Schema                       | Non-schema
Data collection         | Proprietary data management  | Scalable security data lakes
Deployment model        | Mostly on-premises           | Cloud/hybrid/on-premises

Figure 2.0 Comparison of traditional vs next-generation SIEM

Choosing the right SIEM Solution for your Organization

With a variety of SIEM solutions such as those from IBM, Intel, HE, SolarWinds, ManageEngine, and even open-source options, choosing the right one for your business and budget can be challenging. Like most network security solutions, not all SIEM solutions are created equal. What fits perfectly from a price, feature, and functionality standpoint for one organization may not fit another. You need to consider a variety of factors, some of which include:

  • Is the SIEM solution capable of meeting your organization’s security and compliance requirements?
  • Can the SIEM supplement existing logging capabilities?
  • How much native support does the SIEM provide for relevant log sources?
  • Does the SIEM product provide forensic, data analysis, and automated response capabilities?
  • Does the SIEM solution offer next-generation capabilities such as SOAR and UEBA?
  • Is vendor support available in your region, and to what extent?
  • What is the total cost of ownership?

With the right SIEM solution, your organization can capture actionable information and insight that security teams can use as intelligence to detect potentially malicious activity before any damage materializes.