Security Information and Event Management (SIEM) tools collect and aggregate log and event data to help identify and track breaches. They are powerful systems that give enterprise security professionals both insight into what is happening in their IT environment right now and a history of relevant events that have happened in the past.
SIEM software (pronounced “sim”; the “e” is silent) collects and aggregates log and event data generated across an organization’s technology infrastructure, from host systems and applications to network and security devices such as firewalls and anti-virus filters. The goal of a SIEM tool is to correlate signals from all of this data to provide security teams with the information they need to identify and track breaches and other issues.
The term “SIEM” was actually coined by Gartner analysts in 2005, and they continue to rate different vendors using their Magic Quadrant methodology. You can see the 2021 slice of the Magic Quadrant for SIEM here. Companies in the “Leaders” quadrant include Splunk, IBM, Exabeam, Securonix and LogRhythm.
SIM versus SIEM
Before diving into the details of how SIEM software works, we need to understand two related acronyms: SIM and SEM.
SIM, which stands for security information management, is a tool that provides analytics and reports for historical security events – with “historical” here meaning not that these events are part of an epic and significant historical event, but simply that they happened in the past. SIM systems grew out of the discipline of log management and work to automate the collection of log data from various security tools and systems and present that information to security managers.
SEM, which stands for security event management, is similar to SIM, although instead of focusing on historical log data, it attempts to work in real time, or as close to it as possible, to identify specific events relevant to security professionals. For example, if a user somewhere on your network manages to elevate their privileges to administrator status in a way that is out of the ordinary, an SEM system should let you know.
A SIEM system is simply a tool that combines the functionality of SIM and SEM software. It’s pretty rare at this point to find software that only offers SIM or SEM functionality, and SIEM has been on the agenda for a decade or more.
At first glance, it may seem odd that SEM ended up being combined with SIM rather than replacing it. The appeal of receiving real-time security event alerts is obvious, and if you can do that, what’s the point of extracting information from a dusty old log? In fact, a big part of a security professional’s job is to work backwards from real-time alerts to try to figure out what’s happening on your network. Once you get that warning about the user who managed to make themselves admin, you’ll need to look at that user’s login and behavior history to try and get to the bottom of what’s going on, and you need SIM tools that can quickly find this information for you in your logs.
The SIEM software therefore has two main objectives:
- provide reports on security-related incidents and events, such as successful and failed logins, malware activity, and other possible malicious activity; and
- send alerts if analysis shows that an activity violates predetermined rule sets and thus indicates a potential security issue.
How does SIEM work?
Logs and other data should be exported from all your security systems to the SIEM platform. This can be achieved by SIEM agents—programs running on your various systems that parse and export data into the SIEM; alternatively, most security systems have built-in capabilities to export log data to a central server, and your SIEM platform can import it from there.
The option you choose will depend on your network topology and bandwidth capabilities, as well as the types of systems you need to get the logs from. The amount of data transmitted and the processing power required at endpoints can degrade the performance of your systems or network if you don’t implement things carefully; SIEM agents at the edge can alleviate some of this load by analyzing certain data before it is even sent over the network. Either way, you’ll want to make sure your entire infrastructure is instrumented for SIEM, both on-premises and in the cloud.
Obviously, the amount of data generated by this SIEM instrumentation is enormous, more than your staff could analyze. The main value offered by SIEM suites is that they apply data analysis to ensure that only useful information is transmitted to your security operations center. These platforms use correlation engines that attempt to connect disparate log entries or other signals that don’t seem worrisome on their own but, taken together, point to a problem. These engines, combined with the specific artificial intelligence and machine learning techniques used to detect attacks, are what various SIEM vendors use to differentiate their offerings from one another.
SIEM tools also draw information from threat intelligence feeds—essentially, updated data feeds on new forms of malware and the latest advanced persistent threats. Some of these feeds are managed by SIEM vendors, but others are open source or managed in-house by the security teams of large organizations, and some SIEM platforms allow you to use your favorites. Other customization options include the ability to tightly integrate your SIEM platform with specific security tools.
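To make the pipeline described in the last few paragraphs concrete, here is a small Python sketch added for this article; it is not code from the article or from any vendor it names. It parses exported log lines into a common schema (the job of a SIEM agent), runs rules such as the out-of-the-ordinary privilege elevation mentioned earlier, checks event fields against a threat-intelligence feed, and correlates the resulting alerts per user so the security operations center sees one incident rather than scattered events. It also provides the two SIM-style functions the text calls for: a login report and a per-user history to work backwards from an alert. The log lines, the indicator set, the field names and the rule thresholds are all constructed for the example.

```python
"""Toy SIEM pipeline: parse -> rules -> correlate -> report. Constructed data, example only."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like key=value format (not real data).
SAMPLE_LOGS = """\
2022-03-01T09:00:01 fw01 auth: user=alice src=10.0.0.5 result=failure
2022-03-01T09:00:03 fw01 auth: user=alice src=10.0.0.5 result=failure
2022-03-01T09:00:05 fw01 auth: user=alice src=10.0.0.5 result=failure
2022-03-01T09:00:09 fw01 auth: user=alice src=10.0.0.5 result=success
2022-03-01T09:01:30 host7 sudo: user=alice action=privilege_elevation target=root
2022-03-01T09:05:00 host7 dns: user=alice query=update.example-bad.test
2022-03-01T10:15:00 host2 auth: user=bob src=10.0.0.9 result=success
garbage line that the parser cannot read
"""

# Constructed threat-intel feed: placeholder indicators, not real IoCs.
THREAT_FEED = {"update.example-bad.test", "198.51.100.23"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\w+): (?P<fields>.*)$")


def parse_line(line):
    """Normalize one log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m.group("ts")),
          "host": m.group("host"), "source": m.group("source")}
    for kv in m.group("fields").split():
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def parse_logs(text):
    """Parse every line; unparseable lines are skipped (a real SIEM would count them)."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def rule_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a user logs in successfully after >= threshold failures inside the window."""
    alerts, failures = [], defaultdict(list)
    for ev in events:
        if ev["source"] != "auth":
            continue
        user = ev["user"]
        if ev["result"] == "failure":
            failures[user].append(ev["ts"])
        elif ev["result"] == "success":
            recent = [t for t in failures[user] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "user": user,
                               "host": ev["host"], "ts": ev["ts"]})
            failures[user].clear()  # a success resets the counter


    return alerts


def rule_privilege_elevation(events):
    """Alert on any privilege-elevation event (the SEM example from the text)."""
    return [{"rule": "privilege_elevation", "user": ev["user"], "host": ev["host"], "ts": ev["ts"]}
            for ev in events if ev.get("action") == "privilege_elevation"]


def rule_threat_intel(events, feed):
    """Alert when a network-ish field of an event matches an indicator from the feed."""
    alerts = []
    for ev in events:
        for key in ("query", "src", "dst"):
            if ev.get(key) in feed:
                alerts.append({"rule": "threat_intel_match", "user": ev.get("user"),
                               "host": ev["host"], "ts": ev["ts"], "indicator": ev[key]})
    return alerts


def correlate(events, feed=THREAT_FEED):
    """Run all rules and group alerts by user: two or more distinct rules firing on one
    user become a single high-severity incident; a lone alert stays low severity."""
    alerts = (rule_bruteforce_then_success(events) + rule_privilege_elevation(events)
              + rule_threat_intel(events, feed))
    by_user = defaultdict(list)
    for alert in alerts:
        by_user[alert["user"]].append(alert)
    incidents = {}
    for user, user_alerts in by_user.items():
        rules = sorted({a["rule"] for a in user_alerts})
        incidents[user] = {"severity": "high" if len(rules) >= 2 else "low", "rules": rules}
    return incidents


def login_report(events):
    """SIM-style report: successful and failed logins per user."""
    counts = Counter((ev["user"], ev["result"]) for ev in events if ev["source"] == "auth")
    return {f"{user}:{result}": n for (user, result), n in counts.items()}


def user_history(events, user):
    """SIM-style lookup: everything a user did, oldest first, to work backwards from an alert."""
    return sorted((ev for ev in events if ev.get("user") == user), key=lambda ev: ev["ts"])


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print(correlate(evs))
    print(login_report(evs))
```

Running the script reports one high-severity incident for alice, because three different rules fire on the same user within minutes, while bob's single successful login produces nothing. The per-user correlation is the simplest form of the "connect disparate signals" idea; production engines key on hosts, IP addresses and sessions as well, and weight rules rather than just counting them.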
We noted above that SIEM was originally adopted for its ability to facilitate regulatory compliance; this is still an important role for these tools, and many platforms have built-in capabilities that aim to ensure and document your compliance with various laws and standards. And finally, some SIEM platforms also incorporate SOAR capabilities, which can partially or fully automate responses to the threats they detect.
Main SIEM tools and providers
How to evaluate SIEM tools? CSO’s Tim Ferrill has an excellent buyer’s guide to key features and considerations that should inform your choice of a system, including whether it’s a cloud or on-premises system, analytics capabilities, log ingestion, automated remediation, and role-based access, among others.
Ferrill’s list also looks at some of the top SIEM vendors, which is a good guide through the landscape of this market segment:
All of these different providers have their own strengths and weaknesses. For example, Microsoft’s Azure Sentinel offering is only available on Microsoft’s cloud, but easily integrates with Microsoft 365 and Windows Defender. RSA’s platform is designed with massive data volume in mind, while Securonix has an open architecture that allows a wide variety of third-party analytics plugins to be added.
We should take a moment to highlight Splunk, since it was one of the first software vendors to strike gold in log file analysis. Splunk Enterprise Security leverages the company’s proven data analytics and visualization capabilities to deliver a threat intelligence-integrated SIEM solution available in the cloud or on-premises. IDC argues that Splunk has the largest SIEM market share.
At this point, you should have a good idea of what SIEM should do for your business. But these rigs don’t come cheap, and that means you should do everything you can to prepare before deploying one. For example, SIEM software requires high quality data for maximum performance. And SIEM technologies are resource-intensive and require experienced personnel to implement, maintain, and refine them – personnel in which not all organizations have yet fully invested.
Copyright © 2022 IDG Communications, Inc.