What is Security Information and Event Management (SIEM)?

Learning Objectives

  • Explore the components of a good SIEM
  • Learn who can benefit from a SIEM
  • Understand why logs are important for SIEM functionality

A Security Information and Event Management (SIEM) is an umbrella term for an application that aggregates and displays network traffic information and log events for further analysis and review. It’s a centralized application that allows administrators, security analysts, and network operation center (NOC) staff to view activity on a corporate network using dashboards, charts, and analytics. 

SIEM software has evolved through the years to now allow real-time views of network traffic and has become a common tool in enterprise networks where private and public cloud activity must be monitored 24/7 to protect from threats that target sensitive data.

What services are included in a SIEM application?

Because a SIEM gives analysts an overview of network traffic, it can be used in various fields. It’s mainly used in the cybersecurity industry, where dedicated analysts work in a NOC to review real-time traffic. It can also be used for other industries such as data science, forensics, or log management. 

A SIEM can be used for:

  • Data security
  • Mobile security
  • Cloud security
  • IoT security
  • Endpoint monitoring and security
  • Infrastructure security
  • Application security
  • Messaging security
  • Web security
  • Risk and compliance
  • Threat intelligence
  • Specialized threat analysis and prediction
  • Security operations
  • Identity and access management

Whatever the reason behind installing a SIEM platform, there are several components that you should consider when searching for the right SIEM tool. The following are common components in a good SIEM platform:

Log Management: The basis behind monitoring and analyzing your network traffic is the logs that are aggregated and sent to the SIEM.  A log management system allows you to send logs from various infrastructure locations to the SIEM log management component. Network resources, servers, applications, endpoints, devices, anti-malware software, and various other resources with threat risks should maintain a log system where events are sent to the central SIEM. Aggregated logs are also used in forensics and investigations after a security incident, and they can be used to send notifications to administrators when traffic anomalies are found. 

Security Event Management: As logged events are collected by a centralized aggregation point, a Security Event Management (SEM) system uses its own algorithms to determine suspicious traffic from normal user traffic. A SEM mainly focuses on real-time analysis of network resources specific to security such as firewalls and intrusion detection systems, rather than standard log management systems used in forensics and investigations of past incidents from all resources. SEC systems can also be used in monitoring and can send notifications when suspicious events are found.

Security Information Management: A component in monitoring and analysis used in SIEM software is the Security Information Management (SIM) system, which focuses on data collection from various endpoints and host endpoints. These resources could be targets for attackers, but their purpose is not to secure the network but to rather support company productivity. They can often be a primary focus for attackers due to the files and sensitive information they store. SEM focuses on security resources, but SIM systems focus on assets such as servers, applications, user devices, endpoints, proxies, and other basic network environment resources. 

Security Event Correlation: To identify an ongoing incident, a SIEM uses a Security Event Correlation (SEC) system. This SEC system identifies common patterns within aggregated logged events to determine if the organization suffered from a compromise. Suspicious events can be flagged for further review from a human analyst. It’s important that this component does not suffer from too many false positives as it causes analyst fatigue, which is a phenomenon common in security analysis when a human reviewer does not trust the SIEM notifications and ignores potential breaches. Human analysts suffering from fatigue often become desensitized to alerts and could possibly miss important notifications for an ongoing security incident, so any alert system should aim to have few false positives.

What does a SIEM do?

With several security components merged into one platform, a SIEM is a tool for human reviewers. Several systems exist for automatically detecting and blocking potential attackers. For instance, an intrusion prevention system (IPS) will detect and automatically block suspicious traffic and potential attackers. The issue with these systems is that they rely on known patterns and traffic benchmarks to detect attackers, but false positives or false negatives are possible. If an attacker uses a zero-day exploit or falls outside of known patterns, the IPS could trigger a false negative. False positives are also a concern, so automatic systems need human analysts to review incidents.

A SIEM incorporates all of the above technology and centralizes security information management and analysis for human review. An analyst responsible for monitoring the network for any ongoing security incidents will spend most of their time looking at SIEM data, charts, notifications, and traffic information. The benefit of a SIEM is that the human analyst does not need to read raw data from logs. The analyst can instead see graphical representations of network traffic and assets across the environment so that they can make an informed decision on potential attacks. The other benefit is that human analysts can review real-time data rather than seeing old log events in the aftermath of an incident.

Raw data logs can accumulate thousands of events every day, depending on the size of the organization and the number of network assets. Raw log data is difficult for the human eye to analyze, especially if the analyst is searching for a specific event among thousands of other events. A SIEM turns raw data logs into graphical representations using charts and other user interface elements.



Who should use a SIEM?

A SIEM platform can be used in any business that has internal and external traffic critical to corporate productivity. If you host sensitive data internally a SIEM helps protect data from breaches. Since analysts can view traffic data in real-time, an attacker with access to internal network assets could be detected before a serious breach occurs. A SIEM is primarily useful for the following business departments:

  • Security Team: Whether you have an internal security team or outsource to a managed service provider (MSP), security professionals use SIEMs to monitor cloud and on-premise network resources. Security professionals leverage SIEM platforms to detect threats to contain and eradicate them from the environment quickly. 
  • Operations Team: Administrators, DevOps, and other operations teams use SIEMs to analyze system issues and perform root-cause analysis into an ongoing issue. The logs and data aggregation can speed up identification of network issues and deploy remediation efforts.
  • Incident Response Team: After a security incident, an organization must contain the threat, investigate the root-cause, eradicate it from the environment, and collect evidence for law enforcement investigations. The logs and information shown in SIEM dashboards can help this team perform more efficient incident response to better secure the network.
  • Compliance Team: Monitoring is a requirement for many compliance regulations including GDPR, HIPAA, PCI, and several others. A SIEM will cover any technical compliance requirements where access to sensitive information must be monitored so that organizations can avoid hefty fines for violations.

Administrators and security teams interested in installing a SIEM have the choice to host the software platform in the cloud. Several of today’s technology solutions can run in the cloud as more organizations realize the benefits of cloud hosting. Using cloud resources lowers IT costs, and administrators can run the application from any location, including if they work from home. If you’re looking for a SIEM and use cloud resources for infrastructure, cloud-based SIEM platforms are available instead of deploying a more costly solution of hosting it on-premise.

Is log data necessary for a SIEM?

As you search for a SIEM, identify the most valuable components to the organization and research if the SIEM offers a solution. For instance, if you have several infrastructure resources and need efficient logging, ensure that the SIEM you choose has the right log management and aggregation capabilities that you need to monitor these network resources fully.

Log data is the foundation of SIEM real-time monitoring, and it’s the source behind network traffic analysis. Without logs, a SIEM would not collect the data necessary to identify potential security incidents. Human analysts would not be able to address events quickly because without logs and a SIEM they are left with only log events that could be days old. An attacker has the advantage when monitoring tools and human analysts only have access to day-old logs, which makes a SIEM a critical asset. 

It’s time to let data charge