What is a SIEM?
Security Information and Event Management (SIEM) is a software solution that aggregates and analyses activity from many different resources across your entire IT infrastructure.
SIEM tools are an important part of the data security ecosystem: they aggregate data from multiple systems and analyse that data to catch abnormal behaviour or potential cyberattacks. SIEM tools provide a central place to collect events and alerts – but can be expensive, resource intensive, and customers report that it is often difficult to resolve problems with SIEM data.
SIEM collects security data from network devices, servers, domain controllers, and more. SIEM stores, normalizes, aggregates, and applies analytics to that data to discover trends, detect threats, and enable organizations to investigate any alerts.
How does a SIEM work?
SIEM software works by collecting log and event data that is generated by host systems, security devices and applications throughout an organization’s infrastructure and collating it on a centralized platform. From antivirus events to firewall logs, SIEM software identifies this data and sorts it into categories, such as malware activity, failed and successful logins and other potentially malicious activity.
When the software identifies activity that could signify a threat to the organization, alerts are generated to indicate a potential security issue. These alerts can be set as either low or high priority using a set of pre-defined rules. For example, if a user account generates 20 failed login attempts in 20 minutes, this could be flagged as suspicious activity, but set at a lower priority as it is most likely to be a user that has forgotten their login details. However, if an account experiences 120 failed login attempts in 5 minutes this is more likely to be a brute-force attack in progress and flagged as a high severity incident.
Benefits of SIEM:
- Increased efficiency
As SIEM systems can collate event logs from multiple devices across networks, staff members are able to use these to identify potential issues more easily. This can also provide an easier way of checking activity and can speed up analysis of files, allowing employees to carry out tasks with ease and spend more time on other aspects of their job. In this way, SIEM systems can also improve reporting processes across the business.
- Preventing potential data breaches
SIEM tools coupled with an abled security operations team can identify and contain malicious presence in the environment. This can help to mitigate multiples risks associated with data breaches and prevent exfiltration of data to external domains.
3. Increased threat intelligence
Combines internal data with threat intelligence feeds containing data on vulnerabilities, threat actors and attack patterns. It also allows security staff to run queries on SIEM data, filter and pivot the data, to proactively uncover threats or vulnerabilities.
- Compliance
Automates the gathering of compliance data, producing reports that adapt to security, governance and auditing processes for standards like HIPAA, PCI/DSS, HITECH, SOX and GDPR.
SIEM is a mature technology, and the next generation of SIEMs provide new capabilities:
User Event Behavioural Analysis (UEBA) advanced SIEMs go beyond rules and correlations, leveraging AI and deep learning techniques to look at patterns of human behaviour. This can help detect insider threats, targeted attacks, and fraud.
Security Orchestration and Automation (SOAR) – next-gen SIEMs integrate with enterprise systems and automate incident response. For example, the SIEM might detect an alert for ransomware and perform containment steps automatically on affected systems, before the attacker can encrypt the data
