What is SIEM?
Security Information and Event Management (SIEM) combines Security Information Management (SIM) and Security Event Management (SEM) in a single pane of glass. SIEM solutions are used by security analysts to monitor potential threats within their organisation's infrastructure.
All endpoints and network devices send their logs to the SIEM solution. The SIEM solution processes the raw log data and converts it into meaningful information that can be analysed by security professionals.
Security Information Management (SIM)
A SIM solution is an enhanced version of a log collection and management platform. SIM introduced features like log retention, analysis, reporting and correlation with threat intelligence sources.
Security Event Management (SEM)
SEM is the next generation of security monitoring and management, which took security monitoring further ahead. It allowed security analysts to perform advanced operations like event aggregation, correlation and notification triggering for endpoint and network devices such as firewalls, Linux and Windows servers, endpoints and antivirus solutions.
Multiple open-source and commercial SIEM solutions exist in the market. However, all of them share the same underlying functionality: ingesting logs from nodes within the infrastructure, converting logs into meaningful security events, identifying suspicious events and generating the necessary security alerts.
The simplest application of a SIEM solution is a rule-based event correlation engine that creates alerts based on the relationship between multiple log entries. SIEM solutions also convert log entries into actual event information that allows security analysts to detect threats in real time, perform incident response and prepare audits for compliance reasons.
How does a SIEM solution work?
SIEM solutions operate by collecting logs from data sources within an organisation on a centralised platform. These data sources include firewalls, antivirus, databases, servers and custom applications.
The SIEM solution sorts the security data so that security teams can perform security analysis and identify malicious activity such as brute force login attempts or malware activity. Analysts can use pre-defined rules or create their own rules on this information and generate alerts with appropriate priority.
Example scenario – Firewall traffic
An organisation has integrated its firewall with a SIEM solution. The traffic logs show traffic originating from source IP addresses in different countries. If the organisation wants to flag traffic from a certain country, the security analysts can use IP address geolocation mapping and create alerts for traffic from that country.
Since there is no proof that the IP address is malicious, the event will be of low priority and the IP address will be investigated further by security analysts.
Example scenario – Brute force login attempts
An attacker is attempting to log in by brute forcing the SSH service of a Linux server. The Linux system logs that are polled by the SIEM solution generate multiple failed login attempt entries. Security analysts have created alerts for such scenarios that trigger when more than 100 login attempts have been made within a minute.
Since the number of login attempts within a minute is inhuman, the alert priority will be high and security analysts will investigate the incident immediately.
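Both scenarios above, the geolocation flag on firewall traffic and the 100-failures-per-minute SSH rule, come down to a small rule-based correlation engine. The following Python is an added example, not code from the original article or from any SIEM product; the GeoIP table, the watched country code "XX", the log line formats and the log lines themselves are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed stand-in for a GeoIP database: /24 prefix -> country code (assumption).
GEOIP = {"203.0.113.": "XX", "198.51.100.": "YY", "192.0.2.": "ZZ"}
WATCHED_COUNTRY = "XX"   # the country the organisation wants flagged (assumed)
SSH_THRESHOLD = 100      # "more than 100" failed logins in one minute -> high alert

# Constructed line formats for the two log sources used in the scenarios.
FW_RE = re.compile(r"^(\S+ \S+) fw src=(\S+) dst=\S+ action=allow")
SSH_RE = re.compile(r"^(\S+ \S+) sshd: Failed password for \S+ from (\S+)")

def geo(ip):
    """Look the source IP up in the constructed GeoIP table."""
    for prefix, cc in GEOIP.items():
        if ip.startswith(prefix):
            return cc
    return "??"

def correlate(lines):
    """Run both detection rules over raw log lines; return (priority, rule, detail) alerts."""
    alerts = []
    failures = defaultdict(int)          # (source ip, minute) -> failed login count
    for line in lines:
        m = FW_RE.match(line)
        if m:                            # rule 1: traffic from a watched country, low priority
            ts, src = m.groups()
            if geo(src) == WATCHED_COUNTRY:
                alerts.append(("low", "geo-watch", f"{src} ({WATCHED_COUNTRY}) at {ts}"))
            continue
        m = SSH_RE.match(line)
        if m:                            # rule 2: SSH brute force, high priority
            ts, src = m.groups()
            minute = ts[:16]             # bucket by "YYYY-MM-DD HH:MM"
            failures[(src, minute)] += 1
            if failures[(src, minute)] == SSH_THRESHOLD + 1:   # fire once per window
                alerts.append(("high", "ssh-bruteforce",
                               f"{src}: >{SSH_THRESHOLD} failures in {minute}"))
    return alerts

# Constructed sample input: two firewall lines, 150 failures from one host in one
# minute (should alert) and 5 failures from another host (below the threshold).
SAMPLE = [
    "2024-01-01 10:00:01 fw src=203.0.113.5 dst=10.0.0.1 action=allow",
    "2024-01-01 10:00:02 fw src=198.51.100.9 dst=10.0.0.1 action=allow",
] + [f"2024-01-01 10:01:{i % 60:02d} sshd: Failed password for root from 198.51.100.7"
     for i in range(150)] + [
    f"2024-01-01 10:02:{i:02d} sshd: Failed password for bob from 192.0.2.4" for i in range(5)]

if __name__ == "__main__":
    for priority, rule, detail in correlate(SAMPLE):
        print(priority.upper(), rule, detail)
```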
Why is it important to implement a SIEM solution?
A SIEM solution is of paramount importance because it makes security analysis of the massive volume of logs collected from network and security devices a lot easier. A SIEM not only filters out unnecessary log data and noise but also allows security analysts to prioritise certain events by creating alerting notifications.
Without a SIEM solution, most suspicious activity within an organisation's infrastructure may go unnoticed by security analysts. SIEM solutions also help organisations meet compliance requirements, as they generate reports with all security events and logs. Without a SIEM solution, this process would have to be done manually.
Rapid incident response is a must-have requirement for any security-sensitive organisation. Security analysts need relevant data to respond to a security incident. A SIEM not only provides that information but also provides tools to automate the response to those incidents.
Capabilities a Security Information and Event Management solution should have
Industry standards identify three critical features that a SIEM solution should have:
- Threat Detection
- Threat Investigation
- Incident Response
Other important features offered by commercial SIEM solutions out there are:
- Security Monitoring
- Forensics and response for incidents that have occurred
- Log Ingestion
- Log Parsing and normalisation
- Security Incident Detection Engineering
- Incident Response Workflow
Advantage of SIEM
Security information and event management solutions have a lot of benefits for any security-conscious organisation that has hired skilled security professionals for threat detection and incident response. A few of these benefits are given below:
- Allows Security teams to rapidly identify network threats and reduce the impact of a cyber-attack.
- Provides security analysts with a centralised view of the security activity of the whole organisation's infrastructure. All the endpoints and network nodes send log data to the SIEM solution for storage and processing.
- Provides advanced malware detection and triggers security alerts.
- Allows organisations to easily collect data for compliance requirements.
Limitations of SIEM
Just like any other platform, SIEM also has its limitations:
- Implementing all SIEM solution controls within an organisation is a time-consuming and comprehensive task that may take around 3 to 6 months.
- Commercial SIEM solutions are really expensive. Small and medium business organisations may not be able to afford these solutions, as the initial investment can go as high as a hundred thousand dollars.
- Understanding and analysing the information generated by SIEM solutions is a task that requires expertise. Organisations that deploy SIEM solutions must also establish a Security Operations Center (SOC) where all the information generated by the SIEM solution is processed.
- SIEM solutions generate more than 10,000 events per day at a minimum. If the information is not correctly interpreted due to a misconfigured SIEM solution, the benefit of the SIEM solution may turn into a limitation because of the unnecessary noise.
How can a SIEM solution help organisations?
SIEM tools help in collecting data from different log sources such as network devices, Windows and Linux systems, firewalls, antivirus etc.
Threat intelligence feeds
SIEM combines event data aggregated from log sources with threat intelligence feeds and provides real-time zero-day threat detection.
SIEM correlates multiple events from one or more log sources to identify a real-world threat and contain it before it compromises the entire organisational network.
SIEM systems use statistical and machine learning-based techniques to identify patterns between event information and anomalous behaviour trends and correlate them to security threats.
A SIEM solution sends alerting notifications to IT and security analysts about incidents that occur within the enterprise network. These alerts are triggered on conditions defined by security engineers and can be delivered via email, Slack channels etc.
Dashboards and visualisations
The dashboard is one of the SIEM tools that allows security engineers to create visualisations and graphical presentations of event data for security operations centre monitoring.
SIEM tools are great for assisting in the gathering of compliance data and produce reports that suit the formats required by compliance frameworks and regulations like HIPAA, GDPR, PCI DSS etc.
Compliance authorities require organisations to retain event logs of all devices in the network for a certain period.
SIEM solutions provide collaboration and knowledge sharing on security incidents so that security teams can synchronise and respond effectively to incidents.
What are SIEMs used for?
SIEM solutions provide an array of different capabilities and functionality, but they are used mainly for the following:
- Security Monitoring – SIEM solutions help in the real-time monitoring for security incidents.
- Advanced Threat Detection – SIEM solutions can help in identifying advanced threats including malicious insiders, data exfiltration, APTs etc.
- Forensics and Incident Response – SIEM solutions can help IT personnel perform forensic investigations and triage events.
- Compliance Reporting and Auditing – SIEM solutions can help organisations in becoming compliant with legal and regulatory compliance bodies.
SIEM Best Practices
When implementing a SIEM solution, an organisation should consider the following best practices:
- Before implementation, determine the requirements for monitoring, reporting and auditing the IT events.
- The scope of the SIEM should be defined.
- Accessibility and retention for audit data should be defined.
- Reporting in the SIEM solution should include:
  - Access monitoring for all key resources.
  - Status of all perimeter defences, attacks and changes.
  - Status of backups, change management etc. that ensure resource integrity.
  - Incidents reported by IDS/IPS systems.
  - Activity related to malware.
  - Status, changes, violations etc. in applications.
  - Violations of acceptable use policies.
Security information and event management tools
In today's modern era, there are many enterprise and open-source SIEM solutions on the market. A few of them are given below:
AlienVault USM is a SIEM solution intended for small and medium business organisations. It has all the fundamental features of a SIEM solution and can be deployed as a hardware, virtual or cloud-based appliance. It has 150 built-in reporting templates and provides feeds from the OSSIM community.
ArcSight ESM collects and processes logs from data sources and is more suited for large organisations. ArcSight ESM integrates with third-party threat intelligence sources to provide up-to-date feeds.
IBM QRadar also ingests logs from a wide range of data sources such as network devices, operating systems and applications. It analyses logs in real time and allows security analysts to rapidly identify security threats. QRadar supports threat intelligence and also pulls logs from data sources deployed in the cloud.
Splunk Enterprise Security provides rapid incident response times and real-time threat detection by utilising visual security analysis. It also tracks dynamic malware attacks by correlating multiple security events from multiple data sources. It can be deployed as local SIEM software or as a cloud-based SIEM solution.
LogRhythm is also a good SIEM solution for small business organisations. It features endpoint monitoring, digital forensics and security analytics for security teams. It also has a heartbeat feature that identifies connected and disconnected data sources, so that a data source dropping off LogRhythm is noticed.
Enterprise Market SIEM solutions
Customers have reported that, to achieve both data security and compliance records, they need to implement two SIEM solutions within their infrastructure. This is because SIEM solutions are very resource-intensive and noisy, and if only one SIEM solution were used, the best of both worlds would not be achievable.
SIEM solutions are used by organisations for incident response and for creating email notifications for alerts on events related to databases, network devices and servers.
Some security analysts also use the SIEM for purple teaming exercises, where they act as an adversary and perform attacks to see whether the SIEM is flagging the attacks correctly. This activity is an important step in securing the organisation, as it allows the security analysts to fine-tune the alerts to perfection.
Choosing the right SIEM solution
Choosing a SIEM solution depends on multiple factors. Organisations can choose either commercial or open-source SIEM solutions as per their requirements. Some of these factors are given below:
- SIEM solutions must support log integration and parsing from a wide variety of data sources. If the SIEM solution cannot convert the logs of an organisation's data sources into meaningful events, the purpose of the SIEM solution will not be achieved.
- The SIEM solution should feature comprehensive reports for security analysts, executives and compliance mandates.
- The SIEM solution should allow real-time threat monitoring so that security analysts can perform threat detection in real time.
- SIEM solutions should feature threat intelligence feed integration and event correlation with other data sources so that up-to-date Indicators of Compromise (IOCs) can be identified within the infrastructure.
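The first factor above (and the "Log Parsing and normalisation" capability listed earlier) is what makes everything else possible: logs from unrelated sources only correlate once they share one event schema. The Python below is an added example, not the article's or any vendor's code; the three line formats (a Linux sshd line, a firewall line and a flattened Windows Security event carrying the well-known logon IDs 4624/4625) and the sample lines are constructed, and it deliberately keeps lines it cannot parse in a separate bucket so that a silent parsing gap is visible rather than lost.

```python
import re
from dataclasses import dataclass
from typing import Optional
from collections import Counter

@dataclass
class Event:
    """Common schema every source is mapped onto (assumed, kept deliberately small)."""
    ts: str
    source: str
    event_type: str       # e.g. "auth.login", "net.connection"
    outcome: str          # "success" / "failure" / "allow" / "deny"
    src_ip: Optional[str] = None
    user: Optional[str] = None

# One (name, regex, builder) per log source; each maps a vendor format onto Event.
PARSERS = [
    ("linux-sshd",
     re.compile(r"^(?P<ts>\S+ \S+) sshd: (?P<res>Accepted|Failed) password for "
                r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
     lambda m: Event(m["ts"], "linux-sshd", "auth.login",
                     "success" if m["res"] == "Accepted" else "failure", m["ip"], m["user"])),
    ("firewall",
     re.compile(r"^(?P<ts>\S+ \S+) fw src=(?P<ip>\S+) dst=\S+ action=(?P<act>allow|deny)"),
     lambda m: Event(m["ts"], "firewall", "net.connection", m["act"], m["ip"])),
    ("windows-sec",   # constructed flattening of a Windows Security logon event
     re.compile(r"^(?P<ts>\S+ \S+) EventID=(?P<id>4624|4625) TargetUser=(?P<user>\S+) IpAddress=(?P<ip>\S+)"),
     lambda m: Event(m["ts"], "windows-sec", "auth.login",
                     "success" if m["id"] == "4624" else "failure", m["ip"], m["user"])),
]

def normalise(lines):
    """Return (events, unparsed): parsed Events plus the raw lines no parser matched."""
    events, unparsed = [], []
    for line in lines:
        for _name, rx, build in PARSERS:
            m = rx.match(line)
            if m:
                events.append(build(m))
                break
        else:
            unparsed.append(line)     # surfaced, not dropped: a coverage gap in the SIEM
    return events, unparsed

def failed_logins_by_ip(events):
    """Cross-source count that only works because both OSes share the Event schema."""
    return Counter(e.src_ip for e in events if e.event_type == "auth.login" and e.outcome == "failure")

# Constructed sample input covering all three sources plus one unsupported custom-app line.
SAMPLE_LINES = [
    "2024-01-01 10:01:00 sshd: Failed password for invalid user bob from 192.0.2.4",
    "2024-01-01 10:01:05 EventID=4625 TargetUser=bob IpAddress=192.0.2.4",
    "2024-01-01 10:01:09 fw src=192.0.2.4 dst=10.0.0.5 action=deny",
    "2024-01-01 10:01:12 EventID=4624 TargetUser=alice IpAddress=10.0.0.9",
    "2024-01-01 10:01:15 customapp: order 17 placed by alice",
]
```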
Putting SOAR, XDR and other upcoming noise aside, SIEMs are still very useful solutions that do their job of helping security teams sift through the daily noise.
Whether your SIEM/SOC services are outsourced or in-house, it's important to ensure that logging and monitoring activities are capturing the right events. Therefore, selecting the same vendor as your MSSP for both SOC/SIEM services and penetration testing may be a direct conflict of interest. This is something we have come across often, because customers are unaware that it is sometimes similar to checking your own homework. Not all vendors are intentionally doing this; however, the customer's controls are only truly put to the test when this is done impartially.
Get your SIEM solution tested to check whether it is delivering what it is intended to do. Get in touch to discuss your requirements.
We do not endorse any particular SIEM solution, nor are we part of any reselling opportunities. This article is purely intended to let our audience know what a SIEM is, its basics and the choices available. We do not purposely intend to exclude or include any specific vendors and are more than happy to look into any request to include one, provided the solution is in the mainstream market.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.