Security.com

security information and event management (SIEM)

By Alexander S. Gillis

What is security information and event management (SIEM)?

Security information and event management (SIEM) is an approach to security management that combines security information management (SIM) and security event management (SEM) functions into one security management system. The acronym SIEM is pronounced "sim" with a silent e.

The underlying principles of every SIEM system are to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. For example, when a potential issue is detected, a SIEM system might log additional information, generate an alert and instruct other security controls to stop an activity's progress.

Payment Card Industry Data Security Standard compliance originally drove SIEM adoption in large enterprises, but concerns over advanced persistent threats have led smaller organizations to look at the benefits SIEM tools can offer as well. Being able to look at all security-related data from a single point of view makes it easier for organizations of all sizes to spot unusual patterns.

At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to make connections between event log entries. Advanced SIEM systems have evolved to include user and entity behavior analytics, as well as security orchestration, automation and response (SOAR).

SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers and network equipment, as well as specialized security equipment, such as firewalls, antivirus programs or intrusion prevention systems (IPSes). The collectors forward events to a centralized management console, where security analysts sift through the noise, connecting the dots and prioritizing security incidents.

In some systems, pre-processing can happen at edge collectors, with only certain events being passed through to a centralized management node. In this way, the volume of information being communicated and stored can be reduced. Although advancements in machine learning are helping systems flag anomalies more accurately, analysts must still provide feedback, continuously educating the system about the environment.

How does SIEM work?

SIEM tools gather event and log data created by host systems throughout a company's infrastructure and bring that data together on a centralized platform. Host systems include applications, security devices, antivirus filters and firewalls. SIEM tools identify and sort the data into categories such as successful and failed logins, malware activity and other likely malicious activity.

The SIEM software generates security alerts when it identifies potential security issues. Using a set of predefined rules, organizations can set these alerts as a low or high priority.

For instance, a user account that generates 25 failed login attempts in 25 minutes could be flagged as suspicious but still be set at a lower priority because the login attempts were probably made by a user who had forgotten their login information.

However, a user account that generates 130 failed login attempts in five minutes would be flagged as a high-priority event because it's most likely a brute-force attack in progress.

Why is SIEM important?

SIEM makes it easier for enterprises to manage security by filtering massive amounts of security data and prioritizing the security alerts the software generates.

SIEM software enables organizations to detect incidents that may otherwise go undetected. The software analyzes the log entries to identify signs of malicious activity. In addition, since the system gathers events from different sources across the network, it can re-create the timeline of an attack, enabling an organization to determine the nature of the attack and its effect on the business.

A SIEM system can also help an organization meet compliance requirements by automatically generating reports that include all the logged security events among these sources. Without SIEM software, the company would have to gather log data and compile the reports manually.

A SIEM system also enhances incident management by helping the company's security team to uncover the route an attack takes across the network, identify the sources that were compromised and provide the automated tools to prevent the attacks in progress.

Benefits of SIEM

Benefits of SIEM include the following:

Limitations of SIEM

Despite its benefits, SIEM also has the following limitations:

SIEM features and capabilities

Important features to consider when evaluating SIEM products include the following:

Users should also ask the following questions about SIEM product capabilities:

SIEM tools and software

There are a wide variety of SIEM tools on market, but the following is just a sample:

How to choose the right SIEM product

The key to selecting the right SIEM tool varies depending on a number of factors, including an organization's budget and security posture. However, companies should look for SIEM tools that offer the following capabilities:

Best practices to implementing SIEM

Follow these best practices while implementing SIEM:

History of SIEM

SIEM technology, which has existed since the mid-2000s, initially evolved from log management, which is the collective processes and policies used to administer the generation, transmission, analysis, storage, archiving and disposal of large volumes of log data created within an information system.

Gartner Inc. analysts coined the term SIEM in the 2005 Gartner report, "Improve IT Security with Vulnerability Management." In the report, the analysts proposed a new security information system based on SIM and SEM.

Built on legacy log collection management systems, SIM introduced long-term storage analysis and reporting on log data. SIM also integrated logs with threat intelligence. SEM addressed identifying, collecting, monitoring and reporting security-related events in software, systems or IT infrastructure.

Vendors created SIEM by combining SEM, which analyzes log and event data in real time, providing threat monitoring, event correlation and incident response, with SIM, which collects, analyzes and reports on log data.

SIEM is now a more comprehensive and advanced tool. New tools were introduced for reducing risk in an organization, such as the use of machine learning and AI to help systems flag anomalies accurately. Eventually, SIEM products with these advanced features started being called next-generation SIEM.

The future of SIEM

Future SIEM trends include the following:

According to a recent Forbes article, the future of SIEM may involve the following five possible outcomes:

  1. Usage-based pricing models for SIEM will become common.
  2. Analysis tools will be built on universal SIEM data platforms.
  3. Organizations will partner to provide more integrations.
  4. The cost of SIEM will drop, making SIEM more affordable for smaller security teams.
  5. Startups will address more of the multifaceted challenges of managing security.

Learn more about SIEM products, including product architectures and the cost of adopting, deploying and managing SIEM systems.

09 Dec 2022

All Rights Reserved, Copyright 2000 - 2024, TechTarget | Read our Privacy Statement