Security information and event management (SIEM) systems provide centralized logging capabilities for an enterprise and can be used to analyze and/or report on the log entries they receive. Some SIEM systems, which can be either products or services, can also be configured to stop certain attacks they detect, generally by directing the reconfiguration of other enterprise security controls, such as pushing a block rule to a firewall or instructing an endpoint agent to isolate a host.
Traditionally, most organizations with SIEM services have used them either for security compliance efforts or for incident detection and handling efforts. But increasingly, organizations use SIEMs for both purposes. This increases the technology's potential value to the organization, but unfortunately, tends to complicate configuration and management.
Many SIEM services and products are available today to meet the needs of a wide variety of organizations. Taking every characteristic of every one of them into account is not feasible, so this article concentrates on the features of the most widely used SIEM services.
The architecture of SIEM services and products
SIEM services and products are made available through any one of several architectures, including the following: software installed on an on-premises server, on-premises hardware appliance, on-premises virtual appliance and public cloud-based service.
Each of these SIEM architectures has its own advantages and disadvantages, and no architecture is generally superior to the others.
Another important aspect of SIEM architecture is how log data is transferred from each log source to the SIEM. There are two basic approaches: agent-based and agentless. Agent-based means a software agent is installed on each host that generates logs, and this agent is responsible for extracting, processing and transmitting the data to the SIEM server. Agentless means the log data transfer happens without an agent; the log-generating host could directly transmit its logs to the SIEM, or there could be an intermediate logging server involved, such as a syslog server. Most products offer both agent-based and agentless log transfers to accommodate the widest possible range of log sources. The choice has security consequences of its own: classic syslog over UDP provides neither delivery guarantees nor transport integrity, so an attacker who can drop or spoof packets can blind or mislead the SIEM, whereas an agent can buffer locally, authenticate to the collector and send over TLS at the cost of one more piece of software to patch on every host.
Typical environments suitable for SIEM systems
Early SIEM services and products had a reputation for being suited only to large organizations with advanced security capabilities. The main motivation behind these deployments was to duplicate network security logs in a centralized location so the security administrators and analysts could view all the logs through a single console, and potentially correlate events across log sources in support of incident detection and response efforts.
Since that time, SIEMs have evolved to become an important core security component for nearly every organization. As the number of sources of security log entries has grown, so has the need to view, analyze and report on the contents of those log entries from a single console. Even small and medium-sized organizations typically need a SIEM today for compliance purposes -- to automatically generate reports that provide evidence of the organization's adherence to various compliance requirements.
The costs of adopting, deploying and managing SIEM systems
SIEM adoption costs vary widely depending on two main factors: the breadth of the SIEM's capabilities and the selected deployment architecture. In terms of capabilities, some SIEMs offer a "light" solution that provides basic log management and reporting without the advanced analysis techniques and other features that other SIEMs support. These "light" SIEMs are considerably less expensive to acquire than other SIEMs. The deployment architecture also has obvious cost implications for SIEM adoption. On-premises SIEMs require purchase of hardware and/or software, while cloud-based SIEM services are generally based on usage fees, typically tied to ingested data volume, which makes log volume itself a cost to manage.
In addition to acquiring the SIEM product, an organization may have other upfront costs. For example, SIEMs increasingly support the use of threat intelligence feeds, which contain up-to-date information on threat indicators being observed by organizations around the world. Threat intelligence feeds can significantly improve the accuracy of a SIEM's incident detection capabilities, but using such a feed generally necessitates paying a substantial subscription fee.
SIEM deployment costs are generally similar to other major security tool deployments, with one notable exception: integration. A SIEM service is of no value unless it can readily receive, parse and normalize log data from a wide variety of security log sources. Enabling this can necessitate extensive customization of the SIEM and/or development of custom code to translate a source's log data into a common format that the SIEM can understand and process, so that, for example, a source IP address recorded by a Linux host, a firewall and a cloud service all land in the same field and can be correlated against one another.
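To make the integration and correlation points concrete, here is an added example (not code from the original article or from any SIEM vendor) of the kind of glue a deployment ends up writing: it parses RFC 5424 syslog lines from sshd, as an agentless relay would forward them, parses JSON audit events from a hypothetical cloud service whose field names are invented for this example, maps both onto one common schema, and runs a single correlation rule across the two sources. All sample records are constructed; the IP addresses are from the documentation ranges.

```python
"""Normalize two unlike log sources into one schema and run a correlation
rule over the result. Added example with constructed sample records."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input. The first list imitates RFC 5424 syslog lines from
# an sshd host as an agentless relay would forward them; the second imitates a
# JSON audit event from a hypothetical cloud service (field names are invented).
SYSLOG_LINES = [
    "<38>1 2024-03-03T10:15:01Z bastion sshd 2211 - - Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "<38>1 2024-03-03T10:15:04Z bastion sshd 2211 - - Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "<38>1 2024-03-03T10:15:07Z bastion sshd 2211 - - Failed password for root from 203.0.113.7 port 51024 ssh2",
    "<38>1 2024-03-03T10:20:00Z bastion sshd 2300 - - Accepted publickey for alice from 198.51.100.4 port 40000 ssh2",
]
JSON_EVENTS = [
    '{"time": "2024-03-03T10:15:12Z", "source_ip": "203.0.113.7", "user": "deploy", "action": "ConsoleLogin", "result": "Success"}',
]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) \S+ \S+ (?P<msg>.*)$"
)
# sshd auth messages: "Failed password for [invalid user] X from IP port N" / "Accepted publickey for X from IP port N"
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(value):
    """Parse the UTC 'Z' timestamps used by both constructed sources."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_syslog(line):
    """Split an RFC 5424 line into header fields; PRI encodes facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 syslog line: %r" % line)
    facility, severity = divmod(int(m["pri"]), 8)
    return {"facility": facility, "severity": severity, "ts": parse_ts(m["ts"]),
            "host": m["host"], "app": m["app"], "msg": m["msg"]}


def normalize_sshd(line):
    """Map an sshd auth message onto the common schema; None if it is not a login event."""
    hdr = parse_syslog(line)
    if hdr["app"] != "sshd":
        return None
    m = SSHD_RE.match(hdr["msg"])
    if m is None:
        return None
    return {"ts": hdr["ts"], "source": "sshd", "host": hdr["host"], "src_ip": m["ip"],
            "user": m["user"], "outcome": "failure" if m["outcome"] == "Failed" else "success"}


def normalize_cloud_audit(record):
    """Map the hypothetical JSON audit event onto the same schema."""
    d = json.loads(record)
    return {"ts": parse_ts(d["time"]), "source": "cloud_audit", "host": None,
            "src_ip": d["source_ip"], "user": d["user"],
            "outcome": "success" if d["result"] == "Success" else "failure"}


def normalize_all(syslog_lines, json_records):
    """Normalize every record from both sources and order them by time."""
    events = [normalize_sshd(l) for l in syslog_lines]
    events += [normalize_cloud_audit(r) for r in json_records]
    return sorted((e for e in events if e is not None), key=lambda e: e["ts"])


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one source IP accumulates >= threshold failures inside `window`
    and then logs in successfully from any source inside the same window.
    `threshold` and `window` are the knobs an analyst tunes to control noise."""
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        recent = [t for t in failures[e["src_ip"]] if e["ts"] - t <= window]
        if e["outcome"] == "failure":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({"src_ip": e["src_ip"], "user": e["user"], "success_source": e["source"],
                           "failures": len(recent), "ts": e["ts"]})
            recent = []  # reset so one burst produces one alert
        failures[e["src_ip"]] = recent
    return alerts


def run_demo(threshold=3):
    """Normalize the constructed records and apply the rule; returns the alert list."""
    return correlate(normalize_all(SYSLOG_LINES, JSON_EVENTS), threshold=threshold)


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT", alert)
```

With the constructed records the rule fires once: three sshd failures from 203.0.113.7 are followed within the window by a successful console login from the same address in the cloud audit source, a pattern neither source reveals on its own. Raising the threshold to 4 silences it, which is the tuning trade-off the management section below describes.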
Another area of SIEM costs is management. Most organizations seriously underestimate the management costs associated with successful SIEM deployment, particularly if the SIEM is to be used for incident detection and handling purposes. In this case, the SIEM will require frequent tuning and customization, since correlation rules and thresholds that are too loose bury analysts in false positives while rules that are too tight miss real incidents, not to mention constant monitoring so possible incidents can be validated and responded to quickly to limit damage.
SIEM products and services serve two purposes: providing centralized security logging and reporting for an organization, and aiding in the detection, analysis and mitigation of security incidents. SIEM products and services are available through several architectures. Today's SIEM offerings are invaluable to organizations of nearly every size, if for no other reason than they centralize and automate aspects of security compliance reporting.
Organizations considering the acquisition of a SIEM product should carefully consider its deployment and management costs. Because the SIEM ingests security log data from a wide variety of sources, there may be considerable integration costs in facilitating that transfer and translation of log data. SIEM management costs are usually underestimated, and like many technologies, an organization gets value out of a SIEM comparable to the effort that the organization puts into its configuration, monitoring and other management aspects.