The top SIEM products: A buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
Security information and event management (SIEM) systems are designed to collect security log events from numerous hosts within an enterprise and store their relevant data centrally. By bringing all of this log data together, these SIEM products enable centralized analysis and reporting for an organization's security events. The analysis may result in the detection of attacks that were not found through other means, and some SIEM products have the capabilities to attempt to stop attacks they detect -- assuming they are still in progress.
SIEM products have been available for many years, but initial SIEM products were targeted at large organizations with sophisticated security capabilities and ample security analyst staffing. It is only relatively recently that SIEM systems have emerged that are well-suited to meeting the needs of small and medium-sized organizations. SIEM architectures available today include SIEM software installed on a local server, a local hardware or virtual appliance dedicated to SIEM, and a public cloud-based SIEM service.
Different organizations use SIEM systems for different purposes, so SIEM benefits vary across organizations. This article looks at the three top SIEM benefits, which are:
- Streamline compliance reporting;
- Detect incidents that would otherwise not be detected; and
- Improve the efficiency of incident handling activities.
Streamline compliance reporting
Many organizations deploy SIEMs for this benefit alone: streamlining their compliance reporting efforts through a centralized logging solution. Each host that needs to have its logged security events included in the reporting regularly transfers its log data to a SIEM server. A single SIEM server receives log data from many hosts and can generate one report that addresses all of the relevant logged security events among these hosts.
An organization without a SIEM is unlikely to have a robust centralized logging capability that can produce rich, customized reports, such as those needed for most compliance reporting efforts. In such an environment, it may be necessary to generate individual reports for each host, or to manually retrieve data periodically from each host and reassemble it at a central point to generate a single report. The latter can be incredibly difficult, in no small part because different operating systems, applications and other pieces of software are likely to log their security events in various proprietary formats. Converting all of this information to a single format may require extensive code development and/or customization.
Another reason why SIEMs are so useful for streamlining compliance reporting is that they often have built-in support for the most common compliance efforts. Their reporting capabilities satisfy the reporting requirements of regulations and standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act (SOX). By leveraging a SIEM, an organization can save considerable time and resources in meeting its security compliance reporting requirements, especially if it is subject to more than one such compliance initiative.
Detect incidents that would otherwise not be detected
There are two primary reasons why SIEMs are able to detect incidents that otherwise would not be detected. The first, and simplest, is that many hosts that log security events do not have built-in incident detection capabilities. Although these hosts can observe events and generate audit log entries for them, they lack the ability to analyze the log entries to identify signs of malicious activity. At best, these hosts, such as end-user laptops and desktops, might be able to alert someone when a particular type of event occurs.
The second reason for SIEMs' increased detection capabilities is that they can correlate events across hosts. By gathering events from hosts across the enterprise, a SIEM can see attacks that have different parts seen by different hosts, and then reconstruct the series of events to determine what the nature of the attack was and whether or not it succeeded. In other words, while a network intrusion prevention system might see part of an attack and a laptop's operating system might see another part of the attack, a SIEM can examine the log data for all of these events and determine that the laptop was infected with malware, which then caused it to join a botnet and start issuing attacks against other hosts.
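The following Python script is an added illustration, not code from the article or from any SIEM product, of the two ideas above: normalizing proprietary log formats into one schema, and correlating events across hosts to reconstruct the attack chain (inbound exploit seen by the IPS, malware detected by the laptop, a connection to a known malicious host matched against a threat-intelligence entry, then traffic toward other internal hosts seen by the firewall). The three log formats, the IP addresses, the threat-intelligence entry and the assumed syslog year are all constructed for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines from three sources, each in a made-up proprietary format.
IPS_LOGS = ["2024-05-01T10:02:11Z ips01 ALERT sig=exploit-kit-landing src=203.0.113.7 dst=10.0.0.25"]
ENDPOINT_LOGS = ['{"ts":"2024-05-01T10:02:40Z","host":"10.0.0.25","event":"malware_detected"}']
FIREWALL_LOGS = ["May  1 10:03:05 fw01 ALLOW tcp 10.0.0.25:49211 -> 198.51.100.9:6667",
                 "May  1 10:04:20 fw01 ALLOW tcp 10.0.0.25:49300 -> 10.0.0.40:445"]
KNOWN_MALICIOUS = {"198.51.100.9"}  # constructed stand-in for an external threat-intelligence feed
FW_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?:ALLOW|DENY) \w+ (\S+):\d+ -> (\S+):\d+$")
# Stages that, observed in this order on one host, mean the compromise succeeded.
COMPROMISE_CHAIN = ["inbound_exploit", "malware_detected", "c2_connection"]

def normalize(line, source):
    """Map one proprietary log line into the common schema the correlation step works on."""
    if source == "ips":
        kv = dict(p.split("=", 1) for p in line.split()[3:])
        return {"ts": datetime.fromisoformat(line.split()[0].rstrip("Z")), "host": kv["dst"], "kind": "inbound_exploit"}
    if source == "endpoint":
        rec = json.loads(line)
        return {"ts": datetime.fromisoformat(rec["ts"].rstrip("Z")), "host": rec["host"], "kind": rec["event"]}
    stamp, src, dst = FW_RE.match(line).groups()
    ts = datetime.strptime("2024 " + stamp, "%Y %b %d %H:%M:%S")  # syslog omits the year; 2024 assumed
    kind = "c2_connection" if dst in KNOWN_MALICIOUS else "lateral_connection" if dst.startswith("10.") else "outbound"
    return {"ts": ts, "host": src, "kind": kind}

def correlate(ips, endpoint, firewall):
    """Group normalized events by internal host, order them in time, and judge each host's chain."""
    events = ([normalize(l, "ips") for l in ips] + [normalize(l, "endpoint") for l in endpoint]
              + [normalize(l, "firewall") for l in firewall])
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev["kind"])
    verdicts = {}
    for host, kinds in by_host.items():
        pos = matched = 0
        for stage in COMPROMISE_CHAIN:  # each stage must follow the previous one in time
            if stage in kinds[pos:]:
                pos, matched = kinds.index(stage, pos) + 1, matched + 1
        verdict = "compromised" if matched == len(COMPROMISE_CHAIN) else "suspicious" if matched else "clean"
        if verdict == "compromised" and "lateral_connection" in kinds[pos:]:
            verdict = "compromised_and_attacking_internal_hosts"
        verdicts[host] = {"verdict": verdict, "chain": kinds}
    return verdicts
```

No single source above sees more than one stage; only the per-host, time-ordered view assembled by `correlate` reveals the full chain.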
It is important to understand that SIEMs do not take the place of enterprise security controls for attack detection, such as intrusion prevention systems, firewalls and antivirus technologies. A SIEM on its own is useless because it has no ability to monitor the raw security events as they happen throughout the enterprise. SIEMs are designed to use log data as recorded by other pieces of software.
Many SIEM products also have the ability to attempt to stop the attacks they detect while the attacks are still in progress. The SIEM itself doesn't directly stop an attack; rather, it communicates with other enterprise security controls, such as firewalls, and directs them to alter their configurations so as to block the malicious activity. This enables the SIEM to prevent attacks from succeeding that might not have even been noticed elsewhere in the enterprise.
To take this a step further, an organization can choose to have its SIEM ingest threat intelligence feeds from trusted external sources. If the SIEM detects any activity involving known malicious hosts, it can then act to terminate those connections or otherwise disrupt malicious hosts' interactions with the organization's hosts in order to proactively prevent an attack from occurring in the first place. This surpasses detection and enters the realm of prevention.
Improve the efficiency of incident handling activities
Another benefit of SIEM products is that they significantly increase the efficiency of incident handling, which in turn saves time and resources for incident handlers. More efficient incident handling ultimately speeds incident containment, thus reducing the amount of damage that many incidents cause. A SIEM improves efficiency primarily by providing a single interface for viewing all the security log data from many hosts.
Examples of how this can expedite incident handling:
- Allows an incident handler to quickly identify an attack's route through the enterprise;
- Enables rapid identification of all hosts that were affected by a particular attack; and
- Provides automated mechanisms to attempt to stop attacks that are still in progress and to contain compromised hosts.
The benefits of SIEM products make them a necessity
The benefits of SIEM products enable an organization to get the "big picture" view of its security events throughout the enterprise. By bringing together security log data from enterprise security controls, host operating systems, applications and other software components, a SIEM can analyze large volumes of security log data to identify the attacks and compromises hidden within it. A SIEM is often able to identify malicious activity that no other single host could identify because the SIEM is the only security control with true enterprise-wide visibility.
SIEMs are used for a few different purposes. One of the most common is to streamline reporting for security compliance initiatives -- such as HIPAA, PCI DSS and SOX -- by centralizing the log data and providing built-in support for meeting the reporting requirements of each initiative. Another common purpose is to detect incidents that would otherwise not be detected and, when possible, automatically stop attacks that are in progress to limit their damage. Finally, SIEMs can also be invaluable in improving the efficiency of incident handling activities, both reducing resource utilization and allowing faster incident responses, which also helps to limit damage.
Today's SIEMs are available in a variety of architectures, including as public cloud-based services, which makes them suitable for use in organizations of all sizes. Considering their support for automating compliance reporting, incident detection, and incident handling activities, SIEMs have become a necessity for virtually every organization.