Security information and event management (SIEM) is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. The acronym SIEM is pronounced "sim" with a silent e.
The underlying principles of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. For example, when a potential issue is detected, a SIEM might log additional information, generate an alert and instruct other security controls to stop an activity’s progress.
At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEMs have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR).
Payment Card Industry Data Security Standard (PCI DSS) compliance originally drove SIEM adoption in large enterprises, but concerns over advanced persistent threats (APTs) have led smaller organizations to look at the benefits a SIEM managed security service provider (MSSP) can offer. Being able to look at all security-related data from a single point of view makes it easier for organizations of all sizes to spot patterns that are out of the ordinary.
Today, most SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.
In some systems, pre-processing may happen at edge collectors, with only certain events being passed through to a centralized management node. In this way, the volume of information being communicated and stored can be reduced. Although advancements in machine learning are helping systems to flag anomalies more accurately, analysts must still provide feedback, continuously educating the system about the environment.
Here are some of the most important features to review when evaluating SIEM products:
• Integration with other controls - Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?
• Threat intelligence feeds – Can the system support threat intelligence feeds of the organization's choosing or is it mandated to use a particular feed?
• Robust compliance reporting - Does the system include built-in reports for common compliance needs and the provide the organization with the ability to customize or create new compliance reports?
• Forensics capabilities – Can the system capture additional information about security events by recording the headers and contents of packets of interest?
Karen Scarfone explains the basics of SIEM products in the enterprise.
What are the enterprise benefits of SIEM systems?
Find out why network intrusion prevention systems compliment SIEM systems in this Buyer's Guide series that covers the basics of network IPS systems, lays out the enterprise benefits of network IPSes, and explains how intrusion prevention systems use data from SIEM systems.
How to find the best SIEM system for your company