This content is part of the Essential Guide: How to conduct a next-generation firewall evaluation

security information and event management (SIEM)

Security information and event management (SIEM) is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. The acronym SIEM is pronounced "sim" with a silent e.

The underlying principles of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. For example, when a potential issue is detected, a SIEM might log additional information, generate an alert and instruct other security controls to stop an activity’s progress.

At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEMs have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR).

Payment Card Industry Data Security Standard (PCI DSS) compliance originally drove SIEM adoption in large enterprises, but concerns over advanced persistent threats (APTs) have led smaller organizations to look at the benefits a SIEM managed security service provider (MSSP) can offer. Being able to look at all security-related data from a single point of view makes it easier for organizations of all sizes to spot patterns that are out of the ordinary.

Today, most SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewallsantivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.

In some systems, pre-processing may happen at edge collectors, with only certain events being passed through to a centralized management node. In this way, the volume of information being communicated and stored can be reduced. Although advancements in machine learning are helping systems to flag anomalies more accurately, analysts must still provide feedback, continuously educating the system about the environment.

Here are some of the most important features to review when evaluating SIEM products:

• Integration with other controls - Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?

Artificial intelligence - Can the system improve its own accuracy by through machine and deep learning?

• Threat intelligence feeds – Can the system support threat intelligence feeds of the organization's choosing or is it mandated to use a particular feed?

• Robust compliance reporting - Does the system include built-in reports for common compliance needs and the provide the organization with the ability to customize or create new compliance reports?

Forensics capabilities – Can the system capture additional information about security events by recording the headers and contents of packets of interest? 

This was last updated in January 2018

Next Steps

Karen Scarfone explains the basics of SIEM products in the enterprise.

What are the enterprise benefits of SIEM systems?

Learn how to evaluate SIEM products to determine which are the best for your organization.

Find out why network intrusion prevention systems compliment SIEM systems in this Buyer's Guide series that covers the basics of network IPS systems, lays out the enterprise benefits of network IPSes, and explains how intrusion prevention systems use data from SIEM systems.

How to find the best SIEM system for your company

Continue Reading About security information and event management (SIEM)

Dig Deeper on Enterprise network security

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Can go for EventLog Analyzer
What are the advantages of outsourcing SIEM to a third-party cloud provider?
You said, "The acronym is pronounced "sim" with a silent e." However as you also stated, there exists a Security Information Management (SIM) and Security Event Management (SEM), so the SIEM has been pronounced like "SEEM" to distinguish it between the others ("sim" and "sem").
I don't think sharing log events with third-party is good practice 


File Extensions and File Formats

Powered by: