Every organization is drowning in security event information. Each business computing device may have numerous logs generated by the operating system and individual applications and security tools. Multiply that by the number of devices the organization has, and the total number of security log entries generated each day may be in the millions, billions or more. There is no way to monitor, analyze and report on all the log entries without relying on automated products.
The technology specifically designed to address enterprise security logging needs is known as security information and event management (SIEM). This buyer's handbook aims to help you find the best SIEM features to keep your organization secure.
What SIEM is
A SIEM system is a centralized enterprise security log management and analysis product. It centrally automates all the work of collecting logged information and generates reports, helping find potential security incidents recorded in the logs so that an organization can respond to potential threats. In addition to saving a great deal of manual labor, the best SIEM system can also -- because of its ability to continuously analyze enormous data sets -- detect incidents that would have otherwise gone undetected.
SIEM systems aren't intended to take the place of other enterprise security controls. Rather, as noted above, by providing a single place to bring together security logs from disparate sources -- and correlating events across logs -- SIEM systems complement other controls. Originally intended for larger organizations, the products and SIEM features now available can benefit organizations of any size, as well as those obligated to comply with security laws, regulations and compliance initiatives.
How SIEM systems work
The core of a SIEM system is one or more servers, which may be a combination of cloud-based services and locally deployed hardware-based and virtual servers. A small SIEM system might have one server that performs all functions, while a large system might have numerous instances of several types of servers -- e.g., database, data archival and analysis.
Log data from original logging sources can reach the SIEM servers through two primary methods. One is deploying SIEM client software called an agent to each device that generates logs. The other is using agentless services to transfer data from sources to the SIEM system. Most organizations need to use a combination of agents and agentless services because of the variety of logs and log sources they have.
The SIEM agents and servers are responsible for converting each log's data from its proprietary format to a single universal format the SIEM product uses and understands. This is one of the best SIEM features to have because it enables all the log analysis and reporting capabilities. With all data unified, the SIEM system can analyze it to identify attacks and anomalies that merit further investigation or action. Examples of what the SIEM system can do when a potential issue is detected include logging additional information, generating an alert for a person to react to and instructing other enterprise security controls to change their policies or stop a particular activity in progress.
Best SIEM features to look for
The SIEM features vendors offer vary greatly. Some products are lightweight and essentially act as centralized logging servers only, with little or no analysis and response capabilities. On the other end of the spectrum are highly advanced products that offer a wide range of security features to optimize reporting and incident detection and response activities. Because of the differences in features among SIEM systems and the substantial costs often associated with the most advanced features, every organization should determine which features are most beneficial to them as part of the product evaluation process.
Here are some of the most important SIEM features to look for:
- Easy integration with other enterprise security controls. It's becoming particularly important for SIEM systems to be able to give commands to other enterprise security controls. This can stop attacks in progress and reduce or prevent damage. Determine which enterprise security controls the SIEM system will need to direct. Then look for SIEM systems that offer integration with all of them.
- Threat intelligence feed usage. Most SIEM systems can ingest threat intelligence data indicating which IP addresses, domains, websites or other logical entities are currently associated with malicious behavior. Using a SIEM system that continuously receives the latest threat intelligence and effectively applies that information to identify potential problems is becoming necessary to keep up with the latest threats. A SIEM system that supports using the threat intelligence feeds of the organization's choosing, instead of mandating use of a particular feed, provides more flexibility and allows an organization to use the same feed provider across enterprise security controls.
- Robust compliance reporting. This should include built-in reports for common compliance needs and the ability to create new reports or tailor built-in reports to account for organization-specific requirements and characteristics.
- Forensics capabilities. Some SIEM systems are capable of capturing additional information about security events. This information may be useful for identifying attacks, investigating incidents and gathering evidence for disciplinary or prosecutory purposes. One such capability is called network packet capture, where the SIEM system monitors network traffic and records the headers and contents of packets of interest. Another helpful capability is supplemental logging, which is usually achieved by deploying SIEM agents to endpoint and mobile devices and configuring the agents to record information that the devices' built-in logging services can't get.
The bottom line
SIEM systems provide a centralized enterprise log management capability that can encompass security log collection, analysis, reporting, and incident detection and response. Most organizations today find SIEM systems absolutely necessary for finding the latest threats, stopping attacks before extensive damage occurs, gathering information to support incident response efforts and generating reports providing evidence of compliance with a variety of laws, regulations and other sets of requirements.
Each SIEM system provides a unique combination of features, with a great deal of variation from one vendor to another. Evaluating and acquiring the system requires an organization to determine which SIEM features are important and look for products that offer those. Organizations should strive to find a SIEM tool that offers the features they need, doesn't charge excessively for ones they don't need and provides an easy upgrade path for adopting additional features in the future.
Learn basic SIEM analytical steps
Mastered the basics? Learn advanced SIEM analytics
Is SIEM as a service the best route for you?