Security information and event management technologies provide businesses with security-event log management capabilities,...
including log monitoring, analysis, reporting and centralized storage. SIEM analysis is conducted for a variety of reasons, including review of long-term historical security trends, short-term review of incidents in support of investigations and real-time analysis of current attack attempts.
SIEM platforms monitor and analyze enormous volumes of security event data on a continuous basis. This removes a huge burden from human security analysts, freeing them to focus on those analysis-related tasks that are most improved through human involvement. For example, SIEM platforms are not infallible, and they may make decisions based on an incomplete or inaccurate understanding of the data they receive and analyze. Some of the data that SIEM products receive may even be erroneous. People who review the results of SIEM analysis may be able to quickly identify errors -- both false positives and false negatives -- and ensure that the right actions are taken.
It's important that any SIEM system have an analysis interface for security professionals. This interface should allow users to quickly verify the SIEM analysis conclusions by making all the supporting information conveniently available. It should also enable them to use SIEM to find patterns in the security data that the SIEM tool could not find on its own. And, of course, it should also allow them to perform their own investigations.
The heart of SIEM interfaces for human analysis is search capabilities. All SIEM tools have basic search capabilities, such as allowing a person to enter an IP address and then displaying a list of recent security events involving that address. Although this is certainly useful, search can be a much more powerful tool.
Here are search features to look for that will aid SIEM analysis:
- Flexibility in simple searches. Although it's usually more common to be searching within a particular data field -- such as IP address, username or application -- there are times when an analyst wants to search for a particular value in any data field. Robust SIEM will support both types of searches.
- Usable and powerful complex search capabilities. Ideally, SIEM should provide both a GUI that makes it easy for analysts to perform complex searches and a search or query language such as SQL that enables analysts to write and run complex searches. This combination allows analysts of all skill levels to do searches.
- Choices in the search output format. A list of results is the typical default format, but there are many other possibilities, including a variety of charts, graphs, network flow diagrams, gauges, and even maps. These graphical output options are generally known as data visualization capabilities. Under different circumstances, one or more of these data visualization forms may be valuable to users for identifying anomalous activity.
- Search scheduling. An analyst may want to write a search and schedule it to run automatically on a regular basis to identify specific activity. For example, an analyst may write a search designed to find servers that show the same signs of attack that an already-compromised server had.
If a SIEM product does not offer sufficiently usable and robust search capabilities, it may be prudent to acquire a separate tool that can perform the necessary searches on the SIEM data or a copy of the data. In some cases, using a separate tool may even be preferable because the searches can be performed on a separate server, reducing the load on the SIEM system itself.
Read more about how to evaluate and decide on a SIEM product
SIEM history: How SIEMs developed
How SIEM benefits enterprises