Cybercriminals generally don’t slow down their pace and online attacks can be relentless. If you’re interested in real-time online threat data from the last 10 minutes, take a glance at the global threat landscape from Avira Labs here. A proactive approach to online protection is more essential than ever—and if you work in enterprise-grade security, you may have heard of “Security Information and Event Management”—mercifully shortened to SIEM. Yet what do these four little letters refer to exactly and what is SIEM comprised of? Plus, how does SIEM help in mitigating attacks? This article is a “SIEM 101” of sorts, and it’s a great place to start if you’re thinking of taking your security to the next level.
What is a Security Information and Event Management or SIEM solution?
Security Information and Event Management is not a single product; it combines software and services from security information management (SIM) with security event management (SEM). These components work together to collect and store activity from many different resources across the entire IT infrastructure—including network devices, servers, domain controllers, and more. They also provide real-time analysis of security alerts generated by applications and network hardware, giving IT staff vital insight into trends and helping them detect and mitigate cyberthreats. If an alert is issued, it can be quickly investigated.
The name of this blended solution, and its snappier acronym, was coined in 2005 by Mark Nicolett and Amrit Williams of Gartner. Here is the official definition from the National Institute of Standards and Technology, if you’re interested: “An application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface.” The key word here is “actionable”. Action is precisely what’s needed as cyberattacks become more prevalent and complex, and as organizations must meet stringent compliance and regulatory requirements that oblige them to log their security controls.
If you’re thinking “but what’s the difference between a SIEM and a firewall”—good question. They both offer security but perform different functions. A firewall helps block malicious content from entering your network, so it’s a cyberthreat prevention tool. SIEM is a cyberthreat detection and data collection tool: it collects and analyzes log data from the firewall (and other network security solutions). Firewalls are an essential first line of network defense, but no protection is 100% effective. By raising an alert whenever suspicious network activity occurs, SIEM provides a more comprehensive overview of network operations. In a nutshell, it puts the “multi” into multi-layered security.
What does this easy-to-use, more comprehensive security cost? That’s more difficult to answer as the precise cost will vary depending on factors such as the size of the business and the volume of data that needs to be monitored. Many rough estimates put the price of a managed SIEM at between $5,000 and $10,000 per month. Some providers offer solutions that are self-managing, while others come with high consultation and support costs. Remember that licenses must typically be renewed annually and be expanded to cover growing data volumes.
Actionable insight: How does a SIEM security management system work?
At its core, SIEM is a data aggregator, plus a search, reporting, and security system. It can reside either in on-premises or cloud environments and follows a four-step process:
STEP 1: Collect data from various sources
STEP 2: Aggregate data
STEP 3: Analyze data for potential cyberthreats
STEP 4: Identify security breaches and issue alerts based on analytics that match a defined rule set
SIEM gathers vast volumes of data from the entire networked environment (think applications, security devices, antivirus filters, and firewalls), and consolidates and logs this data. It also categorizes data to make it accessible, helping to deliver insight across the IT environment.
Analyzing the huge volumes of data generated by all networked devices in real time would be beyond the capabilities of any mere human! SIEM solutions examine all data and use rules and statistical correlations to sort cyberthreat activity according to its risk level. This helps security operation centers (SOCs) identify malicious actors and attempt to mitigate cyberattacks. They can also recreate past incidents and learn from them or analyze new ones in real time to implement more effective security processes.
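To make the four steps concrete, here is an added example (written for this article, not code from Avira or any SIEM vendor) of a toy SIEM pipeline in Python. It takes constructed log lines from two sources in different formats (an SSH daemon and a firewall), normalizes them into one event schema, and then runs two correlation rules over the consolidated stream: repeated failed logins followed by a success for the same user and source, and a single source being denied on several destination ports. The hostnames, addresses, timestamps, rule names and thresholds are all assumptions chosen for the demonstration.

```python
"""Added example: a toy SIEM pipeline (collect -> normalize -> correlate -> alert).
Log lines, addresses, timestamps and rule thresholds are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Step 1 input: constructed raw lines from two sources, each in its own format.
RAW_LOGS = [
    ("sshd", "2024-05-01T10:00:01 sshd[812]: Failed password for alice from 203.0.113.7 port 5011"),
    ("firewall", "2024-05-01T10:00:02 action=deny src=198.51.100.9 dst=10.0.0.5 dport=445"),
    ("firewall", "2024-05-01T10:00:02 action=deny src=198.51.100.9 dst=10.0.0.5 dport=3389"),
    ("sshd", "2024-05-01T10:00:03 sshd[812]: Failed password for alice from 203.0.113.7 port 5012"),
    ("sshd", "2024-05-01T10:00:05 sshd[812]: Failed password for alice from 203.0.113.7 port 5013"),
    ("sshd", "2024-05-01T10:00:09 sshd[812]: Accepted password for alice from 203.0.113.7 port 5014"),
    ("sshd", "2024-05-01T10:05:00 sshd[900]: Failed password for bob from 192.0.2.44 port 6000"),
    ("sshd", "2024-05-01T10:30:00 sshd[901]: Accepted password for bob from 192.0.2.44 port 6001"),
]

SSH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
                    r"for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def normalize(source, line):
    """Step 2: map one raw line onto a common event schema; unparseable lines are dropped."""
    if source == "sshd" and (m := SSH_RE.match(line)):
        return {"ts": datetime.fromisoformat(m["ts"]), "source": source, "type": "auth",
                "outcome": "failure" if m["outcome"] == "Failed" else "success",
                "user": m["user"], "src": m["src"]}
    if source == "firewall" and (m := FW_RE.match(line)):
        return {"ts": datetime.fromisoformat(m["ts"]), "source": source, "type": "net",
                "outcome": m["action"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    return None


def collect(raw):
    """Steps 1+2: normalize every line and order the consolidated event stream by time."""
    events = [e for src, line in raw if (e := normalize(src, line)) is not None]
    return sorted(events, key=lambda e: e["ts"])


def rule_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Step 3: correlation rule. A success preceded by >= threshold failures for the same
    user/source pair inside the window is far more interesting than failures alone."""
    alerts, failures = [], defaultdict(list)  # (user, src) -> failure timestamps
    for e in (e for e in events if e["type"] == "auth"):
        key = (e["user"], e["src"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures.pop(key, []) if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "severity": "high",
                           "ts": e["ts"], "user": e["user"], "src": e["src"],
                           "failures": len(recent)})
    return alerts


def rule_port_scan(events, min_ports=2, window=timedelta(minutes=1)):
    """Step 3: a single source denied on several distinct destination ports inside the window."""
    alerts, seen, alerted = [], defaultdict(list), set()  # src -> [(ts, dport)]
    for e in (e for e in events if e["type"] == "net" and e["outcome"] == "deny"):
        seen[e["src"]].append((e["ts"], e["dport"]))
        ports = {p for t, p in seen[e["src"]] if e["ts"] - t <= window}
        if len(ports) >= min_ports and e["src"] not in alerted:
            alerted.add(e["src"])  # one alert per source, not one per extra port
            alerts.append({"rule": "port-scan", "severity": "medium", "ts": e["ts"],
                           "src": e["src"], "ports": sorted(ports)})
    return alerts


def run_pipeline(raw):
    """Step 4: run every rule over the consolidated stream and emit alerts in time order."""
    events = collect(raw)
    alerts = rule_bruteforce_then_success(events) + rule_port_scan(events)
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_pipeline(RAW_LOGS):
        print(alert)
```

Note what the correlation buys you: bob’s single failed login followed by a success 25 minutes later produces nothing, while alice’s three failures inside five minutes followed by a success produce one high-severity alert. Neither source on its own would have told that story, which is exactly the point of aggregating before analyzing.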
What are the advantages and disadvantages of SIEM?
The key advantage of SIEM is protection against virtual threats. Firewalls and antivirus systems are essential but not always enough to protect an entire network, especially against zero-day attacks. SIEM can be effective because every user leaves a virtual trail in a network’s log data—and so does every tracker or hacker. SIEM assesses activity against past behavior on the network, which helps it distinguish between legitimate use and a malicious attack.
Secondly, SIEM security also helps companies comply with industry cyber regulations. Log management is the industry standard for auditing activity on IT networks, but keeping logs is a resource-intensive effort for security teams. SIEM can help provide automated compliance with data security regulations—and even delivers audit-ready reports on demand. A win-win!
Tempted? Before you race off to implement a SIEM, there are some cons to consider. It’s not as simple as buying and installing a SIEM tool. How well your SIEM system works depends on how it’s set up, configured, and monitored. Simply logging information without context is pointless. Also, analyzing and configuring SIEM reports requires technical expertise, or you’ll just end up with reams of data that tell you nothing. Time and technical expertise cost money, so SIEMs can be expensive. There’s the implementation, annual support, and possibly additional staff to consider…
And did you know that if you fail to configure SIEM properly, it can generate thousands of false positives a day? In a nutshell, in the wrong hands, SIEM can be complex, costly, and confusing!
Let’s explore key SIEM tools
Gartner identifies the following three critical capabilities for SIEM systems: Threat detection, investigation, and time to respond. In addition, SIEM providers often offer other features and functionality, including:
- Basic security monitoring
- Advanced threat detection
- Forensics & incident response
- Log collection
- Normalization
- Notifications and alerts
- Security incident detection
- Threat response workflow
It’s important to evaluate your goals when choosing SIEM. For example, if your organization needs to meet strict regulatory requirements, generating reports will be a top priority. Are emerging online attacks your biggest concern? Look for excellent normalization tools and extensive user-defined notification capabilities.
How to get the most from your SIEM network and SIEM system
No two IT environments and threat landscapes are identical, so what’s right for one organization might not be ideal for another. However, when using a SIEM, it’s advised to follow these common practices:
- Ensure complete coverage: SIEM needs data from all relevant sources to function at its best. It may miss dangerous events if there is not complete visibility of the operating environment.
- Collect the right data: Data isn’t all created equal and feeding a SIEM with unimportant data will waste resources. Choose wisely—and regularly review rules and data flows.
- Automate where possible: Any analysis that can be performed automatically helps reduce the load on a human team, freeing them up to investigate alerts more thoroughly.
- Assign alert levels: A threat to an employee laptop is not as important as the potential shutdown of critical systems. The alert level should be based on the importance of the system being attacked.
- Stay up-to-date on cyberthreats: Knowing what’s out there will help you make educated decisions about your SIEM configuration. Rules and alerts based on attacks with known signatures are excellent at helping prevent existing cyberthreats. But anomaly-based rules can help identify even unknown cyberthreats. Learn what’s “normal” for your environment and prime your system to identify any deviations.
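Two of the practices above, assigning alert levels by the importance of the affected system and learning what’s “normal” so the SIEM can flag deviations, can be shown together in a short added example (written for this article, not Avira code). Each host’s outbound traffic over the previous week is treated as its baseline; an observation more than three standard deviations above that baseline is flagged as an anomaly, and the alert level comes from an asset inventory rather than from the size of the spike. Hostnames, tiers, the traffic figures and the z-score threshold are all constructed assumptions.

```python
"""Added example: baseline-based anomaly detection with alert levels driven by asset
importance. Host names, asset tiers and all traffic figures are constructed."""
import statistics

# Constructed asset inventory: the tier decides the alert level, not the size of the spike.
ASSET_TIER = {"dc01": "critical", "db01": "high", "laptop-42": "low"}
TIER_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed baseline: outbound megabytes per host over the previous seven days ("normal").
BASELINE_MB = {
    "dc01": [120, 118, 125, 122, 119, 121, 123],
    "db01": [300, 310, 290, 305, 295, 300, 300],
    "laptop-42": [50, 55, 48, 52, 51, 49, 53],
}
# Constructed observation for today: the domain controller and a laptop both spike.
TODAY_MB = {"dc01": 900, "db01": 312, "laptop-42": 400}


def zscore(history, observed):
    """How many standard deviations 'observed' sits above the learned baseline."""
    mean, stdev = statistics.fmean(history), statistics.pstdev(history)
    if stdev == 0:  # flat baseline: any increase is a deviation, no increase is not
        return float("inf") if observed > mean else 0.0
    return (observed - mean) / stdev


def detect_anomalies(baseline, today, threshold=3.0):
    """Flag hosts whose outbound volume deviates upward from their own baseline,
    then rank the alerts by the importance of the asset involved."""
    alerts = []
    for host, observed in today.items():
        history = baseline.get(host)
        if not history:
            continue  # no baseline yet: nothing to judge "normal" against for this host
        z = zscore(history, observed)
        if z > threshold:
            tier = ASSET_TIER.get(host, "medium")  # unknown assets default to medium
            alerts.append({"host": host, "zscore": round(z, 1), "observed_mb": observed,
                           "baseline_mb": round(statistics.fmean(history), 1),
                           "alert_level": tier})
    return sorted(alerts, key=lambda a: TIER_RANK[a["alert_level"]])


if __name__ == "__main__":
    for alert in detect_anomalies(BASELINE_MB, TODAY_MB):
        print(alert)
```

The laptop’s spike is proportionally larger than the domain controller’s, yet the domain controller is listed first and at “critical”: the analyst’s queue is ordered by what is at stake, not by how unusual the number looks. The database host, whose increase stays within its normal day-to-day variation, generates no alert at all, which is the false-positive control the “learn what’s normal” advice is after.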
Meet some top players in the SIEM space
There are many options when it comes to choosing SIEM security and SIEM tools. Here are a few big names in the field.
Splunk: This on-premises SIEM solution was named a leader in the 2022 Gartner® Magic Quadrant™ for SIEM®. It supports security monitoring and provides advanced threat detection capabilities.
IBM QRadar: Deploy this SIEM as a hardware appliance, a virtual appliance, or a software appliance, depending on your organization’s needs and capacity.
LogRhythm: LogRhythm is a popular choice for smaller organizations and offers trusted threat detection and response capabilities.
Explore a more complete list of providers and see how they rate in the Gartner Security Information and Event Management (SIEM) Reviews and Ratings here.
What does the future of SIEM look like?
We live in a brave new world of automation, AI, and cloud infrastructures. Companies demand highly effective, scalable—yet cost-effective—solutions, and teams of analysts doing battle from behind an array of monitors is quickly coming to an end. So, what might next-gen SIEM solutions look like? According to Forbes, usage-based pricing models will become the norm, and companies will only pay for the data processed each month. Cloud services will continue to reduce the cost and complexity of SIEM. Simplicity will be key, reducing start-up times, and making next-gen SIEM more accessible for all. Security companies will build specific analysis tools on top of a universal SIEM data platform. This will allow them to focus on specific verticals to produce robust software that is even more high-quality and scalable.
Better security that’s faster, flexible, and more affordable? The future looks rosy indeed.