What is Security Information and Event Management (SIEM) : How does SIEM Work? - Tutorial Boy -->

What is Security Information and Event Management (SIEM) : How does SIEM Work?

What is SIEM

SIEM is an umbrella term for security software packages ranging from Log Management Systems to Security Log / Event Management, Security Information Management, and Security Event correlation. More often than not these features are combined for a 360-degree view.

From a high-level perspective, we can assume SIEM Tools as software that gets in tons of log data from various Network Devices like Servers, Intrusion Detection/Prevention Systems, Firewalls, Domain Controllers, Endpoints and process them in such a way that we can easily analyze the provided information to gain insights particularly security-related events in real-time.

How did it evolve?

LMS + SIM + SEM = SIEM

  • SIM - Security Information Management

SIM is a first-generation system that provides historical analysis and reporting for security event data. This requires event and data collection/correlation (but not in real-time), an indexed repository for log data and flexible query and reporting capabilities.

  • SEM - Security Event Management

SEM is a second-generation system that provides real-time monitoring and event management to support IT security operations. SEM requires several capabilities: event and data collection, aggregation and correlation in near real-time; a dynamic monitoring/security event console for viewing and managing events; and automated response generation for security events.

  • LMS - Log Management System

Log management apps can be categorized into Log Analysis Tools, Log Monitoring Tools, and Log Management Tools. There are no limits on the storage of logs in the log management app. It depends on the plan availed by the customer. Similarly, the duration for which logs can be retained depends on the plan that you select.

Below are the sources that I referred to learn more about SEM and SIM.

How does SIEM work?

SIEM tools work by gathering event and log data created by host systems, applications and security devices, such as antivirus filters and firewalls, throughout a company's infrastructure and bringing that data together on a centralized platform. The SIEM tools identify and sort the data into such categories as successful and failed logins, malware activity and other likely malicious activity.

The SIEM software then generates security alerts when it identifies potential security issues. Using a set of predefined rules, organizations can set these alerts as a low or high priority.

Working on a SIEM

Below is the depiction of how a SIEM works.


Source: Innominds.com

SIEM Tools collect and store huge amounts of data from various Network Devices. After storing the data, they consolidate and categorize them based on the activity Then filters it through the policies and rules that are designed by the administrator and finally provides us with the report in the form of alerts, dashboards, etc.

The entire process is taken care of SIEM components.


Source: Innominds.com

But as the world grows every day, the current generation SIEM is not able to withstand the amount of complex data. So, the Next-gen SIEM Tools come in place. 

What’s the difference between the Current-gen and the Next-gen SIEM Tools?

  • Open and scalable architecture
  • Real-time visualization tools
  • Big data architecture
  • User and entity behaviour analytics (UEBA)
  • Security, orchestration, and automation response (SOAR)
  • Network Traffic Analysis (NTA)
  • Out of these, the most notable features are UEBA and SOAR

User and entity behaviour analytics (UEBA) - Solution for monitoring behavioural changes in user data to detect anomalous instances when there are deviations from “normal” patterns. It enables a deep understanding of threats such as social engineering and account compromise, which helps security analysts visualize threats and understand their context.

Security, orchestration, and automation response (SOAR) - Technology that automates routine, manual analyst actions to increase operational efficiency throughout the incident response workflow.

Sources:
Use cases of SIEM



Source: Varonis

Following are some of the use cases,

  • Performs basic security monitoring
  • Helps organizations to comply with different regulations such as PCI, HIPAA, GDPR.
  • With the help of UEBA, SIEM tools look for possible Insider Threats
  • Discovers compromised accounts by looking for Malware communications
  • Helps in Threat Hunting by providing data and context of suspected incidents
  • Detects Data Exfiltration by analyzing large data transfers, data transferring to an unknown user.
  • Zero-Day Threat Detection with the help of Behaviour Analysis
  • Helps to map operations with existing Frameworks

What to Look for in the Best SIEM Solutions

SIEM products have a few basic characteristics. They ingest data from multiple sources (including threat intelligence), then interpret that data, send alerts, perform analytics, and provide a historical overview or summary. Of course, when it comes to choosing a SIEM security solution, every business will have its own criteria for deciding whether the capabilities of a tool align with its needs. This will depend on factors like business size, types of data, vendor array, specific regulatory frameworks, budget, and, of course, an IT team’s usability preferences. There are a few questions you’ll want to ask as you check out the best SIEM tools in the market.

  • Will the tool actually improve your log collection abilities? 
    • This is basic, but important, as you want software that enhances how you collect and manage logs. Look for compatibility across systems and devices — and it never hurts to have a dashboard with user-friendly features.
  • Will the tool allow you to achieve compliance? 
    • Look for a tool that helps with auditing and reporting. Even if you’re not concerned with compliance now, you should be. A SIEM tool is a great way to step up your game in this area.
  • Is the threat response workflow set up to help you manage past security events? 
    • One of the major advantages of a SIEM tool is that it allows you to get an overview of past events, analyze what happened, and instruct the system to use historical patterns to inform its activity moving forward. Look for helpful, drill-down analytics capabilities.
  • Does the tool provide the fast, effective, automated responses you need?
    •  First, it’s critical that incident response time is fast enough. Additionally, customizable security alerts can really make your life easier. You want to be able to turn away without wondering whether you’re neglecting a major issue. Make sure alerting is a priority within the tool.

Top SIEM Solutions

  • SolarWinds
  • Splunk
  • Micro Focus ArcSight
  • DataDog
  • OSSEC
  • AlienValut USM
  • McAfee
  • LogRhythm
  • AT&T
  • RSA NetWitness
  • IBM QRadar

If you want to know SIEM in-depth, below is the curated list of sources (including those mentioned above). Hope this helps you.