Security information and event management (SIEM) technology helps organizations detect, prioritize and respond to a large volume of security threats in real time. A SIEM acts as a central repository for all security-related information: events from firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), application logs, web proxy server logs and more.
The purpose of a SIEM system is to collect data from multiple sources, correlate it, analyze the results using correlation rules and produce reports based on thresholds set by network administrators. The process starts with the collection of log files or syslog messages, which are sent to the SIEM server over either UDP or TCP port 514. Once these log files are collected into a central database, they can be analyzed
How a SIEM works
A SIEM is a system that consolidates security-related information like events and alerts from network devices such as firewalls, intrusion prevention systems (IPS), routers and servers, into a central database.
The data collected by the SIEM consists of both structured and unstructured information. Structured data typically comes from sources such as IDS and IPS logs, while unstructured data typically comes from sources such as firewall logs, proxy server logs and application server logs. By correlating unstructured with structured data, the SIEM can link events across multiple security domains to find patterns or create reports based on thresholds set by administrators.
When an administrator is alerted about a security event, they may generate more logs by running queries against the SIEM to find out whether it was a false alert. For example, after receiving an email from the firewall reporting a new attack on port 80, they might query for all alerts involving port 80 and see that no other computers were attacked on any other ports.
Top 5 things every IT person should know about SIEM
- SIEM consolidates security-related information from various devices such as firewalls, IDS/IPS, routers and servers into a central database. Because these network devices typically do not share log information with each other out of the box (beyond transports such as WMI or syslog), one of the purposes of a SIEM system is to collect data from multiple sources into a central database.
- SIEM provides reports based on thresholds set by network administrators. The purpose of a SIEM is to consolidate and analyze security-related log events, generate reports and raise alerts based on preconfigured thresholds or rules developed by network security professionals. A SIEM system does not replace the need for a skilled security analyst; rather, it makes an analyst’s job easier by providing more information than they may have had access to in the past. When users sign up with most cloud service providers, such as Office 365, they are given an initial warning that alerts will be sent via email, but many don’t realize just how much information will be sent, including account and authentication failures, application and service errors and more. It’s important to understand not only which alerts will be sent but also what information those alerts will contain.
- SIEM provides metrics reports such as top talkers (the hosts generating the most traffic), protocol distribution (percentage of HTTP vs HTTPS) or top applications (e.g., Skype). A user should understand what type of reporting a SIEM does before signing up for service with a cloud services provider, because it can provide valuable insight into operations and problems within an organization. For example, when a new vulnerability is discovered in a popular WordPress plug-in and exploits start surfacing on websites running that plug-in, a SIEM system may generate an alert. When the alert is received, it could have the HTTP header attached, providing who/what/when/where information about the event without having to open the full alert in a browser.
- SIEM provides forensics by collecting data for future analysis and troubleshooting. Gathering security-related log events takes time, but this information can be invaluable when troubleshooting after an attack or incident has occurred, because it allows network analysts and security experts to go back through past alerts, look at trends over time and identify attacks that were thwarted by the detection capabilities of their SIEM system.
- SIEM needs maintenance. If your organization doesn’t have skilled network security professionals on staff, you will want to ensure that your SIEM vendor is providing regular maintenance and updates/patches. The very last thing you would want is for data collection and analysis features to stop working because an administrator neglected to configure a timely update schedule for the SIEM system.
Use cases for SIEM
Web application security
SIEM provides a way to detect when web applications are attacked by looking at the logs of multiple devices in a network and correlating them together in a central location.
SIEM makes log management easier: it collects all the logs from the different types of devices in your network and makes it easy for an administrator to find important data in those logs.
Successful SIEM implementations can be used to search across logs from all the devices on the network for internal threats, such as rogue employees acting maliciously or poorly trained employees opening phishing emails, which could result in malware being downloaded onto an organization’s computers or sensitive data being leaked.
SIEM can be used to find malware on your network by watching for malicious activity in logs from all the different devices within your network or cloud infrastructure. An administrator would then be able to respond faster when a new threat is discovered because they have visibility into all of their systems, not just one.
Many SIEM platforms are now able to help administrators manage the lifecycle of the core information security components on their networks, such as firewalls and intrusion prevention/detection systems (IPS/IDS). A SIEM solution should make it easy to review device logs remotely, with rich visualizations that provide real-time data about the health of these devices, so an administrator knows which ones are not functioning correctly.
Why you should have one
One of the best reasons for organizations to get a SIEM platform is that it adds another layer of protection between your organization and the outside world. In order to establish connectivity from an attacker’s computer or network to any critical systems on an organization’s network, the attacker must successfully compromise one or more devices within the network/cloud infrastructure. If a SIEM system detects anomalous behavior by a compromised system, it can generate alerts that administrators can use to stop these types of attacks while they are occurring.
An additional benefit of using a SIEM solution is being able to aggregate logs from many different sources into one central location where all security teams have access to the same data, which allows them to detect new threats faster since they are no longer searching in silos.
The benefits of having a SIEM
Detects anomalous activity
SIEM allows you to detect the behavior of an attack in motion. It does this by taking logs from multiple devices and analyzing them with a rules engine that looks for attacks based on what your organization defines as malicious behavior against mission-critical systems. SIEM alerts administrators when it detects anomalous activity such as zero-day vulnerability exploit attempts, business email compromise (BEC) and credential stuffing attacks.
Provides visibility across your entire network/cloud infrastructure
One of the key benefits of using a SIEM solution is providing visibility into all areas of an organization’s network or cloud infrastructure. Security teams need to be able to see the same logs that their colleagues in different parts of the organization see, otherwise they’ll be out of sync on what is going on and you’ll have a gap in your security posture.
Accelerates detection of compromised systems
A SIEM solution can detect compromised devices on an organization’s network by correlating events from different parts of the network. It is able to do this because it collects logs from all devices in the network/cloud infrastructure and uses those logs as inputs to its correlation rules engine, which identifies attacks as they are being carried out.
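The pipeline described under "How a SIEM works" and in the two sections above (collect syslog from several sources, normalize structured and unstructured lines, apply an administrator-set threshold and a cross-device correlation rule), as an added Python example that is not code from the original article or from any SIEM product. The log lines, host names, addresses, signature text and the two rules are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog lines for this example (not real traffic): a firewall, an IDS
# and an SSH server all forwarding to one collector, as the article describes.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 fw01 kernel: DENY TCP src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:02 ids01 snort: WEB-ATTACK wp-admin probe src=203.0.113.7 dst=10.0.0.8 dport=80",
    "2024-05-01T10:00:03 fw01 kernel: ALLOW TCP src=203.0.113.7 dst=10.0.0.8 dport=80",
    "2024-05-01T10:01:00 ids01 snort: WEB-ATTACK wp-admin probe src=198.51.100.9 dst=10.0.0.8 dport=80",
    "2024-05-01T10:01:01 fw01 kernel: DENY TCP src=198.51.100.9 dst=10.0.0.8 dport=80",
] + [  # six failed logins from one source within ten seconds
    f"2024-05-01T10:02:{s:02d} web01 sshd: Failed password for admin from 192.0.2.3 port 5{s:04d}"
    for s in range(0, 12, 2)
] + [  # one failure from another source, below any sensible threshold
    "2024-05-01T10:03:30 web01 sshd: Failed password for bob from 192.0.2.4 port 6001",
]
KV_RE = re.compile(r"(\w+)=(\S+)")
SSH_RE = re.compile(r"Failed password for (\S+) from (\S+) port (\d+)")

def parse(line):
    """Normalize one syslog line into a flat event dict (None if the source is unknown)."""
    ts_str, host, rest = line.split(" ", 2)
    ev = {"ts": datetime.fromisoformat(ts_str), "host": host}
    if rest.startswith("kernel: "):            # firewall: structured key=value fields
        ev["type"], ev["action"] = "fw", rest.split()[1]
        ev.update(KV_RE.findall(rest))
    elif rest.startswith("snort: "):           # IDS: signature text plus key=value fields
        ev["type"], ev["sig"] = "ids", rest[len("snort: "):].split(" src=")[0]
        ev.update(KV_RE.findall(rest))
    else:                                      # auth log: free text, needs a regex
        m = SSH_RE.search(rest)
        if not m:
            return None
        ev.update(type="auth", user=m.group(1), src=m.group(2), dport="22")
    return ev

def failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Threshold rule: sources with >= threshold failed logins inside a sliding window."""
    by_src = {}
    for ev in events:
        if ev["type"] == "auth":
            by_src.setdefault(ev["src"], []).append(ev["ts"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = max(hits.get(src, 0), end - start + 1)  # largest burst seen
    return hits

def confirm_ids_alerts(events, window=timedelta(seconds=30)):
    """Correlation rule: an IDS hit is confirmed only if the firewall ALLOWed the same
    src->dst:dport within the window; a DENY means the attempt never reached the host."""
    fw = [e for e in events if e["type"] == "fw"]
    verdicts = []
    for ids in (e for e in events if e["type"] == "ids"):
        key = (ids["src"], ids["dst"], ids["dport"])
        related = [f for f in fw if (f["src"], f["dst"], f["dport"]) == key
                   and abs(f["ts"] - ids["ts"]) <= window]
        if any(f["action"] == "ALLOW" for f in related):
            verdict = "confirmed"
        elif related:
            verdict = "blocked"
        else:
            verdict = "unverified"
        verdicts.append((ids["src"], ids["sig"], verdict))
    return verdicts

def run(lines=SAMPLE_LOGS):
    # Collect, normalize and apply both rules, as a SIEM pipeline would.
    events = [ev for ev in map(parse, lines) if ev]
    return {"bursts": failed_login_bursts(events), "ids": confirm_ids_alerts(events)}
```

Running `run()` on the constructed lines reports one credential-stuffing burst and confirms only the IDS hit that the firewall actually let through, which is the triage step the port 80 example above describes.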
Provides actionable threat intelligence
An additional benefit of using a SIEM solution is actionable threat intelligence that has been correlated from across an entire network or cloud infrastructure for use within SIEM dashboards. This allows administrators to prioritize threats by severity and gives them a better understanding of the type of attack being performed, so they can create strategies for mitigating these attacks before they have a negative impact on an organization’s critical systems.
Dramatically speeds up incident response
SIEM acts as a central location where security teams can easily search across all events in real-time in order to take the best course of action when performing incident response. It gives security teams full visibility into what is happening in their network, who is doing it, and why, which allows them to make adjustments very quickly when needed to minimize risk exposure for an organization’s critical systems.
Improves user behavior analytics (UBA) security intelligence
SIEM can be used to instrument UBA security intelligence for your organization by correlating data from human behavior analytics (HCA), machine learning, and SIEM sources. This forms a more complete picture of what is happening on an organization’s network or cloud infrastructure.
Provides operational analytics
SIEM gives security teams the ability to get a better understanding of what is going on in their organization so they can take proactive steps towards increasing security posture before a breach occurs. Without comprehensive, centralized visibility across all areas of an organization’s network or cloud infrastructure, security teams have no way of knowing if there are gaps in their current security mechanisms, which ultimately could result in increased risk exposure for critical systems within an organization.
Things to consider before purchasing a SIEM system
SIEM is a complex solution, so it’s important to have a good handle on what needs a SIEM solution will be expected to address before purchasing one. If you don’t have answers to the following questions before making a purchase decision, you could find yourself with a very expensive product that doesn’t address all of your security team’s challenges and pain points.
- What type of data do we want to monitor (e.g., Active Directory, LDAP)?
- How many devices do we plan on monitoring?
- Who will build and maintain the rules?
- What kind of aggregation and reporting do we need?
- Do we require encryption between the SIEM and other platforms, such as AWS Elasticsearch (ES)?
- What kind of user interface do we need?
- How big is our security team?
- Is our organization ready to have a SIEM solution in place?
- Does our current architecture support the number of logs that will be coming into the SIEM system?
Frequently asked questions about security information and event management (SIEM)
Is a SIEM the same as UBA?
No, although both technologies are often used together. A SIEM solution focuses on ensuring that all devices across your network/cloud infrastructure are secure through monitoring logs and generating alerts based on suspicious activity. UBA is a security intelligence solution that uses both machine learning and user behavior analytics to provide insights into how users are behaving on your network or cloud infrastructure, which can be especially helpful for detecting insiders who may pose a risk to an organization’s critical systems.
What do SIEM solutions look for?
SIEM solutions are capable of monitoring many different types of logs provided by your organization including but not limited to Active Directory logins, Windows event logs, firewall logs, web proxy logs, NetFlow data, AWS CloudTrail data, DNS logs, VPN access logs, web access logs (Apache/Nginx etc.), database backend server logs (e.g., MySQL), application logs (e.g., Java/.NET), and security information events that are generated by third-party products.
In other words, a SIEM solution can help you monitor all critical areas of your organization’s network and cloud infrastructure.
What is the difference between a SIEM system and EDR?
SIEM is a type of security monitoring tool that consolidates multiple sources of data from different parts of an organization’s infrastructure into one centralized location. An EDR, or Endpoint Detection and Response, tool uses both machine learning and user behavior analytics to detect suspicious activity on individual endpoints. EDRs are frequently used as part of an incident response process after the fact to help determine what happened during a suspected security incident (e.g., files accessed, unusual outgoing traffic). The main difference between the two technologies is that EDRs provide insights into the past, while a SIEM system provides insights into what’s happening now as well as helping to predict future issues.
If I have a SIEM solution in place, do I still need a UBA solution?
Yes. While a SIEM can help you monitor all critical areas of your organization’s network and cloud infrastructure, UBA is a powerful security intelligence technology that utilizes both machine learning and user behavior analytics to provide insight into how users are behaving on your network or cloud infrastructure. This insight is especially helpful for detecting insiders who pose an elevated risk given their privileged access to critical systems. In other words, there is strength in numbers – combining these two technologies together will strengthen your ability to detect potential threats in your network.
How do I know if my SIEM solution is capable of detecting advanced attacks?
Enterprises are increasingly seeing cyber-attacks getting more sophisticated over time, requiring security solutions to be equally, if not more, complex. Traditional SIEM systems may have trouble keeping up with these new types of sophisticated attacks because they’re usually made up of very rigid rule sets that teams of SOC analysts must manually configure in order to detect suspicious activity. The capabilities below are essential for any modern SIEM solution that aims to be effective at protecting organizations against the most cutting-edge threats:
- Ability to import custom attack scripts so you can quickly adapt to new attack methods as they emerge (e.g., malware macros)
- Ability to analyze commands that reside inside script files
- Ability to detect non-malware threats, including macros, PowerShell, email attachments etc.
- Ability to detect botnets and other types of malware
What does a SIEM solution not do?
A SIEM solution is only as good as the rules that guide it. For example, if your organization’s security policy states that all users must be alerted when an end-of-year report is exported to Excel, but your existing SIEM solution doesn’t include a rule for this, you may run into issues providing the additional level of protection you are trying to achieve with a SIEM system. A second common issue occurs when organizations fail to keep their rules up to date, which can result in gaps in their network monitoring coverage. To avoid these pitfalls, always work with an experienced IT security professional who can help build a SIEM solution tailored to your organization’s unique needs.
How do I maintain a SIEM solution?
SIEM systems require frequent maintenance to ensure they’re providing the best protection possible within an organization’s security infrastructure. On average, organizations should expect that 1-2% of their enterprise security budget will be devoted to maintaining their SIEM solution over time. The following suggestions for maintaining a SIEM solution are recommended as part of a proactive approach:
- Periodically review and update rules based on business requirements and changes within your industry/product lifecycle
- Install new threat intelligence feeds from trusted sources as soon as they become available so you can immediately take advantage of the latest threat information
- Continue running regular security reports to monitor how well your SIEM solution is performing against several KPIs, including accuracy, compliance and latency
What if a high priority threat occurs and I don’t have time to update my rules?
In a perfect world, all organizations would be able to keep their SIEM solution accurate at all times, but this is not always feasible. In such cases, there are two approaches for dealing with threats that you suspect may have been missed by your SIEM solution:
- Activate an override feature within your SIEM system so critical alerts can still be sent out during a short-term issue until it can be addressed/fixed after hours
- Use an alternate solution to send out critical alerts if your SIEM solution can’t keep up with the demand or is temporarily down
What are three common challenges faced by organizations implementing a SIEM solution?
There are several challenges that need to be considered before implementing a SIEM solution within an organization’s security infrastructure. Below are three of the most common issues:
- Cost – many companies underestimate how much their implementation will cost in terms of maintenance (e.g., staffing, licensing, hardware)
- Complexity – many organizations don’t consider how much work it will take to implement and maintain their SIEM solution over time
- Accuracy – managing false positives across an entire organization can be very challenging if not done correctly
What happens if my SIEM system fails to detect a critical threat?
If your SIEM system fails to detect threats due to gaps in your network monitoring coverage or outdated rules or compliance requirements, the longer it takes for you to find out about the issue, the more damage can be done. According to Verizon’s Data Breach Investigations Report, 63% of hacking-related breaches are discovered by third parties, which is why it’s important to monitor not only your SIEM system but also external sources (e.g., social media, law enforcement agencies) for signs of an incident that may not yet be affecting your organization directly.
What is the value to an organization if its SIEM solution can detect a breach before it happens?
Time and time again we’ve seen how fast attackers can move across a network to exfiltrate as much data as possible. Even with advanced detection tools and services, compromises still happen because many security devices were never meant to work together and lack proper threat-sharing capabilities. According to Verizon’s 2015 Data Breach Investigations Report, 39% of hacking-related breaches occurred within minutes, making it clear that companies need to be able to detect threats before they cause any major damage.
Is there a recommended amount of time it should take for a SIEM solution to activate and apply new threat intelligence feeds?
Implementing a new threat intelligence feed within your SIEM system can be somewhat time-consuming depending on the size and complexity of your organization. According to Kenna Security, most organizations surveyed only activated threat intelligence feeds within their SIEM solutions after seeing signs of an attack on their network. This is why it’s important to continuously monitor for new threats across multiple sources through advanced correlation rules so you can stay ahead of threats before they become big issues.
In general, how has SIEM technology evolved in recent years?
As attackers continue to find new ways to bypass traditional security measures (e.g., malware-less attacks, ransomware, etc.), organizations are starting to realize that traditional security measures aren’t enough. This is why more organizations are starting to deploy SIEM solutions into their networks which not only integrate with advanced technologies such as machine learning, cloud services, behavioral analytics, and others but also provide actionable security insights through advanced correlation rules.
What are the top three biggest misconceptions about SIEM?
- SIEM solutions are effective ways to find all abnormal behavior occurring within a network. Many companies see SIEM as an automated way of finding “suspicious” activities taking place on their network without realizing that it’s not designed to replace human intelligence or hunting for signs of compromise. Instead, effective detection should be achieved by minimizing the number of false positives and correlating all suspicious activities to determine whether they’re part of a bigger attack.
- SIEM is highly effective for preventing cyberattacks before they happen. SIEM should be looked at as an additional layer within your security operations center (SOC) and not the main line of defense against cyber attacks. It’s important to remember that every SIEM solution was designed with key functions in mind, such as event management, normalization, correlation and enrichment, which can lead to many false positives if used incorrectly. Instead, organizations should look at their SIEM system as a way to quickly identify signs of compromise or malicious activity after it has already taken place and then feed this information into the hunting cycle so analysts can take appropriate actions/countermeasures to prevent attacks from reoccurring.
- SIEM solutions can monitor and detect all suspicious activity occurring within a network. According to the Open Web Application Security Project (OWASP), it’s estimated that there are at least 160 different types of threats that can target applications including malware, SQL injection, cross-site scripting, remote code execution, session hijacking, man-in-the-middle attacks, etc. This is why it’s important to make sure you have a detailed understanding of each type of threat before deploying a SIEM solution into your environment as it will be more effective for detecting specific threats rather than everything under the sun.
What are some common criteria used by companies when selecting a SIEM solution?
The first criterion that companies look for when selecting a SIEM solution is whether or not it can detect cyberattacks before they happen. This typically requires the SIEM solution to have advanced features such as anomaly detection, machine learning algorithms, behavioral analytics and more.
The second criterion used by companies when selecting a SIEM solution is whether or not it provides actionable insights. This typically involves the SIEM solution being able to integrate with technologies such as advanced DNS services, threat intelligence feeds, etc. so that analysts can instantly see which security events are associated with other internal events within their environment.
The third criterion used by companies when selecting a SIEM solution is whether it offers an easy way of deploying new rule-sets into the system without requiring deep knowledge of security/networking concepts.
What are some common ways that SIEM solutions can help prevent cyber-attacks?
SIEM solutions can help prevent cyberattacks by assisting organizations in seeing what’s normal vs. abnormal behavior on their network. This helps analysts determine the effectiveness of different security controls within an environment, as well as whether there are any existing threats or vulnerabilities that could lead to a compromise later on. Additionally, some SIEM solutions are capable of analyzing machine data alongside user-generated data to give organizations more information about suspicious activities occurring within their network, which also leads to fewer false positives being triggered within the system, ensuring all security events are actionable for technical and non-technical users alike.