The
Essential Guide to SIEM

SIEM Overview

Security information and event management (SIEM) gives you a comprehensive view of your network through a wide lens that which cannot be provided by a single information source or security control. In this brief guide, we will walk you through the key characteristics of SIEM so you can learn how they work and what benefits SIEM security can offer you.

In this page:

What is SIEM?

Security information and event management (SIEM) software is a security information system that analyzes security alerts and data generated from devices on a network in real time. Organizations use SIEM tools to identify security incidents, log security data, manage incident response, and generate reports for compliance.

SIEM combines security information management (SIM), a first generation system that uses long term storage, analysis, and reports of log data; and security event management (SEM), a second generation system that includes correlation of events, notifications, real-time monitoring, and console views.

SIEM tools use correlation rules and statistical techniques to convert events and log entries into useful and actionable information.

Key features of a SIEM security solution includes:

  • Near-real time visibility—of an organization’s security system through dashboards and other visual aids.
  • Data consolidation—from various sources through event log management
  • Events correlation—using boolean logic rules to add intelligence to raw data
  • Automating security event notifications—analyzes security events and sends alerts to notify issues in real time.

How do SIEM tools work?

The SIEM collects and analyzes log data to detect suspicious activity that may indicate the presence of a threat. This process works in three stages:

  • Collect the data—SIEM tools start by collecting and aggregating log data from the network of an organization, including security devices, systems, and applications.
  • Consolidate and categorize—the system consolidates the logs into categories, separates successful and failed logins, malware activity, exploit attempts, and port scans.
  • Analyze—these categorized events are contrasted against the preset correlation rules to check if there is suspicious activity. If there is a discrepancy, the system sends an alert warning of a potential security threat.

SIEM security can identify threats by comparing multiple events, which wouldn’t trigger a security alert if considered by themselves.

The Benefits of SIEM Security

 

Compliance
Organizations can use SIEM tools to comply with regulations for PCI, GDPR, HIPAA, and SOX. In the following table we group the ways SIEM help companies to comply with the different regulations:

Regulation SIEM Security solution
PCI, HIPAA Detects unauthorized network connections
PCI, HIPAA Detects threats in real time
SOX, HIPAA Monitors network traffic and identifies known attackers, vulnerabilities and malware
PCI, HIPAA Audits and reports
GDPR Monitors log data
GDPR, HIPAA Monitors changes to credentials
GDPR Notifies security team of breaches
HIPAA Identifies new critical systems, monitors access to system files
HIPAA, SOX Monitors employee access and authentication
SOX Controls employee access to data
HIPAA, GDPR Monitors changes to data policies

 

Insider threat detection
SIEM tools help reveal insider threats by applying user and entity behavior analytics (UEBA).

Organizations can use this tool to:

  • Detect suspicious activity—of a user, or employee, for example, repeated attempts to log in, or changing permissions without authorization.
  • Discover a compromised user account—by detecting malware communication, using threat intelligence to analyze network traffic.

Advanced security
SIEM solutions help with threat hunting, data exfiltration, and Internet of Things (IoT) security, by delivering alerts that provide data to investigate a suspected incident:

  • Threat hunting—provides alerts containing data and context to investigate a suspected incident, identifies anomalies and vulnerabilities in the network, uses threat intelligence to detect attacks and checks for similar past incidents.
  • Data exfiltration—monitors network traffic for large data transfers when the target is unknown and identifies systems transmitting data to unknown users, including anomalies indicating exfiltration via mobile.
  • IoT—detects vulnerability in devices, unusual traffic and data flows identifying compromised devices and alerting security staff.

Zero-day threats detection
A zero-day vulnerability is a software or hardware flaw unknown to, or unaddressed by, the manufacturer. When adversaries exploit that flaw to conduct a cyber attack, it is called a zero-day exploit or zero-day attack.

SIEM security helps to identify zero-day threats by detecting the behavior associated with the attack. For example, a PDF exploit causes the Adobe Reader to crash in most cases, generating a process that will connect with the attack via an inbound or outbound connection.

A SIEM can be programmed to detect traces of this activity, keeping track of processes and network connections, comparing activity with network machines, and detecting attacks.

Conclusion

SIEM addresses the key processes of cybersecurity, establishing an all-in-one solution to detect advanced threats. SIEM functions include automating log monitoring, correlating data, recognizing patterns, alerting, and providing data for compliance and forensics. With cyber attacks becoming more numerous and sophisticated, SIEM tools provide a safety net that can catch threats left undetected by other solutions.

More like this

If you’d like to see more content like this, subscribe to the Exabeam Blog

Subscribe

CH04

UEBA

User and Entity Behavioral Analytics detects threats other tools can’t see

Read More