Security Information and Event Management (SIEM) solutions use rules and statistical correlation to turn log entries and events from security systems into actionable information. This information helps security teams detect threats in near real time, manage incident response, perform forensic investigation of past incidents, and prepare audits for compliance purposes.
The term SIEM was coined in 2005 by Gartner analysts Mark Nicolett and Amrit Williams in the report Improve IT Security with Vulnerability Management. They proposed a new class of security information system, building on two earlier product generations:
Security Information Management (SIM) – a first generation, built on top of traditional log collection and management systems. SIM introduced long-term storage, analysis, and reporting on log data, and combined logs with threat intelligence.
Security Event Management (SEM) – a second generation, focused on security events: aggregation, correlation and notification for events from security systems such as antivirus, firewalls and Intrusion Detection Systems (IDS), as well as events reported directly by authentication systems, SNMP traps, servers, databases, etc.
In the years that followed, vendors introduced systems that provided both security log management and analysis (SIM) and event management (SEM), to create Security Information Event Management (SIEM) solutions.
SIEM security platforms can aggregate both historical log data and real-time events, and establish relationships that can help security staff identify anomalies, vulnerabilities and incidents.
The main focus is on security-relevant events and incidents, such as successful or failed logins, malware activity or escalation of privileges.
These insights can be sent as notifications or alerts, or discovered by security analysts using the SIEM platform’s visualization and dashboarding tools.
SIEM is a mature technology, and the next generation of SIEMs provide new capabilities:
User and Entity Behavior Analytics (UEBA) – advanced SIEMs go beyond static rules and correlations, using machine learning to build a baseline of normal behavior for each user and entity and to flag deviations from it. This can help detect insider threats, targeted attacks and fraud.
Security Orchestration, Automation and Response (SOAR) – next-gen SIEMs integrate with enterprise systems and automate incident response. For example, when the SIEM raises a ransomware alert it can run containment steps on the affected systems automatically, limiting how much data the attacker is able to encrypt.
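The behavioral baseline idea behind UEBA, as an added example (not code from the original page or from Exabeam): each user's login history is turned into a profile of usual hours and hosts, and a new login is scored by how surprising its hour is under that profile and whether the host has ever been seen. The history is constructed, and the weights and threshold are illustrative assumptions.

```python
"""Behavioral baseline (the UEBA idea): profile each user's normal login
hours and hosts from history, then score new logins by how far they deviate.

Added example, not code from the original page or from Exabeam. The history
is constructed; scoring weights and the threshold are assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed history: (user, login hour, host). Alice works 08:00-10:00 from
# her workstation; Bob is an on-call admin who also uses a jump host at night.
HISTORY = (
    [("alice", 8 + i % 3, "ws-alice") for i in range(21)]
    + [("bob", 9 + i % 2, "ws-bob") for i in range(14)]
    + [("bob", 22, "jump01") for _ in range(4)]
)


def build_profiles(history):
    """Per-user baseline: histogram of login hours and the set of hosts used."""
    profiles = defaultdict(lambda: {"hours": Counter(), "hosts": set(), "n": 0})
    for user, hour, host in history:
        profile = profiles[user]
        profile["hours"][hour] += 1
        profile["hosts"].add(host)
        profile["n"] += 1
    return dict(profiles)


def hour_surprise(profile, hour):
    """-log of the add-one-smoothed probability of a login within +/-1 hour.

    A histogram, rather than a mean and standard deviation, copes with users
    who have two normal windows (office hours plus on-call evenings).
    """
    seen = sum(profile["hours"][(hour + d) % 24] for d in (-1, 0, 1))
    return -math.log((seen + 1) / (profile["n"] + 1))


def score_login(profiles, user, hour, host, host_weight=2.0, threshold=2.5):
    """Return (score, reasons, is_anomalous) for one login event."""
    profile = profiles.get(user)
    if profile is None:
        # No baseline at all: surface it rather than silently scoring zero.
        return threshold, ["no baseline for user"], True
    reasons = []
    score = hour_surprise(profile, hour)
    if score > 1.0:
        reasons.append(f"unusual login hour {hour:02d}:00")
    if host not in profile["hosts"]:
        score += host_weight
        reasons.append(f"never seen on host {host}")
    return round(score, 2), reasons, score >= threshold


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for login in [("alice", 9, "ws-alice"), ("alice", 3, "db-prod"),
                  ("bob", 22, "jump01"), ("bob", 3, "jump01"),
                  ("carol", 9, "ws-carol")]:
        print(login, score_login(profiles, *login))
```

Bob's 22:00 login from the jump host scores low because it is part of his own baseline, which a single org-wide "after hours" rule would have flagged; the same 03:00 login from the same host is anomalous for him. Production systems add more dimensions (source network, device, peer group, data volume) and decay old history, but the mechanism is the same.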
In the past, SIEMs required meticulous management at every stage of the data pipeline - data ingestion, policies, reviewing alerts and analyzing anomalies. Increasingly, SIEMs are getting smarter at pulling data together, from ever more organizational sources, and using AI techniques to understand what type of behavior constitutes a security incident.
The Infosec Institute suggests 10 best practices for successful implementation of a SIEM platform, including:
Define requirements for monitoring, reporting and auditing, consulting all relevant stakeholders before deploying a SIEM.
Determine the scope of the SIEM – which parts of the infrastructure it will cover, necessary credentials, and log verbosity.
Define audit data accessibility, retention, how to achieve data integrity, evidentiary rules, and disposal for historical or private data.
Access monitoring – violations and anomalous access to key resources
Perimeter defenses – status of perimeter defenses, possible attacks and risky configuration changes
Resource integrity – critical network resources – status, backups, change management, threats and vulnerabilities
Intrusion detection – incidents reported by intrusion detection, or correlated/inferred using SIEM data
Malware defense – violations, threats, or activity regarding malware controls
Application defenses – status, configuration changes, violations and anomalies for web servers, databases and other web app resources
Acceptable use – status, issues and violations regarding acceptable, mandated or metered use of system resources
The first SIEMs combined Security Information Management (SIM) and Security Event Management (SEM). They were limited in the volume of data they could manage and supported only basic alerting and visualizations. Next-generation SIEMs are built on big data infrastructure, managing and correlating historical log data, real-time events and threat intelligence in one place, providing a holistic view of enterprise security data.
Early SIEMs had limited ability to proactively warn about and react to complex security events. New SIEMs perform automated behavioral profiling (UEBA), integrate with IT and security tools, and can automatically interact with those systems to mitigate incidents (full SOAR capabilities).
If you'd like to see more content like this, visit the Exabeam Information Security Blog