What is SIEM Security?
A security information and event management (SIEM) system is the foundation of most security processes in the modern security operations center (SOC). A SIEM saves security analysts the effort of monitoring many different systems and brings together their vast amounts of log data to form a coherent picture.
SIEM security refers to the integration of SIEM with security tools, network monitoring tools, performance monitoring tools, critical servers and endpoints, and other IT systems. A SIEM also pulls in logs and event data, analyzes them, and generates alerts when it identifies activity that might be a security incident.
Figure 1: SIEM structure and SIEM security
SIEM Security Evolution
Analysts identify three generations of SIEM security capabilities and technologies:
- The first generation of SIEMs, introduced in 2005, combined log management and event management systems, which were previously separate. They were limited in the scale of data they could process and in the sophistication of the alerts and visualizations they generated.
- The second generation of SIEMs was better equipped to handle big data—large volumes of historical logs. Such SIEMs can correlate historical log data with real-time events and with data from threat intelligence feeds.
- The third generation of SIEMs, proposed by Gartner in 2017, combines traditional SIEM capabilities with two new technologies. The first is user and entity behavior analytics (UEBA), which uses machine learning to establish behavioral baselines of users or IT systems and identify anomalies. The second is security orchestration, automation and response (SOAR), which can help analysts quickly investigate incidents and activate security tools to respond to an incident automatically.
For more details on the evolution of SIEM and SIEM security, see our in-depth guide What is SIEM, which is part of our Complete Guide to SIEM.
Over the past two decades, SIEMs have proven themselves as a powerful and effective infrastructure for security teams. At the same time, SIEMs have been notoriously expensive, challenging to implement and use, and difficult to scale. Originally, SIEMs were only an option for large, mature security organizations.
These challenges have been addressed by newer generations of technology, which are easier to adopt and use, require fewer computing resources, and leverage low-cost storage. SIEM security solutions are also offered as a service in the cloud and via managed security service providers (MSSPs), offering multiple deployment options that balance cost with ease of implementation.
UEBA in Modern SIEM Security
User and entity behavior analytics (UEBA) is a new category of security solutions that can identify behavioral baselines and spot anomalies which might indicate security incidents. UEBA can detect security incidents that other tools can’t see, because those tools rely on predefined patterns or static correlation rules. Third-generation SIEM solutions come with UEBA capabilities built in.
Here are some common use cases of SIEMs with UEBA technology:
- Malicious insider—A user account with privileged access to IT systems that is abused by the account owner for personal gain. Insider attacks can be devastating and are invisible to most security tools. UEBA establishes a baseline for each user’s behavior and can detect suspicious events that might indicate malicious intent.
- Compromised insider—An attacker who gains control of a user account and uses it to perform reconnaissance, plan, or actually attack organizational systems. UEBA can identify that the user account is behaving differently from normal and alert security staff.
- Incident and alert prioritization (alert triage)—SIEM security alerts are a huge burden on security analysts and alert fatigue is a challenge. UEBA can help reduce the burden of prioritizing alerts. It does this by combining alerts and signals from many tools, ranking alerts and incidents based on the amount of anomalous behavior (their risk score), and adding layers of contextual data about the organization, for example, services or user accounts that access sensitive data.
- Data loss prevention (DLP)—DLP tools, like traditional SIEMs, create a high volume of alerts about every unusual event related to an organization’s sensitive data. UEBA tools can prioritize and consolidate DLP alerts by calculating risk scores using data from multiple tools, indicating which events represent anomalous behavior. UEBA can also place a DLP alert on an incident timeline, helping validate and investigate incidents.
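The mechanics behind these four use cases, as an added illustration that is not Exabeam's code or any product's algorithm: build a per-user baseline from historical events, score new events for deviations from that user's own baseline, combine the signals into a per-user risk score boosted by organizational context (who has sensitive-data access), and rank users for triage. All events, weights and names below are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data, not real logs: one week of normal activity as
# (user, hour_of_day, host, bytes_out), plus the users who touch sensitive data.
HISTORY = [("alice", 9, "wks-01", 5_000), ("alice", 10, "wks-01", 8_000),
           ("alice", 14, "wks-01", 6_000), ("alice", 16, "wks-02", 7_000),
           ("bob", 8, "wks-07", 120_000), ("bob", 11, "wks-07", 150_000),
           ("bob", 13, "wks-07", 130_000), ("bob", 17, "wks-08", 140_000)]
SENSITIVE_ACCESS = {"alice"}

def build_baselines(history):
    # Per-user baseline: hours and hosts seen, plus mean/stdev of bytes_out.
    seen = defaultdict(lambda: {"hours": set(), "hosts": set(), "bytes": []})
    for user, hour, host, bytes_out in history:
        seen[user]["hours"].add(hour)
        seen[user]["hosts"].add(host)
        seen[user]["bytes"].append(bytes_out)
    return {u: {"hours": b["hours"], "hosts": b["hosts"],
                "mean": mean(b["bytes"]), "stdev": pstdev(b["bytes"])}
            for u, b in seen.items()}

def score_event(base, hour, host, bytes_out):
    # Each deviation from the user's own baseline adds points and a reason;
    # the weights are illustrative, a product would learn or tune them.
    checks = [(hour not in base["hours"], 10, f"unusual hour {hour}"),
              (host not in base["hosts"], 15, f"new host {host}"),
              (base["stdev"] and (bytes_out - base["mean"]) / base["stdev"] > 3,
               30, f"bytes_out {bytes_out} more than 3 sigma above normal")]
    hits = [(pts, why) for cond, pts, why in checks if cond]
    return sum(pts for pts, _ in hits), [why for _, why in hits]

def triage(history, new_events, sensitive=SENSITIVE_ACCESS):
    # Sum anomaly points per user, double them for users with sensitive-data
    # access (organizational context), and rank users highest risk first.
    baselines = build_baselines(history)
    risk = defaultdict(lambda: {"score": 0, "reasons": []})
    for user, hour, host, bytes_out in new_events:
        if user not in baselines:
            continue  # no baseline yet: keep learning rather than score
        pts, why = score_event(baselines[user], hour, host, bytes_out)
        risk[user]["score"] += pts * (2 if user in sensitive else 1)
        risk[user]["reasons"] += why
    return sorted(risk.items(), key=lambda kv: kv[1]["score"], reverse=True)

NEW_EVENTS = [("alice", 3, "wks-01", 6_000),    # odd hour only
              ("alice", 3, "vpn-99", 900_000),  # odd hour, new host, huge transfer
              ("bob", 11, "wks-07", 135_000)]   # entirely normal
```

Calling `triage(HISTORY, NEW_EVENTS)` ranks alice first with the reasons attached, which is the evidence an analyst would want on the incident timeline; bob scores zero because every field of his event falls inside his baseline.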
For more details, see our in-depth guide to User and Entity Behavior Analytics, part of our Complete Guide to SIEM.
SOAR in Modern SIEM Security
Security orchestration, automation and response (SOAR) systems, another new technology bundled with third-generation SIEM solutions, have the following key capabilities:
- Orchestration—SOAR integrates with other security solutions, allowing it to retrieve data from them and also proactively perform actions through them. For example, it can investigate whether an email sender has a bad reputation by using a DNS tool to confirm the origin of the message.
- Automation—SOAR enables users to define security playbooks, which are codified workflows of security operations. When a known type of security incident occurs, the playbook can be activated and mitigation action can be taken automatically, such as scanning a file identified as malware and detonating it in a sandbox.
- Incident management and collaboration—When a SIEM generates a security alert, the SOAR component of the SIEM can add contextual information and evidence to help analysts investigate the issue, and organize this information in an incident timeline to make it easier to understand. It also allows analysts to collaborate and add insights or additional data that they discover as part of their investigation.
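The three capabilities above, as an added example that is not Exabeam's playbook engine or any product's code: a playbook is data (an ordered list of steps), each step orchestrates one tool and records its evidence on the incident timeline, and the containment step runs automatically only when the enrichment step before it found something. The alert, the reputation and sandbox lookups, and the hash are constructed stand-ins; nothing here calls a real service.

```python
from dataclasses import dataclass, field

# Constructed alert and constructed stand-ins for two tools (a sender
# reputation lookup and a sandbox); nothing here calls a real service.
ALERT = {"id": "INC-1", "type": "phishing_email", "recipient": "alice",
         "sender": "billing@example.invalid", "sha256": "CONSTRUCTED-HASH-1"}
REPUTATION = {"example.invalid": "bad"}
SANDBOX = {"CONSTRUCTED-HASH-1": "malicious"}

@dataclass
class Incident:
    alert: dict
    timeline: list = field(default_factory=list)  # evidence, in collection order
    actions: list = field(default_factory=list)   # mitigation actually taken

# Orchestration: each step queries one tool, records the evidence on the
# incident timeline, and returns whether it found something.
def check_sender(inc):
    verdict = REPUTATION.get(inc.alert["sender"].split("@")[1], "unknown")
    inc.timeline.append(("sender_reputation", verdict))
    return verdict == "bad"

def detonate_attachment(inc):
    verdict = SANDBOX.get(inc.alert["sha256"], "clean")
    inc.timeline.append(("sandbox", verdict))
    return verdict == "malicious"

def quarantine_message(inc):
    inc.actions.append(f"quarantine message {inc.alert['id']} for {inc.alert['recipient']}")
    inc.timeline.append(("containment", "message quarantined"))
    return True

# Automation: a playbook is data, an ordered list of (step, gated).
# Gated steps run only when the step before them found something.
PLAYBOOKS = {"phishing_email": [(check_sender, False),
                                (detonate_attachment, False),
                                (quarantine_message, True)]}

def run_playbook(alert):
    inc = Incident(alert)
    found = False
    for step, gated in PLAYBOOKS.get(alert["type"], []):
        if gated and not found:
            inc.timeline.append((step.__name__, "skipped, prior step found nothing"))
            continue
        found = step(inc)
    return inc
```

`run_playbook(ALERT)` returns an `Incident` whose timeline holds the reputation and sandbox evidence in order and whose actions list shows the quarantine; change the hash to one the sandbox calls clean and the quarantine is skipped with that fact recorded on the timeline.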
For more details, see our in-depth guide to Incident Response Automation and Security Orchestration with SOAR, part of our Complete Guide to SIEM.
Evaluating SIEM Software
We recommend the following stages in evaluating a SIEM solution:
1. Next-Gen SIEM Features
Third-generation SIEM security solutions offer the most value and also lower implementation and operation costs. Check if a solution offers:
- UEBA—advanced analytics to determine behavioral anomalies
- SOAR—automation and orchestration of incident response
- Dashboards and visualizations
- Flexible searching, querying, and data exploration
- Long term data retention and unlimited scalability
- Threat hunting interface
2. Open Source vs. Commercial and In-House vs. Hosted SIEM
Consider which type of SIEM security solution is most suitable for your organization:
- Open source vs. commercial—Open source tools offer lower upfront costs but have higher ongoing maintenance costs and more limited capabilities.
- Build vs. buy—Some organizations are creating SIEM solutions using open source tools such as the ELK stack (Elasticsearch, Logstash and Kibana). This requires major investments to implement, maintain, tune, and integrate security content, because ELK is primarily a log management infrastructure and not a security system.
- In-house vs. managed—You can choose between four deployment models: (1) self-hosted and self-managed (the traditional model); (2) hosted on the cloud but managed by in-house security staff; (3) self-hosted but managed by a combination of in-house security staff and a managed security service provider (MSSP); (4) SIEM as a service in the cloud with local security management.
3. Evaluating Total Cost of Ownership (TCO)
A SIEM is a complex piece of security infrastructure that can be costly to procure and operate. Generally speaking, a SIEM involves the following budget items:
- CAPEX budget items—Licenses, development, training, hardware and storage.
- OPEX budget items—Security analysts to review SIEM alerts, IT maintenance, integration with new IT systems, and storage costs.
Here are a few tips for accurately estimating the TCO of a SIEM implementation:
- Licensing—Check the licensing model used by available SIEM solutions, typically licensed based on ingestion volumes or velocities. Some newer entrants to the market offer user-based pricing, which may put a cap on licensing costs.
- Hardware costs and sizing—Calculate the number of events per day, using an estimate of normal event load and peak event load. The event volume will determine the number and type of servers required to deploy the SIEM (for in-house deployments).
- Storage costs—Even in cloud or managed SIEM deployments, you will typically need to pay for storage as you scale up and pay extra for historic data retention.
- In-house analysts—The largest operating expense of a SIEM is analyst time. Determine whether you have the skilled staff to review and investigate SIEM alerts, and if not, consider outsourcing to an MSSP. More modern SIEMs, which include UEBA and SOAR technology, may have lower operating costs.
Example of a Next-Gen SIEM with Built-In UEBA and SOAR
Exabeam is a third-generation SIEM platform that is easy to implement and use. It includes advanced functionality per the revised Gartner SIEM model:
- Advanced Analytics and Forensic Analysis—Threat identification with behavioral analysis based on machine learning, dynamic grouping of peers and entities to identify suspicious individuals, and lateral movement detection.
- Data Exploration, Reporting and Retention—Unlimited log data retention with flat pricing, leveraging modern data lake technology, with context-aware log parsing that helps security analysts quickly find what they need.
- Threat Hunting—Empowering analysts to actively seek out threats using a point-and-click threat hunting interface, making it possible to build rules and queries using natural language with no SQL or NLP processing.
- Incident Response and SOC Automation—A centralized approach to incident response, gathering data from hundreds of tools and orchestrating a response to different types of incidents via security playbooks. Exabeam can automate investigations, containment, and mitigation workflows.
Figure 2: Exabeam’s malware playbook