What is SIEM? A Complete Guide to Security Information and Event Management

Posted:
11/30/2020
| By:
Jay Ryerse

There are a lot of cybersecurity products that companies can choose from, but which one is the most reliable and most cost efficient? To answer this question, you may need to know what threatens a company and what it takes to actually stop attacks. Once you understand these things, you will see why you need a SIEM solution.

What is a SIEM? 

SIEM stands for Security Information and Event Management, and is a system that is used to detect, prevent, and help resolve cyberattacks while centralizing security events from devices within your network. The first function of a SIEM is gathering all the raw security data from companies’ firewalls, wireless access points, servers, and personal devices. The SIEM doesn’t just log events but is customized to detect suspicious activity and recognize actual threats.

Fortinet, an industry-leading cybersecurity company that develops some of the best cybersecurity software, understands that threats differ depending on the type of threat and where they are coming from. With this foresight, they developed FortiSIEM, the software StratoZen uses, which has the ability to process hundreds of rules that we set up when we first start connecting to a network. With a centralized and customizable security system, attacks—whether they are coming from inside or outside the network—are recognized, isolated, and cut off before they become a serious problem.

To add more to what a SIEM is and what it can do, SIEMs can create daily graphs and reports that show the user exactly what’s going on. It filters through events and categorizes them by the severity of the threat. If the threat is not too serious but may carry some concern, a report is made; and if the event is critical, a notification is sent to the team immediately in order to diagnose the situation. When an audit or compliance check comes up, the SIEM will create any kind of report that is needed.

What is NOT a SIEM?

Let’s talk for a moment about what a SIEM is not. First, a SIEM is not just a log aggregation tool. It is very easy to just collect and store log files, however, this doesn’t give you any visibility into your security posture or help mitigate any threats. Be careful, many so-called “SIEM” providers out there are in fact just glorified log aggregators. Second, some people think that their IDS/IPS system does the same thing as a SIEM. Nope! An IDS is a single data feed that by itself is littered with false positives and erroneous information. A SIEM takes that information, cross correlates it with other systems data, other threat feeds and configuration information to determine if it really is a threat. Relying solely on an IDS system is like seeing one frame of a movie and thinking you have watched the entire thing.

Machine learning systems can be valuable but they do not replace the need for a SIEM. They are still a single device with a single view of the system and network. The value of a SIEM is in the cross-correlation of data from all devices including machine learning devices. In addition, some new ”magic appliances” must be installed in a very specific place on the network or use a network tap so that all the network flows go through the box. That’s fine, but all those traffic flows must be unencrypted in order for the appliance to understand anything. And in most networks today, a lot of traffic is encrypted. Citrix, VPN sessions, and a lot of other traffic is completely hidden from these devices. Not to mention most malware and other tools hackers commonly use have built-in encryption to bypass these systems. So while these are great solutions for specific needs, they absolutely do not eliminate or even reduce the need for a SIEM.

Why do enterprises need a SIEM solution?

Today’s cyberattacks are more advanced than ever before, and the old preventative tactics of simply using firewalls and antivirus software are outdated. Attacks are no longer stopped simply by edge devices blocking incoming attacks from the cloud, as attacks can come from inside your network. Malware is now attached in emails, banner ads, pseudo websites, etc., and can gain access to your network through an internal device. Intrusion detection and prevention systems (IDS/IPS) alone won’t be able to detect or prevent malware like this, which is why a SIEM is so essential. Additionally, SIEM solutions are able to aggregate data from across your entire network and analyze this data together to limit false positives. With a SIEM solution from StratoZen, you have a reliable product that will detect attacks inside and out, and that reports threats accurately without producing false positives.

With a SIEM, you can:

  • Eliminate blind spots by gathering all your security and event information into a single location
  • Detect suspicious behavior without getting bogged down in the mire of false positives
  • Accurately analyze and correlate problems before they become a breach
  • Gain holistic visibility through a SIEM which allows you to monitor and enforce corporate policies
  • Be compliant with regulatory requirements including PCI, HIPAA and FFIEC, which effectively mandate you to have a SIEM
How does SIEM work?

SIEM technology is by no means new; it’s been around since 2000. And over time, it’s become a fundamental tool for a Security Operations Center (SOC) to provide 24/7/365 monitoring and logging of security event alerts. SIEM helps security teams focus on identifying, analyzing, and responding to the threats and other alerts that matter most.

Today’s next-generation, cloud-based SIEMs make it easier for technology service providers (TSPs) to provide SIEM capabilities—including visibility—to their clients. When you work with a SOC using a modern SIEM solution, you can typically get full access to view your alert data. And your team can work right alongside the technicians in the SOC to identify and address critical issues as quickly as possible.

Let’s take a closer look at the functionalities and capabilities of a SIEM solution.

SIEM capabilities

The first, most basic function of any SIEM is to centralize all the security notifications from your various security technologies. Your firewalls, IDS/IPS systems, anti-virus console, wireless access points and Active Directory servers all generate tons of security alerts every day. With a SIEM, you can collect all of these in one place, with one set of reports and one centralized system for generating notifications. We usually refer to this as a “log aggregation” solution, and unfortunately, this is where many SIEM offerings stop.

The second main function of a SIEM is to provide logging and reporting for compliance purposes. For almost every compliance regulation, there are requirements to log user access, track system changes, and monitor adherence to corporate policies. A good SIEM solution makes these tasks MUCH easier by collecting this data from all your systems. Then, when it’s time for an audit or exam, you can SIEMply generate the appropriate compliance reports and send them to the appropriate people. Of course, your SIEM must have the needed compliance functionality and reports built-in to be effective, but many SIEM offerings don’t.

The third, and probably most important, function of a SIEM is automated cross-correlation and analysis of all the raw event logs from across your entire network. This is where a SIEM looks for hidden cybersecurity issues that would otherwise go unnoticed by combining data from several different sources. In order to perform this correlation and analysis, getting the security logs to the SIEM is certainly important. But security logs by themselves just aren’t enough. Let’s say your SIEM receives an alert from your IDS stating that it has detected a SQL injection attack against one of your servers. Scary, right? These are the types of alerts that you may get woken up in the middle of the night over. That is, assuming you have a sequel server! Otherwise, you’re just getting woken up for nothing! Many SIEM offerings don’t take into account what type of server you are running, which leads to a lot of false positives. And a lot of false positives make your SIEM effectively useless. See, a complete SIEM solution understands what the server is, what applications it’s running, and what configuration it has. This intelligent context helps prevent false positives, meaning you only get woken up when you need to take action.

In contrast, a true SIEM solution also gathers the full configuration, running applications, and other information from every device to add critical context to the events and notifications. This allows the SIEM to notice changes to critical devices such as routers and firewalls – generating notifications when unauthorized changes occur. A full SIEM solution also blends threat intelligence feeds, blacklists, and geolocation data to further increase the accuracy – ensuring notifications are actionable and dramatically reducing false positives. Because let’s face it. False positives mean no sleep. They mean frustration and added cost to your organization. Even worse, false positives mean missed notifications that leave your organization at risk!

5 Benefits of SIEM tools

Now that you have an understanding of what SIEM is and why you should be using one, let’s review five key benefits of using a SIEM solution.

  1. Sees the “whole picture” of a network
    A SIEM tool centralizes all of your security notifications in one place, so you get a big picture view of what’s going on at any given time, making it easier to take action and make informed decisions
  2. Detects events based on data input
    A SIEM solution pulls in data from several sources and can make correlations based on activity happening within those sources
  3. Provides some automatic response, depending on integrations
    An intelligent SIEM can make all of the difference in your security efforts; with automation and machine learning, a SIEM can provide an appropriate response to an event
  4. Offers massive detection capabilities
    Thanks to improved technology, including the adoption of the cloud, SIEM tools can store and detect more data than ever before
  5. Useful for analysis and compliance
    Compliance regulation requirements are aplenty, and the right SIEM can help you meet those compliance requirements and document them

Recommended