Security Incident and Event Management (SIEM—pronounced as SIM or SEEM) is a security management approach, which combines functions of Security Information Management (SIM) and Security Event Management (SEM) to define a sound security management system. While SIM focuses on automating the collection of log data, events, and flows from security devices on a network, SEM is all about real-time monitoring and alerts. These make SIEM as a blend of real-time collection and analysis of security alerts and correlation of events to deduce it to detect incidents and malicious patterns of behaviors. Some researchers consider SIEM as “SIEOM,” where “O” stands for “opportunity.” The simple reason behind it is that SIEM offers reports and alerts that brings opportunity for security professionals to improve the security of their system.
SIEM, when successfully implemented, helps organizations with its following functions:
- Reveals potential known and unknown threats
- Monitors the activities of authorized users and their privileged access to various resources
- Compiles a regular report
- Backs up incident response (IR)
- Simplified understanding and working of SIEM
For all IT professionals, SIEM makes your work easier by collecting log data and security incidents from various parts of the system. A log is a record left behind by each activity performed by the application or the operating system. For instance, open the browser—log 1; create a folder—log 2; create a new file—log 3, and so on.
With various security devices and technologies (such as firewall, intrusion detection system (IDS)/intrusion prevention system (IPS), antivirus, and many others) working simultaneously to keep thousands of logs on a per second basis, stored in different locations; it is highly impossible to monitor and analyze these logs, manually. So, the solution is to have a centrally organized system that can collect logs from several different security systems and can perform real-time monitoring and analyze them. Its ability to correlate security events from various defense systems is what makes it different from a mere log aggregation system. After connecting events, it looks for abnormal changes in the system that can give a clear picture of potential cybersecurity issues across the entire network.
It’s the SIEM solutions that generate a report to display the changes that occurred in logs over a specific time to strengthen the security solutions of a firm.
Incident vs Event
Generic Architecture of SIEM
As already mentioned in the earlier section that SIEM gathers logs from various devices, the sources of these logs are divided into four categories:
- Security devices
- Network devices
For each of these devices, a separate collector is assigned to collect their logs. These logged data are first normalized then forwarded to the central engine. Central engine is one of the significant components of the SIEM system, which is responsible for analyzing and correlating various security events. Now finally, as per the retention policy of the organization, the normalized data are then stored in a centralized database. For better understanding, take a look at the following flow diagram:
Components and Capabilities of SIEM
Even with all the required preventive security measures, it is highly impossible to build a 100% reliable defense system for your firm’s security network. There is a fair opportunity for malware and malicious cyber threats to crawl in your fortified security system. In such a case, having another system with threat intelligence capabilities will help you to detect these attacks quickly. This will eliminate the chances of a malicious attack to survive for days and months without getting noticed by concerned professionals.
Here, we have covered 12 significant components and capabilities of the SIEM:
1. Data Aggregation
In the context of SIEM, data aggregation is the process of gathering data from numerous organizational systems (security systems and network devices). Each device compiles a log file containing all the activities of the device; these activities are referred to as events. For data aggregation, SIEM can use one of the provided ways:
- With the help of an agent installed on the device—this is the most commonly used method
- Direct connection with the device—this can be done by using a network protocol or API call
- Using storage for accessing log files—generally XML native format interfaced with Syslog or others
- With the help of an event streaming protocol—the most common example is SNMP
2. Threat Intelligence Feeds
Under this, your SIEM system will have a combined data of internal logs and third-party artifacts, which is primarily focused on learning from your firm’s access on how to improve your existing threat awareness and response system. This component is usually focusing on only one area of interest and delivers the report online.
3. Correlation between Events and Monitoring
The event correlation is an essential part of SIEM. It makes it possible to detect threats and abnormal pattern of activities that can go unnoticed and eventually lead to compromised data. It first collects data related to security from various network devices, security devices, servers, and applications. Then it would go ahead with the research of your firm’s security environment. On the basis of the gained information, it will then draft correlation rules to identify malicious threats.
As deploying the SIEM solutions are quite challenging, that is why most organizations are looking for machine learning as one of the features in the security analytics of SIEM solutions. Technologies, such as machine learning and statistical models, are used under security analytics to build a deeper connection between various data elements.
This capability of the SIEM solutions is responsible for the automated analysis of events, which sends alerts to the concerned security team for notifying them about the immediate issues. These events can be set up on various data points, such as during data aggregation phase or the event correlation phase. The real-time working of this capability can eliminate the threat as quickly as possible.
Dashboards offer tools to convert event data into charts based on the data that are not by the regular patterns. This helps the security team to identify trends and anomalies with the help of an informational visualization of the processed data.
SIEM can generate reports that comply with standards, such as HIPAA, PCI/DSS, HITECH, SOX, and GDPR. It merely states that the gathering of the compliance data can be automated with the help of applications. This data can then be used to generate reports that will be adaptable by the existing security system, governance, and auditing processes.
8. Log Retention
Large-scale organizations generate a high volume of logs every day. In such a case, industry standards, such as PCI DSS, HIPAA, and SOX, demand these logs to be retained within a period of 1–7 years. Though storing historical logs for long-term is generally used in compliance and forensic purposes. SIEM ensures that which logs can be retained for further use. To reduce the high-volume storage of these logs, SIEM uses the following strategies:
- Syslog servers—normalizes logs to retain only required data in a standardized format
- Deletion schedules—Old logs get eliminated, which are no longer needed for the compliance purpose
- Log filtering—Required logs are filtered based on their source system or any other rules as defined by the SIEM administrator
- Summarization—Summarization of logged data to manage only the data that are essential for compliance and forensics (eg: distinct IPs, event counts, etc.)
9. Forensic Analysis
The forensic analysis uses logs and event data to investigate a security incident. It is the process of in-depth analysis of the stored data to discover the details to reconstruct the entire incident. This complete process helps in finding the source of the incident, its scope, and a lot more.
10. Threat Hunting
For uncovering threats, the concerned team members have the authorization to run queries on the logs and event data. Automated security workflows can accelerate this process to reveal malicious threats and to make them stop from damaging the network or systems.
11. Incident Response
The data collected through SIEM helps IR team to identify the attack and respond to them as quickly as possible. Without the logs and event data, the IR team will need extra time to evaluate the data that are efficiently done by SIEM.
12. SOC Automation
With the help of advanced SIEMs, it is now possible to automate the IR. But for this, it is required that the security systems are orchestrated, which is, in general, termed as Security Orchestration, Automation and Response.
SIEM has evolved over the years. Earlier, SIEMs were expensive with custom hardware to manage a high volume of data. It also required specialized software. But now, it is transforming in a way to become more agile and lightweight. With today’s smarter SIEMs, opportunities to deal with cyber threats have increased enormously.