What is it?
SIEM (Security Information and Event Management) software centrally collects, stores, and analyses logs from every layer of the environment, from the perimeter to the end user. It monitors for security threats in near real time so that attacks can be detected, contained and responded to quickly, and it provides consolidated security reporting and compliance management.
SIEM technology has existed for more than a decade, initially evolving from the log management discipline. It combines security event management (SEM), which analyses log and event data in real time to provide threat monitoring, event correlation and incident response, with security information management (SIM), which collects, stores, analyses and reports on log data over the long term.
When an attack occurs in a network monitored by a SIEM, the software provides insight into all the IT components involved (gateways, servers, firewalls, and so on), as the diagram below illustrates. Note that antivirus and anti-spyware operate at the end-user (desktop) and server level, not at the perimeter.
What are the Features?
SIEM is implemented via software, systems, appliances, or some combination of these items. There are, generally speaking, six main attributes of a SIEM system:
- Retention: Storing data for long periods so that decisions can be made from more complete data sets, and so that an investigation can look back beyond the point at which an intrusion was first noticed.
- Dashboards: Used to analyse and visualise data to recognise patterns, or to pick out activity or data that does not fit a normal pattern.
- Correlation: Links individual events that share common traits (the same source address, user, host or time window) into a single meaningful incident. The goal is to turn raw data into useful information.
- Alerting: When collected data matches a condition that calls for a response, such as a potential security problem, the SIEM can trigger predefined actions to alert users: a notification on the dashboard, an automated email or a text message.
- Data Aggregation: Once a SIEM is introduced, data can be gathered from any number of sources, including servers, network devices, databases, applications and email systems. The aggregator also normalises and consolidates the data before it is correlated or retained.
- Compliance: Rules in a SIEM can be established that automatically collect the data needed to demonstrate compliance with company, organisational or government policies.
How does it work?
A SIEM solution collects and aggregates log data generated throughout the organisation's technology infrastructure, from host systems and applications to network and security devices such as firewalls, antivirus and other security solutions.
The solution then normalises the data, identifies and categorises incidents and events, and analyses them. The software delivers on two main objectives:
- Provide reports on security-related incidents and events, such as successful and failed logins, malware activity and other possibly malicious activity.
- Send alerts if analysis shows that an activity matches predetermined (out-of-the-box or custom) rulesets and thus indicates a potential security issue.
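To make the feature list and the collect, categorise and alert pipeline above concrete, here is an added example, written for this page and not code from any SIEM product, of the three core stages in a few dozen lines of Python: normalising two differently formatted log sources into one event schema, correlating events by source address inside a sliding time window, and raising alerts from a rule. The log lines, hostnames, addresses and the five-failures-in-two-minutes threshold are all constructed for the example.

```python
"""A minimal SIEM pipeline: collect -> normalise -> correlate -> alert."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in two source formats, Linux sshd syslog and a
# hypothetical key=value application log. They are not real captures.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 srv1 sshd[2201]: Failed password for root from 203.0.113.9 port 51522 ssh2",
    "2024-03-01T10:00:03 srv1 sshd[2201]: Failed password for root from 203.0.113.9 port 51523 ssh2",
    "2024-03-01T10:00:04 srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51524 ssh2",
    "2024-03-01T10:00:07 srv1 sshd[2201]: Failed password for root from 203.0.113.9 port 51525 ssh2",
    "2024-03-01T10:00:09 srv1 sshd[2201]: Failed password for root from 203.0.113.9 port 51526 ssh2",
    "2024-03-01T10:00:12 srv1 sshd[2201]: Accepted password for root from 203.0.113.9 port 51527 ssh2",
    "ts=2024-03-01T10:00:20 host=app1 event=login user=alice src=198.51.100.7 result=fail",
    "ts=2024-03-01T10:30:00 host=app1 event=login user=alice src=198.51.100.7 result=ok",
    "2024-03-01T10:31:00 srv1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalise(line):
    """Map one raw line onto a common event schema; None for lines that are not auth events."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
                "src": m["src"], "success": m["outcome"] == "Accepted"}
    if line.startswith("ts="):
        kv = dict(KV_RE.findall(line))
        if kv.get("event") == "login":
            return {"ts": datetime.fromisoformat(kv["ts"]), "host": kv["host"], "user": kv["user"],
                    "src": kv["src"], "success": kv["result"] == "ok"}
    return None  # retained for search, but not part of this correlation rule


def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window correlation keyed on source address.

    Rule 1 (medium): at least `threshold` failed logins from one address inside `window`.
    Rule 2 (high):   a successful login from that address while rule 1 is still active,
                     i.e. the failures have not yet aged out of the window.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    reported = set()             # sources already reported under rule 1 (de-duplication)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        failures = recent[ev["src"]]
        while failures and ev["ts"] - failures[0] > window:
            failures.popleft()   # expire failures older than the window
        if not ev["success"]:
            failures.append(ev["ts"])
            if len(failures) >= threshold and ev["src"] not in reported:
                reported.add(ev["src"])
                alerts.append({"rule": "brute_force", "severity": "medium",
                               "src": ev["src"], "host": ev["host"], "ts": ev["ts"]})
        elif len(failures) >= threshold:
            alerts.append({"rule": "success_after_brute_force", "severity": "high",
                           "src": ev["src"], "host": ev["host"], "user": ev["user"], "ts": ev["ts"]})
    return alerts


def run_pipeline(lines):
    """Aggregate raw lines from all sources, normalise them, and return the alerts raised."""
    events = [e for e in map(normalise, lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(alert["severity"].upper(), alert["rule"], alert["src"], alert["ts"])
```

The point of the second rule is the one most often missed when alerting is tuned by hand: a burst of failures is noise until it is followed by a success from the same source, at which point it is the strongest signal the SIEM has, so the severity should rise rather than the alert being suppressed as a duplicate. Alice's single failure half an hour before her successful login correctly produces nothing, because her failure has aged out of the window.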
Indeed, technology research firm Gartner in its May 2017 report on the worldwide SIEM market calls out the intelligence in SIEM tools, saying “innovation in the SIEM market is moving at an exciting pace to create a better threat detection tool.”
The Gartner report further notes that vendors are introducing machine learning, advanced statistical analysis and other analytic methods to their products, while some are also experimenting with artificial intelligence and deep learning, and with security orchestration, automation and response (SOAR) driven by cyber security incident management playbooks.
According to Gartner, vendors market such advances as capabilities that can provide more accurate detection rates at a faster pace. However, Gartner points out that enterprises aren’t yet clear on whether, or by how much, these capabilities yield new returns to the organization.
How does it help our compliance? – SIEM and PCI DSS compliance
SIEM tools can help an organisation meet its PCI DSS obligations. This security standard reassures a company's customers that their credit card and payment data will remain safe from theft or misuse. A SIEM on its own does not make an organisation compliant; it provides the centralised logging, monitoring and evidence that several of the requirements call for, in particular those for tracking and monitoring access to network resources and cardholder data.
A SIEM can support the following PCI DSS requirements:
- Unauthorised network connection detection: PCI DSS compliant organisations need a system that detects unauthorised network connections to and from the organisation's IT assets. A SIEM fed with firewall and flow logs can serve as that system.
- Searching for insecure protocols: A SIEM can document the use of the organisation's permitted services, protocols and ports, flag traffic that uses insecure protocols such as Telnet or FTP, and record the compensating security features implemented where an insecure protocol cannot be removed.
- Inspecting traffic flows across the DMZ: PCI compliant organisations need to implement a DMZ that manages connections between untrusted networks (e.g., the internet) and a web server. Additionally, inbound internet traffic must be limited to IP addresses within the DMZ, and outgoing traffic from systems that handle cardholder details must be evaluated and restricted.
SIEM solutions can support these requirements by inspecting the traffic that flows across the DMZ to and from internal systems, and by reporting on policy violations.
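The three PCI DSS checks above amount to evaluating every flow the firewall allowed against a documented policy of permitted zone-to-zone services. The following added example, not from the original page or any vendor product, does that over a handful of constructed flow-log records; the zone address ranges, the allow-list, the insecure-port table and the flow records are all assumptions made for the illustration.

```python
"""Flow-log checks for the PCI DSS network controls described above."""
import csv
import io
import ipaddress

# Assumed network zones for the example (documentation and RFC 1918 ranges).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "cde": ipaddress.ip_network("10.10.0.0/16"),   # cardholder data environment
    "corp": ipaddress.ip_network("10.20.0.0/16"),  # office network
}

# The documented "permitted services, protocols and ports", expressed as
# (source zone, destination zone, destination port). Anything else is unauthorised.
ALLOWED = {
    ("internet", "dmz", 443),  # customers reach the web tier over HTTPS
    ("dmz", "cde", 5432),      # web tier talks to the card database
    ("dmz", "internet", 443),  # web tier reaches the external payment gateway
}

# Ports of protocols treated as insecure unless compensating controls are documented.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http"}

# Constructed firewall flow records; not a real capture.
SAMPLE_FLOWS = """\
ts,action,proto,src,sport,dst,dport
2024-03-01T10:00:00,allow,tcp,198.51.100.7,40001,192.0.2.10,443
2024-03-01T10:00:01,allow,tcp,192.0.2.10,51000,10.10.5.20,5432
2024-03-01T10:00:02,allow,tcp,198.51.100.7,40002,192.0.2.10,23
2024-03-01T10:00:03,allow,tcp,10.10.5.20,52000,198.51.100.99,443
2024-03-01T10:00:04,deny,tcp,203.0.113.9,40003,10.10.5.20,3389
2024-03-01T10:00:05,allow,tcp,10.20.1.5,40010,10.10.5.20,5432
"""


def zone_of(ip):
    """Classify an address by zone; anything outside the known ranges is the internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(flow):
    """Return the list of findings for one flow record (a dict of strings)."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    dport = int(flow["dport"])
    findings = []
    base = {"ts": flow["ts"], "src": flow["src"], "dst": flow["dst"], "dport": dport}

    # Insecure protocol in use, wherever it was going.
    if dport in INSECURE_PORTS:
        findings.append({**base, "rule": "insecure_protocol", "protocol": INSECURE_PORTS[dport]})

    # Connection not on the documented allow-list. The zone pair decides how
    # serious it is; traffic touching the CDE gets its own rule names.
    if (src_zone, dst_zone, dport) not in ALLOWED:
        if src_zone == "cde" and dst_zone == "internet":
            rule = "unauthorised_cde_egress"
        elif dst_zone == "cde":
            rule = "unauthorised_cde_ingress"
        else:
            rule = "unauthorised_connection"
        findings.append({**base, "rule": rule, "path": f"{src_zone}->{dst_zone}"})
    return findings


def audit_flows(flow_csv):
    """Run the checks over every flow the firewall allowed.

    Denied flows are skipped here: the firewall already enforced the control, and a
    SIEM would normally count them separately as reconnaissance indicators.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["action"] == "allow":
            findings.extend(evaluate(row))
    return findings


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f["rule"], f["src"], "->", f["dst"], f["dport"])
```

Two of the constructed records are the ones an assessor cares most about: the database host in the cardholder environment opening a connection to the internet, and an office workstation connecting straight to that database. Both were allowed by the firewall, which is exactly why the SIEM, not the firewall, is the control that surfaces them; the allow-list in the SIEM is the machine-readable form of the "documented permitted services" the requirement asks for, so keeping it in step with the firewall change process is what makes the report trustworthy.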
Is it for me?
SIEM software is mostly used by large organisations and public companies, where compliance with regulations remains a strong factor in the use of this technology, according to analysts. Some small and mid-size businesses have SIEM delivered as a service by an MSSP (managed security services provider), with the SIEM solution running on premises or at the MSSP's location and the MSSP performing remote monitoring.
Currently, large enterprise users tend to run SIEM solutions on-premises, because of the sensitivity of some of the data going through the system. “You’re logging sensitive things, and that’s not something that people have a lot of appetite for sending over the internet,” says John Hubbard, lead analyst for GlaxoSmithKline’s U.S. Security Operations Center.
However, as machine learning and artificial intelligence capabilities within SIEM products increase, some analysts expect SIEM vendors to offer a hybrid option, with some of the analytics running in the cloud.
Most companies continue to use SIEM solutions primarily for tracking and investigating what has happened. Many companies are now moving beyond being reactive and are increasingly using the technology for detection and near-real-time response.
“The game now is: How fast can you detect?” Hubbard says, adding that the evolving machine learning capabilities are helping SIEM systems to identify unusual and potentially malicious activity more accurately.
Security leaders need to take into account numerous other factors, such as whether they can support a particular tool, how much data they will have within the system, and how much they want to spend. SIEM experts are expensive to hire, so companies tend to source the skill through vendors or IT service providers. Most IT service providers offer SIEM as security-as-a-service and bear the cost of training their staff on it.
Get your SIEM in place while you focus on your core business and operational efficiency. Write to us at firstname.lastname@example.org to have a quick chat with our cybersecurity experts.