Security information and event management (SIEM) began as a tool for helping organizations achieve and maintain compliance and rapidly evolved into an advanced threat detection practice. SIEM has empowered incident responders, security operations center (SOC) analysts and a myriad of other security teams to detect and respond to security incidents.
While there is talk of SIEM joining the line of legacy technologies proclaimed "dead", SIEM has long been a core system for many security teams, in different capacities. Furthermore, SIEM and its evolution have been shaped by the threats in the ecosystem and by the market in which it is used.
Systems and infrastructures that security professionals must secure in 2021 are vastly different from the systems in use when SIEM first came to the scene. But even if many have decided that SIEM is a thing of the past, its underlying principles and technology remain visible in many new systems such as SOAR, XDR, MDR and other solutions that integrate SIEM capabilities.
Vendors and reimaginations come and go, but SIEM prevails as a technology that should be recognized. There will always be a need for experienced individuals to work with SIEM and know how to apply it to the appropriate business touchpoints.
We've put together an overview of the history, definition, use cases as well as benefits and limitations of SIEM to provide a greater understanding of its continued usefulness in any security team's toolstack.
- What is SIEM?
- How does a SIEM solution work?
- Benefits of using SIEM
- Limitations and challenges of SIEM
- SIEM best practices
What is SIEM?
SIEM stands for security information and event management. It provides organizations with detection, analysis and response capabilities for dealing with security events. Initially evolving from log management, SIEM has now existed for over a decade and combines security event management (SEM) and security information management (SIM) to offer real-time monitoring and analysis of security events as well as logging of data.
A SIEM solution is a single system that gives teams visibility into activity across the environment and allows for timely threat response. It collects data from a wide range of sources: user devices, servers, network equipment and security controls such as antivirus, firewalls, IPSs and IDSs. That data is then analyzed to find unusual behavior and alert analysts within seconds of the relevant log arriving, letting them respond to internal and external threats as quickly as possible. The visibility a SIEM provides is only as complete as the sources feeding it: an asset or application that does not send logs is invisible to it. SIEM also stores log data to provide a record of activities in a given IT environment, helping to maintain compliance with industry regulations.
In the past, SIEM platforms were mostly used by organizations to achieve and maintain compliance with industry-specific and regulatory requirements. What brought about its adoption across many organizations was the Payment Card Industry Data Security Standard (PCI DSS) and similar regulations (HIPAA). As advanced persistent threats (APTs) became a concern for other, smaller organizations, the adoption of SIEM has expanded to include a wide array of infrastructures.
Today's SIEM solutions have evolved to address the constantly shifting threat landscape and are now one of the core technologies used in security operations centers (SOC). Advancements in the SIEM field are bringing forward solutions that unify detection, analysis and response; ingest and correlate threat intelligence feeds to provide added context to SOCs; and include or converge with user and entity behavior analytics (UEBA) as well as security orchestration, automation and response (SOAR).
How does a SIEM solution work?
A SIEM solution works by collecting security event-related logs and data from various sources within a network. These include end-user devices; web, mail, proxy and other servers; network devices; security devices such as IDS and IPS, firewalls and antivirus solutions; cloud environments and assets; and applications running on those devices. All of the data is collected and analyzed in a centralized location, in near real time. Some solutions, as mentioned, integrate third-party cyber threat intelligence feeds to correlate their internal data against known malicious indicators (IP addresses, domains, file hashes) and detect different types of attacks.
The aggregated data (users, event types, IP addresses, processes, etc.) is first normalized into a common schema and then analyzed against a set of predetermined correlation rules and behavior baselines in order to detect deviations and quickly locate and mitigate potential threats. When unusual activity is detected, the system triggers an alert. Because security analysts are alerted immediately, they can take appropriate and timely action to mitigate threats before they cause more severe issues.
SIEM provides automated data collection, storing and analysis capabilities, which makes it a valuable tool for demonstrating compliance across the entire infrastructure. Some solutions can also generate compliance reports for relevant compliance regulations, detecting violations so they can be addressed appropriately, aiding organizations in meeting their compliance requirements.
Today's SIEM solutions have evolved to have varying capabilities and integrations with other technologies and solutions, but most of them have a few foundational capabilities in common.
- Log management: Log data collection and management is at the core of SIEM technology. Log data arrives at the SIEM in near real time; the SIEM then parses it, normalizes fields such as timestamps, usernames and IP addresses into a common schema, and aggregates data from various sources for further analysis.
- Visibility and real-time monitoring: SIEM solutions monitor and analyze network flows across the entire organization and provide insights into different assets to reveal potentially malicious behavior.
- Event detection: When logs and data are analyzed, they are correlated with predefined rules to detect known indicators of compromise (IOCs) and attack patterns.
- Threat intelligence: Event correlation is improved by incorporating open-source and commercial threat intelligence feeds, so that events involving known-malicious IP addresses, domains or file hashes are flagged.
- Analytics: Not all SIEM solutions offer the same analytics. Some modern solutions use machine learning in order to detect more sophisticated attacks. Basic analytics include an interface for accessing reports and dashboards as well as the ability to trigger alerts based on detected events.
- Event response and alerting: SIEM solutions let organizations customize rules, on the basis of which the system prioritizes, responds to and alerts on an event.
- Reporting: The compliance use case of SIEM remains an important one, especially today with the rising number of regulatory and industry compliance standards. SIEM solutions provide the means for auditing and reporting on incidents and storing security data that can be used for compliance coverage.
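To make the log management, event detection and threat intelligence items above concrete, here is an added example (not code from the original article): a miniature SIEM pipeline that parses two constructed log formats (a firewall log and an sshd auth log) into one schema, time-orders them, and runs two rules over the result. The first rule correlates across both sources (an external address the firewall let through to port 22, followed by sshd accepting a login from that same address), which neither log reveals on its own; the second matches events against a hypothetical threat intelligence feed. The log lines, the feed contents and the internal address ranges are all assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs (not real data) in two formats: a firewall log
# and an sshd auth log, as a SIEM would receive them from two controls.
FIREWALL_LOG = """\
2021-03-01T10:00:00Z fw1 kernel: ALLOW src=203.0.113.7 dst=10.0.0.5 proto=TCP dpt=22
2021-03-01T10:03:00Z fw1 kernel: ALLOW src=10.0.0.23 dst=10.0.0.5 proto=TCP dpt=22
2021-03-01T10:07:30Z fw1 kernel: ALLOW src=10.0.0.5 dst=192.0.2.99 proto=TCP dpt=443
"""
SSHD_LOG = """\
2021-03-01T10:00:05Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51123 ssh2
2021-03-01T10:00:12Z host1 sshd[1201]: Accepted password for root from 203.0.113.7 port 51127 ssh2
2021-03-01T10:03:02Z host1 sshd[1300]: Accepted publickey for alice from 10.0.0.23 port 40001 ssh2
"""
# Hypothetical threat-intelligence feed (assumed, not a real feed): known-bad IPs.
THREAT_INTEL_IPS = {"192.0.2.99"}
# Assumed internal address space, used to tell external sources from internal ones.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<action>ALLOW|DENY) "
                   r"src=(?P<src_ip>\S+) dst=(?P<dst_ip>\S+) proto=\S+ dpt=(?P<dport>\d+)")
SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port \d+")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def normalize(fw_text, sshd_text):
    """Log management step: parse both formats into one common event schema."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "source": "firewall", "host": m["host"],
                           "event_type": "fw_" + m["action"].lower(), "user": None,
                           "src_ip": m["src_ip"], "dst_ip": m["dst_ip"], "dport": int(m["dport"])})
    for line in sshd_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "source": "sshd", "host": m["host"],
                           "event_type": "auth_success" if m["result"] == "Accepted" else "auth_failure",
                           "user": m["user"], "src_ip": m["src_ip"], "dst_ip": None, "dport": None})
    return sorted(events, key=lambda e: e["ts"])   # one time-ordered stream for correlation

def rule_external_ssh_login(events, window=timedelta(minutes=5)):
    """Cross-source rule: the firewall saw an external IP reach port 22, and
    sshd then accepted a login from that same IP within `window`. Neither
    log alone says 'an outsider is now logged in'; together they do."""
    alerts, allowed = [], {}   # src_ip -> time the firewall allowed it to port 22
    for e in events:
        if e["event_type"] == "fw_allow" and e["dport"] == 22 and is_external(e["src_ip"]):
            allowed[e["src_ip"]] = e["ts"]
        elif e["event_type"] == "auth_success" and e["src_ip"] in allowed \
                and e["ts"] - allowed[e["src_ip"]] <= window:
            alerts.append({"rule": "external_ssh_login", "src_ip": e["src_ip"], "host": e["host"],
                           "user": e["user"], "ts": e["ts"],
                           "severity": "high" if e["user"] == "root" else "medium"})
    return alerts

def rule_threat_intel(events, bad_ips):
    """Enrichment rule: any event whose source or destination IP is on the feed."""
    return [{"rule": "threat_intel_match", "src_ip": e["src_ip"], "dst_ip": e["dst_ip"],
             "source": e["source"], "ts": e["ts"], "severity": "high"}
            for e in events if e["src_ip"] in bad_ips or e["dst_ip"] in bad_ips]

def run_siem(fw_text, sshd_text, bad_ips):
    events = normalize(fw_text, sshd_text)
    return rule_external_ssh_login(events) + rule_threat_intel(events, bad_ips)

if __name__ == "__main__":
    for alert in run_siem(FIREWALL_LOG, SSHD_LOG, THREAT_INTEL_IPS):
        print(alert)
```

Run as-is, it raises two alerts: a high-severity external root SSH login from 203.0.113.7 (firewall allow at 10:00:00, sshd accept at 10:00:12) and a threat intelligence match on the outbound connection to 192.0.2.99. Alice's login from 10.0.0.23 is silent because the source is internal. Note that the correlation only works because both sources were normalized to the same `src_ip` field and the same timestamp type; in a real deployment, clock skew between the firewall and the host is the first thing that breaks windows like this one.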
Benefits of using SIEM
Organizations, no matter how large or small, are implementing SIEM solutions for their many use cases and benefits. SIEM today is an essential step in monitoring and mitigating security risks in any IT environment. Some of the benefits of SIEM are:
External and insider threat detection
Along with aggregating data from internal security controls and rules, SIEM also incorporates outside threat intelligence feeds to detect many common and sophisticated threats in the current threat landscape. Provided the relevant sources are feeding it (mail gateway, authentication, endpoint, proxy and network logs), a SIEM can detect phishing arriving via email, attackers using stolen login credentials to access the organization's network, malicious code executed via a compromised web page or application, DDoS attacks, and unusual movement of data across the network that can signal data exfiltration by an APT.
External threats aren't the only ones that put organizations at risk, nor are they the only threats a SIEM detects. Insider threats are among the most common and dangerous threats today, by some estimates responsible for around 22% of all security incidents. Attackers who compromise the credentials of authorized users also look, from the logs, much like insiders, so the same detections apply to both.
A SIEM tool monitors user activity, detects deviations from a normal baseline and generates alerts. Unusual user behaviors include a high volume of login attempts in a short period of time, attempting actions beyond the user's privileges, accessing systems or data the user is not permitted to, installing unapproved software and disabling security controls.
Reduced response time
A SIEM solution gathers and aggregates log data from various sources, systems and controls. This gives it visibility over what happens across the network and the ability to detect attacks that one control missed but another recorded, and to correlate events where one source captured part of the activity and a different system captured the rest.
By correlating data from different systems and even external sources, SIEM can rapidly detect an event, determine its details, and send alerts to security analysts along with the collected data and context, so they can respond accordingly.
With the ever-expanding IT environment and growing shadow IT, visibility is one of the most crucial components of any widely used security solution, and SIEM is no exception. As mentioned, a SIEM solution collects data from various internal and external sources, hosts and security tools. This provides centralized visibility into event logs in a uniform format, so data can be more easily investigated. A SIEM tool actively monitors different solutions across the entire infrastructure, allowing organizations to identify potential vulnerabilities and threats.
Improved efficiency in an organization
Reduced incident response time and enhanced event log visibility come together to improve efficiency in understanding and managing events in an organization's IT environment. By providing a single, unified view into system data, SIEM allows organizations to drive the collaboration of different teams in responding to security incidents. Additionally, the single interface with data from all sources allows teams to track a threat through the network and identify affected hosts. Some SIEM solutions also offer automated response actions, often through SOAR integration, such as isolating a compromised host as soon as a threat is detected, reducing further damage.
Achieving and maintaining compliance
Compliance is mentioned again, as it is one of the most common uses of SIEM. Solutions differ in the number of compliance-related processes they bundle, but each can be used for real-time auditing, spotting violations and generating compliance reports.
Limitations and challenges of SIEM
Despite the numerous benefits SIEM provides to organizations, all the talk about the "death of SIEM" isn't exactly unfounded. The technology does have some critical design limitations that present organizations with various challenges and the need for workarounds.
The first challenge of using a SIEM solution, and a growing one, is that it generates large volumes of alerts daily, many of which are false positives. Each one demands analyst time to investigate, taking time away from other tasks and, over time, leading to alert fatigue, where genuine alerts are missed among the noise.
Because SIEM solutions depend on predetermined rules in order to detect incidents, a misconfigured SIEM can miss important security events, leaving the organization vulnerable. Furthermore, a SIEM is only as good as the security controls and log sources feeding it. Firewalls and IDS/IPS solutions monitor network flows and security events, while the SIEM works from the log data those solutions produce; without them, or without endpoint and authentication logs, the SIEM has nothing to correlate and cannot detect the corresponding threats.
Configuring, analyzing and integrating a SIEM requires skilled analysts, so organizations can expect larger staffing budgets. Initial setup and configuration is not only a job for professionals; it is also a long and complex process that takes up most of the implementation time, with 90 days often cited as the norm for getting a SIEM solution working in a given environment.
Finally, using SIEM is an expensive endeavor. The initial investment in implementing a SIEM solution is substantial, and ongoing costs for managing, monitoring, supporting and licensing (often priced by the volume of data ingested, which grows with every new log source) add up. This makes SIEM quite expensive for many organizations.
One important thing to consider is that vendors continuously work on these limitations in newer versions of their SIEM solutions, adding functions and capabilities to overcome them. Many of the challenges mentioned can be mitigated by choosing a modern solution, though none of them disappear entirely: tuning, staffing and log-source coverage remain the customer's job.
SIEM best practices
With all of its limitations, it's important for organizations to follow best practices before they invest in a SIEM solution and make sure they're doing the best they can to enjoy all of the benefits it offers.
Never skip initial planning
To overcome the limitations of SIEM and to make sure you're setting your organization up for success, careful planning before implementation is crucial. Some important questions to ask yourself are what function SIEM will have in your organization and what goals it should fulfill. It's also important to identify all compliance requirements, if that's one of the implementation goals. This can further inform the choice of a specific SIEM solution that will achieve exactly what your organization needs.
Support and maintain
A SIEM solution is not a "deploy and forget" type of solution. SIEM needs to be supported and maintained so that appropriate adjustments can be made as your organization scales: new log sources onboarded, parsers updated when log formats change, and rules revisited. New incident response plans and workflows should be documented, and automation (SOAR playbooks, and ML/AI-assisted detection where it proves reliable) should be employed to ensure quick intervention for security incidents.
Customize and tweak when necessary
Designing and applying correlation rules across all systems and sources is a crucial step in having a SIEM function properly. Establishing criteria for generating alerts and determining the actions the SIEM should take when it suspects malicious activity is essential for fine-tuning threat detection and reducing false positives. As time passes, the SIEM should be further tweaked and customized, with thresholds, allowlists and rule logic revisited against the alerts analysts actually closed as false positives, so it keeps providing relevant insights into log data.
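The tuning cycle described above, and the alert-fatigue problem raised under the limitations, as an added example (not code from the original article): the same failed-login rule before and after tuning, run over constructed, already-normalized authentication events. The allowlisted scanner address, the thresholds and the event data are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_events():
    """Constructed, already-normalized auth events (not real data)."""
    base = datetime(2021, 3, 1, 9, 0, 0)
    ev = []
    # An authorized vulnerability scanner probing SSH: 30 failed logins in one minute.
    for i in range(30):
        ev.append({"ts": base + timedelta(seconds=2 * i), "src_ip": "10.0.0.50",
                   "user": f"svc{i % 3}", "event_type": "auth_failure"})
    # A password spray from outside: 8 failures against 8 different users, then a success.
    for i in range(8):
        ev.append({"ts": base + timedelta(minutes=5, seconds=10 * i), "src_ip": "203.0.113.9",
                   "user": f"user{i}", "event_type": "auth_failure"})
    ev.append({"ts": base + timedelta(minutes=6, seconds=30), "src_ip": "203.0.113.9",
               "user": "user8", "event_type": "auth_success"})
    # A legitimate user mistyping their password three times, then getting in.
    for i in range(3):
        ev.append({"ts": base + timedelta(minutes=10, seconds=5 * i), "src_ip": "198.51.100.4",
                   "user": "alice", "event_type": "auth_failure"})
    ev.append({"ts": base + timedelta(minutes=10, seconds=20), "src_ip": "198.51.100.4",
               "user": "alice", "event_type": "auth_success"})
    return sorted(ev, key=lambda e: e["ts"])

def rule_untuned(events, threshold=3, window=timedelta(minutes=5)):
    """Out-of-the-box rule: alert on every failure once a source IP has
    `threshold` failures in `window`. Technically correct, but noisy."""
    alerts, failures = [], defaultdict(list)
    for e in events:
        if e["event_type"] != "auth_failure":
            continue
        failures[e["src_ip"]].append(e["ts"])
        recent = [t for t in failures[e["src_ip"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "failed_logins", "src_ip": e["src_ip"],
                           "count": len(recent), "severity": "medium"})
    return alerts

def rule_tuned(events, allowlist, threshold=5, window=timedelta(minutes=5)):
    """Same rule after tuning: known scanners are allowlisted, the threshold
    is raised, one alert per source per window is kept updated instead of
    re-firing, and a later success from the same source escalates it."""
    alerts, failures, open_alert = [], defaultdict(list), {}
    for e in events:
        ip = e["src_ip"]
        if ip in allowlist:
            continue
        if e["event_type"] == "auth_failure":
            failures[ip].append(e)
            recent = [f for f in failures[ip] if e["ts"] - f["ts"] <= window]
            if len(recent) < threshold:
                continue
            a = open_alert.get(ip)
            if a is None or e["ts"] - a["first_ts"] > window:
                a = {"rule": "failed_logins", "src_ip": ip, "first_ts": e["ts"], "severity": "medium"}
                open_alert[ip] = a
                alerts.append(a)
            a["count"] = len(recent)
            a["users"] = {f["user"] for f in recent}   # many distinct users => password spraying
        elif e["event_type"] == "auth_success":
            a = open_alert.get(ip)
            if a is not None and e["ts"] - a["first_ts"] <= window:
                a["severity"] = "high"            # failures followed by success: escalate
                a["succeeded_as"] = e["user"]
    return alerts

if __name__ == "__main__":
    ev = make_events()
    print(len(rule_untuned(ev)), "alerts before tuning")
    print(rule_tuned(ev, allowlist={"10.0.0.50"}))
```

On these events the untuned rule raises 35 alerts, 28 of them for the authorized scanner and one for Alice's typos; the tuned rule raises exactly one, escalated to high because the spray from 203.0.113.9 ended in a successful login, and it carries the eight distinct target usernames an analyst needs to recognise spraying. The trade-off to document when tuning this way: an allowlisted scanner address is also a blind spot if an attacker ever operates from it, so allowlist entries should be reviewed on a schedule, not added once and forgotten.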
Hire the right people
SIEM is a fantastic solution for various security teams, most notably the SOC team, but it doesn't work the way it's supposed to without experienced and knowledgeable analysts implementing, maintaining and constantly fine-tuning the solution to make it truly efficient in the ever-changing threat landscape.
SIEM might be proclaimed as a traditional security solution that's getting squeezed out of the modern IT environment by more advanced technologies and solutions, but it still has and will continue to have its place. Rapid advancements in adding more capabilities to SIEM and integrating it with other solutions such as SOAR breathe new life into this familiar technology.
SIEM will continue empowering organizations with visibility over security events and improving their responses to potential threats, allowing them to stop security breaches before they reach catastrophic proportions in their network.