Introduction to SIEM (security information and event management)
Security information and event management (SIEM) is a software system that collects and aggregates data and events from various networking devices and resources across IT infrastructure. At present, the SIEM market value is around $4.2 billion and is expected to grow to $5.5 billion by 2025.
The term SIEM was first used in 2005 by Mark Nicolett and Amrit Williams. SIEM as a concept was proposed by them by combining the concept of security information management (SIM) and security event management (SEM).
Learn Network Security Fundamentals
How SIEM works
A typical SIEM collects and aggregates security data from various networking devices, servers, computers and domain controllers present within the ecosystem. The collected data is stored, aggregated and normalized on which the analytics are applied to detect threats, raise alerts and enable organizations to take suitable steps based on the alert raised.
Thus, SIEM plays a vital role and is an important part of the data security ecosystem since it detects abnormal behavior and traffic flowing in and out of the network. On the flip side, SIEM tools can be resource-consuming, expensive to implement and it is often difficult to remediate problems reported by SIEM.
SIEM use
Following are the main capabilities found in an SIEM:
- Threat detection
- Investigation
- Time to respond
Apart from the above features, other additional features which an SIEM provides are:
- Basic security monitoring
- Advanced threat detection
- Log collection
- Forensics and incident response
- Incident detection
- Notifications and alerts
- Threat response workflow
Top SIEM vendors
Following are the top SIEM available in the market widely used at the corporate level:
- Splunk
- IBM Qradar
- LogRhythm
- SolarWinds Security Event Manager
- Alienvault
- ArcSight
- Datadog
- McAfee ESM
- Securonix
- RSA Netwitness
9 SIEM best practices
Following are the best practices for SIEM implementation:
- Requirement: define monitoring and reporting requirements before deployment.
- Implementation: determine and define the system’s scopes, infrastructure audit targets and verbosity.
- Access control: monitor and log access to critical resources and check whether it's legitimate or not.
- Perimeter defenses: monitor, log and respond to threats, violations and activity and attacks on perimeter defenses.
- Resource integrity: monitor, log and respond to threats, backup processes, violations and vulnerabilities and attacks on network system resources integrity and availability.
- Intrusion detection: monitor, log and respond to incidents related to intrusion detection and system threats.
- Malware defense: monitor, log and respond to threats, violations and activities on malware controls.
- Application defenses: monitor, log and respond to threats, violations and activity about the web, database and more.
- Acceptable use: monitor and report on the key status and issues violations activity regarding the acceptable use of resources and information.
Next-generation SIEM
Next-generation SIEMs engulf automated incident response technology and are much more advanced and more refined than the formal ones. Next-generation SIEMs integrate with IT and other security tools/hardware and provide full security orchestration and automation (SOAR) capabilities.
Examples include:
- Authentication and access management: automatically disable user accounts and reset passwords on active directory
- Cloud infrastructure: disable accounts and stop or destroy instances on AWS/Microsoft Azure
- Email security: delete or quarantine emails, sending email on SMTP email servers and Microsoft Exchange
- Endpoint security: isolate devices from the network and delete and list files or active processes on Linux/Windows/Mac
- Firewalls: block or unblock IPs and domains on firewalls
- Forensics: automatically running virus scans, scanning files and quarantine suspected malware in sandboxes.
- Information technology service management (ITSM): create tickets, change ticket status, add comments to tickets, reassign tickets and close incidents on the ITSM system
Learn Network Security Fundamentals
Trends in SIEM
Following are the top trends impacting the SIEM market:
- The sophistication of cyberattacks and their exponential rise
- Strict security compliances and regulations imposed by governments
- Cloud-based services adoption among SMEs
Sources
SIEM architecture: technology, process and data, Exabeam
What is SIEM? A beginner’s guide, Varonis
Security information and event management market, Market and Markets