SIEM Definition
The SIEM acronym stands for security information and event management, a type of cybersecurity solution that collects and converges data from different parts of your IT environment for the purpose of security monitoring.
A SIEM is a centralized log management platform that integrates with your applications, systems, servers and other services to ingest the data each of them produces.
SIEMs are used for real-time security event analysis to support investigation, early threat detection and incident response. They also support compliance use cases, as many regulatory frameworks require organizations to retain audit logs for a year or more. Not every SIEM is built the same, however: many will not deliver useful threat analysis, detection or response without initial tuning and ongoing detection rule management.
Why SIEM?
Every operating system keeps its own log repository, but those logs are stored on the host that produced them. Once that host is compromised, the logs can no longer be trusted: an attacker with sufficient privileges can read, alter or delete them to cover their tracks.
The solution is to forward logs as they are generated to a central location, separate from the host that created them. Logs that have already been shipped survive a compromise, a hardware failure or an insider acting on the host, and remain intact and tamper-free. The caveat is that only logs that left the host before the compromise enjoy this protection, so forwarding should be continuous, and a host that suddenly stops sending logs is itself worth alerting on.
What Are The Benefits of SIEM?
There are a variety of benefits to running a SIEM solution:
- Advanced Visibility – Aggregating the logs from your on-premises and cloud-based applications, servers, databases and other systems gives you deeper insight into your users, endpoints, traffic and activity, and lets you keep oversight of your network and beyond the perimeter as your company scales.
- Data Normalization – The different technologies across your environment generate large volumes of data in many different formats. Not every SIEM collects, parses and normalizes that data automatically, but many offer maintained parsers for common data types. A common schema is what makes it possible to correlate data across sources for threat analysis and investigation.
- Log Correlation – In addition to collecting logs, a SIEM correlates them for analysis, which enables security alerts, trend analysis and reports. Events that span multiple hosts provide far richer context than any single log can. For example, correlating a suspicious DNS lookup, unusual port activity on routers and firewalls, and an endpoint or antivirus detection from the same source can reveal an attack that each signal alone would not.
- Threat Detection – Correlation and analysis lead to threat detection and alerting. Once a SIEM is configured and tuned to your environment, it can surface indicators of compromise and threats that could lead to a breach. Some SIEMs ship with a default set of alert rules, but these still need tuning. The goal is a balance between false positives and false negatives that keeps alert noise low enough that your team knows when an alert genuinely calls for action.
- Help Meet Compliance – Many regulations and frameworks spanning different industries, such as HIPAA, CMMC, NIST, FFIEC and PCI DSS, require organizations to collect and retain audit logs for a defined period, to detect and respond to threats, and to produce regular security reports for auditors.
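The normalization, correlation and threat-detection points above describe one pipeline, and the following is an added example of it, not code from the original article or from any SIEM product. A toy Python collector parses three constructed log formats (a firewall DROP line in syslog style, a BIND-style DNS query log line and an endpoint-protection JSON event) into one schema, then raises an alert only when a single source IP produces at least two distinct suspicious categories inside a ten-minute window. The sample log lines, host names, IP addresses, the pinned syslog year and the two-category threshold are all assumptions made for the example.

```python
"""Toy SIEM pipeline: normalize heterogeneous log lines, then correlate per source IP."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: classic syslog timestamps carry no year, so the example pins one for parsing.
SYSLOG_YEAR = 2024
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample input (not real logs): three formats mixed together, plus one line
# no parser understands, as a collector would receive them.
SAMPLE_LOGS = [
    "Mar 12 10:00:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP DPT=4444",
    "12-Mar-2024 10:00:03.120 client 10.0.0.5#52311: query: ab3f9c.bad.example IN TXT",
    '{"ts": "2024-03-12T10:00:05Z", "host": "ws-05", "ip": "10.0.0.5", "event": "malware_detected", "name": "Trojan.Generic"}',
    "Mar 12 10:01:00 app01 sshd[2211]: Accepted publickey for deploy from 10.0.0.20",
    "Mar 12 10:02:40 fw01 kernel: DROP IN=eth0 SRC=10.0.0.7 DST=198.51.100.2 PROTO=UDP DPT=123",
    "12-Mar-2024 10:03:10.001 client 10.0.0.9#41000: query: www.example.org IN A",
    "Mar 12 11:30:00 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP DPT=4444",
]

FIREWALL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP .*SRC=(\S+) .*DPT=(\d+)")
DNS_RE = re.compile(r"^(\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ client ([\d.]+)#\d+: query: (\S+) IN (\w+)")

# Categories that count toward an alert; anything else is kept but never correlated.
SUSPICIOUS = {"egress_blocked", "dns_txt_query", "endpoint_threat"}


def normalize(line):
    """Parse one raw line into a common schema, or return None if no parser matches.

    Schema: {"ts": aware UTC datetime, "src_ip": str, "category": str, "detail": str}
    """
    m = FIREWALL_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return {"ts": ts.replace(tzinfo=timezone.utc), "src_ip": m.group(2),
                "category": "egress_blocked", "detail": f"dport={m.group(3)}"}
    m = DNS_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
        qtype = m.group(4)
        # TXT lookups are treated as interesting (a common C2/exfiltration channel);
        # ordinary A queries are still normalized but get a benign category.
        category = "dns_txt_query" if qtype == "TXT" else "dns_query"
        return {"ts": ts.replace(tzinfo=timezone.utc), "src_ip": m.group(2),
                "category": category, "detail": f"{m.group(3)} {qtype}"}
    if line.startswith("{"):
        rec = json.loads(line)
        if rec.get("event") == "malware_detected":
            ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            return {"ts": ts, "src_ip": rec["ip"], "category": "endpoint_threat",
                    "detail": rec["name"]}
    return None


def correlate(events, window=CORRELATION_WINDOW, min_categories=2):
    """Group suspicious events per source IP and alert when at least `min_categories`
    distinct categories fall within `window` of each other.

    A single category on its own never alerts: one blocked packet or one TXT lookup
    is noise. Raising `min_categories` cuts false positives at the cost of missing
    attacks that only trip one or two sensors; that is the tuning trade-off.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["category"] in SUSPICIOUS:
            by_ip[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            cats = {e["category"] for e in cluster}
            if len(cats) >= min_categories:
                alerts.append({"src_ip": ip, "start": first["ts"], "categories": sorted(cats),
                               "severity": "high" if len(cats) == len(SUSPICIOUS) else "medium"})
                break  # one alert per IP per run keeps the analyst queue quiet
    return alerts


def run(lines):
    """Normalize every line that a parser understands, then correlate the result."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run(SAMPLE_LOGS)
    print(f"normalized {len(events)} of {len(SAMPLE_LOGS)} lines")
    for alert in alerts:
        print(alert)
```

Run on the constructed input, only 10.0.0.5 alerts: its blocked outbound connection, TXT lookup and endpoint detection all land within a few seconds, while the lone blocked NTP packet from 10.0.0.7 and the ordinary A query from 10.0.0.9 are kept as events but never promoted. The repeated DROP at 11:30 is outside the window and does not extend the cluster. In a real deployment the window, the category set and `min_categories` are the knobs that turn the false-positive/false-negative balance described above.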
What Should You Log?
Everything
Logging everything stems from the view that you cannot know what you will need until you need it, so you store everything and search and filter later. This gives you access to all the data you might ever require, but it also makes storage, indexing and, in some cases, transmission harder. If a commercial solution is used, licensing is often volume-based, so greater volume means greater cost.
Only What You Need
Collecting only what you need consumes far fewer resources, but there is a risk that something important will be missed. When starting a new log collection and correlation system, it is best to begin with what is needed and build from there.
In practice, the answer to what to log is driven mostly by cost. If so, prioritize high-value, high-risk systems and those facing external networks, and consume their logs more aggressively.
It is recommended to begin with systems that already emit security logs, such as IPS/IDS (intrusion prevention and detection systems) and endpoint protection. Once processes and procedures have been defined and are being followed, other sources such as Windows event logs, DNS, honeypots, applications and databases can be added for a deeper look into the infrastructure.