Security information and event management (SIEM) is the technology that can tie all your systems together and give you a comprehensive view of IT security.
IT security is typically a patchwork of technologies – firewalls, intrusion prevention, endpoint protection and the like – that work together to protect an organization's network and data from hackers and other threats. Tying all those disparate systems together is another challenge, however, and that's where SIEM can help.
What is SIEM?
A security information and event management, or SIEM solution (pronounced "SIM"), ingests log data from a wide range of network hardware and software systems and analyzes that data in real time. Its purpose is to correlate events and spot individual anomalies or patterns of behavior that may indicate a security breach – using intelligence feeds to ensure that it is aware of new threats as they emerge – and to present log data in a manageable and easily understood form so that it can be interpreted effectively by security staff.
SIEM tools are also used to collect log information from security and other systems to generate reports for compliance purposes. Security information and event management is sometimes also known as security event and information management.
Two related activities are SEM (security event management) and SIM (security information management). These are both subsets of SIEM. In general, SEM is concerned with real-time monitoring of logs and correlation of events, while SIM involves data retention and the later analysis and reporting on log data and security records. This is often carried out as part of a forensic analysis to establish how a security breach occurred, what systems and data may have been compromised, and what changes need to be made to prevent a similar breach. Most modern SIEMs can be used to carry out both SEM and SIM.
SIEM tools: key features to look for
SIEM is a very broad term, and SIEM tools from different vendors have different feature sets, strengths and weaknesses. But in general most SIEM tools will have variations of the following features:
- Ingestion and interpretation of logs
- Connection to updated threat intelligence feeds
- Correlation and analytics
- Advanced profiling
- Security alerts
- Data presentation
Ingestion and interpretation of logs:
A key differentiator of SIEM tools is the number and variety of log sources that they can connect to out of the box for data aggregation purposes. Although it is usually possible to build a connector to an individual device or application, this can be costly and time consuming and therefore impractical for more than a handful of log sources. Certain vendors such as Splunk are notable for the large number of applications that they can ingest data from.
Connection to updated threat intelligence feeds:
Many companies only make use of the feed(s) included with the SIEM product or service they buy, but commercial feeds from third parties and open source threat intelligence feeds are also available. These can be valuable because research shows that their contents do not overlap to a high degree, and the more information a SIEM has about security threats the more likely it is to detect them.
Correlation and analytics:
This is the bread and butter of SIEM technology, and it involves tying together different occurrences reported in logs to spot the indications of a compromise – for example, a port scan followed by user access to certain types of data, or user entity behavior that can indicate an internal threat.
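The "port scan followed by access to sensitive data" correlation described above, as an added example that is not part of the original article or any vendor's product. It assumes events have already been normalised by the ingestion stage into dicts with the constructed field names used here (ts, type, src, dport, user, class); the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, in the normalised form a SIEM produces after log ingestion:
# one source hits many distinct ports within seconds, then reads confidential data 12 minutes later.
SCAN_PORTS = [21, 22, 23, 25, 80, 443, 445, 3389, 3306, 5432, 8080]
EVENTS = [
    {"ts": f"2024-01-05T10:00:{i:02d}", "type": "fw_deny", "src": "10.0.0.7", "dport": p}
    for i, p in enumerate(SCAN_PORTS)
] + [
    {"ts": "2024-01-05T10:00:40", "type": "fw_deny", "src": "10.0.0.9", "dport": 22},
    {"ts": "2024-01-05T10:12:30", "type": "file_read", "src": "10.0.0.7", "user": "jdoe", "class": "confidential"},
    {"ts": "2024-01-05T10:15:00", "type": "file_read", "src": "10.0.0.9", "user": "asmith", "class": "confidential"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def port_scan_sources(events, min_ports=10, window=timedelta(minutes=1)):
    """Return {src: first_hit_time} for sources that touched >= min_ports distinct ports within window."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "fw_deny":
            by_src[e["src"]].append((parse(e["ts"]), e["dport"]))
    found = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window over each candidate start time
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                found[src] = t0
                break
    return found


def correlate(events, follow_within=timedelta(minutes=30)):
    """Alert when a source flagged as scanning later reads confidential data within follow_within."""
    scans = port_scan_sources(events)
    alerts = []
    for e in events:
        if e["type"] != "file_read" or e.get("class") != "confidential":
            continue
        t0 = scans.get(e["src"])
        if t0 is not None and timedelta(0) <= parse(e["ts"]) - t0 <= follow_within:
            alerts.append({"src": e["src"], "user": e["user"], "scan_at": t0.isoformat(), "read_at": e["ts"]})
    return alerts


if __name__ == "__main__":
    print(correlate(EVENTS))
```

The second source (10.0.0.9) touches one port and reads the same data class, so it is not alerted on: the value of correlation is that neither event alone is an incident.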
Advanced profiling:
All SIEMs carry out correlation and analysis, but advanced profiling is less common (although it is becoming increasingly prevalent). It works by establishing baseline or "normal" behavior for a number of characteristics on a network. It then carries out behavioral analytics to spot deviations from the norm.
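The baseline-then-deviation approach described above, as an added example that is not taken from the article or any SIEM product. It assumes the characteristic being profiled is the daily count of confidential-file reads per user; the baseline counts and today's counts are constructed, and the threshold and standard-deviation floor are illustrative choices.

```python
from statistics import mean, pstdev

# Constructed daily counts of confidential-file reads per user over a 14-day baseline period.
BASELINE = {
    "jdoe":   [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 3, 4, 3],
    "asmith": [20, 25, 18, 22, 24, 19, 21, 23, 20, 22, 24, 21, 19, 22],
}
# Constructed counts for the day being analysed; "newuser" has no history at all.
TODAY = {"jdoe": 40, "asmith": 26, "newuser": 5}


def build_profile(baseline, floor=1.0):
    """Per-user (mean, stdev) of the baseline period.

    The floor stops a very regular user (stdev near zero) from alerting on a change of one read.
    """
    return {user: (mean(counts), max(pstdev(counts), floor)) for user, counts in baseline.items()}


def deviations(profile, today, threshold=3.0):
    """Return (user, reason, z_score) for users whose count today lies more than
    `threshold` standard deviations above their own baseline mean, plus users with no baseline,
    which the analyst must review separately rather than silently ignore."""
    out = []
    for user, count in today.items():
        if user not in profile:
            out.append((user, "no baseline", None))
            continue
        mu, sd = profile[user]
        z = (count - mu) / sd
        if z > threshold:
            out.append((user, "above baseline", round(z, 2)))
    return out


if __name__ == "__main__":
    for row in deviations(build_profile(BASELINE), TODAY):
        print(row)
```

Note that asmith's 26 reads would be anomalous against jdoe's baseline but is within asmith's own normal range, which is the point of per-entity profiling.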
Security alerts:
Perhaps the most important feature of a SIEM tool is the ability to use the features described above to alert security staff as quickly as possible about possible security incidents. Alerts can be displayed on a centralized dashboard (see below) or provided in a number of other ways including via automated emails or text messages.
Data presentation:
An important function of a SIEM system is to make the interpretation of data from multiple sources easier by presenting it in the form of easily comprehensible graphics on a security dashboard display.
Compliance reporting:
SIEM technology is commonly used to collate events and logs and to generate compliance reports to meet specific compliance requirements, eliminating tedious, costly and time-consuming manual processes. Some offer integration with the Unified Compliance Framework, enabling a "collect once, comply with many" approach to compliance reports.
Tool trends and innovation
Not surprising in an area as critical as IT security, SIEM vendors continue to innovate. Here are some features that many vendors have already implemented or plan to:
Automation:
The level of automation in SIEM tools today varies considerably. It may include basic automation such as generating automatic notifications when certain events are triggered or thresholds are passed, or more advanced functionality such as the automatic gathering of intelligence after an incident is detected. The most advanced form of automation involves triggering automated responses to threats that are detected.
Today this form of automation – automated responses to detected threats – is comparatively rare because of worries about the disruption that could be caused in a production environment if a false positive is triggered. For that reason, it tends only to be used by organizations that want to adopt the very highest security posture, but in the future it is likely that automated responses will become the norm when faced with sophisticated attacks from hackers using automated attack tools.
Artificial intelligence and machine learning:
AI and machine learning go hand in hand with automated response and the ability to react immediately to detected threats, and it is likely that they will become increasingly important features of SIEMs in the future. However, in the near term most SIEM systems will only use artificial intelligence and machine learning as a complement to human oversight rather than as a fully automated alternative to a human-managed system.
5 SIEM solutions on the market today
Today's SIEM tools monitor, detect, protect and much more. From real-time aggregation of security-relevant data to scalable and decentralized architectures, the following overview of security information and event management tools will help get you started with finding the right vendor for your needs.
1. IBM QRadar Security Intelligence Platform
IBM provides a unified architecture for integrating security information and event management (SIEM), log management, anomaly detection, incident forensics, incident response, and configuration and vulnerability management.
2. Splunk real-time aggregation
Although not specifically a SIEM product, Splunk can be used as a SIEM offering: real-time aggregation of security-relevant data; ability to add context to security events; incident investigations/forensics; security reporting and visualizations; real-time correlations and alerting for threat detection; advanced/unknown threat detection; and compliance reporting.
3. LogRhythm advanced threat monitoring capabilities
LogRhythm's SIEM can be deployed in an appliance, software or virtual instance format and supports an "n-tier" scalable decentralized architecture composed of the Platform Manager, AI Engine, Data Processors, Data Indexers and Data Collectors. Consolidated all-in-one deployments are also possible.
According to Gartner's 2016 SIEM Magic Quadrant report, "LogRhythm is an especially good fit for organizations that require integrated advanced threat monitoring capabilities in combination with SIEM. Those organizations with resource-restricted security teams requiring a high degree of automation and out-of-the-box content should also consider LogRhythm."
4. HPE's ArcSight threat detection and compliance platform
HPE's ArcSight SIEM solution is a comprehensive threat detection and compliance management platform with a flexible architecture that allows organizations to scale out their existing deployments. Gartner adds that the platform is available in three different variations: the ArcSight Data Platform (ADP), providing log collection, management and reporting; ArcSight Enterprise Security Management (ESM) software for large-scale security monitoring deployments; and ArcSight Express, an appliance-based all-in-one offering that's designed for the midmarket, with preconfigured monitoring and reporting and simplified data management.
5. Intel/McAfee's SIEM solution
Intel/McAfee's SIEM solution brings event, threat, and risk data together to provide security intelligence, rapid incident response, log management, and compliance reporting. The core of the system is McAfee Enterprise Security Manager, which delivers the actionable intelligence and real-time situational awareness required to identify, understand, and respond to stealthy threats. An embedded compliance framework is designed to simplify compliance. Add-on modules include a correlation engine, an application data monitor, an event monitor, an event receiver, a log manager, and a threat intelligence feed.
Other SIEM vendors include: Dell EMC RSA, Micro Focus, Trustwave, AlienVault and SolarWinds.