Security incident and event management (SIEM) products go a stage beyond security infrastructures comprised of a firewall, an intrusion prevention system (IPS) and endpoint protection. SIEM systems manage and make sense of security logs from all kinds of devices and carry out a range of functions including spotting threats, preventing breaches before they occur, detecting breaches, and providing forensic information to determine how a security incident occurred as well as its possible impact.

SIEM Moves to the Midmarket

In the past SIEM products were generally reserved for large enterprises, but they are now becoming accessible to medium-sized organizations as well, said Oliver Rochford, a research director at Gartner.

One reason that SIEM products were mostly used only by large enterprises is that you need one or two people to oversee them 24/7, and only large companies typically have these kinds of human resources. But medium-sized companies can either use a managed service or oversee a SIEM system during office hours and rely on a managed service to provide "out of hours" coverage, Rochford suggested.

Another reason that the appeal of SIEMs has broadened is that previously the main driver for adoption was compliance, an issue more likely to affect larger companies. While compliance is still an important factor, Rochford said threat management is now a bigger driver.

"Look at ransomware; that's a threat that midsized companies are very interested in detecting," he said. "Ransomware is typically very compact, and then it connects to a C&C (command and control) center. So you may be able to detect a phishing email that delivers it, or its communication, or indicators of a compromise like new processes starting. A SIEM will allow you to centralize and review this information and maybe detect the ransomware."

Key SIEM Product Features

SIEM products range from simplified products for midsize businesses to far more sophisticated affairs for the largest international enterprises. But they all have the same core functionality, and here are six key SIEM features to look for.

Ability to connect to existing systems that produce logs

"It is of key importance that as many of your log sources as possible are supported. That's because making your own connectors doesn't scale well," Rochford said. Clearly if you have your own custom apps you will have to make your own connectors for them, but ensuring that your commercial apps are supported could be the difference between a SIEM project succeeding and failing. If you use a wide variety of applications, you may need to look at a vendor such as Splunk, which is notable for the large number of applications from which it can ingest data.

Availability of threat intelligence feeds

Commercial and open source threat intelligence feeds are valuable, because research shows that their contents do not overlap to a high degree. Nonetheless, for simplicity or for financial reasons, many companies only make use of feed(s) included with the SIEM product or service they buy. For that reason, it is important to establish which feed(s) are included and which other commercial and open source feeds are compatible with the SIEM product. OpenIOC is a framework or standard that ensures SIEM compatibility with many feed sources.

Analytics

This is the bread and butter of SIEM products, and it involves tying together different occurrences reported in logs to spot the indications of a compromise. One example: a port scan followed by user access to certain types of data or user entity behavior that can indicate an internal threat. It is important that analytics functionality is presented in a way that you can use it effectively; this should be checked thoroughly before any purchasing decision.

Advanced profiling

This can be implemented in many ways, but in essence it establishes baseline or normal behavior for a number of characteristics on your network on which to carry out behavioral analytics. SIEMs traditionally do correlation analysis, but profiling allows you to spot deviations from the norm. "In many cases such a deviation indicates something bad, or at least suspicious activity," said Rochford.

Automation

The level of automation in SIEM products varies considerably and may include the automatic gathering of intelligence after an incident is detected and generating automatic notifications. However, the use of automated responses to detected threats is comparatively rare.

"There are still inhibitions about using automated responses because of worries about what it could do to a production environment, so it is primarily used by early adopters or by companies that want to adopt a very high security posture," Rochford said. "But I do think that automated responses are going to be necessary so its use will become more common."

Artificial intelligence/machine learning

AI and machine learning go hand-in-hand with automated response and the ability to react immediately to detected threats. But Rochford warns that AI is not a panacea that will solve all security problems. "The message is don't have too high expectations about artificial intelligence. It can certainly do some things that humans can't, but it can't do everything."

Leading SIEM Vendors

IBM

IBM QRadar Security Intelligence Platform provides a unified architecture for integrating security information and event management (SIEM), log management, anomaly detection, incident forensics, incident response, and configuration and vulnerability management.

Splunk

Although not specifically a SIEM product, Splunk can be used as a SIEM offering. Features include: real-time aggregation of security-relevant data; ability to add context to security events; incident investigations/forensics; security reporting and visualizations; real-time correlations and alerting for threat detection; advanced/unknown threat detection; and compliance reporting.

LogRhythm

LogRhythm's SIEM can be deployed in an appliance, software or virtual instance format and supports an "n-tier" scalable decentralized architecture composed of the Platform Manager, AI Engine, Data Processors, Data Indexers and Data Collectors. Consolidated all-in-one deployments are also possible. According to Gartner's 2016 Magic Quadrant for Security Information and Event Management SIEM report: "LogRhythm is an especially good fit for organizations that require integrated advanced threat monitoring capabilities in combination with SIEM. Those organizations with resource-restricted security teams requiring a high degree of automation and out-of-the-box content should also consider LogRhythm."

HPE

HPE's ArcSight SIEM solution is a comprehensive threat detection and compliance management platform with a flexible architecture, allowing organizations to scale out their existing deployments. Gartner adds that the platform is available in three different variations: the ArcSight Data Platform (ADP), providing log collection, management and reporting; ArcSight Enterprise Security Management (ESM) software for large-scale security monitoring deployments; and ArcSight Express, an appliance-based all-in-one offering that's designed for the midmarket, with preconfigured monitoring and reporting, as well as simplified data management.

Intel Security

Intel's SIEM solution brings event, threat and risk data together to provide security intelligence, rapid incident response, log management and compliance reporting. The core of the system is McAfee Enterprise Security Manager, which delivers actionable intelligence and real-time situational awareness required to identify, understand and respond to stealthy threats. An embedded compliance framework is designed to simplify compliance. Add-on modules include a correlation engine, an application data monitor, an event monitor, an event receiver, a log manager and a threat intelligence feed.

Other notable SIEM vendors include:

Dell EMC RSA

Micro Focus

Trustwave

AlienVault

SolarWinds

Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.