SIEM Explained: What is SIEM and How Does it Work?

Security information and event management (SIEM) technology provides foundational support for threat detection. The high costs of SIEMs once made them feasible only for larger enterprise clients, but they have become more reasonable solutions for smaller organizations over time.

While a properly configured SIEM can provide effective threat protection, misuse of SIEM technology can increase costs and undermine security. To understand if SIEM technology fits your organization’s needs, you should understand what a SIEM is, how to use it, and how to avoid some of its common pitfalls.


What is a SIEM?

Gartner first coined the term SIEM in 2005 to combine the technologies of security event management (SEM) and security information management (SIM). SIEM technology was designed to collect, analyze, and store log files generated by endpoints (typically PCs). If the SIEM analysis detected malware or malicious activity, it could generate alerts for a security engineer or security operations center (SOC) to investigate.

Modern SIEM technologies have expanded this original scope in many directions. The logs collected now typically come not only from endpoints but from data center servers, cloud resources, networking equipment, and even devices in the Internet of Things (IoT) or operational technology (OT) categories.

SIEM tools now also offer features that can automatically respond to threats instead of waiting for a security technician to review the alerts. Advanced SIEM tools also incorporate artificial intelligence (AI) and machine learning (ML) algorithms to analyze logs and trends to proactively identify new alerts and new threats.

In an ideal deployment, a SIEM uses computing power to analyze device logs quickly and detect threats rapidly, and then gives the people or systems managing the response automated countermeasures, better investigation resources, and robust reporting.

How to Use a SIEM

SIEM technologies empower an existing security program, so an IT team cannot deploy a SIEM and expect security responses to magically take place.

Even highly automated SIEM tools require intelligent log file collection, proper configuration, and expert review of results. Fortunately, many consultants and outsourcing experts are available to help those without the internal resources for SIEM setup.

However, even for those intending to make use of extensive outsourcing, a basic understanding of the SIEM technology will help to make sure the chosen vendor is doing their job well. The basics apply to all SIEM technology:

  • Log File Collection: Logging needs to be enabled on every device we intend to monitor, and we need to make sure those logs are delivered to the SIEM accurately and intact.
  • SIEM Configuration: The SIEM may be installed on servers in a local data center, in containers, within cloud resources, or delivered as a service. In all cases, the configuration of the SIEM determines whether the logs are ingested, analyzed, and stored correctly.
  • Expert Review: Even with highly automated SIEM technology, an expert needs to oversee the hundreds or thousands of logs, alerts, and responses generated by servers and endpoints, to verify that no malware is being missed and that false alarms do not significantly disrupt business operations.

For a more thorough overview, check out our SIEM checklist.

Common SIEM Pitfalls and How to Avoid Them

Our SIEM checklist covers a number of potential issues, but we will highlight the most critical issues here relating to pitfalls that could undermine the most carefully established SIEM deployment.

In deployment, "garbage in, garbage out" and alert fatigue are the most critical issues. Either one will undermine even a powerful AI engine and cause a security team to miss attacks.

Garbage in, garbage out

Garbage in, garbage out pertains to the quality of the log files. During implementation, IT teams must examine both the devices generating log files and the log files themselves very carefully to verify their quality. If logs come from already-infected endpoints, the SIEM risks treating a compromised device's behavior as the normal baseline, and every future alert built on that baseline is suspect.

Conversely, if the right log files are not collected, or not enough of them, the SIEM will not have the data it needs to generate alerts or to properly analyze the health of the IT environment. Sending garbage to a SIEM only produces more garbage in the form of bad analysis.

Alert fatigue

Alert fatigue develops when alerts are triggered too easily by everyday events in the IT environment. With too many false alarms, the security team can no longer see the real problems buried in the noise. The number of devices monitored, the number of alerts raised, and the types of issues that generate alerts may all need to be adjusted to avoid alert fatigue.

Penetration testing is one way security teams can reduce unnecessary alerts and check for missing alerts. By intentionally performing activity designed to trigger alerts, security teams and SIEM managers can verify that the most likely attacks will be properly alerted and countered.

Beyond the initial setup, it is important to verify that there are sufficient supporting resources for the SIEM. Alert fatigue may be caused by perfectly reasonable alerts delivered to a short-staffed and overworked security team. Reducing alert fatigue can be as simple as right-sizing a security team, so legitimate alerts will not be overlooked by exhausted personnel.
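As an added illustration of the two pitfalls above (this is not part of the original article), the Python sketch below first rejects malformed or mis-timestamped log lines before analysis (garbage in), then contrasts an untuned failed-login rule with one that uses a threshold, a time window, and a vetted allowlist (alert fatigue). The log format, IP addresses, and threshold values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from a real system): a one-off typo, a malformed
# line, an invalid timestamp, a burst from one external IP and an internal scanner.
SAMPLE_LOGS = [
    "2024-03-01T08:00:01Z host=web1 user=alice src=10.0.0.5 event=login_failed",
    "2024-03-01T08:00:09Z host=web1 user=alice src=10.0.0.5 event=login_ok",
    "not a log line at all",
    "2024-13-01T08:00:10Z host=web1 user=bob src=10.0.0.6 event=login_failed",
] + [f"2024-03-01T08:10:{s:02d}Z host=web1 user=admin src=203.0.113.7 event=login_failed"
     for s in (0, 14, 28, 42, 56, 59)
] + [f"2024-03-01T08:20:{s:02d}Z host=web1 user=root src=10.0.0.250 event=login_failed"
     for s in range(0, 60, 10)]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=\S+ user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")

def parse_line(line):
    """Return a record, or None when the line is malformed or its timestamp is invalid."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {**m.groupdict(), "ts": ts}

def parse_logs(lines):
    """Garbage-in check: keep only well-formed records and count the rejects."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return records, len(lines) - len(records)

def naive_rule(records):
    """Untuned rule: one alert per failed login, which is how alert fatigue starts."""
    return [r["src"] for r in records if r["event"] == "login_failed"]

def tuned_rule(records, threshold=5, window=timedelta(minutes=5), allowlist=frozenset()):
    """Tuned rule: one alert per source with >= threshold failures inside a sliding
    window, skipping sources the team has vetted (e.g. an internal vulnerability scanner)."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "login_failed" and r["src"] not in allowlist:
            failures[r["src"]].append(r["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            alerts.append(src)
    return alerts
```

On the sample data the untuned rule raises 13 alerts while the tuned rule with the scanner allowlisted raises one, for the external burst; the two rejected lines show why validation must precede analysis.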

Insufficient file storage

When developing a SIEM strategy, be sure to consider storage needs for log files. Some popular SIEM solutions charge by the amount of data processed and stored by their system, and some data centers may have limited internal storage for log files.

While it may be tempting to cut storage costs, investigators responding to an attack may need logs spanning an extended period of time to track an attacker's activities and identify the original entry points. Arbitrary limits on log storage could leave an investigation without sufficient information or drive up its cost.

Fortunately, modern technology offers many possible solutions for storage. Different SIEM solutions can offer different pricing options, outsourcing can offer discounted rates, and cloud storage resources can be cheap to expand. For those looking to implement or expand a SIEM, be sure to consider future growth, current resources, and SIEM capabilities.

Choose Your SIEM Carefully

SIEMs hold enormous potential to turbo-charge security for organizations of many sizes. However, the SIEM solution needs to be selected in the context of organization needs and resources. Companies need to frankly consider their capabilities to avoid undermining their security teams with too many alerts, bad alerts, and misaligned infrastructure.


Chad Kime
Chad Kime combines his Electrical Engineering and MBA degrees to translate between technical language and common English. After managing over 200 foreign language eDiscovery projects, Chad values practicality over idealism. He has written on cybersecurity, risk, compliance, network security hardware, endpoint monitoring software, anime DVDs, industrial hard drive equipment, and legal forensic services.
