Security Information & Event Management (SIEM) 101

The acronym SIEM stands for security information and event management. Typically, SIEM solutions come in software form.

If you're wondering what SIEM can do, look no further than the name. These products can assess your current security system and spot threats. If they find an issue, this same system can stop the problem before it worsens. 

SIEM tools are powerful, and in some industries, they're mandatory. It's almost impossible to look over every corner of a large system without a SIEM. And if a problem occurs, the event reporting you'll get from your SIEM can make your life easier. 

But if you run a small company with a tiny staff, the time and effort you expend in finding the right SIEM and installing it could be better spent elsewhere. 

Where do you fall on this spectrum? And what should you look for in a software partner? Let's dig a little deeper.

What Is SIEM? 

Gartner defines SIEM as a technology that can both detect and block security events, all while logging information for real-time or historical analysis. 

Here’s an example. Someone is copying thousands of files from your server. A SIEM could:

  • Identify. The program knows what routine file copying looks like, so this unusual behavior causes alarm. 
  • Log. The SIEM keeps track of the problem, when it started, and everything it will do next to make the issue stop. 
  • Alert. The system sends a notification to appropriate parties that something is happening. 
  • Direct. The system could block that individual user from copying files until the investigation is complete. 

SIEM tools were born from a combination of security event management (SEM) tools and security information management (SIM) solutions. Rather than buying two pieces of software to spot threats and address them, companies pushed for one program that could tackle both tasks. Reporting capabilities grew from legislation (such as the Payment Card Industry Data Security Standard), which required accurate logs. 

Modern SIEM tools lean on the power of machine learning. If the system can't understand what normal behavior looks like, programmers must supply the data, and that's time-consuming. Adding in machine learning allows the program to learn on the fly, and with each passing day, it grows more powerful and helpful. 

With this power comes a hefty price tag. A SIEM can be expensive to purchase, program, and maintain. For that reason, large organizations and public companies tend to be the largest consumers of SIEM solutions.

How Does SIEM Work? 

How can SIEM be a detective and an enforcer at the same time? Integration is critical. 

Your SIEM connects to all sorts of devices within your network, including:

  • Antivirus software 
  • Applications 
  • Databases 
  • Firewalls 
  • User terminals 

Each one of these points sends data into the SIEM. All of those bytes slide into a management console. Sometimes, the programs rely on humans to sift through all of the information and make sense of it. 

Close to 80 percent of IT professionals already consider their work stressful. Giving them yet another dashboard filled with hundreds of data points may not make them feel at ease. But a SIEM is a little different than a traditional security tool. 

SIEMs can also rate the danger of a specific trigger or alert. You could choose to watch only the issues the program thinks is critical, and you could analyze the other logs later. 

A full-service SIEM solution can handle these specific tasks:

  • Alert. A SIEM tells security professionals the exact moment it detects an issue. 
  • Collect. The program pulls information from multiple sources and places each data point in one place. 
  • Compare. A SIEM can look at what's happening now and compare it to programming, prior problems, or normal activity. 
  • Present. It presents data points in a consumable dashboard. 
  • Record. SIEMs collect data for compliance purposes. And they save the data in case a team needs to look back at the record later.

Every tool is different, and some offer functionality we didn't mention here. But this short list gives you an idea of what a SIEM is and what it can do.

SIEM Benefits & Limitations

Investing in a new security solution takes time. In most companies, several people are involved in every purchase decision. And if you're looking at a SIEM, you'll have dozens of vendors to choose from. Is it worth the effort?

SIEM benefits include:

  • Compliance reporting. About five years ago, many tech professionals started worrying about the number of standards and regulations they had to follow regarding security. Rules have exploded since then. A SIEM could make meeting all of those standards and documenting compliance easy. 
  • Pattern formation. It's hard to spot a hacker's scout. SIEM reporting and dashboards could help you visualize minor problems, when they're easier to solve. 
  • Increased security. All of the data a SIEM can give you can help you stop attackers in their tracks and protect your company’s critical resources.
  • Reputation management. If something goes wrong, you'll have dashboards and data to analyze. When you're called into a meeting to explain what happened, you'll have the answer. 
  • Crisis concerns. A SIEM can, in some cases, stop an attack even before you know something went wrong. 

SIEM drawbacks can include:

  • Cost. Powerful software comes with a big price tag. For some companies, this solution is simply too expensive to implement. 
  • Time. Humans must supervise SIEM solutions, and since they work around the clock, staff must be available too. 
  • Panic. SIEM solutions can flag up false-positive problems. 
  • Short shelf life. A traditional SIEM program has a shelf life of just 18 to 24 months. If you do want to invest in SIEM, you should keep an eye out for modern programs that can work for your organization for the long haul.

Ensure that your purchase team understands these pros and cons before you start the shopping process. You may decide that SIEM just isn't right for you, or you may be even more eager to get started. 

Common Attacks a SIEM Could Spot 

We've mentioned that SIEM can look over data and spot unusual or troublesome behavior. What exactly could a tool like this find?

SIEM solutions have been useful in spotting:

  • Brute force attacks. A hacker guessing a password thousands of times in minutes hasn't just forgotten a password. That person is attempting to force entry. A SIEM could identify those thousand attempts as erroneous. 
  • Stolen identity. A user logging in from an unusual country or strange time zone could be a hacker. A SIEM could spot that issue as cause for concern. 
  • Malware. When tied to your antivirus software, a SIEM could spot the moment a hacker deploys a malicious program. If the software doesn't remove it immediately, the SIEM could step in. 

In essence, programs like this understand what normal looks like. Then, they alert you whenever something unusual happens. The results can be amazing.

Is SIEM for You?

If you are shopping for SIEM, you have plenty of vendors to choose from. IBM, Intel, Trustwave, and others all sell products in this market. How can you make the right choice?

Ask each vendor about:

  • Integration. Will the software work with all of the programs, servers, and systems you have in place right now?
  • Programming. Does the tool use machine learning? Or must you help it understand what threats look like? 
  • Reporting and logs. What do typical dashboards and reports look like? Can the system spit out reports per your specific compliance landscape?

If you're not ready to shop just yet, it might be wise to wait for the next iteration of SIEM. Experts think newer programs will come with more automation, better machine learning capabilities, deeper collaboration, more integration, and better cloud functionality. If any of these attributes are critical for your business, waiting can be wise.

Get Critical Help With Okta 

Get insights into the threats you face and the solutions you need. Okta's solutions are intuitive and powerful, and they're remarkably easy to deploy too. Learn how we can help you detect threatsContact us to find out more about how to get started. 

References

Security Information and Event Management (SIEM). Gartner. 

Machine Learning Log Analysis Platforms—The New Wing Man to SIEM? (February 2020). SC Media.

Is IT Work Getting More Stressful, or Is It the Millennials? (May 2015). Computerworld. 

Awash in Regulations, Companies Struggle With Compliance. (August 2019). Forbes

An Evaluator's Guide to NextGen SIEM. (2019). SANS Institute.