What is a Security Information and Event Management (SIEM) System?
Security Information and Event Management (SIEM) combines security information management with security event management: SIEM solutions gather and analyze activity across the many components of an organization’s technology infrastructure by collecting and correlating logs.
SIEM solutions consist of rules, alerts, dashboards and reports, but a successful SIEM installation must be built on customized, adaptable content that fits the organization’s particular infrastructure environment.
To ensure robust alerting and correlation, SIEM systems collect event logs from multiple sources including servers, network access points, firewalls, intrusion detection systems, intrusion prevention systems and antivirus software. Logs are reviewed in real time.
When an event that may require action or further investigation is detected, the SIEM sends out notifications to system security administrators via email or SMS depending on the severity of the incident.
Specific features will vary from SIEM to SIEM but there are certain core capabilities that an effective SIEM must have.
Security Information and Event Management Features and Capabilities
While there are various features and capabilities of SIEM, below are four of the most important ones:
Malware in its various forms has troubled computing environments for decades. Fortunately, leading antivirus software is equipped with extensive event logging features that can be integrated with SIEM solutions for more effective and efficient incident response.
The logs can be correlated with other suspicious event indicators such as a flurry of unexpected requests sent to a malicious site that may be due to a successful phishing attack.
Network Intrusion Alerts
Network intrusion is one of the harder event types to respond to since network infrastructure can get quite complex with numerous interfaces that could potentially be penetrated by an intruder. Differentiating noise from noteworthy events isn’t always easy.
Intrusion attempts may either be pegged to a compromised internal endpoint or may be directly initiated from a remote source via a publicly facing interface. Effective incident response calls for the integration of signals from a broad range of network appliances and tools that inspect network traffic for malicious, suspicious or anomalous signatures.
SIEM goes further and correlates multiple events to identify an external threat that should be blocked by the firewall.
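The two correlation cases described above (an antivirus detection on a host followed by a burst of requests to one outside site, and several individually uninteresting network events escalated together) as a minimal rule over constructed logs. This is an added illustration, not code from the article or from any SIEM product; the event format and thresholds are assumptions.

```python
"""Added example: correlate an antivirus detection on a host with a burst of
outbound proxy requests from the same host to a single destination."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, log source, host, detail). Not real data.
EVENTS = [
    ("2024-03-01 09:00:05", "av",    "ws-12", "Trojan.Downloader quarantined"),
    ("2024-03-01 09:01:10", "proxy", "ws-12", "GET http://updates-cdn.example/a"),
    ("2024-03-01 09:01:12", "proxy", "ws-12", "GET http://updates-cdn.example/b"),
    ("2024-03-01 09:01:15", "proxy", "ws-12", "GET http://updates-cdn.example/c"),
    ("2024-03-01 09:01:18", "proxy", "ws-12", "GET http://updates-cdn.example/d"),
    ("2024-03-01 09:02:00", "proxy", "ws-07", "GET http://intranet.example/home"),
    ("2024-03-01 09:40:00", "proxy", "ws-12", "GET http://updates-cdn.example/e"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def dest_of(detail):
    # "GET http://host/path" -> "host"
    return detail.split("://", 1)[1].split("/", 1)[0]

def correlate(events, window=timedelta(minutes=5), min_requests=3):
    """Return (host, destination, count) for every host where an AV detection
    is followed within `window` by at least `min_requests` proxy requests to
    the same destination. Each proxy line is noise on its own; only the
    combination with the AV event is escalated to an alert."""
    av_times = defaultdict(list)
    for ts, src, host, detail in events:
        if src == "av":
            av_times[host].append(parse(ts))
    counts = defaultdict(int)
    for ts, src, host, detail in events:
        if src != "proxy":
            continue
        t = parse(ts)
        # Only requests that follow an AV detection on this host are counted.
        if any(timedelta(0) <= (t - a) <= window for a in av_times.get(host, [])):
            counts[(host, dest_of(detail))] += 1
    return sorted((h, d, n) for (h, d), n in counts.items() if n >= min_requests)

if __name__ == "__main__":
    for host, dest, n in correlate(EVENTS):
        print(f"ALERT {host}: AV detection followed by {n} requests to {dest}")
```

The 09:40 request from ws-12 falls outside the five-minute window and is not counted; ws-07's traffic has no AV detection behind it and never reaches the rule.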
System Outage Alerts
Major system security incidents often attract media attention and rightfully so. However, this often overshadows operational outages. Operational outages are in fact not only much more frequent than security incidents but may have a bigger and more direct impact on the organization’s bottom line.
If a web server goes down for an hour, it may prevent tens, hundreds or thousands of customers from buying. Rapidly detecting and responding to these outages is essential. One of the most important SIEM benefits is the ability of the SIEM to alert system and security administrators when a node or application doesn’t relay any logs for, say, fifteen minutes.
System Performance Tracking
Every organization has one or more systems that can be classified as mission-critical. The performance of mission-critical systems has an enormous impact on the realization of the organization’s overall objectives.
SIEM solutions can monitor the performance and utilization of memory, CPU, disk space and bandwidth to ensure optimal operation at all times. Consistently high utilization of resources (85 percent or higher) is a sign of problems ahead. SIEM alerts administrators to the need to upgrade network and server components.
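The two operational checks from the sections above, a log source that has gone silent for fifteen minutes and sustained utilization at or above 85 percent, written as small functions over constructed data. This is an added illustration, not code from the article or from any SIEM product; the record formats, host names and the "three consecutive samples" rule are assumptions.

```python
"""Added example: outage detection by log-arrival gap, and resource
saturation detection by sustained utilization threshold."""
from datetime import datetime, timedelta

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

# Constructed log-arrival records: (timestamp, log source). Not real data.
ARRIVALS = [
    ("2024-03-01 10:00:00", "web-01"), ("2024-03-01 10:05:00", "web-01"),
    ("2024-03-01 10:10:00", "web-01"), ("2024-03-01 10:29:00", "web-01"),
    ("2024-03-01 10:00:00", "web-02"), ("2024-03-01 10:05:00", "web-02"),
]
# Constructed metric samples: (timestamp, host, metric, percent used). Not real data.
METRICS = [
    ("2024-03-01 10:00:00", "db-01", "cpu", 70), ("2024-03-01 10:05:00", "db-01", "cpu", 88),
    ("2024-03-01 10:10:00", "db-01", "cpu", 91), ("2024-03-01 10:15:00", "db-01", "cpu", 86),
    ("2024-03-01 10:00:00", "db-01", "disk", 92), ("2024-03-01 10:05:00", "db-01", "disk", 60),
]

def silent_sources(arrivals, now, max_gap=timedelta(minutes=15)):
    """Log sources whose newest log is older than `max_gap` at time `now`.
    A node that stops relaying logs is treated as a possible outage."""
    last_seen = {}
    for ts, src in arrivals:
        t = parse(ts)
        last_seen[src] = max(last_seen.get(src, t), t)
    return sorted(src for src, t in last_seen.items() if now - t > max_gap)

def saturated(metrics, threshold=85, consecutive=3):
    """(host, metric) pairs at or above `threshold` percent for `consecutive`
    samples in a row. A single spike (db-01 disk at 92%) is not reported;
    a sustained run (db-01 cpu at 88, 91, 86) is."""
    streak, hits = {}, set()
    for ts, host, metric, pct in sorted(metrics):
        key = (host, metric)
        streak[key] = streak.get(key, 0) + 1 if pct >= threshold else 0
        if streak[key] >= consecutive:
            hits.add(key)
    return sorted(hits)

if __name__ == "__main__":
    now = parse("2024-03-01 10:30:00")
    print("silent for >15 min:", silent_sources(ARRIVALS, now))
    print("sustained >=85%:", saturated(METRICS))
```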
What Are the Benefits of SIEM?
In addition to the features and capabilities of SIEM, below are seven important benefits to consider:
System security incidents are time sensitive. There is a world of difference between an ongoing incident discovered 5 minutes after it starts versus the same incident being detected an hour later. One of the key SIEM benefits is the drastic shortening of the time it takes to notice a threat thereby limiting the scale of any resulting damage.
Deep, Reliable, Comprehensive Reporting
The average large organization’s technology infrastructure comprises thousands of moving parts. Before SIEM, attempts at incident and event management proved inadequate because there was no centralized capture and retention of log data. SIEM makes this possible by bringing together logs from various enterprise systems thus providing a single bird’s eye view of the organization’s IT security.
Filter for Relevant Data
Collating and analyzing system logs is a key feature of SIEM. However, not every logged event is noteworthy from a security standpoint. In fact, most log entries will be harmless. An effective SIEM cuts through the noise and highlights events that meet the threshold of a legitimate threat.
Often, security events are the result of a major change such as an upgrade made to an existing system or the replacement of a business application with a new one. SIEM provides granular change intelligence that detects both planned and unplanned changes to network, server and application configuration. This ensures that both operational and security outages can be tackled proactively.
Automated Log Collection Compliance
Compliance isn’t something organizations can afford to put on the back burner. Non-compliance may lead to lawsuits, lost revenue, loss of reputation, punitive fines and in the worst case, revocation of the business’ license.
SIEM solutions have simplified the process of maintaining and monitoring compliance with industry regulations and standards such as HIPAA, FISMA, SOX, GDPR, NERC and PCI. This saves you time and money.
Whereas there are overarching security regulations and standards that determine how organizations protect the data in their custody, each institution has to chart its own security policies and procedures in tandem with its unique circumstances and environment. SIEM streamlines and improves security policy validation and enforcement.
Case Ticketing and Management
Identifying security incidents is unhelpful if that isn’t followed by investigation, tracking, resolution and root-cause analysis. SIEM facilitates incident ticketing and management which makes it easier to not only drive problem resolution but also maintain a case record so that recurring problems are identified for deeper and more conclusive troubleshooting.
Benefits of Security Information and Event Management Systems for Developers
Security considerations will sometimes fall through the cracks during software development. Developers focus on getting the application to work and quickly delivering a functioning product to operations teams. Yet, ignoring security considerations at the development phase can have costly and potentially catastrophic consequences later.
SIEM automates the management of foundational security controls during the development phase thus laying the foundation for not just a working but also secure product from the get-go.
Common Problems with SIEM Implementation
The role of a SIEM is straightforward. Implementing a SIEM is not, however, as simple as it seems. Many organizations run into implementation difficulties with some eventually abandoning SIEM altogether out of frustration. Given that no two organizations have identical technology infrastructure, there’s no one-size-fits-all SIEM. Common implementation problems include:
Implementing a SIEM for a large organization is a complex process. The person(s) involved in the implementation are bound to become the foremost internal experts on the SIEM. The danger is that the implementation can become too dependent on the memory of one or more individual engineers. Were they to leave, ongoing maintenance and troubleshooting of the SIEM would be constrained.
For more sustainable results, implementation should follow a meticulously documented process and procedure that would be easy to follow if a new person or team took over the SIEM.
Compatibility with Outdated and Legacy Systems
SIEM solutions have come a long way. Invariably though, modern SIEM systems are built with modern applications in mind. Therefore, organizations that still run software that’s obsolete and no longer supported by their developers may have trouble ensuring that security incidents affecting them are accurately and comprehensively captured by the SIEM.
Lack of Regular Review and Adjustment
A SIEM solution is not something you install and configure then forget about for good. The technology environment is constantly changing. If the SIEM isn’t regularly reviewed and adjusted to keep up with these changes, it will be less and less effective. Eventually, its benefits will prove hard to quantify which could see it left unutilized and finally discarded.
Excessive False Positives
Since it’s impossible to predict every possible scenario, SIEM false positives are inevitable. The key is keeping false positives at a minimum. Poor configuration and customization can lead to the generation of an overwhelming number of false positives daily. This would make responding to each one impossible thus defeating the very purpose of the SIEM.
Why Does This Matter for your Company?
Acquiring and implementing a SIEM inevitably consumes your company's money, time and other resources. But the benefits reaped from a SIEM can be dramatic. As such, it’s crucial that you work with your SIEM to maximize the return on your investment.
Implementation challenges can limit the value your business derives from a SIEM system, so smart systematic implementation of the SIEM is very important. But your choice of a specific SIEM solution is also important, and must be in line with your organization's needs and goals.
How Micro Focus Can Help
By default, Micro Focus’ SIEM solution, ArcSight Enterprise Security Manager (ESM), provides streamlined prioritization and analysis of threats in order to quickly focus security administrators on the dangers that matter most. As one of the most established SIEMs in the market, and an early leader in the industry, ArcSight has years of expertise backing its content packages, response workflows, and professional support services. These reduce the amount of configuration work that goes into setting up Micro Focus ArcSight thereby helping minimize the common implementation problems we mentioned earlier.
As your organization grows and the threat landscape evolves, you must have effective cybersecurity risk mitigation mechanisms that provide deep visibility of your entire network. SIEM solutions enable you to identify threats and initiate the process of countering the threats as well as minimizing the impact.
Industry-leading SIEM systems such as Micro Focus ArcSight are powerful, scalable and efficient, using expertly-built content and effective response workflows to ease implementation and reduce the amount of manual work IT teams must do to get incident and event management right.