Although many techies and non-techies alike have only recently started hearing the term security information and event management (SIEM), it is a relatively established area of IT that has been around for a while. The term itself was coined in a 2005 Gartner Research paper, but the concept of SIEM predates it, albeit without a single, universally agreed-upon definition.
To have a firm grasp of what SIEM means, it's important to first understand its two main components: security information management (SIM) and security event management (SEM). SIEM, SIM and SEM are often used interchangeably, when in fact they refer to different types of security systems.
What is SIM?
Security information management (SIM) refers to the collection of log files and their storage in a central repository for later analysis. SIM is therefore also referred to as log management. SIM solutions are often agent-based, with software running on the servers and computers being monitored. These agents relay log and other security-related information to a central SIM server, where system administrators can log into a console and run security reports, graphs and charts over the accumulated data.
Some SIM systems have local filters that normalize, inspect and clean up logs before sending them to the central server. This reduces the amount of data sent across the network (which could otherwise congest bandwidth) and stored on the SIM server (which could otherwise quickly gobble up disk space). Such filtering has to be done in a way that does not inhibit the ability to recreate the system state that triggered a security incident: a field dropped at the agent is unavailable to the investigator later, so the filter should discard whole events from sources known to be noise rather than trim the events it keeps.
What is SEM?
Security event management (SEM) is the identification, gathering, monitoring, evaluation and correlation of system events and alerts, typically in near real time. SEM builds on the same collected data as SIM, though the two are seen as distinct areas of security management. Just like SIM, the data is usually relayed from the host computer to a central repository using syslog, SNMP and other communication protocols. The centralized repository should keep events and alerts in forensically sound, tamper-resistant storage (for example, append-only storage with its own access logging) so that they can be relied on in an investigation.
The information is then analyzed with detection rules and statistical calculations to identify threats, vulnerabilities and risks. The SEM can parse entries for significance as they come in and immediately notify the responsible persons whenever an entry warrants attention. Centralization also makes it easier to pick up events that affect multiple systems. The primary purpose of a SEM tool is to identify alerts or events worth investigating, such as administrator logons that occur outside working hours.
What is SIEM?
As the acronym suggests, security information and event management tools combine SIM and SEM capabilities. A SIEM collects, organizes and analyzes security-related activity from numerous hardware and software sources across an organization’s technology infrastructure.
A SIEM aggregates real-time and historical data from routers, switches, servers, desktop computers, antivirus software, firewalls, intrusion prevention/detection systems (IPS/IDS), enterprise applications, databases and more. It applies pre-defined analytical rules to the data in order to pick up threats, patterns and suspicious activity that call for a system administrator’s action or investigation.
While the primary purpose of a SIEM is security, many enterprises also use their SIEM to demonstrate to regulators and auditors their compliance with data protection laws and standards such as GDPR, HIPAA, PCI DSS and SOX.
A SIEM can also come in handy for resource capacity management. You can keep track of data growth and bandwidth usage over time and thereby proactively manage and budget for future capacity needs.
How Does a SIEM Work?
At its core, a SIEM tool is a data aggregation, search and reporting system. A SIEM collects vast amounts of security data from the enterprise's network, consolidates it, normalizes it so that events from different sources can be compared, and finally presents it in a form that is easy for a human reader to read and interpret.
Initially, SIEM tools required painstaking manual management throughout the different phases of the data pipeline such as data location, data ingestion, policy application, notification review and anomaly analysis.
Increasingly though, SIEMs are leveraging artificial intelligence and machine learning to become smarter and more incisive in pulling security data together from disparate enterprise systems and deciding which incidents actually require attention.
Here’s a closer look at the core functions of a SIEM.
Data collection follows the agent-based approach of SIM software: data collection agents are deployed on equipment and security systems, whether on-premises or in the cloud. Pre-processing may occur at the agent to ensure only meaningful data is forwarded to centralized storage for further analysis.
A SIEM stores event, alert and log information on a central server. Traditionally this server has been on-premises. However, due to scalability demands, some SIEM tools have begun to support cloud storage, allowing capacity to be expanded rapidly.
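The agent-side normalization and filtering described above (the local filters of the SIM section and the pre-processing at the collection stage), as an added example; it is not code from the original page or from any SIEM product. It assumes hypothetical inputs constructed here: two traditional syslog lines from a Linux host's sshd and cron, and one JSON line from an unnamed firewall. The common-schema field names, the syslog and sshd message layouts, and the noisy-source list are my own assumptions, not a vendor's format.

```python
"""Agent-side normalization and filtering, the pre-processing step of a SIEM/SIM collector.

Assumptions (not from the page): syslog-style lines with the traditional
"Mon DD HH:MM:SS host prog[pid]: msg" layout, an sshd message format, and a
hypothetical JSON firewall line. The common-schema field names are my own.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample input: what a collection agent might read on a host.
SAMPLE_LINES = [
    "Mar  4 09:12:01 web01 sshd[4123]: Accepted publickey for deploy from 10.0.4.7 port 51822 ssh2",
    "Mar  4 09:12:05 web01 sshd[4130]: Failed password for root from 203.0.113.9 port 40122 ssh2",
    "Mar  4 09:12:06 web01 cron[4140]: (root) CMD (run-parts /etc/cron.hourly)",
    '{"ts": "2024-03-04T09:12:07Z", "dev": "fw01", "action": "deny", '
    '"src": "203.0.113.9", "dst": "10.0.4.20", "dport": 22}',
]

YEAR = 2024  # traditional syslog timestamps carry no year; the collector must supply it

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)"
)

def empty_event(line):
    """Common schema every source is mapped onto; 'raw' is always kept for drill-down."""
    return {"ts": None, "host": None, "source": "unknown", "category": "unparsed",
            "outcome": None, "user": None, "src_ip": None, "raw": line}

def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = empty_event(line)
    ev["ts"] = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}",
                                 "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    ev["host"], ev["source"], ev["category"] = m["host"], m["prog"], "other"
    if m["prog"] == "sshd":
        s = SSH_RE.match(m["msg"])
        if s:  # only the auth-result messages are promoted to the authentication category
            ev.update(category="authentication", user=s["user"], src_ip=s["src"],
                      outcome="success" if s["outcome"] == "Accepted" else "failure")
    return ev

def parse_firewall_json(line):
    try:
        d = json.loads(line)
        ev = empty_event(line)
        ev.update(ts=datetime.fromisoformat(d["ts"].replace("Z", "+00:00")),
                  host=d["dev"], source="firewall", category="network",
                  outcome="blocked" if d["action"] == "deny" else "allowed",
                  src_ip=d["src"], dst_ip=d["dst"], dst_port=int(d["dport"]))
        return ev
    except (ValueError, KeyError):  # malformed JSON, bad timestamp or a missing field
        return None

def normalize(line):
    """Map one raw line onto the common schema. Unparseable lines are kept, not dropped,
    so the central store can still reconstruct what happened once a parser exists."""
    line = line.rstrip("\n")
    ev = parse_firewall_json(line) if line.startswith("{") else parse_syslog(line)
    return ev if ev is not None else empty_event(line)

NOISY_SOURCES = {"cron"}  # routine housekeeping the local filter may drop (assumed)

def should_forward(ev):
    """Local filter: drop only whole events from known-noisy sources, never trim fields."""
    return ev["source"] not in NOISY_SOURCES

def collect(lines):
    """Return (events to forward to the central server, number of events dropped locally)."""
    forwarded, dropped = [], 0
    for line in lines:
        ev = normalize(line)
        if should_forward(ev):
            forwarded.append(ev)
        else:
            dropped += 1
    return forwarded, dropped

if __name__ == "__main__":
    events, dropped = collect(SAMPLE_LINES)
    for ev in events:
        print(ev["category"], ev["outcome"], ev["user"], ev["src_ip"], "<-", ev["raw"][:40])
    print(f"forwarded {len(events)}, dropped {dropped}")
```

Two design choices matter here. The raw line travels with every normalized event, so an analyst can drill down from a correlated alert to exactly what the host logged, and a line the agent cannot parse is forwarded as an "unparsed" event rather than discarded, which is the difference between a later parser fix recovering the evidence and the evidence being gone.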
Security Rules and Policies
Every enterprise must define security policies in line with its overarching security strategy and risk appetite. A SIEM allows system administrators to define a baseline of what is considered 'normal' system behavior. On this foundation, thresholds and rules are defined that specify what must be flagged as a security incident.
A growing trend among newer SIEMs is to go beyond static configurations and use machine learning to build their own profile of normal system behavior, enabling automatic detection of anomalies and security issues. Such learned baselines still need tuning and human review: an attacker who was already active during the learning period becomes part of 'normal', and an anomaly is a prompt for investigation rather than evidence of an incident by itself.
Data Correlation and Consolidation
The primary purpose of a SIEM is to bring together disparate data so it can correlate events and logs across systems. For example, an error message on a router could be related to a rogue application on a file server. Multiple data points are therefore combined to build a fuller picture of a security event than any single source could give. These are then delivered to system administrators via SIEM dashboards and notifications.
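The rule-and-baseline approach of the previous section and the cross-system correlation described here, as an added example; it is not from the original page or from any SIEM product. The events are constructed and already in a common schema; the privileged-account list, the working-hours window, the deny-burst threshold and the login-volume history are assumed values that a real deployment would tune. The after-hours rule is the page's own example of an event worth investigating; the second rule ties a burst of firewall denials to a later logon from the same source on a different host, which no single source could flag alone.

```python
"""Correlation rules and a statistical baseline over constructed, normalized events.

Assumed, not from the page: the common-schema field names, the list of privileged
accounts, the working-hours window, the deny-burst threshold and the baseline history.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

def at(hour, minute, second=0):
    # All constructed events fall on Monday 2024-03-04 (UTC).
    return datetime(2024, 3, 4, hour, minute, second, tzinfo=timezone.utc)

def auth(ts, host, user, src_ip, outcome="success"):
    return {"ts": ts, "host": host, "source": "sshd", "category": "authentication",
            "outcome": outcome, "user": user, "src_ip": src_ip}

# Constructed events as a collector would forward them, deliberately not in time order.
EVENTS = [
    auth(at(22, 30), "web01", "root", "10.0.4.7"),       # privileged logon late at night
    auth(at(10, 15), "web01", "deploy", "10.0.4.7"),     # routine, should not alert
    auth(at(9, 2), "db01", "dbadmin", "203.0.113.9"),    # follows a burst of firewall denies
]
for i in range(12):  # 12 blocked connections from one source within a minute
    EVENTS.append({"ts": at(9, 0, 5 * i), "host": "fw01", "source": "firewall",
                   "category": "network", "outcome": "blocked",
                   "user": None, "src_ip": "203.0.113.9"})

PRIVILEGED = {"root", "dbadmin", "Administrator"}  # assumed
WORK_START, WORK_END = 8, 18  # assumed working hours; local time taken as UTC here

def rule_after_hours_admin_logon(events):
    """The page's own example: a successful privileged logon outside working hours."""
    alerts = []
    for e in events:
        if e["category"] != "authentication" or e["outcome"] != "success":
            continue
        if e["user"] not in PRIVILEGED:
            continue
        ts = e["ts"]
        if ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END):
            alerts.append({"rule": "after_hours_admin_logon", "host": e["host"],
                           "user": e["user"], "ts": ts})
    return alerts

def rule_scan_then_login(events, window=timedelta(minutes=5), min_denies=10):
    """Cross-system correlation: a burst of firewall denies from one source, then a
    successful logon from that same source on any host within the window."""
    denies = defaultdict(list)  # src_ip -> timestamps of blocked connections
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):  # order by event time, not arrival
        if e["category"] == "network" and e["outcome"] == "blocked":
            denies[e["src_ip"]].append(e["ts"])
        elif e["category"] == "authentication" and e["outcome"] == "success":
            recent = [ts for ts in denies.get(e["src_ip"], [])
                      if e["ts"] - window <= ts <= e["ts"]]
            if len(recent) >= min_denies:
                alerts.append({"rule": "scan_then_login", "src_ip": e["src_ip"],
                               "host": e["host"], "user": e["user"],
                               "denies": len(recent), "ts": e["ts"]})
    return alerts

# Constructed history: successful logons per day over the previous 14 days.
LOGIN_HISTORY = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 41, 39, 38, 44]

def volume_anomaly(history, today, sigmas=3.0):
    """A learned baseline: flag today's count if it exceeds mean + sigmas * stdev of history.
    Returns (is_anomalous, threshold). The trap: an attacker active during the
    learning period is part of 'normal', so the history itself needs review."""
    threshold = mean(history) + sigmas * pstdev(history)
    return today > threshold, threshold

if __name__ == "__main__":
    for alert in rule_after_hours_admin_logon(EVENTS) + rule_scan_then_login(EVENTS):
        print(alert)
    print(volume_anomaly(LOGIN_HISTORY, 95))
```

Note that the correlation rule sorts by event timestamp before scanning, because events from different collectors arrive out of order; a rule keyed on arrival order would miss the burst. The thresholds (12 denies in 5 minutes, 3 standard deviations) are illustrative and are exactly the knobs the previous section says an enterprise must set from its own baseline and risk appetite.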
Choosing a SIEM Solution – What to Look For
Today's enterprises are complex, tech-dependent ecosystems running hundreds or thousands of devices and handling an ever-increasing flood of sensitive data. In this context, many businesses are turning to SIEM to stay on top of the security challenges. But not all SIEM tools are created equal. So how do you choose the right solution for your enterprise?
When choosing a SIEM, you must at minimum compare the different products as far as the following aspects are concerned. These aspects are in addition to the general considerations of technology acquisition such as pricing, availability of technical support, quality of customer service and the maturity of the product.
Different vendors use different licensing models. The two most widely used are licensing by the number of monitored devices and licensing by data volume (events per second or per day, or the amount of log data ingested per day). The licensing model determines the true total cost of ownership (TCO) of a product, so measure your current event rate and log volume before comparing quotes, and expect both to grow as you add sources.
Regardless of the licensing model your chosen vendor uses, ensure that you can easily and quickly move your subscription or configuration to a higher-capacity plan when the need arises. A SIEM should be able to expand to cater for future growth in both the number of sources monitored and the volume of SIEM server disk space used.
Since there is no universal format for system events, alerts and logs, a SIEM should be able to read security data from virtually every type of system, so as not to limit your security visibility. At the least, it should be compatible with the logs and events of your existing technology infrastructure. It must also be able to parse and normalize data into a common schema so that events from different sources can be compared and correlated. The vendor should be willing to facilitate a proof of concept against your own environment's log data, in which you verify that every one of your source types is parsed correctly rather than taking the supported-sources list on trust.
Event and Log Search
The number of aggregated alerts, events and logs for even a small or medium-sized business can be enormous. With such a volume of information, the ability to search across logs, devices and timeframes is essential. A SIEM should have the power to do this and to let you drill down from a correlated event until you reach the raw log data behind it.
Remember, a SIEM is meant to trigger investigation and facilitate remedial action, so the ability to isolate the problem is vital.
Dashboard and Reporting
A SIEM should not only come with default dashboards and reporting modules but must also give the user the ability to customize their dashboards and reports to fit in with the organization’s unique circumstances. Dashboards should display event information in real-time and be intuitive enough for the administrator to use without a problem.
How Micro Focus ArcSight ESM Can Help
Micro Focus ArcSight Enterprise Security Manager is a powerful, mature, efficient and scalable SIEM that has a proven ability to reveal and tackle cybersecurity threats in real time. It can collect from over 450 source types and can correlate as many as 100,000 security events per second. Its distributed correlation architecture improves redundancy, bolsters availability and adapts to fast-evolving cyber risks.
While a SIEM isn’t a silver bullet that will magically resolve all of your organization’s security challenges, it can (when wielded, supported and staffed properly) provide an efficient mechanism for identifying and responding to security threats across your organization.
Security information and event management is a concept that has been around for a while and is well established. SIEM collects data and presents it in an easy to understand format for the human user to read. Choosing a SIEM requires comparing a few necessary features to see which SIEM will fit best with your organization’s needs, and one SIEM worth taking a serious look at is Micro Focus ArcSight ESM, with its market leading event collection and correlation capabilities to enable faster threat detection and response at scale.