What is SIEM (Security Information and Event Management)?

---

Security Information and Event Management facilitates log management, threat analysis and data correlation.

What is SIEM?

Security Information and Event Management—or SIEM—is a key component in the security stack of many organizations. Actually a solution that combines what were once two separate software solutions (security event management and security information management), SIEM aggregates data from a number of sources, such as networks, cloud environments, endpoints, and servers, and may deploy machine learning and artificial intelligence to search for indicators of vulnerabilities or active threats. When anomalous behavior is detected, a SIEM generates automatic alerts that can greatly reduce a security team’s mean time to detection (MTTD) and mean time to response (MTTR).

In addition to aiding real-time threat hunting and response, the SIEM provides a centralized data repository that security teams can use to undertake behavioral or forensic analysis. Unlike many security tools, SIEM has a non-security use case related to compliance: It can generate reports and audit trails required by many types of industry regulations.

This article will outline how a SIEM works and how it augments other security tools that help security teams monitor and defend networks, endpoints, and other parts of the enterprise.

         

How does a SIEM solution work?

SIEM solutions start by collecting and storing enormous amounts of data, mostly in the form of logs and network data.

Logs are comprehensive files that help administrators determine the timing and nature of specific actions, or events, that occurred within an operating system, application, cloud, or other type of environment. They can detail anything from sign on/off requests, error reports, file requests or transfers, or many other types of events.

Network data contains source, destination, port numbers, timestamps and other metadata generated by network traffic. Network data can come in the form of Zeek logs, network flow data, firewall logs, load balancer logs, cloud logs, intrusion detection systems, packet captures, and more. While system and application logs provide a comprehensive record of specific events or activities, network data provides a broader picture of the patterns of behavior. Together, they create a solid data foundation, which SIEM tools then aggregate and index in a standardized format within a data store.

Security teams can set conditions or rules that direct the SIEM’s automated system to identify certain signatures, patterns or conditions that are associated with known attack vectors or aligned with the enterprise’s security requirements. Whenever the system discovers a match, SIEM generates an alert that can take the form of a dashboard display, email, or other notification for the security team.

         

What are the benefits of a SIEM?

The aggregation of data streams provides visibility depth into specific incidents and broad traffic patterns, and it can give defenders a comprehensive view of the organization. By aggregating disparate data sets in a centralized location, the security team can spend less time toggling between different security tools and benefit from the data correlation during response, remediation, and post-even analysis. Security Information and Event Management data repositories can be updated regularly to help the security team stay up to date with emerging threats and known attack signatures.

Additionally, the SIEM’s data aggregation function helps many organizations with regulatory compliance. Its automated functions can pull relevant compliance data from multiple sources, and many solutions can generate reports that can help the enterprise stay within guidelines prescribed by HIPAA, GDPR, payment security standards, and many others.

         

What are some limitations of a SIEM?

The sheer amount of data that the SIEM collects can be difficult to categorize, prioritize, and put in context. If filtering rules have not been tuned properly, a SIEM can generate excessive network noise, which can result in a high number of false positives or more confusion than insights for the security team. SIEM solutions can also be expensive to buy, implement, and maintain which leads some security teams to question their overall value.

         

SIEM vs. SOAR, UEBA, and XDR

As Security Information and Event Management has matured, other technologies have been proposed to augment its capacity, or even replace it. These include Security Orchestration, Automation and Response (SOAR); User and Entity Behavior Analytics (UEBA) and Extended Detection and Response (XDR).

• SOAR. Like a SIEM, this tool aggregates data, and it often is marketed as a time-saver and as a means to reduce human effort and error thanks to advanced automation capabilities. It also leverages AI to generate fast, automated responses to threats or vulnerability remediation. Unlike a traditional SIEM, automated tools in SOAR can take immediate action when the system detects a threat.

• UEBA. This tool also compiles security telemetry, but it provides a more focused view into how users are interacting with the organization’s endpoints and accounts. Its analytical capacity also allows for security teams to create baseline models for normal activity that can help them detect deviations that may indicate attack or insider threats. UEBA’s analysis can go deeper into user behavior, but does not provide the breadth of visibility offered by a SIEM or SOAR.

• XDR. Extended Detection and Response is a relatively new addition to the security stack. It also aggregates telemetry from a variety of sources, including networks, applications, cloud deployments, and servers. In general, its automation and analytic capacity exceeds SIEM, and some solutions support faster MTTD and MTTR. Some security experts see XDR as a superior iteration of a SIEM and even as a legitimate replacement technology. However, the SIEM’s comprehensive visibility, threat hunting, compliance, and other use cases may make these substitutions unrealistic for many enterprises.

Overall, all of these security solutions are meant to help security teams aggregate telemetry from across the enterprise, undertake pattern analysis, and take remedial action in response to alerts. Depending on an organization’s unique security requirements, it may use one or the other of these solutions to fill in gaps that exist between existing tools. SOAR and/or UEBA are sometimes marketed as augmentations for the SIEM, or as part of a next-generation SIEM.

         

SIEM and the SOC Visibility Triad

The SOC Visibility Triad is a security concept that has its roots in strategic defense models, specifically the “SOC nuclear triad.” In 2015, Anton Cuvakin adapted key elements of the nuclear triad to define a core collection of cyber defense capabilities that could apply to and be deployed by a wide variety of enterprises. In essence, the capabilities should help defenders detect and respond to attackers’ activity well before they realize their ultimate objectives.

Since then, the concept has evolved and is now commonly referenced as the “SOC Visibility Triad.”

The SOC Visibility Triad involves three or four technologies, depending on the use case:

• Endpoint Detection and Response (EDR), which monitors endpoints that connect to the network, including computers, servers, laptops and mobile devices. EDR can generate alerts and provide behavioral analysis of activity on the endpoints.

• Network Detection and Response (NDR). NDR provides security teams with wide detection capabilities that expand across network traffic and cloud deployments. It also has alerting capabilities, and also leverages machine learning and AI for analysis and expedited response.

• A Security Information and Event Management (SIEM)

• Extended Detection and Response (XDR)

The SIEM’s role in the SOC Visibility Triad is to act as the repository for data generated by EDR and NDR, along with other data sources. Some security teams see XDR as a potential Triad upgrade that can replace the SIEM, due to its focus on detection and more powerful response capacity. As yet, however, there is no consensus around this choice of tools, and many organizations find the EDR/NDR/SIEM Triad to be effective and mutually reinforcing.

         

How can advanced NDR technology benefit a SIEM?

The effectiveness of a Security Information and Event Management solution depends on the quality of the data it receives. It is especially important that it receives network data, which is considered to be the immutable truth of how the network is used, by whom, and what devices, files, and systems they connect with. The packets and metadata pulled from network traffic also provides the broadest view of real-time activity in the organization. Put together with log data assembled by the SIEM, there is a better chance of the SOC responding to alerts based on a comprehensive view that reveals movement and subsequent actions rather than just an initial intrusion. This can improve MTTD and MTTR to live threats.

With the attack surface of many enterprises expanding rapidly, security teams will need tight integration of SIEM and NDR tools to maintain comprehensive monitoring of digital assets to help improve threat detection and accelerate incident response.

         

Corelight’s Open NDR Platform takes the SIEM and the SOC Visibility Triad to the next level

Corelight's Open NDR Platform can provide rich network telemetry, intrusion detection, advanced detection capabilities including machine learning, and drill down into packets. These capabilities improve threat detection and accelerate incident response increasing SIEM effectiveness for all organizations. Utilizing Zeek® to convert network traffic into comprehensive, correlated evidence and analytics, the platform integrates easily with most SIEM, and helps security teams scale their security architecture in response to an evolving threat landscape.