What is a SIEM?
Security Information and Event Management (SIEM) is the combination of Security Information Management (SIM) and Security Event Management (SEM) systems. SEM systems store and interpret logs for real-time security event analysis, enabling defensive actions to be taken more quickly. SIM systems collect data for trend analysis and provide automated reporting. By combining these two technologies, a SIEM provides rapid identification, analysis, and recovery from security events. A SIEM also makes legal compliance and reporting a walk in the park by collecting and managing logs.
Why Are People Talking About SIEM?
A SIEM is hands-down the best way to gain visibility into an environment's behavior and activity. Log collection and management are handled centrally, and the same data is put to work for active network security monitoring. The number of crucial problems solved by this single tool makes it the most viable and attractive solution in many cases.
Easier to identify malicious activity: Threats often go unnoticed for long periods of time, which is obviously a huge problem. A hacker's main objective is often to steal data rather than harm the environment, so a majority of victims don't realize a malicious actor is in their environment until weeks, months, or even years later. The visibility and correlation capabilities provided by a SIEM allow for much faster identification of and response to certain threats than any other system available.
Compliance: With regulations such as PCI DSS, HIPAA, FERPA, and more coming out by the week, more organizations are deploying SIEMs primarily for compliance. Compliance reporting can be streamlined through this centralized logging solution. Most SIEM systems have reporting functions that are purpose-built for each type of compliance requirement.
Who Needs One?
Healthcare, finance, and education are the three biggest industries adopting SIEM solutions, but any organization will benefit from a SIEM implementation. This is due to a general push toward better security and an increase in regulation. Though initially picking up steam primarily in larger companies, the adoption market is starting to shift toward smaller ones that need to improve monitoring and breach detection, often at the insistence of larger customers or business partners.
If your answer is (or would be) “No” to any of the following questions, it is highly recommended you look into a SIEM solution.
- Do you know everywhere your admin accounts were used today?
- Do you know what other assets your recently compromised system communicated with?
- Can you generate compliance reports in under a minute?
How Does a SIEM Work?
Not all SIEM solutions are identical. Most work by deploying multiple data collection agents or sensors where most or all network traffic travels, usually near a core switch. These agents collect data from hosts, servers, network equipment, and even dedicated security tools such as firewalls, antivirus, and intrusion detection systems. All of this data is sent to a centralized management console, which inspects it and flags anomalies. A multitude of controls reduce the number of alarms a SIEM raises, so security analysts can keep the flow of alarms manageable. Cloud-based SIEM solutions are also available.
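The collect-normalize-correlate flow described above, together with the three visibility questions from the checklist (admin account usage, peers of a compromised host, fast reporting), as an added Python example that is not from the original page. Everything in it is constructed for illustration: the hostnames, addresses and log lines, the simplified stand-ins for syslog and firewall log formats, and the rule threshold, window and allowlist used to tune alert volume.

```python
"""Toy SIEM pipeline: ingest two log formats, normalize them into one event
schema, run a correlation rule with tuning controls, and answer the
checklist questions. All data below is constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth lines (a simplified syslog format).
AUTH_LOG = [
    "2024-05-01T09:00:01 ws01 sshd[1201]: Failed password for admin from 10.0.0.5 port 50001 ssh2",
    "2024-05-01T09:00:04 ws01 sshd[1202]: Failed password for admin from 10.0.0.5 port 50002 ssh2",
    "2024-05-01T09:00:09 ws01 sshd[1203]: Failed password for admin from 10.0.0.5 port 50003 ssh2",
    "2024-05-01T09:00:15 ws01 sshd[1204]: Accepted password for admin from 10.0.0.5 port 50004 ssh2",
    "2024-05-01T10:30:00 db01 sshd[2201]: Accepted password for admin from 10.0.0.50 port 51000 ssh2",
    "2024-05-01T11:00:00 ws02 sshd[3301]: Failed password for alice from 10.0.0.99 port 52000 ssh2",
    "2024-05-01T11:00:01 ws02 sshd[3302]: Failed password for alice from 10.0.0.99 port 52001 ssh2",
    "2024-05-01T11:00:02 ws02 sshd[3303]: Failed password for alice from 10.0.0.99 port 52002 ssh2",
    "2024-05-01T11:00:03 ws02 sshd[3304]: Accepted password for alice from 10.0.0.99 port 52003 ssh2",
]
# Constructed firewall lines in a key=value format.
FIREWALL_LOG = [
    "2024-05-01T09:01:00 fw01 action=allow src=10.0.0.5 dst=10.0.0.20 dport=445",
    "2024-05-01T09:02:00 fw01 action=allow src=10.0.0.5 dst=10.0.0.21 dport=3389",
    "2024-05-01T09:03:00 fw01 action=deny src=10.0.0.5 dst=10.0.0.22 dport=22",
    "2024-05-01T09:04:00 fw01 action=allow src=10.0.0.30 dst=10.0.0.5 dport=443",
    "2024-05-01T09:05:00 fw01 action=allow src=10.0.0.30 dst=10.0.0.31 dport=443",
]

AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")


def parse_auth(line):
    """Normalize one auth line into the common event schema (None if unparseable)."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": "auth", "host": m["host"],
            "user": m["user"], "src": m["src"],
            "action": "login_failed" if m["result"] == "Failed" else "login_success"}


def parse_firewall(line):
    """Normalize one key=value firewall line into the common event schema."""
    m = FW_RE.match(line)
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in m["kv"].split())
    return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall", "host": m["host"],
            "action": kv.get("action"), "src": kv.get("src"), "dst": kv.get("dst"),
            "dport": int(kv["dport"]) if "dport" in kv else None}


def ingest(auth_lines, fw_lines):
    """The 'centralized console' step: merge all sources into one time-ordered stream."""
    events = [e for e in map(parse_auth, auth_lines) if e]
    events += [e for e in map(parse_firewall, fw_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def brute_force_then_success(events, threshold=3, window=timedelta(minutes=5),
                             allowlist=frozenset()):
    """Correlation rule: N failed logins for (user, src) inside `window`, then a success.
    `threshold`, `window` and `allowlist` are the tuning controls that keep alarm
    volume manageable (e.g. allowlisting a noisy but expected bastion host)."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for e in events:
        if e["source"] != "auth" or e["src"] in allowlist:
            continue
        key = (e["user"], e["src"])
        if e["action"] == "login_failed":
            failures[key].append(e["ts"])
        elif e["action"] == "login_success":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                               "src": e["src"], "host": e["host"],
                               "failures": len(recent), "ts": e["ts"]})
            failures[key].clear()
    return alerts


def admin_account_usage(events, admin_users, day):
    """Checklist question 1: on which hosts was each admin account used on `day` (YYYY-MM-DD)?"""
    usage = defaultdict(set)
    for e in events:
        if (e["source"] == "auth" and e["action"] == "login_success"
                and e["user"] in admin_users and e["ts"].date().isoformat() == day):
            usage[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in usage.items()}


def peers_of(events, compromised_ip):
    """Checklist question 2: every asset the compromised host talked to, in either
    direction; denied attempts are included because they still show intent."""
    peers = set()
    for e in events:
        if e["source"] != "firewall":
            continue
        if e["src"] == compromised_ip:
            peers.add(e["dst"])
        elif e["dst"] == compromised_ip:
            peers.add(e["src"])
    return sorted(peers)


if __name__ == "__main__":
    evs = ingest(AUTH_LOG, FIREWALL_LOG)
    # 10.0.0.99 is the constructed bastion whose password retries are expected noise.
    for a in brute_force_then_success(evs, allowlist=frozenset({"10.0.0.99"})):
        print("ALERT", a)
    print("admin usage:", admin_account_usage(evs, {"admin"}, "2024-05-01"))
    print("peers of 10.0.0.5:", peers_of(evs, "10.0.0.5"))
```

Running the rule without the allowlist produces two alerts (the bastion traffic trips it too); with the bastion allowlisted it produces one, which is the kind of tuning the paragraph refers to when it mentions controls that keep the alarm flow manageable. The two checklist functions answer in one pass over the normalized stream, which is only possible because both sources were collected centrally and mapped to one schema.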
The cost of a SIEM solution varies depending primarily on the size of your log data