What is a SIEM?
Security Information and Event Management (SIEM) is the combination of Security Information Management (SIM) and Security Event Management (SEM) systems. SEM systems store and interpret logs for real-time security event analysis enabling defensive actions to be taken more quickly. SIM systems collect data for trend analysis and provide automated reporting. By combining these two technologies together a SIEM provides rapid identification, analysis, and recovery from security events.
How a SIEM works
At a high level, a SIEM solution collects log information from a majority of devices on your network - firewall logs, server logs, switch logs, workstation logs, Intrusion Prevention/Detection Systems (IPS or IDS) logs, and logs from any systems with relevant information for security and compliance. Then the SIEM centralizes and correlates the log information to generate security alarms. These alarms are then presented on a dashboard with information such as the risk level of the alarm and why it was generated.
A cybersecurity analyst monitors and investigates these alarms 24x7 to ensure there was not a cybersecurity incident or breach. This is a layer of threat detection that cannot be provided by any cybersecurity prevention solutions such as a firewall or IPS. Most SIEM solutions make legal compliance and reporting a walk in the park by enabling cybersecurity teams to generate reports based on all of the log information from their infrastructure with ease.
Why Are People Talking About SIEM?
A SIEM is rapidly becoming the primary way to gain visibility into an environment, in terms of behavior and activity. Log collection and management is now taken care of while being used for active network security. The number of crucial problems solved by this single tool makes it worth its weight in gold, but like any robust solution, it needs constant care and attention to provide its true value.
Easier to identify malicious activity:
Threats often go unnoticed for long periods of time which is obviously a huge problem. A cybercriminal's main objective is often times to steal data rather than harm the environment so a majority of victims don’t realize a malicious player is in their environment until weeks, months, or even years later. The visibility and correlation capabilities provided by a SIEM allow for much faster identification and response to certain threats.
With regulations such as PCI DSS, HIPAA, FERPA, and more coming out by the week, more organizations are deploying SIEM’s primarily for compliance. Compliance reporting can be streamlined through this centralized logging solution. Most SIEM systems can generate reports specifically for compliance audits. GLBA is shaping up to adopt multiple specific technical requirements from the recent New York State cybersecurity regulation, 23 NYCRR 500 (DFS 500). This will strongly impact financial institutions nationwide. The comment period for the new proposed regulation is set to end in June 2019. Multiple specific requirements within this change will leave a SIEM as the most viable business solution for compliance.
Who Needs One?
Healthcare, Financial, Department of Defense (DoD) contractors, Manufacturers, and Education are the main types of organizations that adopt SIEM solutions, but any organization's cybersecurity posture will benefit from a SIEM. This is due to a general push toward better security and an increase in regulatory pressure. Though initially picking up steam in primarily larger companies, adoption is starting to shift toward smaller ones at the insistence of larger customers or business partners. Otherwise known as push-down compliance.
If your answer is/would be “No” to any of the following questions, we highly recommend that you look into a SIEM solution.
- Do you know everywhere your admin accounts were used today?
- If a system is recently compromised, would you be able to tell what other systems it had communicated with over the last month or six months?
- Can you easily generate most of your compliance reports?
If your answer is/would be “Yes” to any of the following questions, we highly recommend that you look into a SIEM solution.
- Does your organization have NIST, ISO, PCI, DFARS, HIPAA, FERPA, 23 NYCRR 500, or GLBA compliance?
- Does your organization have intellectual property?
- Do you provide services or products to the Department of Defense or any large Financial Institutions?
How is a SIEM deployed?
Not all SIEM solutions are identical. Most work by deploying multiple data collection agents or sensors in areas where most/all network traffic travels, usually near a core switch or behind a main firewall. These sensors can be hardware, software or virtual depending on the manufacturer. These days, most are going towards virtual or light-weight software for the sensors while providing hardware options.
All SIEM solutions have a primary correlation engine or "brain" which requires significantly more power than the sensors. These can be an on-premise appliance, virtual appliance, or cloud-based. Most manufacturers are moving towards cloud-based models. Your servers, network equipment, and even dedicated security tools such as firewalls, antivirus, or intrusion detection systems are configured to forward their logs to these sensors. All of this data is sent to the centralized management console to perform inspections and flag anomalies. There are a multitude of controls to reduce the number of alarms a SIEM generates. This allows the security analysts to ensure the flow of alarms is manageable.
Evaluating a SIEM for your organization
The cost of a SIEM solution varies depending on the manufacturer. Some size and price their solution by estimating how much log data is will be normalized on a per-second basis. Others by how many devices are in scope. The amount of time instantly-searchable logs must be kept also factors into the price for some.
A SIEM is a huge investment. You want to ensure you make the right business decision for your organization otherwise you can easily get stuck between a rock and a hard place. We see this happen with a lot of organizations.
Biggest SIEM mistakes we see first-hand:
- Purchasing an improperly-scoped SIEM
- Some organizations end up with an undersized SIEM. This always leads to an unpleasant experience. The system gets maxed out and audits are a nightmare because not all of the proper data sources are tied in because there were too many. Searching the maxed out alarm index takes a painstakingly long time because it is oversubscribed.
- Some oversize the system and waste tens or hundreds of thousands of dollars on a system that they are only utilizing a portion of.
- Not accounting for the required manpower (Sedara estimates an average of 21 hours per week to properly manage a SIEM)
- Although managing a SIEM is not rocket science, it still requires a certain set of expertise that is uncommon throughout the workforce at this point in time. Oftentimes we see organizations purchase a SIEM without having 21 hours per week between their team to manage it. Without the expertise and attention, the SIEM sits and collects dust until one of a few things happen.
- They have an audit and can't get the right information out. This escalates to being stuck between a rock and a hard place with no option but to spend extra money on outside professional help that was not previously budgeted for.
- They have a security incident that the SIEM produced an alarm for in real-time, but it was not investigated and the incident becomes a larger issue.
- The SIEM piles up alarms with a bunch of false positives and becomes overwhelming. The SIEM typically gets blamed and dropped for an alternative SIEM and the cycle repeats itself until proper expertise is brought in.
- Some organizations simply cannot provide the expertise in-house to properly manage their SIEM. You are essentially choosing to build your own Security Operations Center (SOC). Imagine hiring and training an analyst for 6 months before that analyst leaves for a higher-paying job with the new skillset you just helped them build. It is tough for most organizations to justify managing a SIEM solution with in-house expertise over a less-risky, more reliable and cost-effective partnership alternative.