What is a SIEM?
Security Information and Event Management (SIEM) is the combination of Security Information Management (SIM) and Security Event Management (SEM) systems. SEM systems store and interpret logs for real-time security event analysis, which enables quick defensive action. SIM systems collect data for trend analysis and provide automated reporting. By combining these two technologies, a SIEM provides rapid identification of, analysis of, and recovery from security events.
How a SIEM works
At a high level, a SIEM solution collects log information from most of the devices on your network, such as:
- Firewall logs
- Domain controller logs
- Server logs
- Switch logs
- Workstation logs
- Intrusion Prevention/Detection Systems (IPS or IDS) logs
- Logs from any systems with relevant information
Then, the SIEM centralizes the log information from all log sources. It then uses sets of rules to generate security alarms based on what is happening in the network. These alarms are presented on an informational dashboard that shows the risk level of the alarm and why it was generated.
A Security Operations Center (SOC) will analyze and investigate these alerts 24x7x365 to detect and respond to potential or real threats and breaches in real time.
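To make the collect-centralize-correlate-alarm flow above concrete, here is an added example (not code from the original article or from any SIEM vendor) of a toy pipeline in Python: logs from a firewall, a domain controller and an IDS are normalized into one schema, two correlation rules run over the combined events, and each alarm carries the risk level and the reason a dashboard would display. All log lines, hostnames and IP addresses are constructed; the IDS signature id is a placeholder.

```python
"""Toy SIEM pipeline: normalize logs from several sources into one schema,
correlate them with rules, and emit alarms with a risk level and a reason.
Added example; all log lines below are constructed, not captured data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs. Formats loosely mimic a syslog-style firewall,
# Windows Security events (4625 = failed logon, 4624 = successful logon)
# and an IDS alert line. The IDS signature id is a placeholder.
FIREWALL_LOGS = [
    "2024-03-01T09:00:01Z fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2024-03-01T09:01:30Z fw01 DENY src=198.51.100.9 dst=10.0.0.5 dport=445",
]
DC_LOGS = [
    "2024-03-01T09:00:05Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.7",
    "2024-03-01T09:00:09Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.7",
    "2024-03-01T09:00:14Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.7",
    "2024-03-01T09:00:20Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.7",
    "2024-03-01T09:00:27Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.7",
    "2024-03-01T09:00:33Z dc01 EventID=4624 TargetUserName=jsmith IpAddress=203.0.113.7",
    "2024-03-01T09:05:00Z dc01 EventID=4624 TargetUserName=alee IpAddress=10.0.0.22",
]
IDS_LOGS = [
    "2024-03-01T09:00:00Z ids01 [1:9000001:1] PLACEHOLDER-SIG RDP brute force attempt 203.0.113.7 -> 10.0.0.5",
]

KV = re.compile(r"(\w+)=(\S+)")
IDS_RE = re.compile(r"^(\S+) (\S+) \[[^\]]+\] (.+?) (\S+) -> (\S+)$")
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize_firewall(line):
    ts, host, action, rest = line.split(" ", 3)
    kv = dict(KV.findall(rest))
    return {"ts": parse_ts(ts), "source": "firewall", "host": host, "action": action.lower(),
            "src_ip": kv["src"], "dst_ip": kv["dst"], "user": None}

def normalize_dc(line):
    ts, host, rest = line.split(" ", 2)
    kv = dict(KV.findall(rest))
    action = {"4624": "logon_success", "4625": "logon_failure"}.get(kv["EventID"], "other")
    return {"ts": parse_ts(ts), "source": "dc", "host": host, "action": action,
            "src_ip": kv["IpAddress"], "dst_ip": None, "user": kv["TargetUserName"]}

def normalize_ids(line):
    ts, host, sig, src, dst = IDS_RE.match(line).groups()
    return {"ts": parse_ts(ts), "source": "ids", "host": host, "action": "ids_alert",
            "src_ip": src, "dst_ip": dst, "user": None, "signature": sig}

def rule_brute_force_then_success(events, threshold=5, window=timedelta(seconds=60)):
    """threshold+ failed logons for one (user, src_ip) inside a sliding window,
    followed by a successful logon from the same pair."""
    alarms, failures = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] != "dc":
            continue
        key = (ev["user"], ev["src_ip"])
        if ev["action"] == "logon_failure":
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
        elif ev["action"] == "logon_success" and len(failures[key]) >= threshold:
            alarms.append({"ts": ev["ts"], "risk": "high", "rule": "brute_force_then_success",
                           "user": key[0], "src_ip": key[1],
                           "reason": f"{len(failures[key])} failed logons for {key[0]} from {key[1]} "
                                     f"within {window.seconds}s, then a successful logon"})
            failures[key] = []
    return alarms

def rule_ids_alert_traffic_allowed(events, window=timedelta(minutes=5)):
    """An IDS alert alone is often noise; one whose source/destination pair the
    firewall ACCEPTed around the same time means the traffic reached the target."""
    alarms = []
    accepts = [e for e in events if e["source"] == "firewall" and e["action"] == "accept"]
    for ev in events:
        if ev["source"] != "ids":
            continue
        if any(a["src_ip"] == ev["src_ip"] and a["dst_ip"] == ev["dst_ip"]
               and abs(a["ts"] - ev["ts"]) <= window for a in accepts):
            alarms.append({"ts": ev["ts"], "risk": "medium", "rule": "ids_alert_traffic_allowed",
                           "user": None, "src_ip": ev["src_ip"],
                           "reason": f"IDS '{ev['signature']}' from {ev['src_ip']} to {ev['dst_ip']} "
                                     f"and the firewall allowed that connection"})
    return alarms

def run_siem(firewall_lines, dc_lines, ids_lines):
    """Centralize (normalize) all sources, run every rule, order by risk."""
    events = ([normalize_firewall(l) for l in firewall_lines]
              + [normalize_dc(l) for l in dc_lines]
              + [normalize_ids(l) for l in ids_lines])
    alarms = rule_brute_force_then_success(events) + rule_ids_alert_traffic_allowed(events)
    return sorted(alarms, key=lambda a: (RISK_ORDER[a["risk"]], a["ts"]))

if __name__ == "__main__":
    # The "dashboard": risk level and why each alarm fired.
    for a in run_siem(FIREWALL_LOGS, DC_LOGS, IDS_LOGS):
        print(f"[{a['risk'].upper():6}] {a['ts']:%H:%M:%S} {a['rule']}: {a['reason']}")
```

The point of the normalization step is that both rules only ever see one field layout, so a new log source (a switch, a workstation agent) is added by writing one more normalize function, not by rewriting every rule. The second rule also shows why centralizing matters: neither the IDS alert nor the firewall accept is interesting on its own; together they are.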
Why Are People Talking About SIEM?
A SIEM has become the primary way to gain visibility into an environment. Log collection and management are used for active network security. The number of crucial problems solved by this single tool makes it worth its weight in gold. But, like any robust solution, it needs constant care and attention to provide its true value. That is why oftentimes you hear the terms XDR and MDR, which are managed solutions that encompass SIEM capabilities, and expand beyond the technology itself.
SIEM Enables Cyber Threat Detection
Cybersecurity breaches went unnoticed for an average of 287 days in 2021, which is a serious problem. A cybercriminal’s main objective is to steal data without being detected, so victims often don’t realize they have been compromised for a long time. The visibility a SIEM provides allows for much faster identification of and response to cyber threats.
Governance, Risk, and Compliance (GRC)
With GRC continually ramping up in every industry, many organizations are seeing tremendous value from their SIEM solutions to support these efforts. Compliance reporting can be streamlined through this centralized logging solution.
Most SIEM solutions can generate reports specifically for compliance audits. This will strongly impact financial institutions nationwide. The comment period for the new proposed regulation is set to end in June 2019. Multiple specific requirements within this change will leave a SIEM as the most viable business solution for compliance.
Who Needs a SIEM?
Any organization that deals with sensitive data should have a SIEM, or a solution with equivalent or better capabilities. Healthcare, Financial Services, Manufacturing, Local Government, Utility Companies, Department of Defense (DoD) contractors, and Education are the types of organizations that we see adopting solutions rapidly.
Below are three questions that can help you understand if you need a SIEM.
- Do you need to improve threat detection capabilities?
- Does your organization have intellectual property or sensitive data to protect?
- Do you need to produce detailed and executive reports on cybersecurity for leadership or compliance?
If the answer is “Yes” to any of the above, then you should consider looking into a SIEM solution.
How is a SIEM deployed?
Not all SIEM solutions are identical. Most work by deploying multiple data collection agents or sensors in areas where most or all network traffic travels, usually near a core switch or behind a main firewall. These sensors can be hardware, software, or virtual depending on the manufacturer. These days, most manufacturers are moving towards virtual or lightweight software sensors while still offering hardware options.
All SIEM solutions have a primary correlation engine or “brain” that requires significantly more power than the sensors. It can be an on-premises appliance, a virtual appliance, or cloud-based; most manufacturers are moving towards cloud-based models. Your servers, network equipment, and even dedicated security tools such as firewalls, domain controllers, or intrusion detection systems are configured to forward their logs to these sensors. All of this data is sent to the centralized management console to perform inspections and flag anomalies. A SIEM also offers a multitude of controls to reduce the number of alarms it generates, which lets security analysts keep the flow of alarms manageable.
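The alarm-reduction controls mentioned above are usually some mix of allowlisting expected activity, collapsing repeats of the same alarm, and only escalating low-risk alarms once they recur. The following added example (not code from the original article or from any SIEM product) applies those three controls, in that order, to a constructed stream of raw alarms such as a correlation engine might emit. The alarm records, hostnames, IP addresses and the authorized-scanner allowlist are all constructed.

```python
"""Alarm-volume controls applied after correlation: allowlisting, de-duplication
and threshold escalation. Added example; the alarm records are constructed."""
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed raw alarm stream as a correlation engine might emit it:
# a scheduled scan hitting three hosts, a noisy burst of failed logons,
# one stray failed logon half an hour later, and a repeated malware hit.
RAW_ALARMS = [
    {"ts": ts("2024-03-01 02:00:00"), "rule": "port_scan", "src_ip": "10.0.9.9", "host": "web01", "risk": "low"},
    {"ts": ts("2024-03-01 02:00:05"), "rule": "port_scan", "src_ip": "10.0.9.9", "host": "web02", "risk": "low"},
    {"ts": ts("2024-03-01 02:00:10"), "rule": "port_scan", "src_ip": "10.0.9.9", "host": "db01", "risk": "low"},
    {"ts": ts("2024-03-01 09:10:00"), "rule": "failed_logon", "src_ip": "10.0.0.22", "host": "dc01", "risk": "low"},
    {"ts": ts("2024-03-01 09:10:30"), "rule": "failed_logon", "src_ip": "10.0.0.22", "host": "dc01", "risk": "low"},
    {"ts": ts("2024-03-01 09:11:00"), "rule": "failed_logon", "src_ip": "10.0.0.22", "host": "dc01", "risk": "low"},
    {"ts": ts("2024-03-01 09:11:15"), "rule": "failed_logon", "src_ip": "10.0.0.22", "host": "dc01", "risk": "low"},
    {"ts": ts("2024-03-01 09:11:40"), "rule": "failed_logon", "src_ip": "10.0.0.22", "host": "dc01", "risk": "low"},
    {"ts": ts("2024-03-01 09:12:00"), "rule": "failed_logon", "src_ip": "10.0.0.22", "host": "dc01", "risk": "low"},
    {"ts": ts("2024-03-01 09:40:00"), "rule": "failed_logon", "src_ip": "10.0.0.22", "host": "dc01", "risk": "low"},
    {"ts": ts("2024-03-01 10:00:00"), "rule": "malware_detected", "src_ip": "10.0.0.31", "host": "ws17", "risk": "high"},
    {"ts": ts("2024-03-01 10:00:02"), "rule": "malware_detected", "src_ip": "10.0.0.31", "host": "ws17", "risk": "high"},
]

# Authorized vulnerability scanner (constructed). Allowlist entries are
# (rule, source) pairs, never a bare IP, so the scanner host is still
# alarmed on for anything other than scanning.
ALLOWLIST = {("port_scan", "10.0.9.9")}

def apply_allowlist(alarms):
    """Drop alarms matching an approved (rule, source) pair, but count them so
    the suppression itself stays visible on the dashboard."""
    kept, suppressed = [], 0
    for a in alarms:
        if (a["rule"], a["src_ip"]) in ALLOWLIST:
            suppressed += 1
        else:
            kept.append(a)
    return kept, suppressed

def deduplicate(alarms, window=timedelta(minutes=10)):
    """Collapse repeats of the same (rule, src_ip, host) that start inside
    `window` into one alarm carrying a count and first/last timestamps."""
    groups, open_group = [], {}
    for a in sorted(alarms, key=lambda a: a["ts"]):
        key = (a["rule"], a["src_ip"], a["host"])
        g = open_group.get(key)
        if g and a["ts"] - g["first_seen"] <= window:
            g["count"] += 1
            g["last_seen"] = a["ts"]
        else:
            g = dict(a, first_seen=a["ts"], last_seen=a["ts"], count=1)
            groups.append(g)
            open_group[key] = g
    return groups

def escalate(alarms, low_threshold=5):
    """Low-risk alarms reach the analyst queue only once they repeat enough;
    a burst is promoted to medium. Singles are held, not deleted, so they
    remain searchable during an investigation."""
    queue, held = [], []
    for a in alarms:
        if a["risk"] != "low":
            queue.append(dict(a, reason=a["rule"]))
        elif a["count"] >= low_threshold:
            queue.append(dict(a, risk="medium", reason=f"{a['count']} repeats of {a['rule']}"))
        else:
            held.append(a)
    return queue, held

def tune(alarms):
    kept, suppressed = apply_allowlist(alarms)
    queue, held = escalate(deduplicate(kept))
    return {"raw": len(alarms), "suppressed": suppressed, "queue": queue, "held": held}

if __name__ == "__main__":
    result = tune(RAW_ALARMS)
    print(f"{result['raw']} raw alarms -> {len(result['queue'])} in queue "
          f"({result['suppressed']} allowlisted, {len(result['held'])} held)")
    for a in result["queue"]:
        print(f"[{a['risk'].upper():6}] {a['host']} {a['reason']} (x{a['count']})")
```

Each control changes the numbers differently: the allowlist removes alarms that are known to be expected, de-duplication reduces volume without losing information (the count and time span are retained), and the threshold decides what an analyst must look at now versus what is kept for later searching. Tuning these three is most of the ongoing work the article refers to when it says a SIEM needs constant care.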
Evaluating a SIEM For Your Organization
The cost of a SIEM solution varies depending on the manufacturer. Some size and price their solution by estimating how much log data will be normalized per second. Others price by how many devices are in scope. Log retention time may also factor into the price.
A SIEM is a huge investment. You want to ensure you make the right business decision for your organization, otherwise, you can easily get stuck between a rock and a hard place. We have helped many organizations navigate tough scenarios.
The Biggest SIEM Mistakes We See
An undersized SIEM always leads to an unpleasant experience. The system gets maxed out and starts moving slowly or even dropping logs. When scoping a SIEM it is important to have a good idea of the full list of assets you want to collect logs from.
Other organizations oversize the system and waste a lot of money on capacity they never use. Again, working with an experienced team can minimize this risk.
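Sizing comes down to turning the asset list into an events-per-second figure and a storage figure, then checking both against what is being bought. The added example below (not from the original article or from any vendor) does that for a constructed inventory. The per-device event rates, average event size, peak factor and compression ratio are assumptions made up for the illustration; in practice they come from measuring your own sources for a few days.

```python
"""SIEM sizing estimate from an asset inventory. Added example; the per-device
event rates and sizes below are constructed assumptions, not vendor figures."""

# Assumption: sustained events per second per device, by device type.
ASSUMED_EPS = {"firewall": 150, "domain_controller": 40, "server": 5,
               "switch": 2, "workstation": 0.5, "ids": 10}
AVG_EVENT_BYTES = 500      # assumption: average normalized event size
PEAK_FACTOR = 3.0          # assumption: bursts (patching, incidents) over sustained
COMPRESSION_RATIO = 0.3    # assumption: stored bytes / raw bytes

# Constructed inventory: the "full list of assets you want to collect logs from".
INVENTORY = {"firewall": 2, "domain_controller": 3, "server": 60,
             "switch": 20, "workstation": 400, "ids": 1}

def estimate(inventory, retention_days):
    """Sustained and peak EPS plus daily ingest and retained storage (GB = 1e9 bytes)."""
    sustained = sum(ASSUMED_EPS[kind] * count for kind, count in inventory.items())
    peak = sustained * PEAK_FACTOR
    daily_gb = sustained * AVG_EVENT_BYTES * 86400 / 1e9
    storage_gb = daily_gb * retention_days * COMPRESSION_RATIO
    return {"sustained_eps": sustained, "peak_eps": peak,
            "daily_gb": round(daily_gb, 1), "storage_gb": round(storage_gb, 1)}

def check_license(est, licensed_eps, headroom=0.2):
    """Undersized: peaks exceed the licensed rate (logs get dropped or queued).
    Oversized: more than twice the peak is being paid for. Otherwise a fit."""
    if licensed_eps < est["peak_eps"] * (1 + headroom):
        return "undersized"
    if licensed_eps > est["peak_eps"] * 2:
        return "oversized"
    return "fit"

if __name__ == "__main__":
    est = estimate(INVENTORY, retention_days=90)
    print(est)
    for tier in (2500, 3500, 10000):
        print(f"{tier} EPS license: {check_license(est, tier)}")
```

Note that the check is against peak EPS, not the sustained average: an undersized SIEM shows its problems exactly during the bursts (a patch cycle, an incident) when the logs matter most, which is the "dropping logs" failure described above.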
Although managing a SIEM is not rocket science, it still requires a certain set of expertise and a lot of time. Oftentimes, we see organizations purchase a SIEM without having a dedicated person to manage it. Without the expertise and attention, the SIEM sits and collects dust until the following happens:
- The organization has an audit and can’t get the right information out. This escalates to being stuck between a rock and a hard place with no option but to spend extra money on outside professional help that may not have been previously budgeted for.
- The organization has a security incident that the SIEM produced an alarm for in real time, but it was not investigated, and the incident becomes a larger and more costly issue than it should have been.
- The SIEM piles up alarms with a bunch of false positives and becomes overwhelming to try to keep up with. The technology gets blamed and dropped for an alternative, and the cycle repeats itself until proper expertise is brought in.
Most organizations can’t afford to build out an internal 24x7x365 Security Operations Center (SOC). That is why many work with Managed Detection and Response (MDR) providers, like Sedara.
How Sedara Can Help You
As an MDR provider, we implement and manage an ensemble of cybersecurity solutions, including SIEM, on a daily basis and monitor them 24x7x365 from our Security Operations Center (SOC). If you have any questions about SIEM, MDR, EDR, Penetration Testing or other cybersecurity services, please contact us.
Subscribe to Sedara Declassified to get timely updates on new and evolving threats, and what to do about them, just like our clients do.