What is a SIEM?
Security Information and Event Management (SIEM) is the combination of Security Information Management (SIM) and Security Event Management (SEM) systems. SEM systems store and interpret logs for real-time security event analysis, enabling defensive actions to be taken more quickly. SIM systems collect data for trend analysis and provide automated reporting. By combining these two technologies together, a SIEM provides rapid identification, analysis, and recovery from security events.
How a SIEM works
At a high level, a SIEM solution collects log information from a majority of devices on your network.
- Firewall logs
- Domain controller logs
- Server logs
- Switch logs
- Workstation logs
- Intrusion Prevention/Detection Systems (IPS or IDS) logs
- Logs from any systems with relevant information
Then the SIEM centralizes the log information from all log sources. It then uses sets of standard, complex, and unique rules to generate security alarms based on what is happening in the network. These alarms are then presented on a dashboard with information such as the risk level of the alarm and why it was generated.
A Security Operations Center (SOC) will analyze and investigate these alerts 24x7x365 to detect and respond to potential or real threats and breaches in real time.
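To make the collect, centralize, normalize and correlate steps above concrete, here is a toy SIEM pipeline. It is an added example, not Sedara's code or any product's engine: the firewall and domain controller log lines are constructed samples, and the two rules, their thresholds and the risk levels are illustrative assumptions. It parses each vendor format into one common event schema, runs rules over the combined events, and emits alarms carrying a risk level and the reason they fired, while suppressing repeat alarms for the same source so the analyst queue stays manageable.

```python
"""Minimal SIEM-style pipeline: collect, normalize, correlate, alarm.

Added example, not code from Sedara or any SIEM product. The log lines,
rule names, thresholds and risk levels below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw logs from two source types; 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges, not real hosts.
RAW_LOGS = [
    ("firewall", "2024-05-01T08:00:01 DENY src=203.0.113.5 dst=10.0.0.10 dport=22"),
    ("firewall", "2024-05-01T08:00:02 DENY src=203.0.113.5 dst=10.0.0.10 dport=23"),
    ("firewall", "2024-05-01T08:00:03 DENY src=203.0.113.5 dst=10.0.0.10 dport=3389"),
    ("firewall", "2024-05-01T08:00:05 ALLOW src=198.51.100.7 dst=10.0.0.20 dport=443"),
    ("dc", "2024-05-01T08:01:00 EventID=4625 User=alice Source=203.0.113.5"),
    ("dc", "2024-05-01T08:01:01 EventID=4625 User=alice Source=203.0.113.5"),
    ("dc", "2024-05-01T08:01:02 EventID=4625 User=alice Source=203.0.113.5"),
    ("dc", "2024-05-01T08:01:03 EventID=4625 User=alice Source=203.0.113.5"),
    ("dc", "2024-05-01T08:01:04 EventID=4625 User=alice Source=203.0.113.5"),
    ("dc", "2024-05-01T08:01:10 EventID=4624 User=alice Source=203.0.113.5"),
    ("dc", "2024-05-01T08:02:00 EventID=4625 User=bob Source=10.0.0.50"),
]

FW_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
DC_RE = re.compile(r"^(\S+) EventID=(\d+) User=(\S+) Source=(\S+)$")
# Windows logon event IDs: 4624 = successful logon, 4625 = failed logon.
DC_ACTIONS = {"4624": "logon_success", "4625": "logon_failure"}

def normalize(source_type, line):
    """Map a vendor-specific line onto one common event schema (None if unparseable)."""
    if source_type == "firewall":
        m = FW_RE.match(line)
        if m:
            return {"ts": datetime.fromisoformat(m.group(1)), "source": "firewall",
                    "action": m.group(2).lower(), "src_ip": m.group(3),
                    "dport": int(m.group(5)), "user": None}
    elif source_type == "dc":
        m = DC_RE.match(line)
        if m:
            return {"ts": datetime.fromisoformat(m.group(1)), "source": "dc",
                    "action": DC_ACTIONS.get(m.group(2), "other"),
                    "src_ip": m.group(4), "dport": None, "user": m.group(3)}
    return None

def rule_port_scan(events, threshold=3, window=timedelta(minutes=1)):
    """Medium risk: one source denied on >= threshold distinct ports inside the window."""
    alarms, by_src = [], defaultdict(list)
    for e in events:
        if e["source"] == "firewall" and e["action"] == "deny":
            by_src[e["src_ip"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {x["dport"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(ports) >= threshold:
                alarms.append({"rule": "port_scan", "risk": "medium", "src_ip": src,
                               "reason": f"{src} denied on ports {sorted(ports)} within {window}"})
                break  # one alarm per source keeps the analyst queue manageable
    return alarms

def rule_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """High risk: >= threshold failed logons from one source, then a success in the window."""
    alarms, by_src = [], defaultdict(list)
    for e in events:
        if e["source"] == "dc":
            by_src[e["src_ip"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for e in evs:
            failures = [f for f in failures if e["ts"] - f["ts"] <= window]  # slide the window
            if e["action"] == "logon_failure":
                failures.append(e)
            elif e["action"] == "logon_success" and len(failures) >= threshold:
                alarms.append({"rule": "brute_force_then_success", "risk": "high", "src_ip": src,
                               "reason": f"{len(failures)} failed logons from {src} "
                                         f"followed by a success for {e['user']}"})
                failures = []
    return alarms

RULES = [rule_port_scan, rule_brute_force]

def run_siem(raw_logs):
    """Centralize, normalize, run every rule, and de-duplicate the resulting alarms."""
    events = []
    for source_type, line in raw_logs:
        ev = normalize(source_type, line)
        if ev is not None:
            events.append(ev)
    alarms, seen = [], set()
    for rule in RULES:
        for alarm in rule(events):
            key = (alarm["rule"], alarm["src_ip"])
            if key not in seen:  # suppress repeats of the same alarm for the same source
                seen.add(key)
                alarms.append(alarm)
    return alarms

if __name__ == "__main__":
    for a in run_siem(RAW_LOGS):
        print(f"[{a['risk'].upper()}] {a['rule']}: {a['reason']}")
```

Run as-is it raises two alarms, both attributed to the same external address: a medium port-scan alarm from the firewall logs and a high brute-force alarm from the domain controller logs. The single failed logon for bob never reaches the threshold and produces nothing, which is the tuning point the dashboard "risk level and why it was generated" fields exist to support.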
Why Are People Talking About SIEM?
A SIEM has become the primary way to gain visibility into an environment, in terms of behavior and activity. Log collection and management are handled by the same tool that is used for active network security. The number of crucial problems solved by this single tool makes it worth its weight in gold, but like any robust solution, it needs constant care and attention to provide its true value. That is why you often hear the terms XDR and MDR, which are managed solutions that encompass SIEM capabilities and extend beyond the technology itself.
Enables network-wide cyber threat detection:
Cybersecurity breaches went unnoticed for an average of 287 days in 2021, which is obviously a huge issue. A cybercriminal’s main objective is often to steal data while remaining undetected, so victims do not realize they have been compromised for a long time. The visibility and correlation capabilities provided by a SIEM allow for much faster identification of and response to cyber threats.
Governance, Risk, and Compliance (GRC):
With GRC continually ramping up in almost every industry, many organizations are seeing tremendous value from their SIEM solutions to support these efforts. Compliance reporting can be streamlined through this centralized logging solution. Most SIEM solutions can generate reports specifically for compliance audits. This will strongly impact financial institutions nationwide. The comment period for the new proposed regulation is set to end in June 2019. Multiple specific requirements within this change will leave a SIEM as the most viable business solution for compliance.
Who Needs One?
Any organization that deals with sensitive data should have a SIEM, or a solution with equivalent or better capabilities. Healthcare, Financial Services, Manufacturing, Local Government, Utility Companies, Department of Defense (DoD) contractors, and Education are the types of organizations that we see adopting solutions that include SIEM very rapidly.
Due to the complexity of these solutions, many organizations go the more manageable route to accomplish the same goals by working with an MDR provider, like Sedara.
Below are three questions that can help you understand if you need a SIEM.
- Do you need to improve threat detection capabilities?
- Does your organization have intellectual property or sensitive data to protect?
- Do you need to produce detailed and executive reports on cybersecurity for leadership or compliance?
If the answer is “Yes” to any of the above, then you should consider looking into a SIEM solution.
How is a SIEM deployed?
Not all SIEM solutions are identical. Most work by deploying multiple data collection agents or sensors in areas where most or all network traffic travels, usually near a core switch or behind a main firewall. These sensors can be hardware, software or virtual depending on the manufacturer. These days, most manufacturers are moving towards virtual or lightweight software sensors while still offering hardware options.
All SIEM solutions have a primary correlation engine or “brain” which requires significantly more power than the sensors. This can be an on-premises appliance, a virtual appliance, or cloud-based. Most manufacturers are moving towards cloud-based models. Your servers, network equipment, and even dedicated security tools such as firewalls, domain controllers, or intrusion detection systems are configured to forward their logs to these sensors. All of this data is sent to the centralized management console to perform inspections and flag anomalies. There are a multitude of controls to reduce the number of alarms a SIEM generates. This allows the security analysts to ensure the flow of alarms is manageable.
Evaluating a SIEM for your organization
The cost of a SIEM solution varies depending on the manufacturer. Some size and price their solution by estimating how much log data will be normalized on a per-second basis. Others price by how many devices are in scope. Log retention time may also factor into the price.
A SIEM is a huge investment. You want to ensure you make the right business decision for your organization, otherwise you can easily get stuck between a rock and a hard place. We have helped many organizations navigate tough scenarios.
Biggest SIEM mistakes we see first-hand:
An undersized SIEM. This always leads to an unpleasant experience. The system gets maxed out and may start running slowly or even dropping logs. When scoping a SIEM it is very important to have a good idea of the full list of assets you want to collect logs from. Working with a partner like Sedara can help you identify and prioritize log sources while scoping for your SIEM to ensure this does not happen.
Some oversize the system and waste tons of money on extra capacity. Again, working with an experienced team can minimize this risk.
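The pricing inputs described under "Evaluating a SIEM for your organization" (events normalized per second, devices in scope, retention) and the undersized/oversized mistakes just described come down to the same arithmetic. The following sizing estimator is an added example, not Sedara's or any vendor's sizing method: the asset inventory, per-device event rates, event sizes, compression ratio and headroom factor are constructed assumptions to be replaced with measured figures from your own estate. It sizes the licence on peak rate plus headroom rather than on the average, because the peak is what causes dropped logs, and it flags a proposed licence as undersized, oversized or right-sized.

```python
"""SIEM capacity estimate from a log-source inventory.

Added example, not Sedara's or any vendor's sizing method. The inventory,
per-device event rates, event sizes, compression ratio and headroom below are
constructed assumptions; replace them with measured figures from your own estate.
"""
from dataclasses import dataclass

@dataclass
class LogSource:
    name: str
    count: int            # devices of this kind in scope
    avg_eps: float        # average events per second, per device (measure it, do not guess)
    peak_factor: float    # peak-to-average multiplier (start of business, patch day, incident)
    avg_event_bytes: int  # typical raw event size for this source

INVENTORY = [  # constructed sample estate
    LogSource("firewall", 2, 400.0, 3.0, 350),
    LogSource("domain controller", 3, 50.0, 4.0, 900),
    LogSource("server", 40, 5.0, 2.0, 500),
    LogSource("switch", 20, 1.0, 2.0, 250),
    LogSource("workstation", 300, 0.5, 3.0, 600),
]

def estimate(inventory, retention_days, compression=0.2, headroom=1.3):
    """Aggregate EPS and storage needs; size the licence on peak plus headroom, not on average."""
    avg_eps = sum(s.count * s.avg_eps for s in inventory)
    peak_eps = sum(s.count * s.avg_eps * s.peak_factor for s in inventory)
    bytes_per_sec = sum(s.count * s.avg_eps * s.avg_event_bytes for s in inventory)
    gb_per_day = bytes_per_sec * 86400 / 1e9
    stored_gb = gb_per_day * retention_days * compression  # what stays on disk after compression
    return {
        "device_count": sum(s.count for s in inventory),
        "avg_eps": round(avg_eps),
        "peak_eps": round(peak_eps),
        "license_eps": round(peak_eps * headroom),
        "gb_per_day": round(gb_per_day, 2),
        "storage_gb": round(stored_gb * headroom, 1),
    }

def assess(est, licensed_eps, licensed_storage_gb):
    """Flag the two mistakes the text describes: undersized (drops logs) or oversized (wasted spend)."""
    if licensed_eps < est["peak_eps"] or licensed_storage_gb < est["storage_gb"]:
        return "undersized"
    if licensed_eps > 2 * est["license_eps"]:
        return "oversized"
    return "right-sized"

if __name__ == "__main__":
    est = estimate(INVENTORY, retention_days=90)
    print(est)
    for eps, gb in ((2500, 2000), (5500, 1500), (15000, 5000)):
        print(f"{eps} EPS / {gb} GB licence: {assess(est, eps, gb)}")
```

With the constructed inventory the average rate is about 1,320 EPS but the peak is almost 3,900 EPS, so a licence bought on the average figure would drop logs during exactly the busy periods an analyst most needs them. The "oversized" threshold of twice the recommended licence is an arbitrary constructed cut-off; what matters is that both directions of the mistake are checked before the purchase, not after.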
Although managing a SIEM is not rocket science, it still requires a certain set of expertise and a lot of time. Oftentimes, we see organizations purchase a SIEM without having a dedicated person to manage it. Without the expertise and attention, the SIEM sits and collects dust until one, or all, of a few things happen.
- They have an audit and can’t get the right information out. This escalates to being stuck between a rock and a hard place with no option but to spend extra money on outside professional help that may not have been previously budgeted for.
- They have a security incident that the SIEM produced an alarm for in real time, but it was not investigated, and the incident becomes a larger and more costly issue than it should have been.
- The SIEM piles up alarms with a bunch of false positives and becomes overwhelming to try to keep up with. The technology gets blamed and dropped for an alternative, and the cycle repeats itself until proper expertise is brought in.
Most organizations can’t afford to build out an internal 24x7x365 Security Operations Center (SOC). That is why many work with Managed Detection and Response (MDR) providers, like Sedara.
As an MDR provider, we implement and manage an ensemble of cybersecurity solutions, including SIEM, on a daily basis and monitor them 24x7x365 from our Security Operations Center (SOC). If you have any questions about SIEM, MDR, EDR, Penetration Testing or other cybersecurity services, please contact us at [email protected].