SIEM stands for Security Information and Event Management. It is software that collects and aggregates log data from the entire spectrum of devices (endpoints, network devices, servers, firewalls, IPS/IDS, IAM, AD etc.) in order to make the best sense of the situation at hand and give real-time insight into the organization’s security landscape.
The SIEM software gathers logs in raw format (meaning exactly as they are received from the source devices), identifies the sending devices, parses the logs, and processes them to give meaningful insight, enabling security engineers to make better decisions.
The software basically delivers on the following objectives:
- Reporting on security and threat related activities, such as failed login attempts, port or IP scanning activity, malware detection, security policy breaches etc.
- Integration with most of the log sources on the market and the ability to “understand” the received logs: parsing the logs correctly, indexing them for better performance, and correlating them for analysis and reporting.
- Receiving feedback and continuous updates from global threat and security databases so as to keep abreast of the latest threats that might be relevant to your organization’s IT security posture.
- Alerting and reporting based on rules, both those that come out of the box and user-defined custom rules.
Business Value of a SIEM System:
SIEM basically adds a great deal to the strength of an organization’s IT security. This strength is also known as the Security Posture. SIEM strengthens security posture by helping in the following areas:
Timely Detection of Security Breaches:
An organization having a well-configured and fine-tuned SIEM will be able to detect security breaches much earlier compared to an organization without any SIEM product. This in turn leads to better and timely containment of security breaches, effective remediation, and prevention of similar breaches in future.
Support for most market vendors:
Since there are many different devices from many different vendors on the market, it is valuable for any SIEM solution to be able to parse logs originating from most of those vendors. Correct parsing of logs is a prerequisite for correct analysis and reporting.
Context Awareness:
Context awareness is the SIEM’s ability to see the bigger picture of the circumstances and situation when a security breach is detected. This would mean, for example:
- The users who are using the systems. Whether they logged on as system administrators, as users with lesser privileges, or maybe as guest users using the internet.
- The time of day when the breach is detected. Did the breach happen during the day, when most of the staff were in the office, or at night, when most of them were away?
- The network the users are connected to. Is it the corporate network or a home office?
- The criticality and relevance of the system being attacked. Was this a web server, an Active Directory server, or just a test server? How critical is the system being targeted?
Intelligent Processing of the data:
SIEM is a powerful tool with well-written code to process a huge amount of data in a fast and intelligent way, in order to analyze and report as accurately and efficiently as possible. So when a security breach happens, the organization’s security engineers have all the necessary information available to take informed decisions and respond effectively. This is especially important in today’s world, which is characterized by the increasing sophistication of security attacks, a constantly changing threat landscape, and a lack of specialist IT security engineers.
Avoiding False Positives:
Another important part of data processing involves producing a minimal number of false positives, so that the security engineers don’t waste time chasing false alerts. Minimizing false positives requires context awareness and fine-tuning.
Logs from real-time monitoring systems like firewalls, IDS/IPS, antivirus etc., along with context awareness (users, domain, systems, applications, type of traffic, time of day, home/office network, criticality of systems etc.) and intelligent processing (built-in and user-defined custom rules, third-party applications, robust and high-speed algorithms, a continuous feed from global threat databases), give SIEM an integrated real-time threat detection approach.
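To make the pipeline described above concrete (raw log in, parse, correlate against a rule, then use context to set severity and keep low-value alerts from wasting an analyst’s time), here is a small added example written for this article; it is not code from any SIEM product. The log format, the asset criticality table, the privileged-user list and the office-hours window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logon events in a hypothetical key=value format (not real device output).
RAW_LOGS = [
    "2024-03-04T02:10:05 dc01 LOGON user=admin.jane src=10.0.5.7 result=FAIL",
    "2024-03-04T02:10:09 dc01 LOGON user=admin.jane src=10.0.5.7 result=FAIL",
    "2024-03-04T02:10:14 dc01 LOGON user=admin.jane src=10.0.5.7 result=FAIL",
    "2024-03-04T02:10:20 dc01 LOGON user=admin.jane src=10.0.5.7 result=OK",
    "2024-03-04T10:15:01 test07 LOGON user=bob src=10.0.9.3 result=FAIL",
    "2024-03-04T10:15:03 test07 LOGON user=bob src=10.0.9.3 result=FAIL",
    "2024-03-04T10:15:05 test07 LOGON user=bob src=10.0.9.3 result=FAIL",
    "2024-03-04T10:15:07 some-other-device line the parser does not understand",
]
# Context a SIEM would hold about assets and users (constructed values).
ASSET_CRITICALITY = {"dc01": "high", "test07": "low"}
PRIVILEGED_USERS = {"admin.jane"}
LINE_RE = re.compile(r"^(\S+) (\S+) LOGON (.*)$")

def parse(line):
    """Normalise one raw line into a dict; lines in an unknown format return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, rest = m.groups()
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"], ev["host"] = datetime.fromisoformat(ts), host
    return ev

def score(ev):
    """Context awareness: one severity step each for a privileged user,
    a high-criticality asset, and activity outside the 08:00-18:00 office hours."""
    points = ((ev["user"] in PRIVILEGED_USERS)
              + (ASSET_CRITICALITY.get(ev["host"], "medium") == "high")
              + (not 8 <= ev["ts"].hour < 18))
    return ["low", "medium", "high", "critical"][points]

def correlate(lines, threshold=3, window_s=60):
    """Rule: at least `threshold` failed logons for one (user, host) inside a sliding window."""
    fails, alerts = defaultdict(list), {}
    for ev in filter(None, map(parse, lines)):
        key = (ev["user"], ev["host"])
        if ev["result"] == "FAIL":
            fails[key] = [t for t in fails[key] + [ev["ts"]]
                          if (ev["ts"] - t).total_seconds() <= window_s]
            if len(fails[key]) >= threshold and key not in alerts:
                alerts[key] = {"user": ev["user"], "host": ev["host"],
                               "severity": score(ev), "success_after": False}
        elif key in alerts:  # a success right after a burst of failures is worth flagging
            alerts[key]["success_after"] = True
    return list(alerts.values())
```

Both users trip the same rule, but the off-hours burst by a privileged account against a domain controller (followed by a successful logon) comes out as critical, while the same pattern from an unprivileged user on a low-value test server during office hours is kept as a low-priority alert rather than being dropped or paged.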