Security information and event management (SIEM) is an approach to security management that has been very much in vogue in recent years, although it is by no means new. It combines the SIM (security information management) and SEM (security event management) functions in a single system. The principles behind any SIEM system are to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. For example, when a potential problem is detected, a SIEM system might record additional information, generate an alert and instruct other security controls to stop the progress of an activity. At the most basic level, a SIEM system may be rule-based or use a statistical correlation engine to establish relationships between event log entries.
Advanced SIEM systems, which we will see later, have evolved to include user and entity behaviour analysis (UEBA) and security orchestration, automation and response (SOAR). Payment Card Industry Data Security Standard (PCI DSS) compliance originally drove SIEM adoption in large enterprises, but concerns over advanced persistent threats (APTs) have led even smaller organisations to consider the benefits that SIEM service providers can offer. Being able to look at all security-related data from a single point of view makes it easier for companies of all sizes to spot patterns that stand out from the ordinary stream of events. In practice, SIEM systems work by deploying multiple collection agents in a hierarchical manner to obtain security-related events from end-user devices, servers and network equipment, as well as from specialised endpoints, firewalls, antivirus or intrusion prevention systems. A centralised management console links these collection points and prioritises the various incidents.
The activities of a SIEM
Generally speaking, SIEM tools provide real-time visibility across an organisation’s information security systems; event log management that consolidates data from numerous sources; correlation of events collected from different logs or security sources, through rules that add context to the raw data; and automatic notification of critical events. The operation of a SIEM can be summarised as the collection of data, the consolidation of policies, the correlation of data and the sending of notifications when an event or set of events triggers an alarm.
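The collection, consolidation, correlation and notification steps above, as an added example that is not part of the original article: two constructed log sources (an SSH authentication log and a firewall log, with hypothetical hosts and IP addresses) are normalised into one event schema, and a single correlation rule raises an alert when repeated failures from one source are followed by a success, escalating it if the same source is then denied by the firewall.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two sources (hypothetical hosts and IPs).
AUTH_LOG = """\
2024-03-01T10:00:01 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:05 web01 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:09 web01 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:05:00 web01 sshd: Failed password for bob from 198.51.100.2
"""
FW_LOG = "2024-03-01T10:00:10 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389\n"

AUTH_RE = re.compile(r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) \S+ DENY src=(\S+) dst=\S+ dport=(\d+)$")

def normalize(auth_text, fw_text):
    """Collection and consolidation: map both raw formats onto one event schema."""
    events = []
    for m in filter(None, map(AUTH_RE.match, auth_text.splitlines())):
        ts, outcome, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "user": user,
                       "type": "auth_fail" if outcome == "Failed" else "auth_ok"})
    for m in filter(None, map(FW_RE.match, fw_text.splitlines())):
        ts, src, dport = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "type": "fw_deny", "dport": int(dport)})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, threshold=3, window=timedelta(minutes=1)):
    """Rule: >= threshold failed logins from one source inside the window, then a
    success from that source -> high alert; a firewall deny from the same source
    shortly after the success escalates the alert to critical."""
    alerts, fails = [], defaultdict(list)
    for e in events:
        src = e["src"]
        if e["type"] == "auth_fail":  # keep only failures still inside the window
            fails[src] = [t for t in fails[src] if e["ts"] - t <= window] + [e["ts"]]
        elif e["type"] == "auth_ok" and len(fails[src]) >= threshold:
            alerts.append({"rule": "brute_force_success", "src": src,
                           "user": e["user"], "severity": "high", "ts": e["ts"]})
            fails[src].clear()
        elif e["type"] == "fw_deny":
            for a in alerts:
                if a["src"] == src and e["ts"] - a["ts"] <= window:
                    a["severity"] = "critical"  # this is where notification would fire
    return alerts
```

Calling `correlate(normalize(AUTH_LOG, FW_LOG))` yields one critical alert for 203.0.113.7; the lone failure from 198.51.100.2 never reaches the threshold and stays silent.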
Since many advanced threats have become polymorphic rather than static, the need to monitor how they modify their behaviour to evade protection measures becomes essential. We are then talking about a new type of system, the Next Generation SIEM, which must not only process more data, but also become much more capable of recognising new patterns within it. Next Generation SIEMs, sometimes referred to as analytic SIEMs or SIEM 3.0, have brought renewed integration capabilities into an enterprise infrastructure, thanks to an open architecture that acts as the glue between cloud, on-premises and BYOD environments. Using scenario and behavioural analysis to highlight significant changes in operations, they continue to take in information from multiple sources, but enrich it with AI and machine learning to strengthen the defence of the IT system.
Another important feature of Next Generation SIEMs is the use of User and Entity Behaviour Analytics (UEBA). UEBA focuses on monitoring and analysing the behaviour of an organisation’s users. This can be extremely useful in helping companies identify compromised accounts, as well as insider threats. UEBA uses advanced machine learning and behavioural profiling techniques to identify anomalous activity and, because it is not rule-based, is more effective at detecting anomalies over time. Next Generation SIEM can be part of the broader service of a SOC as a Service, which eliminates the expense of installation and staff training and puts the most advanced techniques for analysing, detecting and responding to security issues in the hands of the customer.
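To make the contrast with rule-based detection concrete, here is an added example (not part of the original article, and not any vendor's UEBA implementation) of behavioural profiling: each user gets a baseline learned from their own constructed session history (login hour, megabytes transferred), and a new session is scored by how many standard deviations it sits from that baseline, so the same activity can be normal for one user and anomalous for another.

```python
from statistics import mean, pstdev

# Constructed baseline of past sessions per user as (login hour, MB transferred).
# Hypothetical users and values, not real telemetry.
HISTORY = {
    "alice": [(9, 12), (10, 15), (9, 11), (11, 14), (10, 13), (9, 12), (10, 16)],
    "bob": [(22, 300), (23, 280), (21, 310), (22, 295), (23, 305), (22, 290), (21, 300)],
}

def build_profiles(history):
    """Behavioural profiling: mean and std-dev of each feature, per user, learned
    from that user's own history rather than from a fixed rule."""
    profiles = {}
    for user, sessions in history.items():
        hours, mbs = zip(*sessions)
        profiles[user] = {"hour": (mean(hours), pstdev(hours) or 1.0),
                          "mb": (mean(mbs), pstdev(mbs) or 1.0)}
    return profiles

def score_session(profiles, user, hour, mb, z_limit=3.0):
    """Return (risk_score, reasons): z-score distance of this session from the
    user's baseline; any feature beyond z_limit is listed as a reason."""
    reasons, score = [], 0.0
    for name, value in (("hour", hour), ("mb", mb)):
        mu, sigma = profiles[user][name]
        z = abs(value - mu) / sigma
        score += z
        if z > z_limit:
            reasons.append(f"{name} z={z:.1f}")
    return round(score, 1), reasons

def is_anomalous(profiles, user, hour, mb, z_limit=3.0):
    """True when at least one feature deviates beyond z_limit for this user."""
    return bool(score_session(profiles, user, hour, mb, z_limit)[1])
```

A 22:00 session moving 300 MB is routine for bob but flagged for alice, which no static threshold on hour or volume alone could express.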
In the wider European context of the General Data Protection Regulation (GDPR), SIEMs can help with compliance and with data protection by design. For example: verifying and auditing security controls, to show that user data was handled appropriately; providing visibility into log data, with structured access to log information that enables reporting to individual data owners; monitoring critical changes to credentials, security groups and so on, auditing the databases and servers that store PII, and automatically tracking the assets that hold sensitive data; and, lastly, supporting breach notification by detecting data breaches, alerting security staff, analysing the incident to uncover its full impact and quickly generating the detailed reports that GDPR requires.
Most services follow a quote-based pricing model and offer a free trial. SolarWinds and Splunk are the best solutions for SIEM. McAfee ESM is one of the popular SIEM products and has features such as priority alerts and dynamic data presentation. ArcSight ESM is good for source ingestion and is available as an appliance, as software, and on AWS and Microsoft Azure. IBM Security QRadar supports the Linux platform and focuses on critical incidents. LogRhythm is an AI-based technology and can process unstructured data. AlienVault has multiple security capabilities and provides automated asset discovery. RSA NetWitness provides comprehensive incident management. EventTracker is a platform with multiple capabilities and has features such as customisable dashboard tiles and automated workflows. Securonix is a next-generation SIEM platform based on Hadoop.