What's Security Information and Event Management Technology? - SIEM Part 1

What's Security Information and Event Management Technology?

As far back as memory takes us, there has always been the need to safeguard the information within and outside of an enterprise from growing cybersecurity threats. Security Information and Event Management (SIEM) software is one of the top innovations in security technology. It involves the process of collecting, analyzing, and acting on security-related events, alerts, and reports. It doesn't just focus on a single issue. Rather, it aggregates activity from all resources within an organization to detect any malicious activity within the IT infrastructure. 

Although the concept of SIEM is relatively new, it was developed on two already existing technologies - Security Event Management (SEM) and Security Information Management (SIM). SEM is a software solution that analyzes log and event data in real-time to provide event correlation, threat monitoring, and incident response. On the other hand, SIM collects, analyzes, and reports on log data.

The extended scope of this technology can be quite complex to handle and requires the skills of specialized IT technicians. Nonetheless, it is important for every stakeholder in a business or organization to understand the basics of how SIEM affects the enterprise. Hence, we will give a breakdown of how SIEM works.


How SIEM Functions

Security Information and Event Management works primarily in a five-step process.

  • Collect data
  • Aggregate data
  • Analyze data
  • Detect security breaches
  • Alert about the detected breach

Data is at the base of how the technology functions, so SIEM starts off collecting data from servers, network devices, domain controllers, firewall logs, antivirus events, etc. It gathers immense amounts of data throughout an organization's system and networks.

The next step involves aggregating the data that has been collected. It stores and consolidates the data, so it is easily accessible to personnel.

Then comes analysis. SIEM analyses network behavior as well as user behavior. It monitors all activity on a centralized platform, from failed and successful logins to malware activity and other categories of sorted data.

The software picks up unusual activity during the analytics process. For instance, 100 failed login attempts in less than 5 minutes is an eyebrow-raiser and will most likely be flagged as an attempted attack.

Finally, such detected anomalies will trigger security alerts since they signal potential security issues. This alert capability allows IT personnel to be more proactive in fighting external threats early on or even preventing them in the first place.
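The failed-login rule described above, traced through the five steps as an added example (not code from the original article or from any SIEM product). The sshd-style log layout, the function names, and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, host, then an sshd-style auth message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def normalize(line):
    """Collect: parse one raw line into a common event dict (None if unparseable)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"time": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "user": m["user"], "src": m["src"],
            "outcome": "failure" if m["result"] == "Failed" else "success"}

def detect_bruteforce(lines, threshold=100, window=timedelta(minutes=5)):
    """Aggregate failures per source, analyze a sliding window, return alerts."""
    recent = defaultdict(deque)  # src -> failure timestamps still inside the window
    alerts = []
    events = sorted(filter(None, map(normalize, lines)), key=lambda e: e["time"])
    for ev in events:
        if ev["outcome"] != "failure":
            continue
        q = recent[ev["src"]]
        q.append(ev["time"])
        while ev["time"] - q[0] >= window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:             # detect, then alert once per burst
            alerts.append({"rule": "failed-login-burst", "src": ev["src"],
                           "count": len(q), "first": q[0], "last": ev["time"]})
            q.clear()
    return alerts

def sample_logs():
    """Constructed sample: 120 failures in 4 minutes from one address, plus noise."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    def line(ts, result, user, src):
        return f"{ts.isoformat()} web01 sshd[4321]: {result} password for {user} from {src} port 50000 ssh2"
    burst = [line(t0 + timedelta(seconds=2 * i), "Failed", "invalid user admin", "203.0.113.7")
             for i in range(120)]
    slow = [line(t0 + timedelta(minutes=10 * i), "Failed", "alice", "198.51.100.20")
            for i in range(6)]
    ok = [line(t0, "Accepted", "bob", "198.51.100.21")]
    return burst + slow + ok + ["unparseable line"]
```

Calling `detect_bruteforce(sample_logs())` returns a single alert for the burst source; the slow, spread-out failures from the second address never fill the window and stay below the threshold.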


SIEM Tools

The need to provide a holistic view of an organization's information security has driven this technology's adoption. With the SIEM tools available on the market, not only are businesses able to get a comprehensive security solution, but they are also able to meet the compliance requirements of regulatory standards like HIPAA, PCI DSS, and SOC, among others.

The top SIEM tools feature advanced analytics and intelligence capabilities to detect malicious activity more accurately. The dominant solutions in the industry include ArcSight ESM, IBM QRadar, and Splunk.


ArcSight ESM

This Security Information and Event Management tool uses an open architecture to collect and analyze data from an organization's security technologies, operating systems, and applications. A salient point of this tool is that it is capable of gathering data from a wider range of resources than most other similar products.

The system detects and alerts personnel about perceived threats, and for more accurate reports, it is designed to integrate third-party threat intelligence feeds.

What's more, the software can launch an automatic reaction to combat malicious activity upon detection. IT specialists will find ArcSight very useful as its structured data can be utilized outside of the host platform as well.

IBM QRadar

The smart features embedded in this IBM product are capable of picking up the dynamic nature of ever-changing threats. QRadar can collect log events and data from network devices, applications, operating systems, and user activities within a business information system. Its capabilities do not stop there, but extend to network flow data from cloud-based applications, making it a solid solution for integrating extensive logs across critical systems.

Designed with the latest security assessment technology, this SIEM also supports threat intelligence feeds from third-party apps and analyses data in real-time to promptly stop attacks.

However, it can be complicated to effectively set up this SIEM tool since its complex capabilities come with an equally complex architecture.


Splunk

Available as a cloud service or an in-house security operations center, Splunk is a popular security solution designed as enterprise-level software. This means it isn't exactly the go-to for SMBs. The scale of capabilities makes it one of the pricier solutions, but it benefits large organizations because it supports as many third-party integrations as are required.

Splunk SIEM provides real-time threat monitoring and rapid investigations. An impressive feature is the visual representations in the form of graphs and charts. 

As one of the oldest SIEM tools, it has proven reliability for detecting the diversity of advanced security threats. And like other modern SIEM solutions, it also supports threat intelligence feeds.


Differences Between SIEM and Other Security Technologies

While other security tools provide only one security service, SIEM's capabilities consolidate different security technologies together. The major SIEM features span threat detection, investigation, and time to respond. Several additional features exist, including:

  • Basic security monitoring
  • Log collection
  • Normalization
  • Log data storage and tracking
  • Security incident detection
  • Advanced threat detection
  • Forensics and incident response
  • Notification and alerts
  • Threat response workflow
  • Dashboards and visualizations of data patterns


Difference Between a SIEM and A Log Management Tool

The capabilities of a log management tool are:

  • Log data collection from all operating systems and applications within a network
  • Efficient retention of high volumes of data for extended time lengths
  • Filtering and sorting of event logs as well as a search function for easy location of the required information
  • Reporting on the operational, compliance, or security status of an organization's IT infrastructure.

Log management software (LMS) simply collects logs and events for storage, which is only one aspect of SIEM functionality. While LMS tools were designed to assist systems analysts in reviewing log files for reasons not specific to security, SIEM tools cater to cybersecurity applications.

Also, SIEM software is fully automated while a log management system is not.


Difference Between a SIEM and A Security Information Management (SIM) Product

SIM and SIEM are two concepts that are often used interchangeably in the area of security management by those who are unfamiliar with these products. Although they possess similarities, there are significant differences between their capabilities. SIM software specializes in the following:

  • Collection and storage of log files in a central repository
  • Normalizing and cleaning up logs to reduce network bandwidth congestion
  • Flexible analysis and reporting of log data
  • Reporting for compliance with security regulatory standards like HIPAA, PCI, VISA CISP, etc.

As it focuses on the collection and storage of logs, it bears a striking resemblance to log management. In fact, SIM can be defined as a log management tool built for the purpose of security. Once again, this tool is only a part of SIEM technology.

Another major difference is that SIM's event and data correlation is based on historical analysis, while SIEM processes are carried out in real-time. Hence, preventing an imminent threat would only be possible with SIEM.


Difference Between a SIEM and A Host-Based Security Tool

Host-based security tools are used for detecting security threats against an application or system. They usually focus on the traffic on the server or network interface card (NIC). Their basic capabilities are:

  • Compiling and analyzing traffic data
  • Signature-based monitoring to detect known cyber attack signatures
  • Anomaly-based monitoring to detect unusual network and user behavior

A host-based intrusion detection system (HIDS) is one of the most prominent security technologies for detecting malicious activity. Its architecture allows it only to detect and report vulnerability exploits. On the other hand, a SIEM will go further to take preventive action against the cyberattack. While a SIEM is an active security tool, a HIDS is passive.

SIEM is also more of a network-based application since it focuses on incoming and outgoing traffic through network devices, firewalls, routers, etc.


Difference Between a SIEM and An Asset Management Tool

Asset Management is a system that enables companies to track all IT assets like servers, routers, firewalls, printers, computers, and other connected devices in real-time.

Here's an overview of what an asset management tool does:

  • It stores details and documents for each asset.
  • It allows analysts to detect all systems connected to the network easily.
  • It helps prioritize system issues to be tackled.
  • It provides a long-term perspective of asset costs.

For large organizations, monitoring thousands of assets on a spreadsheet would be a hassle for employees. With asset management software, the work is made a hundred times easier. However, the scope of this tool is often limited to operational performance rather than detecting security threats within an organization. It only indirectly influences security since a list of all IT assets provides a basis for vulnerability checks.


Difference Between a SIEM and Application Monitoring and Control (AMC) Software

Application Monitoring and Control software monitors and controls the activity of applications in a network.

The practice of application control restricts unauthorized applications from executing in ways that put data at risk. Hence, it ensures the privacy and security of data transmitted between systems. 

The capabilities of AMC software include:

  • Ensuring complete records processing from start to finish
  • Ensuring that only valid data is input and processed
  • Providing an authentication mechanism for application systems
  • Allowing authorized access only to approved business users
  • Ensuring the integrity of data feeds entering the application system

Judging by the scope of coverage, AMC products are useful in reducing the risks of malware and unauthorized third-party intrusion since they eliminate unknown and unwanted applications in the network. 

However, SIEM offers a more comprehensive security solution. It pulls together data from disparate security tools and includes data from network security devices and security applications. It also possesses the intelligence to counter attacks automatically. SIEM often utilizes data from AMC products.


Difference Between a SIEM and An Audit Management Tool

The applications of SIEM and those of Audit Management software are mutually exclusive. The latter helps companies streamline their audit processes and comply with internal policies and regulatory standards.

  • It automates audit-related tasks for accurate and complete documentation of data.
  • It schedules audits across different departments simultaneously.
  • It implements, analyses, and reports audit results.
  • It allows real-time amendments, even while a program is running.
  • It facilitates storage of audit results for easy access and comparison.

Audit management is often used for quality management, and its primary applications are in the health care, pharmaceutical, and food and beverage industries. 

The software can also be used to gather, store and provide data on security events, in which case it could serve as a resource for SIEM processes.

Continued in the next part


Learning Objectives

1. How SIEM Functions

2. SIEM Tools

  • ArcSight ESM
  • IBM QRadar
  • Splunk

3. Differences Between SIEM and Other Security Technologies

  • Difference Between a SIEM and A Log Management Tool
  • Difference Between a SIEM and A Security Information Management (SIM) Product
  • Difference Between a SIEM and A Host-Based Security Tool
  • Difference Between a SIEM and An Asset Management Tool
  • Difference Between a SIEM and Application Monitoring and Control (AMC) Software
  • Difference Between a SIEM and An Audit Management Tool