Security Information and Event Management (SIEM) software is the security management tool that helps security teams to collect, log, store, and understand data to identify potential security threats. A SIEM allows security analysts to view data about an organization’s security from a single point of view, to help more easily identify threats.
They are also used for security compliance efforts. SIEMs may generate reports as evidence of a company’s adherence to compliance requirements. SIEMs are frequently described as a tool to help security analysts find the needle in the haystack and have been adopted by most enterprises.
SIEMs are a combination of two key technologies: Security Information Management and Security Event Management.
Security Information Management
Security Information Management is concerned with the management of data. This includes the efficient organization of data via centralized log collection, storage, searching, and reporting. Within a SIEM, data collection is critical.
The proper data is compiled for use in analysis, detection, or threats. Legacy SIEMs are powerful tools for data logging. However, volume pricing models can be prohibitive, and prevent many organizations from collecting the information they would like to due to budget constraints.
Security Event Management
Security Event Management is responsible for threat detection and incident management through real-time analysis and correlation rules for incident detection. It also provides helpful features like case management, which supports ticketing services. Detection and response are important parts of a SIEM, but in many ways are lacking.
Threats need to be appropriately detected. The method of detection varies based upon the SIEM, however, most legacy SIEMs rely on static correlation for detection. Static detection is unable to detect more complex or unknown attacks, which makes it an incomplete defense when dealing with the threats of today.
After a threat is detected, it must be acknowledged and a response must be issued. Responses vary drastically depending upon the threat, however, responses typically involve several phases, such as investigation, containment, mitigation, or remediation. Unfortunately, most legacy SIEMs only offer case management. While case management is useful, a security team will typically need more to help them stay on top of their extensive workload.
SIEMs are accessible through several different potential architectures, including software installed on an onsite server, onsite hardware appliance, onsite virtual appliance, or cloud-based service.
Also See: Exabeam Product: SIEM