Components, best practices, and next-gen capabilities
Security Information and Event Management (SIEM) solutions use rules and statistical correlations to turn log entries and events from security systems into actionable information. This information can help security teams detect threats in real time, manage incident response, perform forensic investigation of past security incidents, and prepare audits for compliance purposes.
The term SIEM was coined by Mark Nicolett and Amrit Williams of Gartner in 2005. A SIEM combines two types of security systems:
Security Information Management (SIM) – long-term storage, analysis, and reporting of log data from organizational systems, as well as threat intelligence data.
Security Event Management (SEM) – aggregation, correlation and notification for events from other security systems such as antivirus, firewalls and Intrusion Detection Systems (IDS), as well as security events reported directly by authentication systems, SNMP traps, servers, databases etc.
SIEM platforms can aggregate both historical log data and real-time events, and establish relationships that can help security staff identify anomalies, vulnerabilities and incidents.
The main focus is on security-related incidents and events, such as succeeded or failed logins, malware activities or escalation of privileges.
These insights can be sent as notifications or alerts, or discovered by security analysts using the SIEM platform’s visualization and dashboarding tools.
SIEM is a mature technology, and the next generation of SIEMs provide new capabilities:
User Event Behavioral Analysis (UEBA) – advanced SIEMs go beyond rules and correlations, leveraging AI and deep learning techniques to look at patterns of human behavior. This can help detect insider threats, targeted attacks, and fraud.
Security Orchestration and Automation (SOAR) – next-gen SIEMs integrate with enterprise systems and automate incident response. For example, the SIEM might lock down a server when a brute force attack on its admin password is detected.
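The rule-and-correlation idea from the opening paragraphs, and the SOAR response described just above, as an added example that is not code from the article or from any SIEM vendor. It normalizes a few constructed syslog-style authentication lines, runs two stateful correlation rules (a burst of failed logins followed by a success from the same source, then a privilege escalation on the same host within a short window), and maps the resulting alerts to a playbook decision. The log format, field names, thresholds and action names are all assumptions made for illustration; the playbook only returns the decision and does not execute anything.

```python
"""Minimal SIEM-style correlation engine over constructed auth log lines.

Added example: not the article's or any vendor's code. Log format, field
names, thresholds and response actions are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): one source hammers the admin
# account, succeeds, then escalates privileges; another user logs in normally.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 host=web01 event=login result=failure user=admin src=203.0.113.7",
    "2024-05-01T10:00:03 host=web01 event=login result=failure user=admin src=203.0.113.7",
    "2024-05-01T10:00:05 host=web01 event=login result=failure user=admin src=203.0.113.7",
    "2024-05-01T10:00:07 host=web01 event=login result=failure user=admin src=203.0.113.7",
    "2024-05-01T10:00:09 host=web01 event=login result=failure user=admin src=203.0.113.7",
    "2024-05-01T10:00:12 host=web01 event=login result=success user=admin src=203.0.113.7",
    "2024-05-01T10:01:30 host=db01 event=login result=success user=alice src=198.51.100.4",
    "2024-05-01T10:02:40 host=web01 event=privesc result=success user=admin src=203.0.113.7",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_event(line):
    """Normalize one raw line into a dict; return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


class CorrelationEngine:
    """Two stateful rules: brute-force-then-success, and privilege escalation
    on a (host, user) pair that already raised a brute-force alert."""

    def __init__(self, threshold=5, window=timedelta(minutes=2),
                 escalation_window=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.escalation_window = escalation_window
        self.failures = defaultdict(deque)  # (host, user, src) -> failure timestamps
        self.compromised = {}               # (host, user) -> time of brute-force alert

    def process(self, ev):
        """Feed one normalized event; return the list of alerts it triggered."""
        alerts = []
        key = (ev["host"], ev["user"], ev["src"])
        if ev["event"] == "login":
            q = self.failures[key]
            while q and ev["ts"] - q[0] > self.window:  # expire old failures
                q.popleft()
            if ev["result"] == "failure":
                q.append(ev["ts"])
            elif len(q) >= self.threshold:
                # success after N recent failures from the same source
                alerts.append({"rule": "brute_force_success", "severity": "high",
                               "host": ev["host"], "user": ev["user"],
                               "src": ev["src"], "ts": ev["ts"]})
                self.compromised[(ev["host"], ev["user"])] = ev["ts"]
                q.clear()
        elif ev["event"] == "privesc" and ev["result"] == "success":
            t0 = self.compromised.get((ev["host"], ev["user"]))
            if t0 is not None and ev["ts"] - t0 <= self.escalation_window:
                alerts.append({"rule": "privesc_after_brute_force", "severity": "critical",
                               "host": ev["host"], "user": ev["user"],
                               "src": ev["src"], "ts": ev["ts"]})
        return alerts


def respond(alert):
    """SOAR-style playbook: map severity to a response decision. Only the
    decision is returned; execution belongs to an orchestration connector."""
    playbook = {"high": "notify_soc", "critical": "isolate_host"}
    return {"action": playbook.get(alert["severity"], "log_only"),
            "host": alert["host"], "rule": alert["rule"]}


def run(lines):
    """Parse, correlate and decide for a batch of raw lines."""
    engine, alerts = CorrelationEngine(), []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            alerts.extend(engine.process(ev))
    return alerts, [respond(a) for a in alerts]


if __name__ == "__main__":
    for alert, decision in zip(*run(SAMPLE_LOGS)):
        print(alert["rule"], alert["severity"], "->", decision["action"])
```

The sliding window is keyed on host, user and source so that five failures spread across unrelated sources do not trip the rule; a real deployment would tune the threshold per asset class and add a distributed (many-source) variant.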
In the past, SIEMs required meticulous management at every stage of the data pipeline – data ingestion, policies, reviewing alerts and analyzing anomalies. Increasingly, SIEMs are getting smarter at pulling data together from ever more organizational sources, and at using AI techniques to understand what type of behavior constitutes a security incident.
The Infosec Institute suggests 10 best practices for successful implementation of a SIEM platform.
Define requirements for monitoring, reporting and auditing, consulting all relevant stakeholders before deploying a SIEM.
Determine the scope of the SIEM – which parts of the infrastructure it will cover, necessary credentials, and log verbosity.
Define audit data accessibility, retention, how to achieve data integrity, evidentiary rules, and disposal for historical or private data.
Access monitoring – transgression and anomalous access to key resources
Perimeter defenses – status of perimeter defenses, possible attacks and risky configuration changes
Resource integrity – critical network resources – status, backups, change management, threats and vulnerabilities
Intrusion detection – incidents reported by intrusion detection, or correlated/inferred using SIEM data
Malware defense – violations, threats, or activity regarding malware controls
Application defenses – status, configuration changes, violations and anomalies for web servers, databases and other web app resources
Acceptable use – status, issues and violations regarding acceptable, mandated or metered use of system resources
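The "access monitoring" use case above (anomalous access to key resources) and the behavioral analysis described under UEBA, as an added example that is not code from the article or from any vendor. It builds a per-user baseline from a constructed login history (which hosts each user touches and at which hours) and scores a new access against it. This is plain statistical baselining rather than the deep-learning approach the article refers to, and the history, field names, tolerance and weights are assumptions made for illustration; the hour comparison wraps around midnight so a night-shift user is not flagged for working at night.

```python
"""Per-user access baseline for anomalous-access detection.

Added example: not the article's or any vendor's code. History records,
scoring weights and thresholds are assumptions for illustration.
"""
from collections import defaultdict

# Constructed history (not real data): (user, host, hour_of_day) of successful logins.
HISTORY = (
    [("alice", "db01", h) for h in (9, 10, 10, 11, 14, 15, 16, 17, 9, 12)]
    + [("alice", "web01", h) for h in (10, 11, 13, 16)]
    + [("bob", "web01", h) for h in (22, 23, 0, 1, 23, 22, 1, 2)]  # night-shift operator
)


def build_baselines(history):
    """Return {user: {"hosts": set, "hours": list}} from historical logins."""
    hosts, hours = defaultdict(set), defaultdict(list)
    for user, host, hour in history:
        hosts[user].add(host)
        hours[user].append(hour)
    return {u: {"hosts": hosts[u], "hours": hours[u]} for u in hosts}


def hour_distance(a, b):
    """Circular distance between two hours of day (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(baselines, user, host, hour, hour_tolerance=1, rare_fraction=0.05):
    """Score one access event against the user's baseline.

    Returns (score, reasons). 0 means consistent with past behavior; a
    previously unseen host adds 2, a rarely used hour adds 1, and a user
    with no history at all gets 3 so the event is routed for review.
    """
    b = baselines.get(user)
    if b is None:
        return 3, ["no baseline for user"]
    score, reasons = 0, []
    if host not in b["hosts"]:
        score += 2
        reasons.append(f"first access to {host}")
    near = sum(1 for h in b["hours"] if hour_distance(h, hour) <= hour_tolerance)
    if near / len(b["hours"]) < rare_fraction:
        score += 1
        reasons.append(f"login at hour {hour:02d} is outside usual hours")
    return score, reasons


def triage(score):
    """Map a score to the analyst queue it should land in."""
    return "alert" if score >= 3 else "review" if score > 0 else "normal"


if __name__ == "__main__":
    base = build_baselines(HISTORY)
    for user, host, hour in [("alice", "db01", 10), ("alice", "fileserver", 3),
                             ("bob", "web01", 23), ("mallory", "db01", 10)]:
        s, why = score_event(base, user, host, hour)
        print(user, host, f"{hour:02d}:00", triage(s), why)
```

Because the baseline is a per-user set of hosts plus an hour histogram, the same code generalizes to any (subject, resource, time) access record, for example database queries or file-share reads, without changing the scoring.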
Historically, organizations maintained separate Security Information Management (SIM) and Security Event Management (SEM) systems, built on top of Log Management Systems (LMS).
Today, an integrated SIEM manages and correlates historical log data, real-time events and threat intelligence in one place – giving security teams a holistic view of enterprise security data.
Early SIEMs had limited ability to proactively warn about and react to complex security events. New SIEMs perform AI-based behavioral profiling, and can automatically interact with IT and security systems to mitigate incidents.
Next-generation SIEM platforms such as the Exabeam Security Intelligence Platform (SIP) combine end-to-end data collection, analysis and response. Built on scalable, modern big data infrastructure, they use machine learning and data science techniques to perform behavioral modeling and advanced analytics, for comprehensive insider and entity threat detection.