SIEMs make up a $2 billion industry. SIEM stands for Security Information and Event Management. A SIEM collects and analyzes security data gathered from the different systems within a network to find abnormal behavior and potential cyberattacks. Common technologies that feed data into a SIEM for analysis include firewalls, antivirus, applications and network infrastructure devices. SIEMs provide their analysis in two main ways:
They create reports on incidents and events that can be used to determine what is occurring on your network.
They can be set up to send alerts when a certain set of events takes place, using predetermined rules. For example, you can set up a rule that sends an alert if an admin account has more than 5 failed logins in a row, because that may indicate an attempted unauthorized login.
How does a SIEM work?
1) It Collects Data from different Sources: First, you must configure your SIEM to get data from all of the data sources of interest to you. This includes network devices, endpoints, domain controllers and any other device that you want to monitor and analyze.
2) Aggregate The Data: Once all of the devices you care about are connected to the SIEM, it must aggregate and normalize the data coming from all of those different sources so that it can be analyzed. Aggregation is the process of moving data from different sources into a common repository; think of it as collecting data from all devices in one place. Normalization means taking different events from several different places and putting them into common categories so that they can be analyzed together. One common example: if you have devices in different time zones, the SIEM converts all of their timestamps to one time zone so that a consistent timeline can be created. Lastly, the SIEM can perform what is called data enrichment, adding supplemental information such as geo-location, transaction numbers or application data that allows for better analysis and reporting.
3) Create Policies and Rules: SIEMs allow you to define profiles, which specify how a system should behave under normal conditions. Some SIEMs use machine learning to automatically detect anomalies based on this normal behaviour, but you can also manually create rules and thresholds that determine which anomalies are considered a security incident. When the SIEM analyzes incoming data, it compares it to your normal profile and the rules you created to determine whether something is wrong with your systems and requires investigation.
4) Analyze The Data: Here the SIEM looks across the different data sources to determine what has happened, identify trends and discover threats in the data. If you create a rule with a certain threshold, such as 5 failed login attempts, the SIEM raises an alert when that threshold is crossed.
5) Assist in the investigation: Once an investigation has been started, security professionals can query the data stored in the SIEM to pinpoint specific events of interest. This lets investigators trace events back to the root cause of an incident and provides evidence to support their conclusions.
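To make the five steps concrete, here is a toy pipeline written for this article as an added example; it is not code from the original post or from any SIEM product. It takes constructed sample records from two hypothetical sources (a firewall "fw01" logging in UTC-5 and a domain controller "dc01" logging in UTC+1; the Windows logon event IDs 4624 and 4625 are real, the records themselves are made up), normalizes them to one schema on a UTC timeline, enriches each event with a geo-location from a constructed lookup table, applies the "more than 5 failed admin logins in a row" rule from above, and then lets an investigator pivot from the alert to every related event across both sources.

```python
"""Toy SIEM pipeline: collect -> aggregate/normalize/enrich -> rule -> alert -> query."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Any

# 1) Collected data. Both sources are constructed samples for this example.
# fw01: a hypothetical firewall writing key=value syslog, stamped in local time UTC-5.
FIREWALL_SYSLOG = [
    "2024-03-01T04:00:01-05:00 fw01 action=deny src=198.51.100.7 dst=10.0.0.5 dport=3389",
    "2024-03-01T04:00:02-05:00 fw01 action=allow src=198.51.100.7 dst=10.0.0.5 dport=445",
    "2024-03-01T04:00:20-05:00 fw01 action=allow src=192.0.2.44 dst=10.0.0.9 dport=443",
]
# dc01: a hypothetical domain controller exporting logon events (Windows IDs 4624 = success,
# 4625 = failure) as dicts stamped in local time UTC+1 with no offset in the string.
DC_TZ = timezone(timedelta(hours=1))
DC_EVENTS = [
    {"TimeCreated": f"2024-03-01 10:00:{5 * i:02d}", "EventID": 4625,
     "TargetUserName": "admin", "IpAddress": "198.51.100.7"} for i in range(1, 7)
] + [
    {"TimeCreated": "2024-03-01 10:00:40", "EventID": 4624, "TargetUserName": "admin", "IpAddress": "198.51.100.7"},
    {"TimeCreated": "2024-03-01 10:01:00", "EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "192.0.2.44"},
]

# 2) Normalize every record into one schema with UTC timestamps.
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
WIN_LOGON = {4624: "auth.success", 4625: "auth.failure"}
GEO_TABLE = {"198.51.100.0/24": "Country-A", "192.0.2.0/24": "Country-B"}  # constructed lookup


def normalize_firewall(line: str) -> dict[str, Any]:
    m = FW_RE.match(line)
    if m is None:
        raise ValueError(f"unparsable firewall line: {line!r}")
    return {
        "ts": datetime.fromisoformat(m["ts"]).astimezone(timezone.utc),
        "source": m["host"], "category": "network." + m["action"], "user": None,
        "src_ip": m["src"], "dst_ip": m["dst"], "dport": int(m["dport"]),
    }


def normalize_dc(rec: dict[str, Any]) -> dict[str, Any]:
    local = datetime.strptime(rec["TimeCreated"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=DC_TZ)
    return {
        "ts": local.astimezone(timezone.utc), "source": "dc01",
        "category": WIN_LOGON.get(rec["EventID"], "other"), "user": rec["TargetUserName"],
        "src_ip": rec["IpAddress"], "dst_ip": None, "dport": None,
    }


def enrich(ev: dict[str, Any]) -> dict[str, Any]:
    """Data enrichment: attach a geo-location looked up from the source address."""
    ip = ipaddress.ip_address(ev["src_ip"])
    ev["geo"] = next((c for cidr, c in GEO_TABLE.items() if ip in ipaddress.ip_network(cidr)), "unknown")
    return ev


def aggregate() -> list[dict[str, Any]]:
    """Aggregation: all sources into one repository, ordered on a single UTC timeline."""
    events = [normalize_firewall(l) for l in FIREWALL_SYSLOG] + [normalize_dc(r) for r in DC_EVENTS]
    return sorted((enrich(e) for e in events), key=lambda e: e["ts"])


# 3)+4) A rule with a threshold, applied to the normalized stream.
def consecutive_failure_rule(events, watched_users=("admin",), threshold=5) -> list[dict[str, Any]]:
    """Alert when a watched account logs more than `threshold` failed logins in a row."""
    streak: Counter[str] = Counter()
    alerts = []
    for ev in events:
        if ev["user"] not in watched_users or not ev["category"].startswith("auth."):
            continue
        if ev["category"] == "auth.success":
            streak[ev["user"]] = 0          # a successful logon ends the run
            continue
        streak[ev["user"]] += 1
        if streak[ev["user"]] == threshold + 1:   # fire once, on the first event past the threshold
            alerts.append({"ts": ev["ts"], "user": ev["user"], "src_ip": ev["src_ip"],
                           "geo": ev["geo"], "rule": f"more than {threshold} consecutive failed logins"})
    return alerts


# 5) Investigation: pivot from an alert to every related event across all sources.
def query(events, **filters) -> list[dict[str, Any]]:
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]


if __name__ == "__main__":
    timeline = aggregate()
    for a in consecutive_failure_rule(timeline):
        print("ALERT", a["ts"].isoformat(), a["user"], a["src_ip"], a["geo"], a["rule"])
        for e in query(timeline, src_ip=a["src_ip"]):
            print("  ", e["ts"].isoformat(), e["source"], e["category"], e.get("dport") or "")
```

Two design points worth noticing: the rule fires exactly once per run of failures rather than on every event past the threshold, which keeps one brute-force attempt from flooding the alert queue, and the time-zone conversion is what makes the query step useful, since the firewall's deny on port 3389 and the domain controller's failed logons only line up once both are on the same UTC timeline.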
Benefits of a SIEM
Threat Detection: A SIEM allows for real-time detection of threats, even zero-day threats. A zero-day threat is one that has not been seen before. Many antivirus or anti-malware solutions work by holding a signature that corresponds to a specific attack; if they scan a file and see that signature, they know it is malicious and can block it. Zero-day threats have no known signature, so many traditional solutions will not catch them. A SIEM can still detect these attacks because it looks for suspicious behaviour rather than signatures. It can also help in detecting Advanced Persistent Threats (APTs), attacks in which an adversary gains access to a system and remains undetected on the network for an extended period of time.
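The "behaviour, not signatures" point above, together with the normal-behaviour profiles from step 3, is what the following added example illustrates; it is not code from the original post and does not model any particular SIEM's machine learning. It builds a per-account profile from a constructed baseline week (hour of first login and megabytes sent outbound per day; the account names and numbers are made up) and then scores new observations against that profile. Nothing in it knows what the attack looks like: an account logging in at an hour it never used, or sending far more data than its own history, is flagged purely because it deviates from its profile.

```python
"""Profile-based anomaly detection: learn what is normal per account, flag what deviates."""
from __future__ import annotations

from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: one row per account per day during a "normal" week,
# as (account, hour_of_first_login, megabytes_sent_outbound). Values are made up.
BASELINE = [
    ("alice", 9, 48), ("alice", 9, 52), ("alice", 10, 45), ("alice", 8, 55), ("alice", 9, 50),
    ("svc_backup", 2, 500), ("svc_backup", 2, 510), ("svc_backup", 2, 495),
    ("svc_backup", 2, 505), ("svc_backup", 2, 490),
]


def build_profiles(baseline, k: float = 3.0) -> dict[str, dict]:
    """Per account: the set of login hours ever seen and an outbound-volume ceiling of mean + k*stdev."""
    by_user: dict[str, list[tuple[int, float]]] = defaultdict(list)
    for user, hour, mb in baseline:
        by_user[user].append((hour, mb))
    profiles = {}
    for user, rows in by_user.items():
        volumes = [mb for _, mb in rows]
        profiles[user] = {
            "hours": {hour for hour, _ in rows},
            "volume_max": mean(volumes) + k * pstdev(volumes),
        }
    return profiles


def score(profiles: dict[str, dict], user: str, hour: int, mb: float) -> list[str]:
    """Return the reasons an observation deviates from the account's profile (empty list = normal)."""
    profile = profiles.get(user)
    if profile is None:
        return ["no profile for account"]   # unknown accounts are worth a look on their own
    reasons = []
    if hour not in profile["hours"]:
        reasons.append(f"login at hour {hour:02d} never seen in baseline")
    if mb > profile["volume_max"]:
        reasons.append(f"outbound {mb} MB exceeds profile ceiling {profile['volume_max']:.0f} MB")
    return reasons


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    # Constructed observations for the next day: a normal backup run, a normal workday,
    # and an after-hours bulk transfer from alice's account.
    for obs in [("svc_backup", 2, 515), ("alice", 9, 50), ("alice", 3, 2000), ("mallory", 12, 10)]:
        reasons = score(profiles, *obs)
        print(obs, "ANOMALY: " + "; ".join(reasons) if reasons else "normal")
```

The ceiling of mean plus three standard deviations is a deliberately simple stand-in for the statistical or machine-learning models a product would use; what matters for the argument in the article is that the same after-hours bulk transfer would be flagged whether the tooling behind it was a known malware family or something never seen before.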
Compliance Reporting and Auditing: SIEMs can aggregate log data from across a company and present it in an audit-ready format. Many SIEMs now automatically provide monitoring and reporting to meet standards like HIPAA, PCI/DSS, SOX, FERPA and HITECH. This information demonstrates to auditors and regulators that the proper safeguards are in place and can confirm that any security incidents have been detected and contained.
Forensics and Incident Response: SIEMs can store huge amounts of log files and event data from devices all across the network, and can quickly analyze and correlate that data. This means forensic analysts can readily produce accurate, court-admissible evidence. Since many forensic investigations have the potential to go to court this is invaluable, and it also lets you draw accurate conclusions about what happened during a security incident.
Conclusion
SIEMs are a great way to organize and analyze the data within your network to quickly detect threats. Additionally, they give you an accurate record of events that you can search during investigations, use to gather evidence for court, or use to prove compliance with standards like HIPAA, PCI/DSS, SOX and GDPR. For years they have been one of the best ways to turn raw data into actionable security information, and that is not likely to change in the near future.