A firewall, an intrusion prevention system (IPS), and endpoint protection software are security weapons that almost all organizations have in their armory to defend themselves against cybercriminals. But when it comes to bringing out the big guns to help protect the network and the corporate data assets stored on it, an increasing number of organizations of all sizes are turning to Security Information and Event Management (SIEM) systems.
That’s because SIEM systems offer functionality that goes beyond more traditional security devices. According to Gartner, a SIEM system’s key roles are to:
- Collect security event logs and telemetry in real time for threat detection and compliance use cases.
- Analyze telemetry in real time and over time to detect attacks and other activities of interest.
- Investigate incidents to determine their potential severity and impact on a business.
- Report on these activities.
- Store relevant events and logs.
Automated Threat Responses
In the near to medium term, the extra functionality most likely to become commonly available is automated security response. Today, automated responses to detected threats are comparatively rare because of concerns about the disruption a false positive could cause in a production environment. For that reason, automated responses tend to be used only by organizations that want to adopt the very highest security posture. In future, however, automated responses are likely to become the norm when organizations face sophisticated attacks from cybercriminals using automated attack tools.
Artificial intelligence (AI) and machine learning capabilities are also likely to become increasingly important features of SIEM systems in the future, as they may enable automated responses far more quickly, appropriately, and with less risk of unexpected disruption.
SEM and SIM
Two important subsets of SIEM are security event management (SEM) and security information management (SIM). In general, SEM is concerned with real-time monitoring of logs and the correlation of events, while SIM involves data retention and the later analysis and reporting on log data and security records. This is often carried out as part of a forensic analysis to establish how a security breach occurred, which systems and data may have been compromised, and what changes need to be made to prevent a similar breach. Most modern SIEMs can be used to carry out both SEM and SIM.
SIEM for Medium-sized Companies
In the past, SIEM systems were only used by very large enterprises, but over the past few years they have become accessible to medium-sized organizations as well, according to Oliver Rochford, a cybersecurity expert and former research director at Gartner. He says one problem with SIEM systems is that in order to operate them, organizations need one or two people to oversee them 24/7. In most cases only large organizations have the security resources to do this themselves, but a solution for medium-sized companies is to use a managed service, or to oversee the SIEM system during office hours and rely on a managed service to provide “out of hours” cover.
Threat Detection as a Driver to Adoption
Another reason that the appeal of SIEMs has broadened is that previously the main driver for adoption was compliance — an issue which is more likely to affect larger companies. While compliance is still an important factor, a bigger driver now is threat management (and specifically threat detection and response). Many new deployments are undertaken by organizations with limited security resources but requirements to improve monitoring and breach detection, often at the insistence of larger customers or business partners, according to Gartner.
“Look at ransomware – that’s a threat that mid-sized companies are very interested in detecting,” says Rochford. “Ransomware is typically very compact and then it connects to a C&C (command and control) center. So you may be able to detect a phishing email that delivers it, or its communication, or indicators of a compromise like new processes starting. A SIEM will allow you to centralize and review this information and maybe detect the ransomware.”
By the end of last year, the SIEM market was worth some $3.58 billion, up from $3.55 billion in 2019 according to Gartner. This is very similar to the value of the global network security firewall market, which was worth some $3.48 billion in 2020, according to Allied Market Research.
What SIEM Brings to the Network Security Fight
So what exactly can a SIEM system do to help organizations gain the upper hand against cybercriminals? Here are some of the most important ways that a SIEM system can help:
- Ingestion and interpretation of logs from network hardware and software. A key differentiator of SIEM tools is the number and variety of log sources that they can connect to out of the box for data aggregation purposes. Although it is usually possible to build a connector to an individual device or application, this can be costly and time consuming and therefore impractical for more than a handful of log sources. Certain vendors, such as Splunk, are notable for the large number of applications that they can ingest data from.
- Ability to connect to regularly updated threat intelligence feeds. Many companies only make use of the feed(s) included with the SIEM product or service they buy, but commercial feeds from third parties and open source threat intelligence feeds are also available. These can be valuable because research shows that their contents do not overlap to a high degree, and the more information a SIEM has about security threats the more likely it is to detect them.
- Correlation and Analytics. This is the bread and butter of SIEM technology, and it involves tying together different occurrences reported in logs to spot the indications of a compromise — for example: a port scan followed by user access to certain types of data, or user entity behavior that can indicate an internal threat.
- Advanced Profiling. All SIEMs carry out correlation and analysis, but advanced profiling is less common (although it is becoming increasingly prevalent). It works by establishing baseline or “normal” behavior for a number of characteristics on a network. It then carries out behavioral analytics to spot deviations from the norm.
- Providing alerts. Perhaps the most important feature of a SIEM tool is the ability to use the features described above to alert security staff quickly about possible security incidents. Alerts can be displayed on a centralized dashboard (see below) or provided in a number of other ways including via automated emails or text messages.
- Data presentation. An important function of a SIEM is to make the interpretation of data from multiple sources easier by presenting it in the form of easily comprehensible graphics on a security dashboard display.
- Compliance. SIEM technology is commonly used to collate events and logs and to generate compliance reports to meet specific compliance requirements, eliminating tedious, costly and time-consuming manual processes. Some offer integration with the Unified Compliance Framework, enabling a “collect once, comply with many” approach to compliance reports.
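To make the correlation and advanced profiling items above concrete, here is an added example (not code from the article or from any SIEM vendor) of the two detection styles in their simplest form: a correlation rule that fires when a host seen port scanning accesses sensitive data within a short window, and a profiling check that flags a daily count far above its learned baseline. The log events, host addresses, file paths and daily counts are all constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample events, not taken from the article: (timestamp, source host, event type, detail).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "10.0.0.7", "port_scan",   "fw: 45 ports probed on 10.0.1.20"),
    ("2024-05-01T09:03:10", "10.0.0.7", "data_access", "fileserver: read /finance/q1-results.xlsx"),
    ("2024-05-01T10:15:00", "10.0.0.9", "data_access", "fileserver: read /hr/handbook.pdf"),
    ("2024-05-01T11:00:00", "10.0.0.9", "port_scan",   "fw: 30 ports probed on 10.0.1.21"),
    ("2024-05-02T09:00:00", "10.0.0.7", "port_scan",   "fw: 12 ports probed on 10.0.1.22"),
    ("2024-05-02T13:00:00", "10.0.0.7", "data_access", "fileserver: read /finance/budget.xlsx"),
]

def correlate_scan_then_access(events, window_minutes=10):
    """Correlation rule: alert when a host that was seen port scanning accesses
    sensitive data within `window_minutes`. Events are processed in timestamp
    order, so the same logic works on a live stream as well as a finished batch."""
    window = timedelta(minutes=window_minutes)
    last_scan = {}  # source host -> timestamp of its most recent port scan
    alerts = []
    for ts_str, src, kind, detail in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_str)
        if kind == "port_scan":
            last_scan[src] = ts
        elif kind == "data_access" and src in last_scan and ts - last_scan[src] <= window:
            alerts.append({"host": src, "scan_at": last_scan[src], "access_at": ts, "detail": detail})
            del last_scan[src]  # one alert per scan; do not re-fire on every later access
    return alerts

def profile_deviation(history, today, sigma=3.0):
    """Advanced profiling: `history` is a per-day count of one characteristic
    (constructed here: files read per day by a single user). Flag today's count
    if it sits more than `sigma` standard deviations above the learned baseline."""
    base_mean, base_std = mean(history), pstdev(history)
    threshold = base_mean + sigma * max(base_std, 1.0)  # floor stops a flat baseline alerting on +1
    return today > threshold, threshold

if __name__ == "__main__":
    for a in correlate_scan_then_access(SAMPLE_EVENTS):
        print(f"ALERT {a['host']}: scan at {a['scan_at']:%H:%M}, "
              f"data access at {a['access_at']:%H:%M} ({a['detail']})")
    # Constructed baseline: the user normally reads 10-14 files a day, then reads 120.
    flagged, threshold = profile_deviation([12, 11, 14, 10, 13, 12, 11], 120)
    print("profile deviation:", flagged, f"(threshold {threshold:.1f})")
```

Only the first day's scan-then-access pair on 10.0.0.7 fires: the 10.0.0.9 access precedes its scan, and the second-day access falls four hours after the scan, outside the ten-minute window.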