What is SIEM?

SIEM (Security Information and Event Management) is a solution for cyber security monitoring, detection, and investigation. A SIEM collects, manages, and analyzes event logs generated by networks and systems, contributing to early detection of security incidents and prompt response.

SIEM Overview

SIEM Functions

  • Log collection: Collects alert and log data from various devices and applications.
  • Security event correlation: Detects anomalous patterns and signs of attacks by correlating multiple events and logs.
  • Alerts and notifications: Detects and alerts on anomalous activity and security incidents based on pre-defined rules.
  • Report generation: Provides information and procedures for rapid response to security incidents, and generates workflows and reports for incident management.

SIEM Use Cases in SOC

SIEM is primarily used in a Security Operations Center (SOC), the team that monitors security within an organization and tracks cyber attacks and incidents as they occur. SIEM is an important tool for security professionals, supporting efficient security operations in the following ways.

Alert notification through integrated log management: A SIEM manages logs from many sources in an integrated manner, detects signs of abnormal activity or attacks, and alerts security personnel. For example, beyond detecting malware and other unauthorized behavior, a SIEM will alert when suspicious events are detected, such as repeated login attempts against servers where critical information is stored, or use of cloud services not authorized by the company.
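As an added example (not code from the original page or from any SIEM product), the following Python sketch shows how the two cases in this paragraph become correlation rules over normalized log events: a sliding-window count of failed logins from one source against a critical server, escalated when a success follows the burst, and a proxy-log check against a list of approved cloud services. The log format, host names, addresses, thresholds and the approved-domain list are assumptions, and the log lines are constructed.

```python
"""SIEM-style correlation over a handful of constructed log lines.

This is an added example, not code from the original page or from any SIEM
product. The log format, host names, IP addresses, thresholds and the list
of approved cloud services are all assumptions made for the illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the SIEM's asset inventory tags servers holding critical data.
CRITICAL_HOSTS = {"db-prod-01", "fileserver-fin"}
# Assumption: cloud storage services the company has approved; any other
# storage service seen in proxy logs counts as unauthorized use.
CLOUD_STORAGE_DOMAINS = {"dropbox.com", "drive.google.com", "mega.nz",
                         "onedrive.live.com", "sharepoint.com"}
APPROVED_CLOUD = {"onedrive.live.com", "sharepoint.com"}

FAILED_LOGIN_THRESHOLD = 5      # alert on the 5th failure ...
WINDOW = timedelta(minutes=2)   # ... from one source to one host within 2 minutes

# Constructed sample events in a key=value syslog-like format (not real logs).
SAMPLE_LOGS = """\
2024-05-01T09:00:00 type=auth src=203.0.113.9 host=db-prod-01 user=admin result=fail
2024-05-01T09:00:10 type=auth src=203.0.113.9 host=db-prod-01 user=admin result=fail
2024-05-01T09:00:20 type=auth src=203.0.113.9 host=db-prod-01 user=admin result=fail
2024-05-01T09:00:30 type=auth src=203.0.113.9 host=db-prod-01 user=admin result=fail
2024-05-01T09:00:40 type=auth src=203.0.113.9 host=db-prod-01 user=admin result=fail
2024-05-01T09:00:50 type=auth src=203.0.113.9 host=db-prod-01 user=admin result=fail
2024-05-01T09:01:05 type=auth src=203.0.113.9 host=db-prod-01 user=admin result=success
2024-05-01T09:02:00 type=auth src=10.0.0.6 host=wiki-01 user=dave result=fail
2024-05-01T09:03:00 type=proxy src=10.0.0.7 user=bob domain=dropbox.com action=upload
2024-05-01T09:04:00 type=proxy src=10.0.0.8 user=alice domain=sharepoint.com action=upload
2024-05-01T09:05:00 type=auth src=10.0.0.5 host=db-prod-01 user=carol result=fail
2024-05-01T09:09:00 type=auth src=10.0.0.5 host=db-prod-01 user=carol result=fail
2024-05-01T09:13:00 type=auth src=10.0.0.5 host=db-prod-01 user=carol result=fail
""".splitlines()


def parse(line):
    """Normalize one log line into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def correlate(events):
    """Apply two rules to time-ordered events and return the alerts raised."""
    alerts = []
    failures = defaultdict(deque)   # (src, host) -> timestamps of recent failures
    fired = set()                   # (src, host) pairs already alerted on
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "auth" and ev["host"] in CRITICAL_HOSTS:
            key = (ev["src"], ev["host"])
            if ev["result"] == "fail":
                window = failures[key]
                window.append(ev["ts"])
                # Drop failures older than WINDOW so slow, sporadic typos never add up.
                while ev["ts"] - window[0] > WINDOW:
                    window.popleft()
                if len(window) >= FAILED_LOGIN_THRESHOLD and key not in fired:
                    fired.add(key)
                    alerts.append({"rule": "brute_force_critical_host", "ts": ev["ts"],
                                   "src": ev["src"], "host": ev["host"],
                                   "user": ev["user"], "count": len(window)})
            elif ev["result"] == "success" and key in fired:
                # A success right after a burst of failures is the case worth escalating.
                alerts.append({"rule": "brute_force_then_success", "ts": ev["ts"],
                               "src": ev["src"], "host": ev["host"], "user": ev["user"]})
        elif ev["type"] == "proxy" and ev["domain"] in CLOUD_STORAGE_DOMAINS \
                and ev["domain"] not in APPROVED_CLOUD:
            alerts.append({"rule": "unapproved_cloud_storage", "ts": ev["ts"],
                           "src": ev["src"], "user": ev["user"], "domain": ev["domain"]})
    return alerts


def run_sample():
    """Run both rules over the constructed log lines."""
    return correlate(parse(line) for line in SAMPLE_LOGS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data the three slow failures from 10.0.0.5 never accumulate inside the window and raise nothing, while the burst from 203.0.113.9 raises one alert on the fifth failure and a second, higher-value one when the following login succeeds; the upload to dropbox.com is flagged and the upload to the approved sharepoint.com is not. Real deployments key the critical-host and approved-service lists to inventories rather than literals, and the "fired" set needs an expiry so a repeat burst hours later alerts again.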

Incident investigation and response: Starting from an unauthorized or suspicious event, analysts use the SIEM to determine whether it is a cyber attack or something benign (normal behavior, an access error, etc.). If it is determined to be an attack, the route and scope of the attack, including whether it originated externally or internally, can be traced through the collected logs to provide clues for incident response. Measures such as the following are then taken:

  • If the attack is determined to be an external cyber attack: block the source IP, adjust the threshold at which the security product blocks, etc.
  • If the behavior is caused by an employee: if the employee is violating a company policy (e.g., accessing cloud storage even though its use is prohibited), issue a warning to the employee, etc.

Reporting: From a medium- to long-term perspective, visualize the status of violations of the company's security policies and the impact of cyber attacks, and create a report. By visualizing what kind of cyber attacks the company has been subjected to over a period of one month, three months, six months, one year, etc., the company can decide what security measures to take next.

The main use cases of SIEM are listed above, but the greatest benefit of SIEM for security personnel is the ability to quickly visualize events and log information from multiple different products and link them to the next action.

SIEM Tools

SIEM tools collect and analyze large volumes of data from an organization's endpoints, network devices and applications in near real time, detect signs of cyber threats, and support the security teams that respond to them. A SIEM on its own alerts rather than blocks; blocking is carried out by the security products it integrates with.

You need to define detection rules that generate alerts for those teams to act on.

SIEM tools help as well with:

  • Consolidating event logs from numerous sources
  • Adding intelligence to raw data by correlating events from different logs or sources
  • Automating security alerts: most SIEM platforms let you set up direct notifications

SIEM Challenges

While SIEM brings benefits to SOCs and other organizations in terms of improved security and operational efficiency, it also presents the following challenges.

Complex implementation and configuration: SIEMs are complex systems that require time and expertise to implement and configure. Security professionals must continually work to integrate device logs and data sources, configure rules, and tune alerts.

Processing large amounts of log data: A large amount of log data must be processed and analyzed. Appropriate hardware and storage resources are needed to process large amounts of data. It is also necessary to manage log data retention periods and data compression/reduction. 

Ongoing response to false positives and alert overload: SIEMs generate alerts based on predefined rules and patterns. However, false positives (legitimate activity mistakenly flagged as malicious) and false negatives (malicious activity that is missed) can occur. Depending on the configuration, a large number of alerts may also be received, requiring continuous tuning of alerts and improvement of rules on the user side.
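The tuning loop this paragraph describes is easier to reason about when false positives and false negatives are measured rather than felt. The following added example (not from the original page or from any SIEM product) evaluates one constructed port-scan rule against labeled firewall deny events under three configurations: untuned, with the threshold raised, and with a known scanner suppressed. The events, the ground-truth labels and the scanner's address are all constructed for the illustration.

```python
"""Measuring a detection rule's false positives and false negatives before
and after tuning.

Added example, not code from the page or from any SIEM product. The firewall
deny events, the ground-truth labels and the authorized scanner address are
all constructed for the illustration.
"""
from collections import defaultdict

# Constructed firewall deny events as (source IP, destination port).
DENY_EVENTS = (
    [("198.51.100.4", p) for p in (22, 23, 80, 443, 445, 3389, 5900, 8080)]  # real sweep
    + [("10.0.0.50", p) for p in range(1, 40)]            # authorized vulnerability scanner
    + [("10.0.0.12", p) for p in (443, 443, 443, 8443)]   # user hitting a flaky app
    + [("203.0.113.77", p) for p in (22, 135, 445, 3389)] # slow, targeted probing
)
# Assumption: labels established by an earlier investigation of these sources.
TRULY_MALICIOUS = {"198.51.100.4", "203.0.113.77"}


def port_scan_rule(events, threshold, suppress=frozenset()):
    """Alert on sources that hit at least `threshold` distinct ports.

    `suppress` is the tuning allowlist: sources whose scanning is expected.
    """
    ports = defaultdict(set)
    for src, port in events:
        if src not in suppress:
            ports[src].add(port)
    return {src for src, seen in ports.items() if len(seen) >= threshold}


def evaluate(alerted, truth):
    """Count hits and misses of a rule's output against labeled ground truth."""
    tp, fp, fn = len(alerted & truth), len(alerted - truth), len(truth - alerted)
    return {
        "tp": tp, "fp": fp, "fn": fn,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


def tuning_comparison():
    """Three configurations of the same rule, evaluated on the same events."""
    return {
        # Out of the box: the scanner fires alongside the two real attackers.
        "untuned": evaluate(port_scan_rule(DENY_EVENTS, 3), TRULY_MALICIOUS),
        # Tempting fix: raise the threshold until the noise stops. The scanner
        # still fires, and both real attackers are now missed.
        "threshold_raised": evaluate(port_scan_rule(DENY_EVENTS, 10), TRULY_MALICIOUS),
        # Better fix: keep the sensitive threshold and suppress the known source.
        "scanner_suppressed": evaluate(
            port_scan_rule(DENY_EVENTS, 3, suppress={"10.0.0.50"}), TRULY_MALICIOUS),
    }


if __name__ == "__main__":
    for name, metrics in tuning_comparison().items():
        print(name, metrics)
```

Raising the threshold looks like tuning, but on this data it removes both true detections while the noisy scanner still fires; an allowlist scoped to the known source keeps the rule sensitive and drops the false positive. In practice each allowlist entry should carry an owner and an expiry, and the measurement should be repeated whenever the rule or the environment changes.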

Response after incident detection: When an event is detected in real time, it must be confirmed as an actual incident and responded to. If security personnel do not tune alerts ahead of time, they will have to respond to alerts of every size, which in turn reduces operational efficiency.

Skill and resource requirements: Proper implementation and operation of SIEM requires security analysis and log management skills. It also requires the availability of appropriate resources (personnel, hardware, and software).

Differences between SIEM and XDR

XDR (Extended Detection and Response) is, like SIEM, a tool for improving security level and efficiency. The differences between SIEM and XDR are as follows:

Data collection targets and contextualization

  • SIEM: Collects, manages, and analyzes events and logs generated within a network or system. Analysis is performed primarily on log data to detect abnormal activity and signs of attacks.
  • XDR: Collects and analyzes telemetry data from multiple data sources, including endpoints, networks, and the cloud. It collects not only security events, but also endpoint file and process information, network traffic data, etc.

Analysis and detection

  • SIEM: Analyzes the collected data according to predefined rules and algorithms, detects unusual activity or signs of attacks, and generates alerts and warnings. Some products can perform correlation analysis across machine logs. However, the judgment of whether an event is a possible cyber attack basically relies on the "human intuition" of the operator.
  • XDR: Using the threat intelligence (malware, malicious sites, malicious emails, attack methods used by attackers, etc.) held by the security company that provides the XDR, signs of cyber attacks are identified in the collected telemetry. For example, tools that also have legitimate uses, such as PsExec (a Microsoft Sysinternals administration utility), Cobalt Strike (a commercial adversary-simulation framework) and Mimikatz (an open-source credential-extraction tool), are often misused in cyber attacks, and the vendor's intelligence covers how their use looks in telemetry.
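The following is an added example (not code from the original page, from any XDR vendor, or from the tools named) of the kind of matching the XDR bullet describes: endpoint process telemetry is checked against indicators for dual-use tools by file name, by hash and by command-line pattern, and context is used to separate an administrator running PsExec from a jump host from the same command on a workstation. The indicator list, the placeholder hash, the jump-host name and the process events are all constructed; the command-line patterns reflect the tools' documented syntax (PsExec's -accepteula flag, Mimikatz's module::command form) but are not a vendor feed.

```python
"""Matching endpoint process telemetry against threat-intelligence indicators
for dual-use tools, with context to separate expected admin use from abuse.

Added example, not code from the page, from any XDR vendor, or from the tools
named. The indicator list, the placeholder hash, the jump-host name and all
process events are constructed for the illustration.
"""
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    host: str
    user: str
    image: str     # full path of the executable
    cmdline: str
    sha256: str


# Constructed indicators standing in for a vendor threat-intel feed.
TOOL_BY_NAME = {"psexec.exe": "PsExec", "psexesvc.exe": "PsExec service",
                "mimikatz.exe": "Mimikatz"}
CMDLINE_PATTERNS = [
    (re.compile(r"\b(sekurlsa|lsadump|privilege)::\w+", re.I), "Mimikatz module syntax"),
    (re.compile(r"\\\\[\w.-]+\s.*-accepteula", re.I), "PsExec remote execution"),
]
# Placeholder hash (constructed, not a real indicator) for a renamed Mimikatz build.
KNOWN_TOOL_HASHES = {"0" * 63 + "1": "Mimikatz (renamed binary)"}
# Assumption: remote administration with PsExec is expected only from here,
# by accounts using the admin naming convention.
ADMIN_JUMP_HOSTS = {"jump-01"}
ADMIN_USER_PREFIX = "adm-"

SAMPLE_EVENTS = [  # constructed telemetry, not real captures
    ProcEvent("ws-042", "alice", r"C:\Users\alice\Downloads\mimikatz.exe",
              'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit', "f" * 64),
    ProcEvent("ws-017", "bob", r"C:\Temp\svc.exe", "svc.exe", "0" * 63 + "1"),
    ProcEvent("jump-01", "adm-carol", r"C:\Tools\PsExec.exe",
              r"PsExec.exe \\db-prod-01 -accepteula -s cmd.exe", "a" * 64),
    ProcEvent("ws-099", "dave", r"C:\Users\dave\AppData\Local\Temp\PsExec.exe",
              r"PsExec.exe \\fileserver-fin -accepteula -s cmd.exe", "a" * 64),
    ProcEvent("ws-003", "erin", r"C:\Windows\System32\notepad.exe",
              "notepad.exe report.txt", "b" * 64),
]


def basename(path):
    """File name of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_indicators(ev):
    """Return the list of indicator hits for one process event."""
    hits = []
    name = basename(ev.image)
    if name in TOOL_BY_NAME:
        hits.append(TOOL_BY_NAME[name] + " by file name")
    if ev.sha256 in KNOWN_TOOL_HASHES:      # catches renamed binaries
        hits.append(KNOWN_TOOL_HASHES[ev.sha256] + " by hash")
    for pattern, label in CMDLINE_PATTERNS:
        if pattern.search(ev.cmdline):
            hits.append(label)
    return hits


def triage(events):
    """Attach a severity: PsExec run by an admin account on a jump host is
    expected; any other indicator hit is treated as a sign of attack."""
    findings = []
    for ev in events:
        hits = match_indicators(ev)
        if not hits:
            continue
        only_psexec = all("PsExec" in h for h in hits)
        expected = (only_psexec and ev.host in ADMIN_JUMP_HOSTS
                    and ev.user.startswith(ADMIN_USER_PREFIX))
        findings.append({"host": ev.host, "user": ev.user, "hits": hits,
                         "severity": "info" if expected else "high"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The hash lookup is what catches the renamed copy on ws-017, which neither the file name nor the command line reveals; the context check is what keeps the administrator's PsExec session on jump-01 from generating the same high-severity alert as the identical command launched from a user's temp directory. A real feed would also carry hashes for the tools' known builds and would be refreshed continuously, since attackers recompile and rename them.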

Incident Response and Automation

  • SIEM: Provides basic information and procedures for security incidents to assist in incident response; SIEM is primarily focused on alert generation and monitoring, while other products may be required for actual response procedures.
  • XDR: Provides automation and orchestration capabilities to support rapid response to security incidents. Detected threats are analyzed and response guidance is provided in real time.

Dependence on the source

  • The value of a SIEM solution is directly related to the sources from which it obtains its information. If there are gaps in coverage, they are often noticed late or not at all.
  • Consequently, comparing SIEM with XDR is in most cases not an either/or decision. More often it is XDR and SIEM, since a SIEM gets most of its value from detection and response logs.
  • Because a SIEM depends on the quality of the information generated by third-party providers, the two are often used in parallel, with the XDR solution passing its pre-correlated data on to the SIEM.
