If you’re not a cybersecurity expert, you may be wondering, “What is SIEM anyway?” SIEM is an acronym for Security Information and Event Management. But what does that mean exactly?
Functions of SIEM
The first, most basic function of any SIEM is to centralize all the security notifications from your various security technologies. Your firewalls, IDS/IPS systems, anti-virus console, wireless access points and Active Directory servers all generate tons of security alerts every day. With SIEM, you can collect all of these in one place, with one set of reports and one centralized system for generating notifications. This is usually referred to as a “log aggregation” solution, and unfortunately, this is where many SIEM offerings stop.
The second main function of a SIEM is to provide logging and reporting for compliance purposes. For almost every compliance regulation, there are requirements to log user access, track system changes, and monitor adherence to corporate policies. A good SIEM solution makes these tasks MUCH easier by collecting this data from all your systems. Then, when it’s time for an audit or exam, you can generate the appropriate compliance reports and send them to the appropriate people. Of course, your SIEM must have the needed compliance functionality and reports built-in to be effective, but many SIEM offerings don’t.
The third, and probably most important, function of SIEM is automated cross-correlation and analysis of all the raw event logs from across your entire network. This is where SIEM looks for hidden cybersecurity issues that would otherwise go unnoticed by combining data from several different sources. In order to perform this correlation and analysis, getting the security logs to the SIEM is certainly important. But security logs by themselves just aren’t enough. Let’s say your SIEM receives an alert from your IDS stating that it has detected an attack against one of your servers. Scary, right? These are the types of alerts that you may get woken up in the middle of the night over.
A complete SIEM solution understands what the server is, what applications it’s running, and what configuration it has. This intelligent context helps prevent false positives, meaning you only get woken up when you need to take action. A true comprehensive SIEM solution also gathers full configuration, running applications, and other information from every device to add critical context to events and notifications. This allows the SIEM to notice changes to critical devices such as routers and firewalls – generating notifications when unauthorized changes occur. A full SIEM solution blends threat intelligence feeds, blacklists, and geolocation data to further increase the accuracy – ensuring notifications are actionable, dramatically reducing false positives.
Machine learning systems can be valuable, but they do not replace the need for a SIEM. They are still a single device with a single view of the system and network. The value of SIEM is in the cross correlation of data from all devices including machine learning devices. In addition, some new “magic appliances” must be installed in a very specific place on the network or use a network tap so that all the network flows go through the box. That’s fine, but all those traffic flows must be unencrypted in order for the appliance to understand anything. And in most networks today, a lot of traffic is encrypted. Citrix, VPN sessions, and a lot of other traffic is completely hidden from these devices. Not to mention most malware and other tools hackers commonly use have built in encryption to bypass these systems. While these are great solutions for specific needs, they absolutely do not eliminate or even reduce the need for a SIEM.
Important reasons you need to have a SIEM:
● Gather all your security and event information into a single location to eliminate blind spots
● Detect suspicious behavior without getting bogged down in the mire of false positives.
● Detect problems before they become a breach with accurate analysis and correlation
● Monitor and enforce corporate policies with holistic visibility
● Achieve regulatory compliance including PCI, HIPAA and FFIEC which effectively require you to have a SIEM.
Contact us to learn more about our SIEM services and enhancing your cyber posture.