What is Security Information and Event Management (SIEM)?


SIEM Definition

Security information and event management (SIEM) is a set of tools and services that combines security event management (SEM) and security information management (SIM) functionality, enabling analysts to examine log and event data, understand and prepare for threats, and retrieve and report on log data. SIM focuses on collecting, storing and managing logs and other security data, while SEM covers real-time analysis, correlation and alerting. A SIEM brings both together in one platform.

SIEMs provide visibility into malicious activity by pulling data from all corners of an environment and aggregating it in a single centralized platform, where it can be used to triage alerts, create reports, and support incident response. The ability to search and correlate data from applications and network hardware at any time helps organizations recognize potential security threats before they disrupt business operations.

CrowdStrike Global Threats Report 2022

Download the Global Threats Report 2022 to learn how security teams can better protect the people, processes and technology of a modern enterprise in an increasingly worrisome threat landscape.


What are the benefits of a SIEM?

A SIEM provides organizations with four types of security benefits:

1. Efficiency
A SIEM uses automation and machine learning to improve visibility, lighten the workload in the SOC, and provide more reliable and powerful reporting for IT and compliance purposes.

2. Threat Detection and Mitigation
SIEMs make large amounts of data searchable in one place, so threats can be prioritized and dealt with more easily and quickly, no matter where in the environment they occur.

3. Cost savings
Because a SIEM increases the efficiency of the security team by automating low-level tasks and increasing the speed at which they can process events, it reduces the cost of operating a SOC.

4. Compliance
SIEMs can include built-in compliance reports that make audits much easier and faster, which also reduces compliance costs.

Expert advice

The Falcon SIEM Connector provides a turnkey, SIEM-consumable data flow: it transforms data from the Falcon Streaming API into a format that a SIEM can ingest. Read: How to integrate with your SIEM

SIEM Capabilities

In addition to the various benefits that a SIEM can provide to organizations, it is important to understand the specific capabilities of a SIEM that can help the organization’s security teams operate.

  • Data aggregation: Consolidates data from many systems, making searches easier and faster.
  • Threat detection: Analyzes behavioral data collected from the environment and exposes suspicious patterns.
  • Forensic investigations: Performs in-depth analysis of major security events and preserves the collected logs so that they can serve as evidence, including in legal proceedings, provided their integrity and retention are maintained.
  • Compliance and Audit: Supports PCI DSS, HIPAA, GDPR, SOX and other regulations by enabling log visibility, real-time threat detection, access monitoring, and automated reporting and documentation.

SIEM use cases

  • Monitor, correlate and analyze activity across multiple systems and applications
  • Detect external and internal threats by monitoring the activity of high-risk users: those with privileged access (internal and third-party), users with access to critical data assets such as intellectual property, and executives
  • Monitor access to server and database resources and provide data exfiltration monitoring capabilities
  • Provide compliance reports
  • Detect IoT threats such as DoS attacks and flag compromised or at-risk devices in the environment
  • Improve the orchestration and automation of incident response workflows

How does a SIEM work?

A SIEM works by collecting log and event data from an organization’s applications, servers, security devices, and systems into a centralized platform. It then normalizes this data into common fields, sorts it into categories, and analyzes it against correlation rules written by the organization’s security or IT teams and against baselines of normal behavior, in order to identify potential threats. For example, a SIEM may classify events as “malware activity” or “login failures”. A rule match or a deviation from the baseline prompts the system to alert security or IT analysts to investigate the unusual activity.
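The collect, normalize, categorize, correlate and alert pipeline described above, reduced to a small runnable example. This is an added illustration, not code from the original page or from any CrowdStrike product. The log lines, hostnames and IP addresses are constructed, the two source formats (an SSH-style auth log and a key=value antivirus log) are invented for the example, and the thresholds are assumptions, not recommended values.

```python
"""Toy SIEM pipeline: collect -> normalize -> categorize -> correlate -> alert."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real data). Two sources with different formats:
# a syslog-style SSH auth log and a key=value antivirus log, plus one line no
# parser understands, which a real SIEM should count rather than silently drop.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z host=web01 sshd: Failed password for admin from 203.0.113.7 port 51122",
    "2024-03-01T10:00:05Z host=web01 sshd: Failed password for admin from 203.0.113.7 port 51123",
    "2024-03-01T10:00:09Z host=web01 sshd: Failed password for root from 203.0.113.7 port 51124",
    "2024-03-01T10:00:12Z host=web01 sshd: Failed password for admin from 203.0.113.7 port 51125",
    "2024-03-01T10:00:15Z host=web01 sshd: Failed password for admin from 203.0.113.7 port 51126",
    "2024-03-01T10:00:20Z host=web01 sshd: Accepted password for admin from 203.0.113.7 port 51127",
    "2024-03-01T10:30:00Z host=db02 sshd: Failed password for alice from 198.51.100.4 port 40000",
    "2024-03-01T11:00:00Z av host=ws17 action=quarantine file=C:\\Users\\bob\\inv.exe verdict=malicious",
    "# collector heartbeat",
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)
AV_RE = re.compile(
    r"^(?P<ts>\S+) av host=(?P<host>\S+) action=(?P<action>\S+) "
    r"file=(?P<file>\S+) verdict=(?P<verdict>\S+)"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Map a raw line from either source onto one common event schema, or None."""
    m = AUTH_RE.match(line)
    if m:
        category = "login_failure" if m["outcome"] == "Failed" else "login_success"
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "category": category,
                "src": m["src"], "user": m["user"]}
    m = AV_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "category": "malware_activity",
                "src": None, "user": None, "file": m["file"]}
    return None


def ingest(lines):
    """Collect: normalize every line, keeping unparsed lines visible as a blind spot."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        (events if ev is not None else unparsed).append(ev if ev is not None else line)
    return events, unparsed


def correlate(events, threshold=5, window=timedelta(seconds=60), followup=timedelta(minutes=5)):
    """Apply three rules over time-ordered events and return the alerts they raise.

    threshold/window/followup are assumed example values, not recommendations."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside the window
    brute_forced_at = {}                  # src -> time the brute-force rule fired
    for ev in sorted(events, key=lambda e: e["ts"]):
        cat = ev["category"]
        if cat == "malware_activity":
            # Rule 3: any quarantine verdict is worth an alert on its own.
            alerts.append({"rule": "malware_activity", "severity": "high",
                           "host": ev["host"], "file": ev["file"]})
        elif cat == "login_failure":
            # Rule 1: N failures from one source inside a sliding window.
            q = recent_failures[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in brute_forced_at:
                brute_forced_at[ev["src"]] = ev["ts"]
                alerts.append({"rule": "brute_force", "severity": "medium", "src": ev["src"],
                               "host": ev["host"], "count": len(q)})
        elif cat == "login_success":
            # Rule 2: success shortly after a brute-force alert from the same source.
            fired = brute_forced_at.get(ev["src"])
            if fired is not None and ev["ts"] - fired <= followup:
                alerts.append({"rule": "success_after_brute_force", "severity": "critical",
                               "src": ev["src"], "user": ev["user"], "host": ev["host"]})
    return alerts


def run(lines=SAMPLE_LOGS):
    events, _unparsed = ingest(lines)
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Rule 2 is the point of correlation: a single "Accepted password" line is unremarkable on its own, and five failures are only a medium-severity nuisance, but the two together from one source within minutes is the event an analyst should look at first. Counting unparsed lines matters for the same reason: a source the SIEM cannot parse is a source it cannot alert on.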

Features of a SIEM

A SIEM is a set of tools and services that includes:

1. Dashboard
A single pane of glass gives SOC personnel a user-friendly way to interact with data, manage alerts, track the status and activity of security and vulnerability management products, and identify systems that are no longer being scanned for vulnerabilities.

2. Analytics
Derives insights from large amounts of data and applies machine learning to automatically surface hidden threats. Analytics-based SIEMs can combine IT operational data with security information to help pinpoint a specific weakness or vulnerability.

3. Advanced Threat Detection
Draws on network security monitoring, endpoint detection and response, sandboxing, and behavior analysis to identify and contain potential new threats, and correlates findings across these sources to recognize the different stages of an advanced persistent threat.

4. Threat Intelligence
Correlates current indicators of compromise and adversary tactics, techniques, and procedures with other incident and activity information to surface anomalous events in context.

5. Compliance Reports
Logs from each host that should be included in reports are regularly and automatically pushed to the SIEM, where they are aggregated into a single report that can be customized for rich compliance reporting on one or more hosts. Report templates cover the requirements of PCI DSS, HIPAA, GDPR, and SOX.

Limits of a SIEM

SIEMs cannot always provide full context on unstructured data, which can lead to false alerts, and with the high volume of alerts and data a SIEM produces, security teams may have difficulty diagnosing and investigating events. Responses can be delayed, or alerts ignored, because analysts cannot tell which ones require attention. SIEMs do not replace preventive security controls such as intrusion prevention systems, firewalls, or anti-virus technologies. A SIEM does not itself observe activity on hosts or the network in real time; it relies on log data recorded by other software to determine that an event has occurred, so its coverage is only as good as the telemetry fed into it.

Gartner observes that “security and risk managers are increasingly looking for security information and event management solutions with capabilities that support early detection, investigation, and response to attacks. Users must balance advanced SIEM capabilities with the resources needed to run and tune the solution.”2

CrowdStrike partners Splunk and IBM are named in the 2020 Magic Quadrant for Security Information and Event Management report.

Splunk

Splunk integrates CrowdStrike’s next-generation endpoint protection and threat intelligence into Splunk Enterprise Security (ES) to help organizations prevent, detect, and respond to threats in real time. Deployment is fast and scalable.

CrowdStrike and IBM

CrowdStrike and IBM together deliver a holistic view of an organization’s threat landscape so users can act proactively on complete visibility and automated intelligence.

Falcon SIEM Connector Datasheet

Do you want to know how to use Falcon Host data in a SIEM? Download the Falcon SIEM connector datasheet below:


1 Gartner, “Critical Capabilities for Security Information and Event Management,” Gorka Sadowski et al., February 24, 2020
2 Gartner, “Magic Quadrant for Security Information and Event Management,” Kelly Kavanagh et al., February 18, 2020

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
