As one of the main kinds of security software and services, SIEM (Security Information and Event Management; pronounced either like “seem” or like “sim”) can be one of the more straightforward to understand. While it often does involve some advanced AI techniques, it’s a kind of software or service that gives your IT team eyes on what your endpoints (workstations and servers) and network devices (like your firewall) are doing at a deep level.
SIEM differs from network security monitoring (like intrusion detection) because it doesn’t look at what’s happening on the network, but rather at what’s happening on devices. The difference may be confusing if you think about it for too long; the two are part of a defense-in-depth strategy that gives you as much information as possible about ongoing security incidents on your network. Today, we’ll take a look at what SIEM does and why it’s an important part of a modern approach to network security.
The Core Elements of SIEM: Logging
Security Information and Event Management came about as a security platform that mostly deals with logs: the digital paper trail for anything that a device (or piece of software) does. As your operating system or router, for example, performs its everyday tasks, it records quite a bit of information about what it’s doing.
This is because logs typically record successes and failures; if something goes wrong at the system level, you’ll find a record of it in the Event Log in Windows. We don’t always see an outcome or interruption of activities due to these errors, and many of them would seem arcane to even the most tech-savvy users. Event 10010 in system logs, for instance, is an application failing to register with DCOM; I’m personally not sure what that means, but I’ve read that it might mean bad news for people who play solitaire on their Windows desktops. The “event” part of SIEM is the kind of event reported by software when it completes a task, and not necessarily a large-scale event like a disaster of some kind.
All of the information about hardware and software successes and failures tends to live on the device, waiting for an engineer to take a look at the log when there’s a problem. When it comes to your network security, however, it’s far more advisable to “check the logs” in real time to know exactly when things are going sideways.
SIEM takes this type of log, centralizes it with the logs of other devices on the network, and allows all of them to be monitored in one place. This means that a) all devices in scope are being monitored, and b) the monitoring is able to correlate events on systems and events on networks with one another.
Core Elements: Analytics and Monitoring
Once the logs from software, hardware, network devices, cloud services, etc. are all brought together, patterns can be seen that show what security events may be correlated with one another. In SIEM, real-time analysis of the logs can spot problems as they happen and estimate how related the events are to one another. This is where AI and algorithms come in: using complex algorithms to help spot correlations and patterns as quickly as possible.
Since these are security events that are being analyzed, multiple issues happening simultaneously may be a single incident, so finding a pattern to the behavior will allow your response team to quickly mitigate any ongoing security incidents. Monitoring is typically done on a centralized, human-readable interface and through alerting systems (as in a security operations center).
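The correlation described above, as an added example that is not part of the original article: a small Python correlator that ingests constructed collector lines (Windows logon-failure events and a firewall deny, all in an assumed key=value text format) and raises one incident when a single source address touches several hosts within a time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample logs (not real data): Windows logon-failure events (4625)
# from two hosts and one firewall deny, forwarded to a SIEM collector in an
# assumed "timestamp key=value ..." form.
SAMPLE_LOGS = """\
2024-05-01T09:00:05 host=WS-01 src=Windows event=4625 user=alice ip=203.0.113.7
2024-05-01T09:00:09 host=WS-01 src=Windows event=4625 user=alice ip=203.0.113.7
2024-05-01T09:00:40 host=FS-02 src=Windows event=4625 user=admin ip=203.0.113.7
2024-05-01T09:01:12 host=FW-EDGE src=Firewall event=deny ip=203.0.113.7 port=445
2024-05-01T09:01:30 host=FS-02 src=Windows event=4625 user=bob ip=203.0.113.7
2024-05-01T09:30:00 host=WS-03 src=Windows event=4625 user=carol ip=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (.*)$")
INTERESTING = {"4625", "deny"}  # Windows logon failure, firewall deny

def parse_line(line):
    """Turn one collector line into an event dict with a datetime timestamp."""
    ts, rest = LINE_RE.match(line).groups()
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event

def correlate(lines, window=timedelta(minutes=5), min_events=3, min_hosts=2):
    """Group events by source IP and flag an incident when one IP produces at
    least min_events events across min_hosts distinct hosts inside a sliding
    window. Returns one summary per offending IP (enough for an alert)."""
    by_ip = defaultdict(list)
    for line in lines.strip().splitlines():
        ev = parse_line(line)
        if ev.get("event") in INTERESTING:
            by_ip[ev["ip"]].append(ev)
    incidents = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in span}
            if len(span) >= min_events and len(hosts) >= min_hosts:
                incidents.append({"ip": ip, "hosts": sorted(hosts), "events": len(span),
                                  "start": first["ts"],
                                  "sources": sorted({e["src"] for e in span})})
                break
    return incidents

if __name__ == "__main__":
    for incident in correlate(SAMPLE_LOGS):
        print(incident)
```

The single-host, single-event address 198.51.100.4 produces no incident; the thresholds and window are the knobs a SOC would tune to its own false-positive tolerance.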
More advanced solutions typically use a human-readable interface but augment the IT team’s resources with automatic remediation. Today, it’s certainly a best practice to have algorithms to accelerate the analysis of security information and events, but remediation isn’t necessarily best left to an algorithm, depending on the use case.
What’s In-Scope for SIEM?
Every workstation, every mobile device, every appliance, and all of your network infrastructure create logs that store security information (authentication information, most importantly), so devices make up the typical scope of security monitoring. Since the devices are networked together, most SIEM solutions require their own server that collects the logs, runs the analytics, and creates alerts for administrators. This server’s performance and resource requirements will depend on the volume of logs that it ingests, and its storage needs will also depend on how long the logs should be retained.
For organizations who do a lot of their work in the cloud (Microsoft 365 or Google Workspace, specifically), SIEM providers are rolling out options to implement the same kind of logging in these cloud environments. The principle is the same, since (as is often said) the cloud is just someone else’s computer; cloud software services generate their own authentication and usage logs, and they can be analyzed just the same.
Native or Third-Party?
Both native and third-party solutions exist in this space. Deciding on a third-party or native solution often comes down to what kind of licensing and services you already have for the cloud services that you subscribe to. For example, Microsoft’s Sentinel is essentially a SIEM for their cloud services, but Microsoft 365 is only one of many Azure-branded environments that it’s intended for use with. Sentinel is intended for enterprise-level companies who use a lot of Microsoft services that need monitoring.
Any third-party SIEM can be given access to the relevant 365 and Microsoft Defender audit logs to make sure that your cloud files (SharePoint, OneDrive, and email) are a part of your security and network monitoring. If you have a SIEM server to send logs to, you can also forward the logs from 365 to it to monitor your cloud workspace.
Who Needs SIEM?
SIEM is becoming more common in the small- and medium-business space for two interlocking reasons: 1) it is becoming more cost-effective for smaller businesses to have SIEM capabilities, and 2) it is more often becoming necessary for cyber-insurance and compliance reasons. As the tools become accessible, they’re also becoming expected by insurers as a best practice in network security and finding their way into self-assessments and questionnaires. Regulations often require security event logging and may even have log retention requirements (such as “you must keep all of these logs for one year”).
Ultimately, adding SIEM to your security stack increases your organization’s ability to stop ongoing security incidents, in tandem with network security testing. When the right solution is in place, the time to respond to and the time to mitigate a breach on your network are greatly reduced, meaning the incident is more likely to cause less harm than it otherwise could, either by reducing the time an intruder is in your network or by stopping bad things from happening as they start. For these reasons, SIEM should be a part of any best-in-class security offering.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team