What is SIEM?
Coined by Gartner’s Mark Nicolett and Amrit Williams in 2005, the acronym SIEM stands for security information and event management. At its core, it’s a combination of SIM (security information management), which refers to the long-term storage, analytics and reporting of log data, and SEM (security event management), which refers to real-time monitoring and the correlation of events, notifications and console views.
SIEM, in simple terms, is a reliable way to get a comprehensive, big-picture view of all the security alerts generated by an organisation’s network of hardware and software.
By implementing a SIEM platform, an organisation is able to aggregate and analyse activity from various sources across its infrastructure – including network devices, servers and domain controllers. This analysis renders it capable of discovering trends, detecting threats and enabling organisations to investigate and respond appropriately to these alerts in a timely manner.
It is equally useful for big corporations and small businesses that may have a network of only a handful of devices. Hand in hand with a team of digital forensics experts, SIEM issues the alerts and the digital analysts monitor the results and respond appropriately.
Implementation and SIEM best practice
For a small company with, perhaps, 10 systems, a SIEM platform like Splunk can be installed by one person within a week. Larger companies are more likely to engage professional SIEM architects to design, deploy and implement the SIEM based on their particular business requirements. Companies large and small are now starting to consume SIEM in a SaaS (Software as a Service) model. The advantage is that this removes the need to deal with the deployment, infrastructure and hardware management side of the system.
Once the SIEM system is up and running, it becomes fully automated. The alerts are generated automatically and a dashboard provides visibility of what is happening, with continual monitoring and regular reporting – monthly, weekly or to suit company preference.
Use cases of SIEM
One of the most prevalent issues SIEM is being used to counteract is the rise of ransomware.
Over the past few years these attacks have been a huge problem for organisations, which have been forced to pay large amounts to recover sensitive encrypted data. Cyber criminals have their victims over a barrel, as the potential loss of reputation is just as damaging as the loss of business and profits. US credit reporting agency Equifax learned this the hard way in 2017 when it neglected to patch its systems for months despite recommendations from multiple sources in its security teams.
The almost inevitable breach resulted in the exfiltration of hundreds of millions of customer records, a company payout of US$500 million and a shattered reputation.
Other threats that can be identified by SIEM include insider threats originating from trusted entities, with sub-categories such as ‘highly privileged access abuse’ and ‘trusted host and entity compromise’.
SIEM can also use rich data analysis to conduct threat hunting, using a range of methods from security system alerts to checks on similar incidents or tips from peers or the media.
The only limit to its threat detection capability is the data that is fed into the SIEM. With the right event logs, it is possible to track how and where a threat actor first gained a foothold, before establishing a beachhead in the network. SIEM can then be used to follow the threat actor as they move through the network, and pass from one system to another, tracking what is being accessed, tampered with or exfiltrated.
It is possible to do this after the compromise, even if the system has been wiped out, because the necessary logs are all stored safely in the SIEM platform.
At each step, an alert and alert action can be created, based on known actor vectors – cutting off a successful attack before any lasting damage is caused.
Benefits
Clearly one of the biggest risks an organisation faces, and therefore one of the biggest benefits of implementing a SIEM platform, is financial. But that’s not all. There are compliance factors at play too. By law, many large companies need to comply with operating standards imposed by their location, and hefty fines can be levied if they don’t. Incident response is certainly more difficult without SIEM. But where it really makes its mark is that wider-lens view.
If someone in digital operations sees an alert in a certain area of the network or infrastructure, they may not pay much attention to it.
If a whole range of alerts are generated at the same time, however, coming from different places but correlating, that operator will sit up and take notice. It then becomes possible to gain a clearer understanding of what’s happening across the entire network.
Best of all is SIEM’s ability to remove the ‘noise’ that can distract from security incidents as they arise. When a SIEM platform is first implemented and security event alerts begin to be generated, a lot of that output is noise. As time progresses and the platform grows, it is necessary to tune it by removing these sources of noise. Perhaps an application has been misconfigured, leading to multiple alerts; once the misconfiguration is identified, it can be fixed and the noise is reduced. Other problematic areas can be identified in the same manner, leading to a continual process of streamlining and reducing the noise. Then, when something important does arise, such as a major security breach, there is greater visibility. The problem can be seen, identified and addressed straightaway.
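The two mechanisms described above, correlating alerts from different sources against the same user within a short window (and recording the hosts that user passed through), and suppressing alerts attributable to a known misconfigured application, are sketched in this added example; it is not code from the original article or from any SIEM product, and the alert records, source names and suppression entry are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three log sources (not real data).
SAMPLE_ALERTS = [
    {"ts": "2024-01-10T09:00:05", "source": "firewall", "host": "ws-17", "user": "jdoe", "msg": "outbound to rare IP"},
    {"ts": "2024-01-10T09:00:20", "source": "edr", "host": "ws-17", "user": "jdoe", "msg": "suspicious child process"},
    {"ts": "2024-01-10T09:01:10", "source": "domain_controller", "host": "dc-01", "user": "jdoe", "msg": "new logon from ws-17"},
    {"ts": "2024-01-10T11:30:00", "source": "app-billing", "host": "app-02", "user": "svc_bill", "msg": "config reload failed"},
    {"ts": "2024-01-10T11:30:05", "source": "app-billing", "host": "app-02", "user": "svc_bill", "msg": "config reload failed"},
    {"ts": "2024-01-10T14:00:00", "source": "firewall", "host": "ws-03", "user": "asmith", "msg": "outbound to rare IP"},
]

# Tuning list (hypothetical): alerts known to come from a misconfigured application are suppressed.
SUPPRESSIONS = {("app-billing", "config reload failed")}


def suppress_noise(alerts, suppressions=SUPPRESSIONS):
    """Drop alerts whose (source, message) pair is on the tuning list."""
    return [a for a in alerts if (a["source"], a["msg"]) not in suppressions]


def correlate(alerts, window=timedelta(minutes=5), min_sources=2):
    """Escalate when >= min_sources distinct sources alert on the same user within the window.

    A lone firewall alert stays a low-priority alert; firewall + EDR + domain
    controller firing together for one user becomes an incident, and the set of
    hosts involved records where that user moved across the network.
    """
    parse = datetime.fromisoformat
    by_user = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):  # ISO timestamps sort lexically
        by_user[a["user"]].append(a)

    incidents = []
    for user, events in by_user.items():
        for i, first in enumerate(events):
            cluster = [e for e in events[i:] if parse(e["ts"]) - parse(first["ts"]) <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                incidents.append({"user": user, "start": first["ts"],
                                  "sources": sorted(sources),
                                  "hosts": sorted({e["host"] for e in cluster})})
                break  # one incident per user per run keeps the output readable
    return incidents


if __name__ == "__main__":
    for inc in correlate(suppress_noise(SAMPLE_ALERTS)):
        print(inc)
```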