Network security

Introduction to SIEM (security information and event management)

Nitesh Malviya
May 27, 2021 by
Nitesh Malviya

Security information and event management (SIEM) is a software system that collects and aggregates data and events from various networking devices and resources across IT infrastructure. At present, the SIEM market value is around $4.2 billion and is expected to grow to $5.5 billion by 2025.

The term SIEM was first used in 2005 by Mark Nicolett and Amrit Williams. SIEM as a concept was proposed by them by combining the concept of security information management (SIM) and security event management (SEM).

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

How SIEM works

A typical SIEM collects and aggregates security data from various networking  devices, servers, computers and domain controllers present within the ecosystem. The collected data is stored, aggregated and normalized on which the analytics are applied to detect threats, raise alerts and enable organizations to take suitable steps based on the alert raised.

Thus, SIEM plays a vital role and is an important part of the data security ecosystem since it detects abnormal behavior and traffic flowing in and out of the network. On the flip side, SIEM tools can be resource-consuming, expensive to implement and it is often difficult to remediate problems reported by SIEM.

SIEM use

Following are the main capabilities found in an SIEM:

  1. Threat detection
  2. Investigation
  3. Time to respond

Apart from the above features, other additional features which an SIEM provides are:

  1. Basic security monitoring
  2. Advanced threat detection
  3. Log collection
  4. Forensics and incident response
  5. Incident detection
  6. Notifications and alerts
  7. Threat response workflow

Top SIEM vendors 

Following are the top SIEM available in the market widely used at the corporate level:

  1. Splunk
  2. IBM Qradar
  3. LogRhythm
  4. SolarWinds Security Event Manager
  5. Alienvault
  6. ArcSight
  7. Datadog
  8. McAfee ESM
  9. Securonix
  10. RSA Netwitness

9 SIEM best practices 

Following are the best practices for SIEM implementation: 

  1. Requirement: define monitoring and reporting requirements before deployment.
  2. Implementation: determine and define the system’s scopes, infrastructure audit targets and verbosity.
  3. Access control: monitor and log access to critical resources and check whether it's legitimate or not.
  4. Perimeter defenses: monitor, log and respond to threats, violations and activity and attacks on perimeter defenses.
  5. Resource integrity: monitor, log and respond to threats, backup processes, violations and vulnerabilities and attacks on network system resources integrity and availability.
  6. Intrusion detection: monitor, log and respond to incidents related to intrusion detection and system threats.
  7. Malware defense: monitor, log and respond to threats, violations and activities on malware controls.
  8. Application defenses: monitor, log and respond to threats, violations and activity about the web, database and more.
  9. Acceptable use: monitor and report on the key status and issues violations activity regarding the acceptable use of resources and information.

Next-generation SIEM 

Next-generation SIEMs engulf automated incident response technology and are much more advanced and more refined than the formal ones. Next-generation SIEMs integrate with IT and other security tools/hardware and provide full security orchestration and automation (SOAR) capabilities.

Examples include:

  1. Authentication and access management: automatically disable user accounts and reset passwords on active directory
  2. Cloud infrastructure: disable accounts and stop or destroy instances on AWS/Microsoft Azure
  3. Email security: delete or quarantine emails, sending email on SMTP email servers and Microsoft Exchange
  4. Endpoint security: isolate devices from the network and delete and list files or active processes on Linux/Windows/Mac
  5. Firewalls: block or unblock IPs and domains on firewalls
  6. Forensics: automatically running virus scans, scanning files and quarantine suspected malware in sandboxes.
  7. Information technology service management (ITSM): create tickets, change ticket status, add comments to tickets, reassign tickets and close incidents on the ITSM system

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

Trends in SIEM 

Following are the top trends impacting the SIEM market:  

  1. The sophistication of cyberattacks and their exponential rise
  2. Strict security compliances and regulations imposed by governments
  3. Cloud-based services adoption among SMEs

Sources

SIEM architecture: technology, process and data, Exabeam

What is SIEM? A beginner’s guide, Varonis 

Security information and event management market, Market and Markets

Nitesh Malviya
Nitesh Malviya

Nitesh Malviya is a Security Consultant. He has prior experience in Web Appsec, Mobile Appsec and VAPT. At present he works on IoT, Radio and Cloud Security and open to explore various domains of CyberSecurity. He can be reached on his personal blog - https://nitmalviya03.wordpress.com/ and Linkedin - https://www.linkedin.com/in/nitmalviya03/.