5 minute read

Security information and event management (SIEM) is a subsection within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.

Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes.

The acronyms SEM, SIM and SIEM have sometimes been used interchangeably, but generally refer to the different primary focus of products:

  • Log management: Focus on simple collection and storage of log messages and audit trails
  • Security information management (SIM): Long-term storage as well as analysis and reporting of log data.
  • Security event manager (SEM): Real-time monitoring, correlation of events, notifications and console views.
  • Security information and event management (SIEM): Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.
  • Managed Security Service: (MSS) or Managed Security Service Provider: (MSSP): The most common managed services appear to evolve around connectivity and bandwidth, network monitoring, security, virtualization, and disaster recovery.
  • Security as a service (SECaaS): These security services often include authentication, anti-virus, anti-malware/spyware, intrusion detection, Penetration testing and security event management, among others.

In practice many products in this area will have a mix of these functions, so there will often be some overlap – and many commercial vendors also promote their own terminology.

Oftentimes commercial vendors provide different combinations of these functionalities which tend to improve SIEM overall. Log management alone doesn’t provide real-time insights on network security, SEM on its own won’t provide complete data for deep threat analysis. When SEM and log management are combined, more information is available for SIEM to monitor.

A key focus is to monitor and help manage user and service privileges, directory services and other system-configuration changes; as well as providing log auditing and review and incident response.

Capabilities/components

  • Data aggregation: Log management aggregates data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
  • Correlation: Looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the Security Event Management portion of a full SIEM solution
  • Alerting: The automated analysis of correlated events Dashboards: Tools can take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.
  • Compliance: Applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.
  • Retention: Employing long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements. Long term log data retention is critical in forensic investigations as it is unlikely that discovery of a network breach will be at the time of the breach occurring.
  • Forensic analysis: The ability to search across logs on different nodes and time periods based on specific criteria. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs.

Correlation rules examples.

SIEM systems can have hundreds and thousands of correlation rules. Some of these are simple, and some are more complex. Once a correlation rule is triggered the system can take appropriate steps to mitigate from a cyber attack.

Usually, this includes sending a notification to a user and then possibly limiting or even shutting down the system.

Brute Force Detection

Brute force detection is relatively straight forward. Brute forcing relates to continually trying to guess a variable. It most commonly refers to someone trying to constantly guess your password - either manually or with a tool. However, it can refer to trying to guess URLs or important file locations on your system.

An automated brute force is easy to detect as someone trying to enter their password 60 times in a minute is impossible.

Impossible Travel

When a user logs in to a system, generally speaking, it creates a timestamp of the event. Alongside the time, the system may often record other useful information such as the device used, GPS address, IP address, incorrect login attempts, etc. The more data is collected the more use can be gathered from it. For impossible travel, the system looks at the current and last login date/time and the difference between the recorded distances. If it deems it’s not possible for this to happen, for example traveling hundreds of miles within a minute, then it will set off a warning.

Unfortunately, many employees and users are now using VPN services, therefore this should be taken into consideration when setting up such a rule.

Excessive File Copying

If you think about your day-to-day activities, you most likely don’t copy or move around a lot of files on your system. Therefore any excessive file copying on a system can be attributed to some wanting to cause harm to your company. Unfortunately, it’s not as simple as stating someone has gained access to your network illegally and they want to steal confidential information. It could also be an employee looking to sell company information, or they could just want to take home some files for the weekend.

DDoS Attack

A DDoS (Distributed Denial of Service) Attack would cause an issue for pretty much any company. A DDoS attack can not only take your web properties offline, it can also make your system weaker. With suitable correlation rules in place, your SIEM should trigger an alert right at the start of the attack so that you can take the necessary precautionary measures to protect your systems.

File Integrity Change

File Integrity and Change Monitoring (FIM) is the process of monitoring the files on your system. Unexpected changes in your system files will trigger an alert as it’s a likely indication of a cyber attack.