Hello everyone !! This is a brief blog about my understanding of what Security Information and Event Management (SIEM) and SIEM tools are.
At a high level, a SIEM tool is software that ingests large volumes of log data from many sources (servers, intrusion detection/prevention systems, firewalls, domain controllers, endpoints, network devices) and processes it so that security-relevant events can be searched, correlated and alerted on in near real time.
How did it evolve?
LMS + SIM + SEM = SIEM
SIM - Security Information Management
SIM is a first-generation system that provides historical analysis and reporting of security event data. It requires event and data collection and correlation (but not in real time), an indexed repository for log data, and flexible query and reporting capabilities.
SEM - Security Event Management
SEM is a second-generation system that provides real-time monitoring and event management to support IT security operations. SEM requires several capabilities: event and data collection, aggregation and correlation in near real-time; a dynamic monitoring/security event console for viewing and managing events; and automated response generation for security events.
LMS - Log Management System
A system that simply collects logs and stores them centrally, with little or no analysis on top.
Below are the sources that I referred to in order to learn more about SEM and SIM.
Working of a SIEM
Below is the depiction of how a SIEM works.
- SIEM tools collect and store huge amounts of log data from various sources (servers, firewalls, IDS/IPS, domain controllers, endpoints, network devices).
- After storing the data, they normalize it into a common schema and categorize it by the kind of activity (authentication, network connection, process execution, etc.).
- They then run the normalized events through the policies and correlation rules that the administrator has defined, and finally present the results as alerts, dashboards and reports.
- Each of these stages is handled by a separate SIEM component: collectors, a log store, a correlation engine, and the alerting/reporting layer.
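As an added example (not code from the original post), the pipeline above in miniature: two constructed log sources in different formats (sshd syslog lines and a Windows logon export as CSV, where event ID 4625 is a failed logon and 4624 a successful one) are collected, normalized into one schema, filtered down to authentication events, and run through a single correlation rule that fires when a source IP succeeds after five or more failures within five minutes, no matter which system recorded the failures. All hostnames, users, IPs and timestamps are made up; the rule name and the schema field names are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input from two source types (not real logs): an SSH
# daemon writing syslog-style lines, and a domain controller exporting
# Windows logon events as CSV (4625 = failed logon, 4624 = successful logon).
SSH_LOGS = [
    "2024-03-10T08:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "2024-03-10T08:00:03 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "2024-03-10T08:00:05 web01 sshd[2213]: Failed password for jdoe from 203.0.113.5 port 51240 ssh2",
    "2024-03-10T08:01:00 web01 sshd[2220]: Failed password for jdoe from 198.51.100.7 port 40000 ssh2",
    "2024-03-10T08:01:10 web01 sshd[2221]: Accepted password for jdoe from 198.51.100.7 port 40001 ssh2",
    "2024-03-10T08:02:00 web01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
]
DC_LOGS = [
    "2024-03-10T08:00:30,DC01,4625,jdoe,203.0.113.5",
    "2024-03-10T08:00:40,DC01,4625,jdoe,203.0.113.5",
    "2024-03-10T08:00:50,DC01,4625,jdoe,203.0.113.5",
    "2024-03-10T08:01:30,DC01,4624,jdoe,203.0.113.5",
    "2024-03-10T08:01:35,DC01,4672,jdoe,203.0.113.5",
]

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ssh(line):
    """Normalize one sshd line into the common schema; None if it is not a logon event."""
    m = SSH_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
        "src_ip": m["ip"], "outcome": "failure" if m["outcome"] == "Failed" else "success",
        "category": "authentication", "source": "sshd",
    }


def parse_dc(line):
    """Normalize one Windows logon CSV row; events other than 4624/4625 are filtered out."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    ts, host, event_id, user, ip = parts
    outcome = {"4624": "success", "4625": "failure"}.get(event_id)
    if outcome is None:
        return None
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "src_ip": ip,
            "outcome": outcome, "category": "authentication", "source": "windows_security"}


def collect():
    """Collection + normalization stage: one list of events in a common schema."""
    events = [parse_ssh(l) for l in SSH_LOGS] + [parse_dc(l) for l in DC_LOGS]
    return [e for e in events if e is not None]


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Rule stage: alert when a source IP logs in successfully after >= threshold
    failures within `window`, regardless of which system recorded the failures."""
    failures = defaultdict(list)          # src_ip -> timestamps of failed logons
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ip = e["src_ip"]
        if e["outcome"] == "failure":
            failures[ip].append(e["ts"])
            continue
        recent = [t for t in failures[ip] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src_ip": ip,
                           "user": e["user"], "host": e["host"], "ts": e["ts"],
                           "failures": len(recent)})
            failures[ip].clear()          # reset so one spree yields one alert
    return alerts


def run_pipeline():
    """Collect -> normalize -> correlate -> alert."""
    return correlate(collect())


if __name__ == "__main__":
    for a in run_pipeline():
        print(f"ALERT {a['rule']}: {a['user']} from {a['src_ip']} on {a['host']} "
              f"at {a['ts'].isoformat()} after {a['failures']} failures")
```

The point to notice is that neither source on its own trips the rule: three failures on the Linux box and three on the domain controller only add up to a brute-force-then-success pattern once both are normalized into the same schema and correlated by source IP. The cron line and the 4672 event are dropped at the filtering stage, which is where most of a real SIEM's volume goes.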
But as organizations grow, the volume and variety of log data outgrow what current-generation SIEMs can handle, so next-gen SIEM tools have come into place. What is the difference between current-gen and next-gen SIEM tools?
- Open and scalable architecture
- Real-time visualization tools
- Big data architecture
- User and entity behaviour analytics (UEBA)
- Security Orchestration, Automation and Response (SOAR)
- Network Traffic Analysis (NTA)
Out of these, the most notable features are UEBA and SOAR
User and entity behaviour analytics (UEBA) - Monitors the behaviour of users and entities (hosts, service accounts, devices) over time, builds a baseline of what is "normal" for each, and flags activity that deviates from it. This surfaces threats that signature-based rules miss, such as social engineering and account compromise, and gives analysts the context to visualize and understand them.
Security Orchestration, Automation and Response (SOAR) - Technology that automates routine, manual analyst actions (enrichment, ticketing, containment steps) as playbooks, to increase operational efficiency throughout the incident response workflow.
Use cases of SIEM
Some of the use cases are:
- Basic security monitoring
- Helping organizations comply with regulations such as PCI DSS, HIPAA and GDPR
- With the help of UEBA, looking for possible insider threats
- Discovering compromised hosts and accounts by spotting malware command-and-control communications
- Supporting threat hunting by providing the data and context around suspected incidents
- Detecting data exfiltration by flagging unusually large transfers, or transfers to destinations or users never seen before
- Zero-day threat detection with the help of behaviour analysis, since no signature exists yet
- Helping to map security operations onto existing frameworks
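To make the UEBA idea above and the data-exfiltration use case concrete, here is an added example (not code from the original post) of the simplest behaviour baseline: per-user daily outbound volume. Each user is scored against their own history (a z-score against their mean and standard deviation) rather than against one global "large transfer" threshold, and a destination the user has never sent data to before is added as context. The users, hosts, byte counts and the 14-day window are all constructed; the threshold of three standard deviations and the minimum of seven days of history are my choices, not anything the post prescribes.

```python
import statistics

# Constructed 14-day baseline of outbound transfer volume per user (not real
# data). alice normally moves ~55 MB/day to an internal SharePoint; bob's job
# pushes ~900 MB/day to the backup host, so a fixed "large transfer" threshold
# would page on him every day.
HISTORY = []
for day in range(1, 15):
    HISTORY.append({"day": day, "user": "alice", "dst": "sharepoint.example.net",
                    "bytes_out": 50_000_000 + (day % 3) * 5_000_000})
    HISTORY.append({"day": day, "user": "bob", "dst": "backup.example.net",
                    "bytes_out": 900_000_000 + (day % 2) * 20_000_000})

# Constructed activity for the day under review.
TODAY = [
    {"day": 15, "user": "alice", "dst": "transfer.example-files.com", "bytes_out": 2_000_000_000},
    {"day": 15, "user": "bob", "dst": "backup.example.net", "bytes_out": 920_000_000},
    {"day": 15, "user": "carol", "dst": "drive.example.org", "bytes_out": 300_000_000},
]

MIN_DAYS = 7        # do not score a user until there is enough history (assumed value)
Z_THRESHOLD = 3.0   # standard deviations above the user's own mean (assumed value)


def build_baseline(history):
    """Per-user profile: mean and standard deviation of daily volume plus the destinations seen."""
    per_user = {}
    for rec in history:
        p = per_user.setdefault(rec["user"], {"volumes": [], "dsts": set()})
        p["volumes"].append(rec["bytes_out"])
        p["dsts"].add(rec["dst"])
    baseline = {}
    for user, p in per_user.items():
        mean = statistics.mean(p["volumes"])
        # Floor the deviation at 1% of the mean so a perfectly flat history cannot divide by zero.
        stdev = max(statistics.pstdev(p["volumes"]), 0.01 * mean)
        baseline[user] = {"days": len(p["volumes"]), "mean": mean, "stdev": stdev, "dsts": p["dsts"]}
    return baseline


def evaluate(events, baseline):
    """Score each event against its user's own history rather than a global threshold."""
    findings = []
    for e in events:
        prof = baseline.get(e["user"])
        if prof is None or prof["days"] < MIN_DAYS:
            # A new user has no "normal" yet; report that instead of guessing.
            findings.append({"user": e["user"], "verdict": "insufficient_baseline",
                             "z": None, "reasons": []})
            continue
        z = (e["bytes_out"] - prof["mean"]) / prof["stdev"]
        reasons = []
        if z > Z_THRESHOLD:
            reasons.append("volume_deviation")
        if e["dst"] not in prof["dsts"]:
            reasons.append("new_destination")
        # A new destination alone is common and noisy; require the volume deviation
        # to alert, and let the destination add context to the finding.
        verdict = "anomalous" if "volume_deviation" in reasons else "normal"
        findings.append({"user": e["user"], "verdict": verdict, "z": round(z, 1), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in evaluate(TODAY, build_baseline(HISTORY)):
        print(f)
```

Run as written, bob's 920 MB day is "normal" because it is one standard deviation from his own mean, while alice's 2 GB to a never-seen host is flagged with both reasons, and carol, who has no history, is reported as unscoreable rather than silently passed. Real UEBA products baseline many more dimensions (logon hours, hosts accessed, peer-group comparison) and weight them into a risk score, but the shape of the logic is the same.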
Top SIEM Solutions
If you want to learn about SIEM in depth, below is a curated list of sources (including those mentioned above). I hope this helps you.