SIEM Tool and Security

Rohit Dhore
5 min read · Dec 5, 2021

Security Information and Event Management (SIEM) solutions use rules and statistical correlations to turn log entries, and events from security systems, into actionable information. This information can help security teams detect threats in real time, manage incident response, perform forensic investigation on past security incidents, and prepare audits for compliance purposes.

The term SIEM was coined in 2005 by Mark Nicolett and Amrit Williams, in Gartner’s SIEM report, Improve IT Security with Vulnerability Management. They proposed a new security information system, on the basis of two previous generations.

  • Security Information Management (SIM) — a first generation, built on top of traditional log collection and management systems. SIM introduced long-term storage, analysis, and reporting on log data, and combined logs with threat intelligence.
  • Security Event Management (SEM) — a second generation, addressing security events — aggregation, correlation and notification for events from security systems such as antivirus, firewalls and Intrusion Detection Systems (IDS), as well as events reported directly by authentication systems, SNMP traps, servers, databases, etc.

How does SIEM help us?

Threat intelligence feeds

Combines internal data with threat intelligence feeds containing data on vulnerabilities, threat actors and attack patterns. Threat intelligence is gathered to help organizations understand emerging threats in the cybersecurity landscape, including zero-day threats, advanced persistent threats and exploits. Threat actors may also include internal and partner threats, but the emphasis is on outside sources that might cause the most damage to a particular organization’s environment.

Data aggregation

Aggregates data from network, security, servers, databases, applications, and other security systems like firewalls, antivirus and Intrusion Detection Systems (IDS).

Analytics

Uses statistical models and machine learning to identify deeper relationships between data elements and anomalies compared to known trends, and ties them to security concerns.

Correlation

Links events and related data into meaningful bundles which represent a real security incident, threat, vulnerability or forensic finding.

Dashboards and visualizations

Creates visualizations to allow staff to review event data, see patterns and identify activity that does not conform to standard patterns.

Threat hunting

Allows security staff to run queries on SIEM data, filter and pivot the data, to proactively uncover threats or vulnerabilities.

Retention

Stores long-term historical data to enable analysis, tracking, and data for compliance requirements. Especially important in forensic investigations, which happen after the fact.

SOC Automation

Integrates with other security solutions using APIs, and lets security staff define automated playbooks and workflows that should be executed in response to specific incidents.

How does SIEM work?

In the past, SIEMs required meticulous management at every stage of the data pipeline — data ingestion, policies, reviewing alerts and analyzing anomalies. Increasingly, SIEMs are getting smarter at pulling data together, from ever more organizational sources, and using AI techniques to understand what type of behavior constitutes a security incident.

Data Collection

Most SIEM systems collect data by deploying collection agents on end-user devices, servers, network equipment, or other security systems like firewalls and antivirus, or via protocols such as syslog forwarding, SNMP or WMI. Advanced SIEMs can integrate with cloud services to obtain log data about cloud-deployed infrastructure or SaaS applications, and can easily ingest other non-standard data sources. Pre-processing may happen at edge collectors, with only some of the events and event data passed to centralized storage.

Data Consolidation and Correlation

The central purpose of a SIEM is to pull together all the data and allow correlation of logs and events across all organizational systems.

An error message on a server can be correlated with a connection blocked on a firewall, and a wrong password attempted on an enterprise portal. Multiple data points are combined into meaningful security events, and delivered to analysts by notifications or dashboards. Next-gen SIEMs are getting better and better at learning what is a “real” security event that warrants attention.

Policies and Rules

The SIEM allows security staff to define profiles, specifying how enterprise systems behave under normal conditions.

They can then set rules and thresholds to define what type of anomaly is considered a security incident. Increasingly, SIEMs leverage machine learning and automated behavioral profiling to automatically detect anomalies, and autonomously define rules on the data, to discover security events that require investigation.
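To make the correlation and threshold rules described above concrete, here is an added example (not from the original post or any SIEM product) of a minimal correlation rule in Python: it normalises a few constructed log lines from a firewall, a portal and a server, groups them by source IP, and raises one incident when a threshold of failed logins is corroborated by a second source inside a time window. The line format, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format): ISO timestamp, source system, message.
SAMPLE_LOGS = """\
2021-12-05T10:00:01 firewall blocked connection from 203.0.113.7 to 10.0.0.5:22
2021-12-05T10:00:05 portal failed password for admin from 203.0.113.7
2021-12-05T10:00:09 portal failed password for admin from 203.0.113.7
2021-12-05T10:00:14 portal failed password for admin from 203.0.113.7
2021-12-05T10:00:20 server error: unhandled exception in /api/export client=203.0.113.7
2021-12-05T10:30:00 portal failed password for bob from 198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def parse(text):
    """Normalise raw lines into dicts with timestamp, source system, first IP and message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real collector would count unparsable lines instead of dropping them
        ts, system, msg = m.groups()
        ip = IP_RE.search(msg)
        events.append({"ts": datetime.fromisoformat(ts), "system": system,
                       "ip": ip.group(1) if ip else None, "msg": msg})
    return events

def correlate(events, window=timedelta(minutes=5), auth_threshold=3):
    """Rule (assumed): >= auth_threshold failed portal logins from one IP, plus a firewall
    block or server error from the same IP within `window` of its first event => incident."""
    by_ip = defaultdict(list)
    for e in events:
        if e["ip"]:
            by_ip[e["ip"]].append(e)
    incidents = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = evs[0]["ts"]  # simplification: window anchored at the IP's first event
        recent = [e for e in evs if e["ts"] - start <= window]
        failures = [e for e in recent if e["system"] == "portal" and "failed password" in e["msg"]]
        others = {e["system"] for e in recent if e["system"] in ("firewall", "server")}
        if len(failures) >= auth_threshold and others:
            incidents.append({"ip": ip, "failed_logins": len(failures),
                              "corroborating": sorted(others), "first_seen": start})
    return incidents
```

Running `correlate(parse(SAMPLE_LOGS))` yields one incident for 203.0.113.7 and none for the single failure from 198.51.100.4, which is the kind of multi-source event a single tool cannot see on its own.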

Data Storage

Traditionally, SIEMs relied on storage deployed in the data center, which made it difficult to store and manage large data volumes.

As a result, only some log data was retained. Next-generation SIEMs are built on top of modern data lake technology such as Amazon S3 or Hadoop, allowing nearly unlimited scalability of storage at low cost. This makes it possible to retain and analyze 100% of log data across even more platforms and systems.

What is SIEM commonly used for?

Security Monitoring

SIEMs help with real-time monitoring of organizational systems for security incidents.

A SIEM has a unique perspective on security incidents, because it has access to multiple data sources — for example, it can combine alerts from an IDS with information from an antivirus product. It helps security teams identify security incidents that no individual security tool can see, and helps them focus on alerts from security tools that have special significance.

Advanced Threat Detection

SIEMs can help detect, mitigate and prevent advanced threats, including:

  • Malicious insiders — a SIEM can use browser forensics, network data, authentication and other data to identify insiders planning or carrying out an attack
  • Data exfiltration (sensitive data illicitly transferred outside the organization) — a SIEM can pick up data transfers that are abnormal in their size, frequency or payload
  • Outside entities, including Advanced Persistent Threats (APTs) — a SIEM can detect early warning signals indicating that an outside entity is carrying out a focused attack or long-term campaign against the organization.

Forensics and Incident Response

SIEMs can help security analysts realize that a security incident is taking place, triage the event and define immediate steps for remediation.

Even if an incident is known to security staff, it takes time to collect data to fully understand the attack and stop it — SIEM can automatically collect this data and significantly reduce response time. When security staff discover a historic breach or security incident that needs to be investigated, SIEMs provide rich forensic data to help uncover the kill chain, threat actors and mitigation.

List of SIEM tools:

  • SolarWinds Security Event Manager
  • Paessler Security
  • Splunk Enterprise Security
  • IBM QRadar
  • AT&T Cybersecurity
  • Datadog Security Monitoring
  • LogRhythm NextGen SIEM Platform
  • Micro Focus ArcSight

~Thank you
