SIEM: How It Works and Selection Tips

With one cyber-attack happening in Australia every eight minutes, there’s never been a more crucial time for organisations to adopt robust solutions for quickly identifying and responding to suspicious IT activity.

Attackers need to find only one gap in a network of security devices to halt the operations of a business. With so many devices generating security data at the same time, security teams can struggle to pinpoint where a company is vulnerable from that raw data alone.

This is where security information and event management (SIEM) solutions come in.


What Is SIEM?

SIEM systems are a combination of two technologies:

1.     Security information management

Security information management collects data from log files, analyses them and generates a report to describe security events as well as internal and external threats.

2.     Security event management

Security event management refers to real-time system monitoring, which allows network administrators to receive notifications about important issues. Monitoring results also help establish the correlation between security events and provide incident response.

The people, technology and processes that deal with security events gathered from the SIEM log analysis make up the Security Operations Centre (SOC). Analysts belonging to SOC teams study SIEM alerts and determine whether they’re false alarms or issues that warrant closer monitoring or incident response.

Government agencies, financial services, payment card, healthcare, manufacturing and education are just some of the sectors that depend on security operations management.


How Does SIEM Work?

Security information and event management technologies go through the following process to detect and respond to security incidents:

1.     Policy creation

The SOC uses the SIEM to define the behaviour of systems under normal conditions as well as rules for simple to complex threat identification. These threats include failed login attempts, malware activity or privilege escalation (gaining access to the privilege of another user account or using access to perform malicious actions). Fine-tuning policies should be an ongoing task to enable relevant analysis, detection and response.

2.     Data aggregation

The SIEM then collects data and logs from across the business network and gathers them into a single, centralised location. Typical sources include:

  • User terminals
  • Databases
  • Applications
  • Anti-virus software
  • Firewalls
  • Servers
  • Domain controllers

3.     Data consolidation and correlation

After the SIEM collects data, it normalises the records into a common format and sorts them into categories before analysing them against your defined rules (correlation) to spot possible threats.

It also tries to identify patterns to determine indications of security threats. If it detects a series of suspicious events, your security teams can probe further to take remedial action.

4.     Notification

The SIEM sends an alert to security analysts when an event matches a defined rule or deviates from the established baseline. Alert generation typically integrates with messaging software and ticketing systems so that the alert lands where the SOC already works.
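As an added example, not code from the article or from any SIEM vendor, here are the four steps above in a few dozen lines of Python. Two constructed sources (Linux sshd syslog lines and Windows logon events; every host, user and address is made up) are normalised into one schema, correlated with a single rule, and turned into an alert. The rule implements the brute-force indicator described later under threat mitigation: repeated failed logons from one source followed by a success. Note that the output is an alert with a suggested response, not a lockout; enforcing that is a job for the directory or firewall the SIEM integrates with. The year supplied for the syslog timestamps and the threshold of four failures within five minutes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hosts, users and addresses are made up).
# Source 1: Linux sshd lines as forwarded by syslog (the timestamp carries no year).
SYSLOG_LINES = [
    "Mar 10 09:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2",
    "Mar 10 09:14:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 50124 ssh2",
    "Mar 10 09:14:05 web01 sshd[2215]: Failed password for jsmith from 203.0.113.7 port 50126 ssh2",
    "Mar 10 09:14:09 web01 sshd[2217]: Failed password for jsmith from 203.0.113.7 port 50130 ssh2",
    "Mar 10 09:30:44 web01 sshd[2301]: Failed password for bchen from 198.51.100.12 port 40210 ssh2",
    "Mar 10 09:30:52 web01 sshd[2303]: Accepted password for bchen from 198.51.100.12 port 40212 ssh2",
]
# Source 2: Windows Security events (4625 = failed logon, 4624 = successful logon),
# already exported as dicts by a collector agent.
WINDOWS_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2024-03-10T09:14:20", "Computer": "dc01",
     "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2024-03-10T09:14:31", "Computer": "dc01",
     "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "TimeCreated": "2024-03-10T09:15:02", "Computer": "dc01",
     "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port"
)
SYSLOG_YEAR = 2024  # assumption: syslog omits the year, so the collector supplies it


def normalise_syslog(line):
    """Step 2/3: map one sshd syslog line onto the common authentication schema."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparsed lines stay in raw log storage; they are not silently dropped
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["ip"],
            "outcome": "success" if m["result"] == "Accepted" else "failure",
            "source": "sshd"}


def normalise_windows(ev):
    """Step 2/3: map a Windows logon event onto the same schema as the sshd lines."""
    outcome = {4624: "success", 4625: "failure"}.get(ev["EventID"])
    if outcome is None:
        return None
    return {"ts": datetime.fromisoformat(ev["TimeCreated"]), "host": ev["Computer"],
            "user": ev["TargetUserName"], "src_ip": ev["IpAddress"],
            "outcome": outcome, "source": "windows"}


def aggregate(syslog_lines, windows_events):
    """Step 2: pull both sources into one time-ordered event stream."""
    events = [normalise_syslog(l) for l in syslog_lines]
    events += [normalise_windows(e) for e in windows_events]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def correlate_brute_force(events, threshold=4, window=timedelta(minutes=5)):
    """Step 3 (policy from step 1): at least `threshold` failures from one source IP
    within `window`, followed by a success from that IP. Returns alerts only; the
    SIEM does not lock the account itself."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["outcome"] == "failure":
            failures[e["src_ip"]].append(e)
            continue
        recent = [f for f in failures[e["src_ip"]] if e["ts"] - f["ts"] <= window]
        if len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success", "severity": "high",
                "src_ip": e["src_ip"], "user": e["user"], "host": e["host"],
                "failures": len(recent),
                "sources": sorted({f["source"] for f in recent}),
                "first_seen": recent[0]["ts"].isoformat(),
                "success_at": e["ts"].isoformat(),
                # The lockout or block is enforced by the directory or firewall the
                # SIEM integrates with; the alert only recommends it.
                "suggested_response": f"disable account {e['user']}; block {e['src_ip']} at the perimeter",
            })
    return alerts


def notify(alert):
    """Step 4: render an alert the way a chat or ticketing integration would receive it."""
    return (f"[{alert['severity'].upper()}] {alert['rule']}: {alert['failures']} failed logons "
            f"from {alert['src_ip']} across {','.join(alert['sources'])}, then success as "
            f"{alert['user']} on {alert['host']} at {alert['success_at']}")


if __name__ == "__main__":
    for a in correlate_brute_force(aggregate(SYSLOG_LINES, WINDOWS_EVENTS)):
        print(notify(a))
```

The point of consolidating both sources before correlating is visible in the result: the four sshd failures and the two domain-controller failures come from the same address, and only the combined stream shows the successful domain logon that follows them. Per-source consoles would each see a smaller, less alarming picture.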


What Are the Core Features of SIEM Technologies?

SIEM solutions have these common features that allow security operations teams to manage the overall security posture of a business:

·       Threat monitoring and threat detection

SIEM tools surface potential threats through real-time monitoring and behaviour analytics. Quarantining a host and sandboxing (detonating untrusted code in an isolated environment so it cannot damage host systems) are usually carried out by the endpoint, email or sandbox products the SIEM integrates with; the SIEM triggers those actions and ingests their results.

·       Threat intelligence

Threat intelligence is the collection and analysis of data about past, current and potential threats to determine whether they could impact the organisation. SIEM solutions enrich events with that intelligence so your information security team can match observed activity against known indicators and gain early visibility of new threats. Proactively searching the collected data for attacks that no rule has fired on (threat hunting) builds on the same enriched data.

In a 2020 study by S&P Global’s 451 Research, 98% of respondents consider the quality of SIEM alerts and reporting as well as the integration of threat intelligence as the most important attributes of SIEM vendors.

·       Forensics

Forensic investigations analyse historical data to trace the series of events leading to an incident. They let SOC teams establish when the initial compromise occurred, what was taken or which part of the network was damaged, what the perpetrators did after getting inside the company’s network, and whether those responsible are still inside the organisational systems.

·       Compliance reporting

SIEM software regularly and automatically archives log data for compliance reporting. Some examples of data protection regulations that your company or your industry should adhere to include: Payment Card Industry Data Security Standard, the Sarbanes-Oxley Act of 2002, the Federal Information Security Management Act of 2002 and so on.

·       Dashboard

With a dashboard or a single pane, SIEM solutions make it easy for SOC teams to interact with data and track the activity of threat protection products. They can also identify parts of the network that need scanning to check their vulnerability.


Benefits of Using SIEM

Here are some benefits that SIEM technology can provide your company:

·       Efficiency

SIEM tools offer automated, 24/7, network-wide security monitoring. This gives your SOC team the visibility they need to efficiently report abnormal behaviour or quickly act on security incidents.

SIEM also normalises or reformats security data so that they can be read for incident analysis and response processes.

·       Threat mitigation

As SIEM tools can gather security data from all points connected to your network, they offer comprehensive security incident reports that can help your SOC team respond to threats more promptly.

Here are some of the common attacks or attack indicators that SIEM software can help you detect:

  • Insider attacks

There are malicious and accidental insider threats and attacks. The accidental insider attack is due to unintentional errors such as a misconfigured firewall. Meanwhile, a malicious insider attack can come from disgruntled or opportunistic employees (or former employees) who use their access rights to sabotage or steal sensitive data.

  • Phishing

Phishers send emails carrying malware-infected attachments or malicious links to gain a foothold in a network.

  • Brute force

Attackers can make hundreds of password attempts within minutes to force their way into your network. A SIEM detects the pattern of repeated failed logins (a run of failures followed by a success is the more telling signal), alerts on it and, through an integration with your directory or firewall, can trigger a lockout or block. The lockout policy itself belongs in the identity system: restricting the number of failed logins there is the first line of defence, and the SIEM is the backstop that catches attempts spread across many accounts or systems.

  • Denial-of-Service Attacks

Denial-of-service (DoS) attacks disrupt the standard operation of a network, usually by flooding the target system with traffic. In effect, DoS attacks block normal traffic and deny access to legitimate users. The abnormal event can cause services to slow down or totally crash the network.

  • Malware

Malware includes viruses, worms, trojans, ransomware and other software designed to damage or, at least, disable computer systems. A SIEM correlates anti-virus and endpoint alerts with other telemetry, so a host on which the anti-virus reported a program but failed to remove it, or which keeps contacting suspicious addresses after a “cleaned” event, is flagged for investigation rather than lost in the endpoint console.

  • Advanced persistent threats

Intruders who launch advanced persistent threats carefully plan this sophisticated attack to establish an undetected and prolonged presence in a network from which they steal sensitive data.

The attackers behind them are experienced and well-funded, often state-sponsored, and target high-value organisations such as large corporations and government agencies.

  • Hijacking

Session hijackers take over an established session, typically by stealing or predicting the session token (such as a cookie) partway through an online session, so the server keeps treating the hijacker’s requests as the legitimate client’s. The hijacker can then act as the user or lock the user out of their own account.

  • Web application attacks

These include SQL injection, which manipulates a database query through unvalidated input to find, delete, update or modify information behind the web app, and cross-site scripting, which injects script into pages served to other users.

·       Flexibility and scalability

SIEM solutions can grow as your company grows and as the threat landscape evolves. Visibility scales as your organisation generates more data, eliminating “dark spaces” where attackers can lurk. SIEM tools can also work in different environments, on-premises or in the cloud.

·       Cost-efficient

Analytics and machine learning features can unburden security teams from manual tasks. In particular, a SIEM takes over what would otherwise be the manual interpretation of security logs and the matching of events against data sources such as threat intelligence feeds.

·       Improved compliance

Pre-set compliance reporting templates make it easier to conduct audits and prevent violations. SIEM automatically gathers compliance data and creates reports to meet industry standards.


How Do I Get Started with SIEM?

Now that you know what SIEM is and what it offers, you or your team should discuss the following questions before choosing a SIEM partner or solution:

1.     What do we want to get out of SIEM?

It’s best to meet your SOC team and set expectations about what your SIEM deployment should accomplish. What types of data do you want it to collect and monitor? Do you need it to detect threats in real-time? Or do you need it for regulatory compliance?

Your team should also determine the most critical threats to your network and the possible impact of a data breach.

Doing so will help you identify the scope that your chosen SIEM platform should cover, the log sources that should come under it, and how to respond when threats are detected.

2.     Who will manage the SIEM solution?

The SIEM is a tool that strengthens your security staff; it is not supposed to function on auto-pilot. You’ll need dedicated internal security personnel for your Security Operations Centre, and they should get proper training from your SIEM partner in developing content for and successfully deploying the platform.

If you don’t have the people to support the SIEM, you should consider a managed security service provider to manage the software.

3.     To what extent can we customise the SIEM tool?

Your team should understand exactly what the platform can and can’t do, so they can fully maximise its features. But as a basic principle, choose a solution that offers the broadest possible access to the largest amount of data. It should also provide the most flexible methods to detect threats and investigate security alerts, allowing integration services if possible.

4.     How secure and timely is the platform’s automated response feature?

Most SIEMs do not block attacks themselves; they trigger existing controls such as firewalls, endpoint agents and identity systems, often through an orchestration (SOAR) layer. Find out from your SIEM vendor how effectively the product does this before an attack can damage your network. Check that communication between the SIEM and those controls, and the log forwarding into the SIEM, is authenticated and encrypted (for example syslog over TLS with mutual authentication), so an attacker cannot alter or eavesdrop on it.

Also, ask how long it will take for the solution to detect an attack and prompt the appropriate security controls to stop it.

5.     What compliance certifications does the SIEM vendor have?

Determine which compliance initiatives apply to your business and then ensure your SIEM product has either built-in or customisable features to generate reports to meet data security requirements.

6.     How much are we going to invest in the SIEM system?

The cost of the SIEM program will depend on the type you choose. A self-managed SIEM has a lower price tag but leaves log source onboarding, rule development, tuning and round-the-clock monitoring to your own team. Managed systems come with dedicated experts to support your team in monitoring, managing and fine-tuning the software.


Top SIEM Tools

Some of today’s leading SIEM solution providers and their tools include the following:

Splunk

Splunk is widely regarded as a leader in the SIEM space. It supports security monitoring for systems running on Windows and Linux, and its log management and analysis features underpin advanced threat detection. Splunk is also known for its protection of personally identifiable information: sensitive fields in event data can be masked or encrypted so they are not visible to unauthorised users.

It’s available as a locally installed product (Splunk Enterprise) or as a cloud-hosted software-as-a-service (Splunk Cloud) if you don’t want to run Splunk yourself.

IBM QRadar

IBM QRadar offers advanced threat detection and helps you prioritise security alerts through vulnerability management and threat intelligence. Moreover, its risk management solution supports integration with IDS/IPS, antivirus programs and access control systems.

Organisations can deploy this SIEM tool as a hardware appliance, a virtual appliance or SaaS.

LogRhythm

While recommended for smaller organisations, LogRhythm is no pushover: its architecture can support up to 300,000 messages per second. It can run on Windows and Linux and has flexible data storage options.

It comes with DetectX, which has content and security analytics visualisations that help detect suspicious activity. Its AnalytiX centralises and normalises log data, while its RespondX helps your SOC team collaborate and manage any security incident swiftly and synergistically.

InsightIDR by Rapid7

Rapid7’s InsightIDR platform is a cloud-based solution known for its threat detection and incident response features. It hunts for threats and gathers security information from users, endpoints and events for forensic investigation. Besides conducting file integrity monitoring, the software’s machine learning capability can flag anomalous activity for response.

Rapid7 can also create a visual timeline for investigation and perform entity behavioural analytics and attacker behaviour analytics.

SNYPR by Securonix

Securonix’s SNYPR, a scalable, machine learning based SIEM solution, can handle up to one million security events per second. Its entity context enrichment and library of threat signatures allow the software to distinguish normal variation from suspicious events. SNYPR also assigns threat risk values to identify areas that need the most monitoring, escalation or remedial action.

This relatively new security information system runs on the open-source Apache Hadoop for big data.

EventTracker by Netsurion

Netsurion’s EventTracker profiles behaviour to find new and previous threats. Its indexing model and rule-based alerts help SOC teams quickly activate incident response.

EventTracker also helps users automate the steps to ensure compliance with the requirements of each data security standard. The solution has more than 2,200 pre-defined and audit-ready security and compliance reports.


How Do I Get the Most Value from SIEM?

To maximise the value of your SIEM, remember these best practices:

1.     Set clear goals

After establishing what you want your SIEM to do for you, do your homework. Ensure you pick the product that will achieve what you set out to do.

2.     Don’t install and forget

Your SIEM requires continuous review and adjustments based on your IT environment.

3.     Establish and closely monitor procedures

Define the criteria for generating alerts so your team is not overwhelmed by false positives: set thresholds that reflect your environment, record exceptions for known-benign activity, and collapse repeated alerts about the same entity. Keep tweaking as needed, so your security teams can focus on real threats, and review suppressed alerts periodically so a tuning rule never hides a genuine attack.
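An added example of the tuning step, not taken from the article or from any product: a handful of constructed alerts (addresses and account names are made up) are passed through an exception list and a deduplication window. Every suppressed alert is retained together with the reason it was suppressed, so it stays searchable for forensics and the tuning content can be audited. The thirty-minute window and the scanner account exception are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed alerts as a SIEM rule might emit them (addresses and names are made up).
RAW_ALERTS = [
    {"ts": "2024-03-10T09:15:02", "rule": "brute_force_then_success", "src_ip": "203.0.113.7", "user": "jsmith"},
    {"ts": "2024-03-10T09:16:40", "rule": "brute_force_then_success", "src_ip": "203.0.113.7", "user": "jsmith"},
    {"ts": "2024-03-10T09:17:05", "rule": "brute_force_then_success", "src_ip": "203.0.113.7", "user": "jsmith"},
    {"ts": "2024-03-10T10:02:11", "rule": "brute_force_then_success", "src_ip": "10.10.5.20", "user": "svc-scanner"},
    {"ts": "2024-03-10T11:45:00", "rule": "brute_force_then_success", "src_ip": "203.0.113.7", "user": "jsmith"},
]

# Tuning content kept as data so it can be reviewed and version-controlled.
# Assumption: the vulnerability scanner's service account fails logons by design.
EXCEPTIONS = {
    "brute_force_then_success": {
        "src_ip": {"10.10.5.20"},
        "user": {"svc-scanner"},
    }
}
DEDUP_WINDOW = timedelta(minutes=30)  # assumption: re-page the same entity after 30 minutes


def is_excepted(alert, exceptions=EXCEPTIONS):
    """True only when every field listed for the rule matches: an exception on the
    scanner's address alone would also hide an attacker who used that address."""
    exc = exceptions.get(alert["rule"])
    if not exc:
        return False
    return all(alert.get(field) in values for field, values in exc.items())


def tune(alerts, window=DEDUP_WINDOW):
    """Drop excepted alerts and collapse repeats for the same rule and entity that
    fall within `window` of the last alert actually sent. Returns
    (alerts to page the analyst, audit trail of what was suppressed and why)."""
    last_sent = {}
    kept, suppressed = [], []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        if is_excepted(a):
            suppressed.append({**a, "reason": "exception"})
            continue
        key = (a["rule"], a["src_ip"], a["user"])
        prev = last_sent.get(key)
        if prev is not None and ts - prev <= window:
            suppressed.append({**a, "reason": "duplicate"})
            continue
        last_sent[key] = ts
        kept.append(a)
    return kept, suppressed


def noise_reduction(alerts):
    """Fraction of raw alerts that never reached an analyst; a number worth tracking
    between tuning rounds."""
    kept, suppressed = tune(alerts)
    return len(suppressed) / len(alerts) if alerts else 0.0


if __name__ == "__main__":
    kept, suppressed = tune(RAW_ALERTS)
    for a in kept:
        print("PAGE", a["ts"], a["rule"], a["src_ip"], a["user"])
    for s in suppressed:
        print("SUPPRESSED", s["ts"], s["reason"])
```

Two design choices matter here. The deduplication clock runs from the last alert that was actually sent, not from the last suppressed one, so a slow, continuous attack still re-pages the analyst at the end of every window instead of being silenced forever. And the exception requires all listed fields to match, which keeps the exception narrow.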

4.     Do a pilot run

Deploy the SIEM to a smaller segment of your network first rather than to your entire organisational IT infrastructure, and generate realistic test activity against that segment (a penetration test or a simulated attack) to confirm that the expected detections fire. Collect as much data as you can to pinpoint weaknesses in compliance or security controls that need to be resolved before the wider roll-out.

5.     Update the system continuously

Be a step ahead of cybercriminals by continuously reviewing and refining your procedures and policies based on security incidents that crop up.
