Who, What, Why, When & Where?
If you are reviewing your cyber security strategy, you probably already have a good awareness of the tools, vendors, and not to mention the multitude of acronyms within the industry.
One tool, that has been around for a while, albeit in various guises is SIEM. Here in our latest blog post we explain what SIEM is, and explore its role within a robust cyber security strategy.
If you need help with cyber security acronyms, we’ve got a blog post for that too.
- What is SIEM?
- What is the purpose of SIEM?
- Where does SIEM gather data from?
- Who uses SIEM?
- What does SIEM provide?
- What are the critical capabilities of SIEM?
- What are the benefits of SIEM?
- What are SIEM tools?
- How do SIEM platforms work?
- Things to consider when choosing a SIEM platform
- How do you choose the right SIEM for your organisation?
- Which SIEM platforms do Infosec Partners recommend?
What is SIEM?
SIEM (Security Information and Event Management) is a software solution that collects, consolidates and analyses data from a variety of sources across your IT infrastructure into a centralised platform, providing a clear view of events and threats.
What is the purpose of SIEM?
SIEM collects, normalises, aggregates, and analyses data in order to spot trends, detect cyber threats, and help organisations investigate security alerts.
Where does SIEM gather data from?
SIEM gathers security data from a variety of sources, including network devices, servers, applications and domain controllers.
Who uses SIEM?
Whilst a SIEM solution detects cyber incidents, cyber expertise is required to investigate and respond. SIEM is key to an organisation’s threat detection and incident response team, which is often part of a bigger Security Operations Center (SOC).
What does SIEM provide?
In summary, SIEM provides two primary capabilities to an Incident Response team:
- Reporting and forensics about security incidents
- Alerts based on analytics that match a certain rule set, indicating a security issue
What are the critical capabilities of SIEM?
Technology research company Gartner identifies three critical capabilities for SIEM; threat detection, investigation and time to respond.
There are other features and functionality that you commonly see in the SIEM market, including:
- Basic security monitoring
- Advanced threat detection
- Forensics & incident response
- Log collection
- Notifications and alerts
- Security incident detection
- Threat response workflow
What are the benefits of SIEM?
SIEM improves productivity and efficiency through the automation of threat detection and incident response. It provides security experts with the ability to rapidly detect, prioritise, and react quickly to aggressive cyber threats hitting your organisation.
What are SIEM tools?
There are many SIEM solutions available today. They each differ slightly with regards to the monitoring capacity and the type of log sources that are supported.
There are two key types available:
- On-premise: This traditional option usually requires machines on location that need to be deployed and maintained.
- Cloud based: This type of SIEM does not require on-premise hardware as it is deployed in the cloud. Cloud-based SIEM is becoming increasingly popular, and more businesses are looking to move their SIEM solution to the cloud.
How do SIEM platforms work?
The SIEM collects and analyses log data to detect suspicious activity, the process works in
the following steps:
- Collects the data: SIEM tools start by collecting and aggregating log data from your network, including security devices, systems, and applications.
- Consolidates and categorises: the system consolidates the logs into categories, separates successful and failed logins, malware activity, exploit attempts, and port scans.
- Analyses: the categorised events are contrasted against preset correlation rules to check for suspicious activity.
- Alerts: If there is a discrepancy, the system sends an alert warning of a potential security threat. SIEM can identify threats by comparing multiple events, which wouldn’t trigger a security alert if considered by themselves.
Things to consider when choosing a SIEM platform
SIEM platforms differ in terms of features, it’s important to evaluate your own environment and requirements to identify what your priorities are:
- Ease of deployment and management: consider whether you want an installed SIEM or a cloud based solution, and also if you have the skills and resources inhouse to deploy and manage.
- Fit your company’s infrastructure: the ability of the SIEM tool to stream and process data from a variety of sources across your organisation is important. The incoming data could come from sources such as devices, firewalls, routers, or anti-virus software, so your SIEM solution must be able to integrate with and support the data sources you currently have and may also have in the future..
- Budget: Pricing models will differ for each SIEM solution. Cloud based solutions typically work on licensing and/or subscription models, whereas an on-premise installation will be subject to higher upfront costs.
- Data storage: data takes up a lot of space, a good SIEM solution should enable you to configure what data you need to store and for how long.
- Ability to configure rules: The detection rules in the SIEM need to be configured to meet your company’s security needs so it is essential that you are able to custom configure rules.
- Threat intelligence and analytics capabilities: capabilities will differ across solutions. More advanced solutions will utilise Artificial Intelligence and Machine Learning to provide more intuitive intelligence, freeing up time so that analysts can respond to the highest threats.
- Reporting: whilst all SIEM platforms generally provide standard automated reporting, you may require the ability to create custom reports.
- Scalability: SIEM solutions should also be able to scale with an organisation in every way. From extra data storage to further integration with additional devices and applications, a solution should be able to grow with your organisation.
How do you choose the right SIEM for your organisation?
This is a nuanced question. Fundamentally, a SIEM platform works well for an organisation if:
- It can natively understand (parse) the logs for all devices, services and applications of importance to that organisation, and
- It can be easily deployed, and comes with some useful alerts ‘out of the box’ to add value immediately – prior to more advanced tuning. There are, of course, many other factors. Examples include cost, security (of the platform itself), training of the organisation’s analysts, service desk integration and more. Crucially however, with an MSSP doing the heavy lifting, most SIEM platforms can do 1 & 2 easily from the client’s perspective, with MSSP technicians such as our very own creating custom parsers and generating client-specific alerts and reports.
Which SIEM platforms do Infosec Partners recommend?
We’re happy to have a conversation about supporting any. But we have three in our product portfolio and will generally recommend one of the following to clients:
Exceptional SOC and NOC functionality in a single package, and the obvious choice for mostly Fortinet environments – though very capable in hybrid / other vendor environments too. We offer multiple deployment options; client hosted, MSSP multi-tenanted or as a standalone single tenant in our private cloud. Unparalleled native threat intelligence.
- Microsoft Azure Sentinel
As one would expect, natively parses and alerts for Microsoft’s huge portfolio of technologies seamlessly. Excellent for organisations who heavily consume Azure and O365 services and wish to detect anomalies in their user base. A growing library of connectors to integrate non-Microsoft products.
- Rapid7 IDR
As the name suggests, very quick to spin up and begin integrating devices and applications. Excellent and very readable alerts and reports ‘out of the box’. Slick user interface which requires very little training for analysts to understand.
Are you interested in improving your protection against cyber security breaches?
Our Managed Security Information & Event Management (SIEM) Service combines a managed SIEM solution with expert analyst intelligence, providing multi-layered threat protection 24/7 and 365 days a year. Take a look at what we offer, or get in touch for more information.