What is SIEM? How to choose the right one for your business

Feature
Mar 13, 2024 (12 mins)
Network Security, Security, Security Information and Event Management Software

Security information and event management software collects information to help identify and track cyber breaches. Here’s how to select the best SIEM product based on your company’s needs.


Security information and event management (SIEM) software uses log and event data to help detect and track breaches. Parsing event logs and monitoring security events isn’t the sexiest job in the information security world, but in an industry increasingly driven by automation and AI, deep contextual data is a foundational component of a modern security stack.

A well-deployed SIEM not only captures system events into a single searchable store, but adds value by categorizing, prioritizing, and correlating those events, so that analysis is streamlined and the critical events float to the top for near-real-time visibility and response. In a mature deployment that visibility extends to automatic alerts sent to response teams, or even to automated actions taken as an initial response.

How does SIEM work?

Most modern computing systems (network devices, operating systems, applications, containers, cloud services, etc.) feature event logs that contain information with varying levels of criticality. These event logs are useful for monitoring security, application performance, or even just troubleshooting a misbehaving system.

These event logs and other system data need to be exported from the systems that produce them into the SIEM platform. This can be done with SIEM agents, programs running on the monitored systems that parse and forward the data, or, as many SIEM systems allow, through plugins that integrate directly with common products, or through standards-based collection such as syslog forwarding.

Which option you take will depend on your network topology and bandwidth, as well as the types of systems you need logs from. The volume of data transmitted and the processing required at the endpoints can degrade the performance of your systems or network if you don’t implement things carefully; agents at the edge can relieve some of that burden by filtering and parsing events before they ever cross the network. Whichever route you choose, make sure your entire infrastructure is instrumented, both on-prem and in the cloud: the systems that are not sending logs are exactly the blind spots an attacker will use.

Obviously, the amount of data generated by this instrumentation is far more than your staff could parse by hand. The primary value a SIEM delivers is the analysis it applies so that only useful information reaches your security operations center. These platforms use correlation engines to connect disparate log entries or other signals that look benign on their own but together spell trouble. Those engines, combined with the specific machine learning techniques used to sniff out attacks, are how SIEM vendors differentiate their offerings from one another.

SIEM tools also draw information from threat intelligence feeds — updated feeds of data about new forms of malware and the latest advanced persistent threats. These threat intelligence feeds can enable the SIEM to identify known patterns that indicate malicious behavior. Some of these feeds are maintained by the SIEM vendors, but others are open source or internally maintained by security teams at large organizations, and some SIEM platforms allow you to use your favorites. Other customization options include the ability to tightly integrate your SIEM platform with specific security tools.

Many businesses initially embraced SIEM for its ability to aid regulatory compliance; that’s still an important role for these tools, and many platforms have built-in capabilities that are focused on ensuring and documenting your compliance with various laws and standards. And finally, some SIEM platforms also incorporate SOAR capabilities, which can partially or fully automate responses to the threats they detect.

Selecting the right SIEM for your business

Selecting the right SIEM product will not only aid in monitoring business-critical systems and services, but also feed context back to identity and authentication systems, improve threat detection, and provide the context a SOAR (security orchestration, automation, and response) platform needs before it acts.

Cloud or on-prem?

Most modern SIEM solutions have moved to a SaaS model so that vendors can iterate and add features more quickly. The elastic capacity of the cloud also makes it easier for vendors to integrate machine learning capabilities, which require large quantities of reference data before they can identify anomalous behavior. The consensus is that SaaS has made SIEM better.

Nonetheless, some businesses need to keep SIEM on premises, typically because regulations stipulate that log or related data reside on local infrastructure, or because they are unwilling to ship a complete record of their internal activity, which is what a SIEM holds, to a third party. A handful of options still enable customers to deploy SIEM entirely on prem, including some solid open-source solutions.

Analytics capabilities

A SIEM is only as good as the information you can get out of it. Gathering all the log and event data from your infrastructure has no value unless it helps you identify problems and make informed decisions. Today, in most cases, the analytics capabilities of SIEM systems include machine learning to flag anomalous behavior in near real time, giving you an earlier warning that prompts a closer look at a potential attack, or even at a new application or network error. Anomaly detection needs a baseline of normal behavior to compare against, so expect a learning period and a tuning effort before those alerts are trustworthy.

Your SIEM analytics needs will depend on a variety of factors. What sort of systems are you monitoring? What skill sets do you have available to build dashboards and reports or to perform investigations? Do you have an existing investment in an analytics platform that you want to leverage? Each of these questions can help narrow down your platform options.

If you have no existing solutions or skills in place to drive the decision, your best bet may be to pursue SIEM solutions with an extensive dashboard library or managed services to help you build what’s best for you.

Log ingestion

Another practical consideration involves ingestion, or how your data is consumed by your SIEM. Often software agents extract log and event data from servers and workstations while network hardware and cloud applications may send event data directly to the SIEM through an integration or an API.

One basic issue is whether the SIEM can properly identify key information from your events out of the gate. Ideally, your SIEM should be mature enough to parse event data from most common systems with high fidelity and without customization, separating out key details such as timestamps, severity levels, and the affected systems or users. You should also look for a SIEM that lets you tune how event data is processed after it has been captured, so you can remedy log sources that aren’t being parsed properly. A practical check during evaluation: feed the product a sample of your real logs and measure how many events land as unparsed raw text, since an event that isn’t parsed is an event your correlation rules cannot see.
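What that parsing and tuning looks like in miniature, as an added example rather than code from the article or any SIEM vendor: a normalizer for RFC 3164-style syslog lines that extracts the timestamp, host, program and message, applies per-program extractors for sshd and sudo, and keeps (rather than drops) anything it cannot parse so the backlog of unparsed sources is visible. The sample lines and the field names are constructed for the demonstration.

```python
"""Normalise raw syslog lines into a common event schema.

Added example, not code from the article or any SIEM product. The regex
covers RFC 3164-style lines as written by common Linux daemons; the
sample lines are constructed. Lines the parser cannot handle are kept and
flagged so they can be found later and a parsing rule added.
"""
import re
from datetime import datetime

# Constructed sample input: two sshd lines, one sudo line, one line no rule matches.
SAMPLE_LINES = [
    "Mar 13 09:14:02 web01 sshd[1187]: Failed password for invalid user admin from 203.0.113.9 port 52114 ssh2",
    "Mar 13 09:14:05 web01 sshd[1187]: Accepted password for deploy from 203.0.113.9 port 52120 ssh2",
    "Mar 13 09:15:41 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash",
    "garbage line that matches nothing",
]

# RFC 3164 header: timestamp, hostname, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)

# Per-program extractors: these are the tuning knobs. When a new source
# shows up in unparsed(), add an extractor for it here.
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"
)
SUDO_RE = re.compile(
    r"^(?P<user>\S+) : .*?USER=(?P<target_user>\S+) ; COMMAND=(?P<command>.*)$"
)


def parse_line(line, year=2024):
    """Return a normalised event dict; unparsed lines are kept with parsed=False."""
    event = {"raw": line, "parsed": False}
    m = SYSLOG_RE.match(line)
    if not m:
        event["parse_error"] = "no syslog header"
        return event
    # RFC 3164 timestamps carry no year, so the collector must supply one (assumed here).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event.update(parsed=True, timestamp=ts, host=m["host"], program=m["prog"], message=m["msg"])
    if m["pid"]:
        event["pid"] = int(m["pid"])
    if m["prog"] == "sshd":
        d = SSHD_RE.match(m["msg"])
        if d:
            event.update(
                category="authentication",
                outcome="success" if d["outcome"] == "Accepted" else "failure",
                user=d["user"], src_ip=d["src_ip"], src_port=int(d["src_port"]),
            )
    elif m["prog"] == "sudo":
        d = SUDO_RE.match(m["msg"])
        if d:
            event.update(category="privilege_escalation", user=d["user"],
                         target_user=d["target_user"], command=d["command"])
    return event


def parse_lines(lines):
    return [parse_line(line) for line in lines]


def unparsed(events):
    """Events that still need a parsing rule: the tuning backlog to watch during evaluation."""
    return [e for e in events if not e["parsed"] or "category" not in e]
```

Run over the sample, the two sshd lines become authentication events with user and source address, the sudo line becomes a privilege escalation event with the target user and command, and the fourth line is returned by `unparsed()` instead of silently disappearing.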

Configuring alerts

The primary reason to have a modern SIEM is for sophisticated real-time monitoring of your systems. But that has little value unless a human is monitoring the system for alerts or notifications (in the form of emails, text messages, or push notifications to mobile devices).

The problem with alerts and notifications, as any email user knows, is keeping the volume manageable. If users receive too many notifications, they will either disable them or ignore them; if too few, critical threats may be missed. Look for flexibility in configuring alerts, including rules, thresholds (e.g., a system down for 15 minutes, or 20 errors per minute sustained for 10 minutes), suppression of repeat alerts for the same condition, and alert methods (SMS, email, push notifications, and webhooks).
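A threshold rule of the "20 errors per minute for 10 minutes" kind, with a cooldown so the same incident does not page every minute, as an added example that is not from the article or any SIEM product. It works on bare event timestamps; the event stream below is constructed to contain two bursts, the second inside the first alert's cooldown window.

```python
"""Sustained-rate alert rule with alert suppression.

Added example, not from the article or any SIEM product. The rule is
"at least `per_minute` events in each of `minutes` consecutive minutes";
the stream it runs over is constructed below.
"""
from collections import Counter
from datetime import datetime, timedelta


def minute_counts(timestamps):
    """Bucket event timestamps into per-minute counts."""
    return Counter(t.replace(second=0, microsecond=0) for t in timestamps)


def sustained_rate_alerts(timestamps, per_minute, minutes, cooldown_minutes=30):
    """Return the minutes at which an alert fires.

    Fires once `minutes` consecutive one-minute buckets each hold at least
    `per_minute` events, then stays quiet for `cooldown_minutes` so that a
    continuing incident raises one alert, not one alert per minute.
    """
    counts = minute_counts(timestamps)
    if not counts:
        return []
    start, end = min(counts), max(counts)
    alerts, streak, quiet_until = [], 0, None
    t = start
    while t <= end:
        streak = streak + 1 if counts.get(t, 0) >= per_minute else 0
        if streak >= minutes and (quiet_until is None or t >= quiet_until):
            alerts.append(t)
            quiet_until = t + timedelta(minutes=cooldown_minutes)
        t += timedelta(minutes=1)
    return alerts


BASE = datetime(2024, 3, 13, 9, 0)


def minute(i):
    """The i-th minute of the constructed stream."""
    return BASE + timedelta(minutes=i)


def build_sample(profile):
    """Constructed stream: `profile` lists the number of events in each successive minute."""
    out = []
    for i, n in enumerate(profile):
        for k in range(n):
            out.append(minute(i) + timedelta(seconds=k % 60))
    return out


# 5 quiet minutes, a 12-minute burst of 25 errors/min, 5 quiet minutes, then a
# second 12-minute burst that starts inside the 30-minute cooldown of the first alert.
PROFILE = [3] * 5 + [25] * 12 + [2] * 5 + [25] * 12
SAMPLE = build_sample(PROFILE)
```

With `per_minute=20, minutes=10` the rule fires once, at the tenth minute of the first burst; the second burst is suppressed by the cooldown. Drop the cooldown to zero and the same stream produces six alerts, which is the flood the text warns about.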

Role-based access

For large enterprises with diverse business segments, multiple application teams, or dispersed geographic locations, role-based access is imperative. Giving admins, developers, and analysts access to just the log events they need is not only a matter of convenience, but is required by the principle of least privilege and, in some industries, by regulatory mandates.

The events captured by a SIEM often provide deep detail on application and service functionality, or even on how the devices on your network are configured, and logs routinely capture secrets by accident: session tokens in URLs, credentials pasted into command lines, internal hostnames and addresses. Illicit access to this event data benefits an attacker looking to infiltrate your systems the same way casing a target benefits a thief before a heist. Limiting user access to SIEM event data is a best practice for a simple reason: it limits the damage a compromised account can do and ultimately helps protect your network as a whole.

Regulatory compliance

Many industry regulations and standards, HIPAA or the Department of Defense STIGs (Security Technical Implementation Guides) to name just two, not only require centralized logging, log review, and retention that in practice means a SIEM or similar utility, but also specify how it should be configured. Study the relevant requirements for your organization in detail. Things to look for include retention periods, encryption requirements (for both data in transit and data at rest), integrity protection (hash chains or digital signatures, so that event data cannot be modified without detection), and reporting obligations. Also keep in mind that most compliance regimes include an audit or reporting element, so make sure your SIEM can produce the documentation or reports auditors expect.
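The integrity requirement above, shown as an added example that is not from the article or any product: each stored record carries an HMAC computed over the previous record's MAC and the record itself, so editing, deleting, or reordering any event breaks verification from that point on. The key is assumed to be held by the ingestion pipeline (in a KMS or HSM) and never exposed to log readers; the constant here stands in for it, and the events are constructed.

```python
"""Tamper-evident log records: an HMAC hash chain.

Added example, not from the article. Each record is keyed to the MAC of
the previous record, so any modification of stored events is detectable
by anyone holding the key. DEMO_KEY is a stand-in for a KMS/HSM-managed
secret and must not be reused.
"""
import hashlib
import hmac
import json

DEMO_KEY = b"demo-key-replace-with-kms-managed-secret"  # assumption: demonstration only
GENESIS = "0" * 64


def canonical(event):
    # Stable serialisation: key order and whitespace must match between writer and verifier.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append(chain, event, key=DEMO_KEY):
    """Append `event` to `chain`, binding it to the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    mac = hmac.new(key, prev.encode() + canonical(event), hashlib.sha256).hexdigest()
    chain.append({"event": event, "prev": prev, "mac": mac})
    return chain


def verify(chain, key=DEMO_KEY):
    """Return (ok, index of the first bad record or None)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return False, i  # link broken: a record was removed, inserted, or reordered
        expected = hmac.new(key, prev.encode() + canonical(rec["event"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, i  # record content or MAC altered
        prev = rec["mac"]
    return True, None


def demo_chain():
    """Three constructed events written through append()."""
    chain = []
    for e in [
        {"ts": "2024-03-13T09:14:02Z", "host": "web01", "user": "admin", "outcome": "failure"},
        {"ts": "2024-03-13T09:14:05Z", "host": "web01", "user": "deploy", "outcome": "success"},
        {"ts": "2024-03-13T09:15:41Z", "host": "web01", "user": "deploy", "action": "sudo"},
    ]:
        append(chain, e)
    return chain


def tamper_test():
    """Rewrite history in the second record and report what verify() sees before and after."""
    chain = demo_chain()
    ok_before, _ = verify(chain)
    chain[1]["event"]["outcome"] = "failure"
    ok_after, bad = verify(chain)
    return ok_before, ok_after, bad
```

Note that a hash chain alone only proves records are consistent with each other; an attacker who holds the key can rebuild the chain. That is why the key must stay out of reach of anyone who can write to the store, and why some regimes additionally require periodic anchoring or a signature from a key the SIEM operators do not control.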

Event correlation

Perhaps the biggest reason to implement SIEM is the ability to correlate logs from disparate (and/or integrated) systems into a single view. For example, a single application on your network could be made up of various components such as a database, an application server, and the application itself. The SIEM should be able to consume log events from each of these components, even if they are distributed across multiple hosts, and correlate those events into a single stream. This enables you to see how events within one component lead to events within another component.

The same principle applies to an enterprise network. In many cases, correlated event logs can be used to identify a suspicious privilege escalation or to track an attack as it moves across network segments. This broad view has become increasingly relevant as organizations move to the cloud or adopt container-based infrastructure such as Kubernetes.
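The correlation engine described earlier in "How does SIEM work?" and the single-view correlation this section asks for, as one added example that is not from the article or any vendor's engine: a rule that links a burst of authentication failures from one source address, a subsequent successful login from the same address, and a privilege escalation by that user on the same host, across events from a firewall, sshd, and sudo. The events are already normalized (the shape a SIEM parser produces) and are constructed, including noise that must not trigger.

```python
"""Multi-source correlation: brute force, then success, then escalation.

Added example, not from the article or any SIEM product. Runs over
normalised events from three sources on two hosts; all events are constructed.
"""
from datetime import datetime, timedelta


def T(s):
    """Constructed timestamp on 2024-03-13 from an HH:MM:SS string."""
    return datetime.strptime(s, "%H:%M:%S").replace(year=2024, month=3, day=13)


EVENTS = [
    # Firewall: the connection that starts it all.
    {"ts": T("09:13:50"), "src": "fw", "host": "edge", "category": "network",
     "src_ip": "203.0.113.9", "action": "allow", "dst_port": 22},
    # sshd on web01: password spraying, ten failures in twenty seconds.
    *[{"ts": T(f"09:14:{s:02d}"), "src": "sshd", "host": "web01", "category": "authentication",
       "outcome": "failure", "user": u, "src_ip": "203.0.113.9"}
      for s, u in zip(range(2, 22, 2),
                      ["admin", "root", "deploy", "admin", "root", "deploy", "oracle", "deploy", "admin", "deploy"])],
    {"ts": T("09:14:30"), "src": "sshd", "host": "web01", "category": "authentication",
     "outcome": "success", "user": "deploy", "src_ip": "203.0.113.9"},
    # sudo on web01: the escalation that makes this critical.
    {"ts": T("09:15:41"), "src": "sudo", "host": "web01", "category": "privilege_escalation",
     "user": "deploy", "target_user": "root", "command": "/bin/bash"},
    # Noise: a failure burst on db01 that never succeeds, and an unrelated legitimate sudo.
    *[{"ts": T(f"09:20:{s:02d}"), "src": "sshd", "host": "db01", "category": "authentication",
       "outcome": "failure", "user": "root", "src_ip": "198.51.100.7"} for s in range(0, 30, 3)],
    {"ts": T("09:22:10"), "src": "sudo", "host": "db01", "category": "privilege_escalation",
     "user": "dba", "target_user": "postgres", "command": "/usr/bin/psql"},
]


def correlate(events, min_failures=5, window=timedelta(minutes=5),
              escalation_within=timedelta(minutes=10)):
    """Return incidents: a success preceded by >= min_failures failures from the same
    source within `window`, rated critical if the same user then escalates on that host."""
    events = sorted(events, key=lambda e: e["ts"])
    incidents = []
    for i, e in enumerate(events):
        if e.get("category") != "authentication" or e.get("outcome") != "success":
            continue
        failures = [f for f in events[:i]
                    if f.get("category") == "authentication" and f.get("outcome") == "failure"
                    and f.get("src_ip") == e["src_ip"] and e["ts"] - f["ts"] <= window]
        if len(failures) < min_failures:
            continue
        escalations = [s for s in events[i + 1:]
                       if s.get("category") == "privilege_escalation"
                       and s["host"] == e["host"] and s["user"] == e["user"]
                       and s["ts"] - e["ts"] <= escalation_within]
        incidents.append({
            "severity": "critical" if escalations else "high",
            "src_ip": e["src_ip"], "host": e["host"], "user": e["user"],
            "failures": len(failures),
            "usernames_tried": sorted({f["user"] for f in failures}),
            "chain": failures + [e] + escalations,   # the single correlated view
        })
    return incidents
```

On the constructed stream this yields exactly one incident, rated critical, whose chain runs from the first failed login through the sudo to root; the db01 failures produce nothing because no success follows them, and the dba user's sudo is never linked to the attacking address. None of the individual events would trip a sensible per-source alert on its own.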

SIEM ecosystems

SIEM depends on connecting with other systems from a variety of vendors. There are data exchange standards for this, from text-based log files to protocols such as syslog and SNMP (Simple Network Management Protocol) and line formats such as CEF and LEEF that most SIEMs parse natively. If the SIEM can integrate directly (or through plugins) with other systems, that makes things much easier. A SIEM with a robust, mature ecosystem enables you to enhance features such as event collection, analysis, alerting, and automation.

In addition to the system enhancements to be had through a SIEM ecosystem, there are other business benefits to consider. For example, a widely adopted SIEM will often create demand for training, drive community-based support, and even help streamline the hiring process.

Interaction via API

An ecosystem offering extensibility is great, but it will not meet all the diverse needs of every business. If your business involves software development, and particularly if your company has invested time and effort in DevOps, the ability to interact with your SIEM programmatically can make a huge difference: your applications can emit security-relevant events in a format the SIEM already understands, and your pipelines can query it. Rather than each team building its own logging for the sake of security or debugging, the SIEM ingests, correlates, and analyzes event data from your custom code.

Do I need AI-enhanced SIEM?

SIEM would seem like a tailor-made use case for AI-backed analysis, and vendors aren’t shy about implementing AI-based features. Generally, these features are centered around analysis and alerting, but this means much more than reports. AI-enabled SIEM systems can integrate with immense cloud data feeds from a variety of vendors and sources, knowledge which can be leveraged to build deep context into your event data without lifting a finger. This context is essential to triaging events, identifying attack chains, and putting together a plan for incident response. Do keep in mind that the AI question may be tied to the cloud or on-prem question: on-prem offerings can support your needs with AI, but may require those workloads to be farmed out to cloud services, which reopens the data-residency question.

How much to pay for SIEM

SIEM is not an area where you want to tighten your purse strings too far. Cost is a factor in your SIEM decision, of course, but calculating it involves nuance. You also don’t want to cut corners to save money on your SIEM only to end up the victim of an attack that could have been detected weeks earlier. SIEM platforms offered as a cloud service are almost always sold by subscription, but your bill may include usage charges based on ingested data volume (commonly priced per gigabyte per day), retention period, or the number of endpoints being monitored. There are well-respected SIEM platforms available for free under an open-source license, but be aware of hidden costs such as support, hosting, and the staff time to operate them, and make sure the solution meets all of your business needs. The bottom line: once you’ve narrowed down your SIEM candidates to those that have the features you need, compare in detail the subscription and usage charges you’re likely to incur. If you prefer a more expensive offering, consider where you can gain efficiency, for instance by filtering noisy, low-value events at the collector before they count against your ingest quota, or by keeping a shorter hot retention window.