ContactSupportBlogPartner Portal

SIEM, Simplified

November 18, 2018

Do you need better insight into the overall state of your network security? Take a step back and look through the larger lens of the SIEM solution. Security information and event management (SIEM) is an approach to security management that combines two aspects:

  • Security Event Management (SEM) - deals with real-time monitoring and correlation of events, as well as the notifications and console views
  • Security Information Management (SIM) - provides long-term storage, manipulation, and report generation of all security records gathered by the SEM software

Coined in 2005 by Amrit Williams and Mark Nicolett of Gartner, the term SIEM now serves as a  synonym for the gathering, analyzing, and presenting network and security information as well as external threat data and vulnerability management. It is used as a policy compliance tool and a centralized log collector for logs from systems, applications, and databases.

However, SIEM is not a detection mechanism or a security control on its own--it is more of a toolbox where all other security technologies you use will become more effective. You have full insight into the information required to make informed and well-reasoned investigations into network activities, which allows you to determine impact on your environment’s overall security.

What Should a SIEM Solution Include?

The answer to this question is rather straightforward: every SIEM solution should have a clear and a straightforward way to present gathered data and make your life (and the lives of your security analysts) that much simpler. SIEMs should do the following:

  • Correlate security events. It will link events based on common attributes and present that set of information as a bundle. This functionality is one of the most important features of SIEM, since security breach attempts are usually characterized by repetitive actions.
  • Store accumulated data. Having access to long-term data is crucial in forensic security breach investigations. Catching someone in the act just as they try to make an attempt on your network is highly unlikely.
  • Have forensic search capabilities. Inputting certain criteria should be sufficient for you to get what are you looking for.
  • Sound the alarm when necessary. The solution should recognize suspicious activity (for example, a huge number of unsuccessful login attempts from the same IP address) and notify your team through a dashboard, email, or even via text message.
  • Have a reporting feature. All security information should be presented in easy-to-understand format. This visualization allows for easy data interpretation. Also, through reporting, you will gain access to compliance data and thus the compliance reports. These reports are crucial in existing security, governance, and auditing processes.
  • Have machine learning capabilities. This feature is not “a must” for all SIEM solutions, but it is good to have. Essentially, the tool learns from previous trends and events, and begins to recognize patterns that led to the problems in the past. Pair it up with the alerts, and you are looking at an additional level of network defense.

Apart from these, there is one more feature that every SIEM solution should have or work with. It often gets mixed up with security information and event management, and has caused quite a stir when it comes to differentiating these two terms. Of course, we are talking about Log Management.

What is the Difference Between SIEM and Log Management?

Organizations using only SIEM could be missing some valuable information, since SIEM-only vendors often forces an organization to curtail the amount of log detail they can collect, due to the pricing model. Not only is this expensive, but it opens up your organization to further vulnerability since it takes longer to correlate and search data for potential breaches.

Log management solutions gather and store log files from various sources in a single, centralized location. This additional capability allows your team to gain deeper insight and faster access to all relevant data when investigating possible threats or determining prevention methods for  future security issues.

To further distinguish  between SIEM and log management, all we have to do is check what kind of data they provide: event data or state data.

  • Logs provide you with an exact list of all events that occured on your server, network, or website. Managing these logs gives you exact insight into what happened and when. This kind of information is event data.
  • SIEM, on the other hand, provides you with all of the information that logs do, but also provides you with state data as well. State data gives you the view of the overall state of the system: configurations, current applications, active users, processes, registry settings, and vulnerabilities. Understanding the full state of the system is the foundation for all security-related decisions.

The combination of event and state data is the next step in understanding cybersecurity, as well as increasing cyber awareness. Do not be left behind.

Conclusion

We all know that there is no universal weapon in battling today’s security issues. Those who are adamant about breaching your network, website, or server security will not try just one method and give up---they will try to find new ways to come through your firewall, and gain that vital information they are after. However, having a proper SIEM toolbox at your disposal can make the difference between losing this digital battle or staying on top.



Written By

@
Add Graylog to your RSS feed
How to use RSS
RSS feeds allow you to see when websites have added new content. You can get the new content as soon as it's published, without having to visit the website. To start getting RSS feeds you will need a RSS feed reader on your device.
Back to Blog Posts

Stay In The Know

Get Graylog email updates and be the first to know about new content, product updates, and tips and tricks!