What Is SIEM? Definition and How It Works

SIEM stands for security information and event management. In practice, SIEM software solutions combine the benefits of security information management (SIM) and security event management (SEM) into a comprehensive security solution capable of providing real-time analysis of security alerts generated by your apps and hardware.

How does SIEM work?

SIEM works by collecting information from logs and event data generated by an organization across its applications, security systems, and hardware. By matching events against rules and analytics engines, it’s possible for SIEM systems to detect and analyze security threats in real time. Better still, everything is indexed for search to help security teams in their analyses, log management, and reporting.

Examples of threats a SIEM solution can detect

Unauthorized access

A handful of failed login attempts is understandable. Dial that number up to 100 and someone is probably performing a brute force attack. SIEM software can monitor user behavior and identify unusual access attempts.
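The rule matching described under "How does SIEM work?" and the failed-login threshold above, as an added example that is not part of the original article: a small Python detector that normalizes constructed OpenSSH-style login lines, counts failures per source IP over a sliding time window, raises an alert at the 100-failure mark, and escalates if that source later authenticates successfully. The log format, host name, IP addresses and function names are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH-style auth lines are assumed as the input shape (constructed for this example).
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
                     r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse_line(line, year=2024):
    """Normalize one raw line into an event dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}

def detect_brute_force(lines, threshold=100, window=timedelta(minutes=10)):
    """Flag a source IP once its failures within `window` reach `threshold`; escalate if it then succeeds."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the sliding window
    flagged, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an auth event; a real SIEM routes it to other rules
        q = recent[ev["ip"]]
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # expire failures older than the window
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"rule": "brute_force", "severity": "medium", "ip": ev["ip"],
                               "failures": len(q), "ts": ev["ts"]})
        elif ev["outcome"] == "Accepted" and ev["ip"] in flagged:
            alerts.append({"rule": "brute_force_success", "severity": "high", "ip": ev["ip"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts

def sample_lines():
    """Constructed sample log: 120 failures from one source in two minutes, then a success from it."""
    base, fmt, lines = datetime(2024, 3, 10, 8, 0, 0), "%b %d %H:%M:%S", []
    for i in range(120):
        t = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{t} bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port {50000 + i} ssh2")
    for i in range(3):  # benign noise: a user mistyping a password three times
        t = (base + timedelta(seconds=30 * i)).strftime(fmt)
        lines.append(f"{t} bastion sshd[2202]: Failed password for alice from 198.51.100.5 port 40001 ssh2")
    t = (base + timedelta(seconds=125)).strftime(fmt)
    lines.append(f"{t} bastion sshd[2203]: Accepted password for deploy from 203.0.113.7 port 50200 ssh2")
    return lines
```

Running `detect_brute_force(sample_lines())` yields a medium alert for 203.0.113.7 at its 100th failure and a high alert when the same source logs in as `deploy`; the three mistyped passwords from 198.51.100.5 never cross the threshold.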

Insider threats

By constantly monitoring employee behavior, SIEM systems can detect insider threats, both accidental and malicious. From former employees whose access privileges have yet to be revoked, to malicious insiders who may be trying to steal or leak sensitive information, to accidental security changes, SIEM software can detect anomalous behavior and escalate it to a security analyst for review.

Phishing

Phishing attacks are designed to get people to voluntarily divulge personal or sensitive information by impersonating a trusted authority. The most common form of phishing is emails with malicious links or attachments from attackers masquerading as vendors, managers, or personnel. Besides security training, a SIEM solution can detect things like employee logins from suspicious locations at unusual times, which may be a sign of a compromised employee account. You can then lock out that user profile to prevent damage until the access can be confirmed by the employee.

DoS and DDoS attacks

Denial-of-service (DoS) attacks disrupt services by flooding networks with enough traffic to tie up system resources and trigger a crash. The frequency of such threats is rising because of the ease with which botnets can conscript unwitting users’ network devices into their own swarms for performing distributed denial-of-service (DDoS) attacks. By monitoring your web server logs, SIEM software can flag anomalous traffic events that may be indicative of a DoS or DDoS attack. Catching such attacks early on can give your security team time to mount a defense and plan restoration of services.

Code injection

Code injection involves injecting malicious code into client-side input channels, such as online forms, to gain access to an application’s database or systems. The most common example is SQL injection, in which SQL commands are inserted into unsanitized input, allowing the attacker to modify or delete data directly in the database. By monitoring activity from web applications, it’s possible to flag anomalous events and use event correlation to see whether any changes to your system have occurred.

Ransomware and other malware

Ransomware, viruses, worms, trojans, and other types of malware are software designed to infiltrate computer systems and execute malicious programs. The best defense against such attacks is prevention, and SIEM systems give you the monitoring capabilities you need to make sense of security logs, identify attack vectors, and catch anomalous behavior that might lead to an attack. Once a system has been compromised, SIEM can also help you identify the scope of damage from a malware attack, giving your security team the information they need to resolve the issue.

MITM attacks

A man-in-the-middle (MITM) attack is when a malicious third party eavesdrops on communications between two hosts to steal or manipulate information. Once communications have been intercepted, the attacker can employ a number of techniques from hijacking user sessions by sniffing password inputs to injecting malicious packets into data communication streams. Frequent connections or disconnections to unfamiliar locations may point to a MITM attack, which is why SIEM can be an invaluable tool in helping catch eavesdroppers before it's too late.

When to use SIEM with examples

SIEM systems serve as a core component of any enterprise security infrastructure. Let’s take a look at some examples of SIEM use cases.

Compliance with data standards

SIEM systems aggregate data from event logs, security tools, and devices across the enterprise. It’s the perfect tool to assist with generating compliance and regulatory reports.

Here are some examples:

  • GDPR: The General Data Protection Regulation (GDPR) was enacted by the European Union (EU) to protect the personal data of EU citizens.
  • HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the US legislature to protect sensitive patient health information.
  • PCI: Payment Card Industry Data Security Standard (PCI DSS) is an information security standard mandated by major credit card companies to protect their customers.
  • SOX compliance: The Sarbanes-Oxley (SOX) Act is a US regulation that targets corporate accounting fraud. It applies to public company boards, management, and accounting firms and requires accurate reporting of where sensitive information is stored, who has access to it, and how it is being used.

Because SIEM provides structured access to log information and security data across your enterprise, it’s possible to create detailed reports for regulatory bodies and individual data owners alike.

Advanced security threat detection

As covered in greater detail in the previous section, “Examples of threats a SIEM solution can detect,” SIEM systems were made for detecting advanced security threats. Let’s look at some more general examples of how SIEM systems support active threat hunting.

  • Identifying anomalies: Behavioral analytics and event correlation can flag anomalies for closer inspection by security teams.
  • Data exfiltration: Having a bird’s-eye view of how your data is being used can tip you off to insider threats and other unauthorized attempts to transfer sensitive information outside of your organization.
  • Response to new vulnerabilities: If a new zero-day exploit or system vulnerability is identified, a SIEM solution can help you quickly identify the scope of the vulnerability so you can close it.
  • Learn from past incidents: When an incident occurs, you can quickly check if it has happened before. Past experience dealing with the problem can help you prevent future occurrences or deal with repeat incidents quicker.
  • Threat intelligence: Intelligently detect attacks in IT systems by applying AI to security data and logs. Pattern match known attack signatures to historical data.
  • Guide investigations: Empower analysts to test hypotheses via data exploration through a SIEM platform.

Securing IoT deployments

The internet of things (IoT) exists as a fleet of distributed network devices, each streaming its own event logs in real time. SIEM systems are ideal for securing IoT deployments.

  • IoT device monitoring: IoT devices are prime targets for hijacking into botnets for conducting DDoS attacks. Constant monitoring from a SIEM system can tip you off to anomalous behavior indicative of a compromised device.
  • Data flow monitoring: IoT devices often communicate with each other over unencrypted protocols. A SIEM solution can detect unusual traffic patterns between nodes in your IoT network and alert security teams when sensitive information is compromised.
  • Access control: Monitoring who accesses your IoT devices and when can tip you off to suspicious activity or connections.
  • Vulnerability management: A SIEM solution can help you detect old operating systems and unpatched vulnerabilities in the IoT devices in your fleet. It can also help you isolate devices most likely to be attacked, such as those with access points to sensitive data or critical functions.

How is SIEM different from an IDS?

The primary difference between a SIEM system and an intrusion detection system (IDS) is that SIEM is preventative, while an IDS is optimized to detect and report threat events as they occur. While both tools will create alerts and generate logs, only the SIEM system can centralize and correlate that log information across different devices and systems to get a bird’s-eye view of your enterprise security.

Organizations will often use both SIEM and IDS together. The IDS will help during an attack. The SIEM solution will take those IDS logs and make them available alongside other system information so security teams can generate compliance reports and prevent future attacks.

SIEM vs. SOAR: What’s the difference?

Security orchestration, automation, and response (SOAR) is the relatively new kid on the block. It expands on the capabilities of SIEM by also letting you automate investigation workflows, which cuts down on the time required to handle alerts.

SIEM identifies threats by correlating information from multiple sources, including firewalls, applications, servers, and devices. The SIEM solution will try to provide the most relevant information to the security team with suggestions for remediation, but it’s on the security team to track down and remediate the source of a potential threat.

The SOAR platform does all of that and more by taking the extra step to automate the investigation path. It goes beyond simply alerting the security team to a potential threat by using AI to learn pattern behaviors and address threats automatically through orchestration.

Common SIEM cybersecurity vendors

Some popular SIEM tools on the market include:


Conclusion

In summary, SIEM stands for security information and event management. SIEM tools can be used to detect and prevent a variety of threats, including code injection, ransomware attacks, and DDoS attacks. They’re especially useful for detecting anomalies, such as unauthorized access, suspicious login attempts, and unusual data flows. If you need a security platform that can aggregate logs from multiple sources into one centralized location for security analysis, a SIEM solution can help.
