SIEM stands for security information and event management. In practice, SIEM software solutions combine the benefits of security information management (SIM) and security event management (SEM) into a comprehensive security solution capable of providing real-time analysis of security alerts generated by your apps and hardware.
SIEM works by collecting information from logs and event data generated by an organization across its applications, security systems, and hardware. By matching events against rules and analytics engines, it’s possible for SIEM systems to detect and analyze security threats in real time. Better still, everything is indexed for search to help security teams in their analyses, log management, and reporting.
Unauthorized access
A handful of failed login attempts is understandable. Dial that number up to 100 from the same source in a few minutes and someone is probably performing a brute-force attack. SIEM software can count and correlate those attempts per account and per source, monitor user behavior, and identify unusual access attempts.
Insider threats
By constantly monitoring employee behavior, SIEM systems can detect insider threats both accidental and malicious. From former employees, who have yet to have their access privileges revoked, to malicious insiders, who may be trying to steal or leak sensitive information, to accidental security changes, SIEM software can detect anomalous behavior and escalate it to a security analyst for analysis.
Phishing
Phishing attacks are designed to get people to voluntarily divulge personal or sensitive information by impersonating a trusted authority. The most common form of phishing is emails with malicious links or attachments from attackers masquerading as vendors, managers, or personnel. Besides security training, a SIEM solution can detect things like employee logins from suspicious locations at unusual times, which may be a sign of a compromised employee account. You can then lock out that user profile to prevent damage until the access can be confirmed by the employee.
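The two rules described above (a failed-login threshold and a login from an unusual location or hour), written out as a small set of detection rules in Python. This is an added example, not code from the original page or from any SIEM product: the log format, the thresholds, the business-hours window and the per-user baseline of "usual" countries are all assumptions, and the log lines are constructed. It also shows the correlation step a SIEM adds on top of a plain counter: a successful login from a source that was just brute-forcing is escalated as a probable credential compromise.

```python
"""Toy SIEM detection rules over authentication events.

Added example, not code from the original page or any SIEM product.
The log format, thresholds and user baselines below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events: "<timestamp> <source> key=value ...".
AUTH_LOG = """\
2024-03-04T09:00:01Z vpn1 user=alice src=203.0.113.7 geo=US result=FAIL
2024-03-04T09:00:02Z vpn1 user=alice src=203.0.113.7 geo=US result=FAIL
2024-03-04T09:00:03Z vpn1 user=alice src=203.0.113.7 geo=US result=FAIL
2024-03-04T09:00:04Z vpn1 user=alice src=203.0.113.7 geo=US result=FAIL
2024-03-04T09:00:05Z vpn1 user=alice src=203.0.113.7 geo=US result=FAIL
2024-03-04T09:00:09Z vpn1 user=alice src=203.0.113.7 geo=US result=OK
2024-03-04T09:15:00Z vpn1 user=bob src=198.51.100.20 geo=DE result=FAIL
2024-03-04T09:15:30Z vpn1 user=bob src=198.51.100.20 geo=DE result=OK
2024-03-04T03:12:00Z vpn1 user=bob src=198.51.100.9 geo=RU result=OK
2024-03-04T10:00:00Z vpn1 user=carol src=192.0.2.44 geo=DE result=OK
"""

# Assumed per-user "usual" countries; a real SIEM would learn these from history.
USER_BASELINE = {"alice": {"US"}, "bob": {"US", "DE"}, "carol": {"US"}}


def parse_log(text):
    """Parse the constructed key=value format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, kv = line.split(" ", 2)
        ev = dict(pair.split("=", 1) for pair in kv.split())
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        ev["source"] = source
        events.append(ev)
    # Sources rarely deliver in order; correlation assumes a timeline.
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Fire once per source IP when `threshold` failures fall inside `window`.

    The page's example uses 100 attempts; 5 keeps the sample short.
    """
    failures = defaultdict(deque)
    alerts, fired = [], set()
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        q = failures[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in fired:
            fired.add(ev["src"])             # one alert per source, not one per attempt
            alerts.append({"rule": "brute_force", "src": ev["src"],
                           "user": ev["user"], "count": len(q), "ts": ev["ts"]})
    return alerts


def detect_suspicious_login(events, baseline=USER_BASELINE, business_hours=(7, 19)):
    """Successful logins from a country outside the user's baseline or outside
    business hours (UTC); either alone is enough to raise the alert."""
    alerts = []
    for ev in events:
        if ev["result"] != "OK":
            continue
        reasons = []
        if ev["geo"] not in baseline.get(ev["user"], set()):
            reasons.append("geo:" + ev["geo"])
        if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
            reasons.append("hour:%02d" % ev["ts"].hour)
        if reasons:
            alerts.append({"rule": "suspicious_login", "user": ev["user"],
                           "src": ev["src"], "reasons": reasons, "ts": ev["ts"]})
    return alerts


def correlate_success_after_brute_force(events, brute_alerts, window=timedelta(minutes=10)):
    """Escalate when a brute-forcing source then logs in successfully: the
    password was probably guessed. Joining two event types like this is what
    separates a SIEM rule from a single failed-login counter."""
    escalations = []
    for alert in brute_alerts:
        for ev in events:
            if (ev["result"] == "OK" and ev["src"] == alert["src"]
                    and alert["ts"] <= ev["ts"] <= alert["ts"] + window):
                escalations.append({"rule": "credential_compromise", "user": ev["user"],
                                    "src": ev["src"], "ts": ev["ts"]})
                break
    return escalations


def run_rules(text=AUTH_LOG):
    """Run all rules over one log and return the combined alert list."""
    events = parse_log(text)
    brute = detect_brute_force(events)
    return brute + detect_suspicious_login(events) + correlate_success_after_brute_force(events, brute)


if __name__ == "__main__":
    for alert in run_rules():
        print(alert)
```

On the sample, the rules produce four alerts: a brute-force alert for 203.0.113.7, two suspicious logins (bob from RU at 03:12, carol from DE), and one escalation because alice's account accepted a login from the brute-forcing source four seconds after the threshold was crossed. The one-alert-per-source dedup is deliberate; without it a 10,000-attempt run would produce thousands of identical alerts.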
DoS and DDoS attacks
Denial-of-service (DoS) attacks disrupt services by flooding networks or servers with enough traffic to exhaust system resources so that legitimate requests fail or the service crashes. The frequency of such threats is rising because of the ease with which botnets can conscript unwitting users' network devices into their own swarms for performing distributed denial-of-service (DDoS) attacks. By monitoring your web server and network device logs, SIEM software can flag anomalous traffic events, such as a request rate far above the normal baseline or a sudden burst from many previously unseen sources, that may be indicative of a DoS or DDoS attack. Catching such attacks early on can give your security team time to mount a defense and plan restoration of services.
Code injection
Code injection involves supplying attacker-controlled input through channels such as web forms, URL parameters, or API fields that an application then passes, unsanitized, to an interpreter, giving the attacker access to the application's database or underlying systems. The most common example is SQL injection, in which SQL fragments are inserted into unsanitized input so that the attacker can read, modify, or delete data directly in the database. By monitoring web application and database logs, it's possible to flag requests that look like injection attempts and use event correlation to see whether any changes to your data or systems followed them.
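The web-log monitoring described in the DoS and code injection sections above, as an added example in Python rather than code from the original page or from any SIEM product. The access-log and database-audit formats, the injection heuristics, and the flood threshold are assumptions, and all log lines are constructed (the DDoS burst is generated in a loop). It goes slightly beyond the text in two ways: the flood rule compares each second against a baseline rather than a fixed number, and the injection rule is correlated with database audit events to show the "did anything change" step. Note that a database audit log only records the application's service account, not the attacker's IP address, so that correlation has to be done by time window.

```python
"""Toy SIEM rules over web server access logs and database audit logs.

Added example, not code from the original page or any SIEM product.
Log formats, thresholds and injection heuristics are assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: "<timestamp> <client ip> <method> <path> <status>",
# followed by a 30-request burst from 30 different addresses in one second.
ACCESS_LOG = [
    "2024-03-04T12:00:00Z 203.0.113.5 GET /search?q=shoes 200",
    "2024-03-04T12:00:01Z 203.0.113.6 GET /item?id=42 200",
    "2024-03-04T12:00:02Z 203.0.113.9 GET /item?id=42%27%20OR%201%3D1-- 200",
    "2024-03-04T12:00:03Z 203.0.113.9 GET /item?id=42%3B%20DROP%20TABLE%20orders-- 500",
    "2024-03-04T12:00:04Z 203.0.113.5 GET /search?q=it%27s+a+shoe 200",
] + [f"2024-03-04T12:00:05Z 198.51.100.{i} GET / 503" for i in range(30)]

# Constructed database audit events: "<timestamp> dbuser=<account> stmt=<sql>".
DB_AUDIT = [
    "2024-03-04T12:00:03Z dbuser=webapp stmt=DROP TABLE orders",
    "2024-03-04T12:30:00Z dbuser=dba stmt=ALTER TABLE orders ADD COLUMN note TEXT",
]

# Heuristics for decoded parameter values; a real ruleset is much longer.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I),   # ' OR 1=1
    re.compile(r"union\s+(all\s+)?select", re.I),        # UNION SELECT
    re.compile(r";\s*(drop|alter|delete|update|insert)\b", re.I),  # stacked query
]
CHANGE_STMT = re.compile(r"^(drop|alter|delete|update|truncate)\b", re.I)


def parse_access(lines):
    """Split each line and decode the query string into (name, value) pairs."""
    events = []
    for line in lines:
        ts, src, method, path, status = line.split()
        parts = urlsplit(path)
        events.append({"ts": datetime.strptime(ts, FMT), "src": src, "method": method,
                       "path": parts.path, "status": int(status),
                       "params": parse_qsl(parts.query, keep_blank_values=True)})
    return events


def parse_db_audit(lines):
    out = []
    for line in lines:
        ts, rest = line.split(" ", 1)
        user, stmt = rest.split(" stmt=", 1)
        out.append({"ts": datetime.strptime(ts, FMT),
                    "dbuser": user.split("=", 1)[1], "stmt": stmt})
    return out


def detect_injection(events):
    """One alert per request whose decoded parameters match an injection pattern.
    Matching runs on decoded values so URL encoding does not hide the payload."""
    alerts = []
    for ev in events:
        for name, value in ev["params"]:
            if any(p.search(value) for p in SQLI_PATTERNS):
                alerts.append({"rule": "sqli_attempt", "src": ev["src"], "ts": ev["ts"],
                               "param": name, "value": value})
                break
    return alerts


def detect_flood(events, factor=10, min_requests=10):
    """Requests per second against a baseline (the median second). Reports the
    number of distinct sources so an analyst can tell one flooder from a botnet."""
    per_second = defaultdict(list)
    for ev in events:
        per_second[ev["ts"]].append(ev["src"])
    threshold = max(min_requests, factor * statistics.median(len(s) for s in per_second.values()))
    alerts = []
    for ts, srcs in sorted(per_second.items()):
        if len(srcs) >= threshold:
            alerts.append({"rule": "traffic_flood", "ts": ts, "requests": len(srcs),
                           "distinct_sources": len(set(srcs)),
                           "distributed": len(set(srcs)) > 1})
    return alerts


def correlate_injection_with_db_changes(sqli_alerts, db_events, window=timedelta(seconds=60)):
    """Escalate a data-changing statement that follows an injection attempt
    within `window`; correlation is by time because the database only sees
    the application's service account."""
    escalations = []
    for db in db_events:
        if not CHANGE_STMT.match(db["stmt"]):
            continue
        prior = [a for a in sqli_alerts if db["ts"] - window <= a["ts"] <= db["ts"]]
        if prior:
            escalations.append({"rule": "sqli_with_db_change", "stmt": db["stmt"],
                                "ts": db["ts"], "sources": sorted({a["src"] for a in prior})})
    return escalations


if __name__ == "__main__":
    web = parse_access(ACCESS_LOG)
    sqli = detect_injection(web)
    for a in sqli + detect_flood(web) + correlate_injection_with_db_changes(sqli, parse_db_audit(DB_AUDIT)):
        print(a)
```

The benign query "it's a shoe" contains an apostrophe but matches none of the patterns, which is the false-positive case any injection rule has to survive. The DROP TABLE at 12:00:03 is escalated because an injection attempt from 203.0.113.9 preceded it by one second; the DBA's ALTER at 12:30 is not, since nothing suspicious preceded it.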
Ransomware and other malware
Ransomware, viruses, worms, trojans, and other types of malware are software designed to infiltrate computer systems and execute malicious programs. The best defense against such attacks is prevention, and SIEM systems give you the monitoring capabilities you need to make sense of security logs, identify attack vectors, and catch anomalous behavior that might lead to an attack. Once compromised, SIEM can also help you identify the scope of damage of a malware attack, giving your security team the information they need to resolve the issue.
MITM attacks
A man-in-the-middle (MITM) attack is when a malicious third party positions itself between two hosts to eavesdrop on or manipulate their communications. Once traffic has been intercepted, the attacker can employ a number of techniques, from hijacking user sessions by capturing passwords or session tokens sent without encryption to injecting malicious packets into the data stream. Indicators such as repeated connections or disconnections involving unfamiliar hosts, certificate validation errors, or unexpected changes in the network path may point to a MITM attack, which is why a SIEM that collects these signals from endpoints and network devices can be an invaluable tool in helping catch eavesdroppers before it's too late.
SIEM systems serve as a core component of any enterprise security infrastructure. Let’s take a look at some examples of SIEM use cases.
Compliance with data standards
SIEM systems aggregate data from event logs, security tools, and devices across the enterprise. That makes them well suited to generating compliance and regulatory reports, since the evidence auditors ask for (who accessed what, when, and from where) is already collected and searchable in one place.
Here are some examples:
Because SIEM provides structured access to log information and security data across your enterprise, it’s possible to create detailed reports for regulatory bodies and individual data owners alike.
Advanced security threats detection
As covered in greater detail in the previous section, “Examples of threats a SIEM solution can detect,” SIEM systems were made for detecting advanced security threats. Let’s look at some more general examples of how SIEM systems support active threat hunting.
Securing IoT deployments
The internet of things (IoT) exists as a fleet of distributed network devices, each streaming its own event logs in real time. Because such devices rarely run endpoint security software of their own, centralizing their logs in a SIEM is often the most practical way to monitor them, which makes SIEM systems a natural fit for securing IoT deployments.
The primary difference between a SIEM system and an intrusion detection system (IDS) is scope. An IDS inspects network traffic or host activity from a single vantage point and raises an alert when it matches a signature or looks anomalous; it does not, by itself, see what happened elsewhere. While both tools will create alerts and generate logs, only the SIEM system can centralize and correlate that log information across different devices and systems to get a bird's-eye view of your enterprise security.
Organizations will often use both SIEM and IDS together. The IDS supplies real-time alerts from the network during an attack. The SIEM solution takes those IDS alerts and makes them available alongside firewall, authentication, and application logs, so security teams can confirm whether an alert matters, generate compliance reports, and tune defenses against future attacks.
Security orchestration, automation, and response (SOAR) is the relatively new kid on the block. It expands on the capabilities of SIEM by also allowing you to automate investigation and response workflows, usually expressed as playbooks. This cuts down on the time required to handle alerts.
SIEM identifies threats by correlating information from multiple sources, including firewalls, applications, servers, and devices. The SIEM solution will try to provide the most relevant information to the security team with suggestions for remediation, but it’s on the security team to track down and remediate the source of a potential threat.
The SOAR platform does all of that and more by taking the extra step to automate the investigation path. It goes beyond simply alerting the security team to a potential threat: a playbook enriches the alert, contains the threat (blocking an address, isolating a host), and opens the ticket automatically, escalating to an analyst only where a step needs human approval. Some platforms also apply machine learning to learn which alert patterns warrant which response.
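The SIEM and SOAR stages described in the last few paragraphs, as an added example in Python; this is not code from the original page or from any SIEM or SOAR product. The normalized event schema, the correlation rule (an IDS exploit alert against a host, followed by that host connecting back to the attacker through the firewall) and the playbook steps are all assumptions, the events are constructed, and the response actions are simulated as returned tuples rather than sent to a real firewall or directory.

```python
"""Cross-source correlation (SIEM stage) feeding an automated playbook (SOAR stage).

Added example, not code from the original page or any product. Event schema,
correlation rule and playbook actions are assumptions; actions are simulated.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed events, already normalized to one schema the way a SIEM's
# per-source parsers would. Three sources: IDS, firewall, authentication.
EVENTS = [
    {"ts": "2024-03-04T14:00:00Z", "source": "ids", "kind": "exploit_attempt",
     "src": "198.51.100.77", "dst": "10.0.5.12"},
    {"ts": "2024-03-04T14:00:20Z", "source": "firewall", "kind": "allow",
     "src": "10.0.5.12", "dst": "198.51.100.77", "dport": 4444},
    {"ts": "2024-03-04T14:01:00Z", "source": "auth", "kind": "login_ok",
     "user": "svc-backup", "host": "10.0.5.12"},
    {"ts": "2024-03-04T15:00:00Z", "source": "ids", "kind": "exploit_attempt",
     "src": "192.0.2.200", "dst": "10.0.5.40"},
    {"ts": "2024-03-04T15:00:05Z", "source": "firewall", "kind": "deny",
     "src": "10.0.5.40", "dst": "192.0.2.200", "dport": 4444},
]


def parse_ts(s):
    return datetime.strptime(s, FMT)


def correlate(events, window=timedelta(minutes=5)):
    """SIEM stage: turn each IDS exploit alert into an incident, then raise its
    confidence if the targeted host connected back to the attacker (a sign the
    exploit worked) and attach any logins on that host inside the window."""
    incidents = []
    for ids in (e for e in events if e["source"] == "ids" and e["kind"] == "exploit_attempt"):
        t0, victim, attacker = parse_ts(ids["ts"]), ids["dst"], ids["src"]
        in_window = [e for e in events if t0 <= parse_ts(e["ts"]) <= t0 + window]
        callback = [e for e in in_window if e["source"] == "firewall" and e["kind"] == "allow"
                    and e["src"] == victim and e["dst"] == attacker]
        logins = [e for e in in_window if e["source"] == "auth" and e["kind"] == "login_ok"
                  and e["host"] == victim]
        incidents.append({
            "host": victim,
            "attacker": attacker,
            "confidence": "high" if callback else "low",
            "users": sorted({e["user"] for e in logins}),
            "evidence": [ids] + callback + logins,
        })
    return incidents


def run_playbook(incident, approve):
    """SOAR stage: the automated response path. Returns the (action, target)
    steps taken. `approve(action)` is the human gate: disabling an account can
    interrupt business, so it runs only when an analyst approves; otherwise the
    playbook records a pending approval request instead."""
    actions = [("notify_analyst", incident["host"])]
    if incident["confidence"] != "high":
        return actions                      # unconfirmed: alert only, no containment
    actions.append(("block_ip", incident["attacker"]))
    actions.append(("isolate_host", incident["host"]))
    for user in incident["users"]:
        step = ("disable_user", user)
        actions.append(step if approve(step) else ("request_approval", step))
    return actions


def respond(events=EVENTS, approve=lambda step: False):
    """Run both stages and return (host, confidence, actions) per incident."""
    return [(inc["host"], inc["confidence"], run_playbook(inc, approve))
            for inc in correlate(events)]


if __name__ == "__main__":
    for host, confidence, actions in respond():
        print(host, confidence, actions)
```

With the sample events, the first incident reaches high confidence because 10.0.5.12 connected back to 198.51.100.77 on port 4444 twenty seconds after the exploit alert, so the attacker address is blocked and the host isolated automatically while disabling svc-backup waits for approval. The second host's callback was denied by the firewall, so that incident stays low confidence and only notifies an analyst; containment on an unconfirmed alert would be the kind of automated action that takes production systems offline for nothing.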
Some popular SIEM tools on the market include:
In summary, SIEM stands for security information and event management. SIEM tools can be used to detect, and help teams respond to, a variety of threats, including code injection, ransomware attacks, and DDoS attacks. They're especially useful for detecting anomalies, such as unauthorized access, suspicious login attempts, and unusual data flows. If you need a security platform that can aggregate logs from multiple sources into one centralized location for security analysis, a SIEM solution can help.