What is SIEM? Security information and event management (SIEM)
What is SIEM
Security Information and Event Management (SIEM) is a set of tools and services offering a holistic view of an organization’s information security.
SIEM tools provide:
- Real-time visibility across an organization’s information security systems.
- Event log management that consolidates data from numerous sources.
- Correlation of events gathered from different logs or security sources, using if-then rules that add intelligence to raw data.
- Automatic security event notifications. Most SIEM systems provide dashboards for security issues and other methods of direct notification.
SIEM works by combining two technologies: a) Security information management (SIM), which collects data from log files for analysis and reports on security threats and events, and b) security event management (SEM), which conducts real-time system monitoring, notifies network admins about important issues and establishes correlations between security events.
The security information and event management process can be broken down as follows:
- Data collection – All sources of network security information, e.g., servers, operating systems, firewalls, antivirus software and intrusion prevention systems, are configured to feed event data into a SIEM tool. Most modern SIEM tools use agents to collect event logs from enterprise systems, which are then processed, filtered and sent to the SIEM. Some SIEMs allow agentless data collection. For example, Splunk offers agentless data collection in Windows using WMI.
- Policies – A profile is created by the SIEM administrator, which defines the behavior of enterprise systems, both under normal conditions and during pre-defined security incidents. SIEMs provide default rules, alerts, reports and dashboards that can be tuned and customized to fit specific security needs.
- Data consolidation and correlation – SIEM solutions consolidate, parse and analyze log files. Events are then categorized based on the raw data, and correlation rules are applied that combine individual events into meaningful security issues.
- Notifications – If an event or set of events triggers a SIEM rule, the system notifies security personnel.
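The four steps above as a small working pipeline, added here as an illustration and not code from any SIEM product: the log lines, the two source formats and the brute-force rule are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two sources: an SSH daemon and a firewall.
RAW_EVENTS = [
    "2024-03-01T10:00:01 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T10:00:03 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T10:00:05 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T10:00:09 sshd: Accepted password for admin from 203.0.113.5",
    "2024-03-01T10:02:00 fw: DENY 203.0.113.5 -> 10.0.0.8:445",
]

# Consolidation: one parser per source maps its raw format onto a common schema.
PARSERS = [
    (re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$"),
     lambda m: {"ts": m[1], "src": "sshd", "action": m[2].lower(),
                "user": m[3], "ip": m[4]}),
    (re.compile(r"^(\S+) fw: (DENY|ALLOW) (\S+) -> (\S+)$"),
     lambda m: {"ts": m[1], "src": "fw", "action": m[2].lower(),
                "ip": m[3], "dst": m[4]}),
]

def normalize(line):
    # Returns a normalized event dict, or None if no parser matches the line.
    for pattern, build in PARSERS:
        m = pattern.match(line)
        if m:
            ev = build(m)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            return ev
    return None

def correlate(events, threshold=3, window=timedelta(minutes=1)):
    """If-then rule: >= threshold failed logins from one IP followed by a success
    from that IP inside the window -> one alert for the notification step."""
    failures, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] != "sshd":
            continue  # this rule only consumes authentication events
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        failures[ev["ip"]] = recent
        if ev["action"] == "failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "ip": ev["ip"],
                           "user": ev["user"], "failures": len(recent)})
    return alerts

def run_pipeline(lines):
    return correlate([e for e in map(normalize, lines) if e])
```

Run against the constructed lines, the rule raises one alert for the admin login from 203.0.113.5; the firewall event is parsed but ignored by this rule.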
Security information and event management tools
There are a number of security information and event management solutions on the market. ArcSight ESM, Azure Sentinel, IBM QRadar and Splunk are among the most popular.
ArcSight
ArcSight collects and analyzes log data from an enterprise’s security technologies, operating systems and applications. Once a malicious threat is detected, the system alerts security personnel.
ArcSight can also start an automatic reaction to stop the malicious activity. Another feature is the ability to integrate third-party threat intelligence feeds for more accurate threat detection.
Azure Sentinel
See and stop threats before they cause harm, with SIEM reinvented for a modern world. Azure Sentinel is your bird’s-eye view across the enterprise. Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with artificial intelligence (AI). Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs – while reducing IT costs.
IBM QRadar
IBM QRadar collects log data from sources in an enterprise’s information system, including network devices, operating systems, applications and user activities.
The QRadar SIEM analyzes log data in real-time, enabling users to quickly identify and stop attacks. QRadar can also collect log events and network flow data from cloud-based applications. This SIEM also supports threat intelligence feeds.
Splunk
Splunk Enterprise Security provides real-time threat monitoring, rapid investigations using visual correlations and investigative analysis to trace the dynamic activities associated with advanced security threats.
The Splunk SIEM is available as locally installed software or as a cloud service. It supports threat intelligence feed integration from third-party apps.
SIEM and PCI DSS compliance
SIEM tools can help an organization become PCI DSS compliant. This security standard reassures a company’s customers that their credit card and payment data will remain safe from theft or misuse.
A SIEM can meet the following PCI DSS requirements:
- Unauthorized network connection detection – PCI DSS compliant organizations need a system that detects all unauthorized network connections to/from an organization’s IT assets. A SIEM solution can be used as such a system.
- Searching for insecure protocols – A SIEM is able to document and justify the use of an organization’s permitted services, protocols and ports, as well as document the security features implemented for insecure protocols.
- Inspecting traffic flows across the DMZ – PCI compliant organizations need to implement a DMZ that manages connections between untrusted networks (e.g., the internet) and a web server. Additionally, inbound internet traffic to IPs within the DMZ needs to be limited, while outgoing traffic dealing with cardholder details must be evaluated.
SIEM solutions can meet these requirements by inspecting traffic that flows across the DMZ to and from internal systems, and by reporting on security issues.
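The three checks above expressed as rules over flow records, added as an example rather than any product's logic: the zones, the permitted-services list and the flow records are constructed for the illustration.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port proto")

# Constructed zones: a DMZ in front of a web server, a cardholder data environment (CDE),
# and the rest of 10.0.0.0/8 as ordinary internal; anything else counts as internet.
DMZ = ipaddress.ip_network("192.0.2.0/24")
CDE = ipaddress.ip_network("10.10.0.0/16")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Permitted services keyed by (destination, port), each with its documented justification.
PERMITTED = {
    ("192.0.2.10", 443): "public HTTPS on the DMZ web server",
    ("10.10.1.5", 5432): "DMZ web server to payment database",
}
# Cleartext protocols whose use must be documented and compensated for.
INSECURE = {21: "ftp", 23: "telnet", 80: "http"}

def zone(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in (("dmz", DMZ), ("cde", CDE), ("internal", INTERNAL)):
        if addr in net:
            return name
    return "internet"

def check_flow(f):
    findings = []
    if (f.dst, f.port) not in PERMITTED:
        findings.append("unauthorized connection")
    if f.port in INSECURE:
        findings.append("insecure protocol " + INSECURE[f.port])
    src_zone, dst_zone = zone(f.src), zone(f.dst)
    if src_zone == "internet" and dst_zone != "dmz":
        findings.append("inbound internet traffic bypassing the DMZ")
    if src_zone == "cde" and dst_zone == "internet":
        findings.append("outbound traffic from the cardholder environment")
    return findings

def audit(flows):
    # Report only the flows with findings, as a SIEM compliance report would.
    return {f: r for f in flows if (r := check_flow(f))}

# Constructed flow records, e.g. as parsed from firewall logs.
FLOWS = [
    Flow("203.0.113.5", "192.0.2.10", 443, "tcp"),   # normal web visitor
    Flow("192.0.2.10", "10.10.1.5", 5432, "tcp"),    # web tier to database
    Flow("203.0.113.5", "10.10.1.5", 5432, "tcp"),   # internet straight to the CDE
    Flow("10.0.3.7", "10.10.1.5", 23, "tcp"),        # telnet into the CDE
    Flow("10.10.1.5", "203.0.113.9", 443, "tcp"),    # CDE host calling out
]
```

`audit(FLOWS)` flags the last three flows and leaves the first two (both on the permitted list and flowing through the DMZ) unreported.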
Network Warehouse & Sentinel
Network Warehouse has joined forces with Maple Networks of London to deliver next-generation managed SIEM services with Microsoft (Azure Sentinel) and Splunk. Our turnkey platform allows users to decouple their licensing assets from our managed service overlay. This essentially means customers maintain ownership and we supply the managed service.
The partnership's aim is not to completely remove these services from customer IT departments but to work alongside your team as a specialist unit to ensure security compliance is upheld.
Our SIEM integration is tailor-made to meet your application’s security needs, allowing us and you to cut through the noise and prioritize high-risk threats. At the same time, actionable insights are provided.
Specific features in our integration packages include customizable rules for security event correlation, options for site-specific threat analysis, a predefined optimized dashboard and more.