What is SIEM?
Security information and event management (SIEM) software helps IT security professionals protect their enterprise network from cyberattacks. A SIEM solution gathers log data from all infrastructure components in an organization—routers, switches, firewalls, servers, personal computers and devices, applications, cloud environments, and more. It then analyzes the data and provides insights to security administrators for effective mitigation of security attacks.
How does SIEM work?
SIEM solutions collect logs, the time-stamped records of events generated by every device and application in the network, using both agentless and agent-based mechanisms. Once the logs are aggregated within the SIEM software, they are normalized using various analytical techniques, including log correlation and machine learning algorithms. Analyzing and correlating the logs helps SIEM solutions detect and prevent threats in an organization.
Why do you need a SIEM solution?
- Monitors all network activities to help troubleshoot issues with IT operations, and ensures network security.
- Prevents data breaches by identifying threat indicators at an early stage.
- Discovers irregular user behavior patterns to catch sophisticated attacks so you can quickly launch a defense.
- Issues real-time alerts for every security incident detected.
- Helps enterprises comply with IT regulations.
- Prioritizes and resolves security incidents and threats.
- Conducts forensic analysis, and speeds up post-incident recovery.
Breaking down SIEM
SIEM includes two functions:
- Security information management (SIM): SIM involves the collection of all network activities. This can range from log data collected from servers, firewalls, domain controllers, routers, databases, and netflows, to unstructured data present in network, such as in emails.
Log data can be collected using two techniques—agentless and agent-based collection.
- Agent-based log collection: This method requires the deployment of an agent on every device. The agent collects logs, then parses and filters them before returning the logs to the SIEM server. This technique is mainly used in a closed and secured network, such as a demilitarized zone (DMZ) where communication is restricted.
- Agentless log collection: This is the more frequently used method in which logs generated by devices are automatically collected by the SIEM server using a secure communication channel such as a specific port using secured protocols.
- Security event management (SEM): SEM refers to analysis of the collected data. The data is analyzed using various techniques, alerts are sent, and/or a workflow is initiated for any abnormal behavior.
The analysis process includes:
- Log correlation: All the collected data is analyzed and the logs are correlated with each other to detect any attack patterns. The log data may also be correlated with threat feeds to detect indicators of compromise (IoCs).
- Threat intelligence: Contextual threat information is used to detect any intrusion, lateral movement, or data exfiltrations happening in the network.
- Machine learning based user behavior analytics: Machine learning algorithms and analytical tools can form a baseline of user behavior patterns. If there is a deviation in behavior, the SIEM solution will detect the anomaly, raise an alert, and prevent any threats to the network.
The interpreted data obtained from the above techniques is presented in the form of bar graphs or pie charts, which makes decision-making quicker and easier for security administrators.
Let's consider this classic SIEM scenario:
- A password for gaining access into a network has been entered incorrectly five times in a minute. This is considered a low priority attack, as the user could have mistakenly entered the wrong password several times.
- Now consider the case where the wrong password is entered 240 times in a minute. This could be a brute-force attack where an external party is trying to gain access to the network.
Here's how an alert is raised
Enters the wrong password 240 times in a minute. (Logon failure, event ID 4625)
Enters the right password after 240 attempts. (Logon success, event ID 4624)
ALERT: Possible brute-force attack in the network.
SIEM software can detect such brute-force attacks, notify IT security admins, and automatically initiate a workflow to lock the account and isolate the machine the event occurred on.