SIEM. Security Information and Event Management. It is an essential part of any cybersecurity strategy, and yet it is often not well understood, even by those researching the topic. As an example, I have heard it pronounced 'Siam', 'seam', 'sem', and 'sime'. Internally, like most folks, we call it 'sim'. If we can't even agree on how to pronounce it, how can we agree on how to define it? Thankfully, that has been taken care of. The term goes back to 2005, when Gartner analysts Mark Nicolett and Amrit Williams coined it in a research report.
Prior to that work, the functionality lived in two distinct product categories: Security Information Management (SIM) and Security Event Management (SEM). SIM plus SEM equals SIEM. SIM offered long-term storage, analysis, and reporting of log data; SEM offered real-time monitoring, correlation, and notification on that same log data. Combining the two produced dashboards that gave users real-time alerts on what was happening across their network, including user activity, software, and hardware.
What Are the Benefits of SIEM?
Where SIEM really becomes powerful is as part of an overall security strategy. It gives the user, and in particular a well-run Security Operations Center (SOC; more on these in a later post), access to volumes of data that can be used in a variety of ways. First and foremost, log data from many sources can be aggregated, parsed, and organized into a common format. Once logs are organized, most SIEMs ship with built-in alert rules that let a user or a SOC know when something anomalous happens, anything from someone logging in from an unusual location up to an active attack. That same organized data can be laid out in dashboards that make it easy to see what just happened and to investigate an alert.
Over time a SOC or user can add correlation rules to that data to reduce noise: the SIEM performs the repetitive, potentially complex checks (for example, linking a burst of failed logins to a later successful one from the same source) in quick operations, so that fewer alerts fire and only real problems come to the forefront. A proficient user can then begin adding scripts, runbooks, and the like to make the SIEM work for them, tweaked and tuned for their environment. This also allows other security tools, like SOAR and endpoint protection, to be driven from the SIEM as part of an overall security strategy.
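As an added illustration of the aggregation, built-in and correlation alerting, and alert reduction described above (example code written for this page, not taken from any SIEM product), the Python below parses a handful of constructed VPN and mail login events into a common record format, runs two hypothetical rules over them, and suppresses duplicate alerts. The log line format, the rule names and thresholds, and the per-user country baseline are all assumptions made for the example; a real SIEM would learn that baseline from history and apply far more rules.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple key=value format (not real data,
# not any vendor's format). Reserved documentation IP ranges are used.
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z host=vpn1 event=login_failed user=alice src=203.0.113.7 country=US
2024-03-01T08:00:05Z host=vpn1 event=login_failed user=alice src=203.0.113.7 country=US
2024-03-01T08:00:09Z host=vpn1 event=login_failed user=alice src=203.0.113.7 country=US
2024-03-01T08:00:12Z host=vpn1 event=login_failed user=alice src=203.0.113.7 country=US
2024-03-01T08:00:15Z host=vpn1 event=login_failed user=alice src=203.0.113.7 country=US
2024-03-01T08:00:20Z host=vpn1 event=login_ok user=alice src=203.0.113.7 country=US
2024-03-01T09:10:00Z host=vpn1 event=login_ok user=bob src=198.51.100.4 country=US
2024-03-01T09:30:00Z host=vpn1 event=login_ok user=bob src=192.0.2.9 country=RO
2024-03-01T09:31:00Z host=vpn1 event=login_ok user=bob src=192.0.2.9 country=RO
2024-03-01T10:00:00Z host=mail1 event=login_failed user=carol src=198.51.100.20 country=US
"""

# Hypothetical "known countries" baseline per user; a SIEM/UEBA would learn this.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse(raw):
    """Aggregate/organise step: turn raw lines into uniform event dicts."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: a real SIEM would count these, too
        ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
        ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def rule_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Correlation rule: at least `threshold` failures for one (user, src)
    inside `window`, followed by a success from that same (user, src)."""
    alerts = []
    fails = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        recent = [t for t in fails[key] if ev["ts"] - t <= window]
        if ev["event"] == "login_failed":
            recent.append(ev["ts"])
        elif ev["event"] == "login_ok" and len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success",
                           "user": ev["user"], "src": ev["src"], "ts": ev["ts"]})
            recent = []  # reset so the same burst is not re-alerted
        fails[key] = recent
    return alerts


def rule_new_country(events, baseline):
    """Behavioural rule: successful login from a country the user has not
    been seen in before (a very small taste of what UEBA does at scale)."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "login_ok" and ev["country"] not in baseline.get(ev["user"], set()):
            alerts.append({"rule": "login_from_new_country",
                           "user": ev["user"], "src": ev["src"], "ts": ev["ts"]})
    return alerts


def dedupe(alerts, window=timedelta(hours=1)):
    """Alert reduction: one alert per (rule, user, src) per `window`, so a
    burst of identical events does not page the SOC dozens of times."""
    last_seen, out = {}, []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["rule"], a["user"], a["src"])
        if key not in last_seen or a["ts"] - last_seen[key] > window:
            out.append(a)
            last_seen[key] = a["ts"]
    return out


def run(raw=SAMPLE_LOGS, baseline=BASELINE):
    """Full pipeline: parse -> run rules -> suppress duplicates."""
    events = parse(raw)
    return dedupe(rule_brute_force(events) + rule_new_country(events, baseline))


if __name__ == "__main__":
    for alert in run():
        print(f"{alert['ts'].isoformat()} {alert['rule']} user={alert['user']} src={alert['src']}")
```

On the sample data the two rules produce three raw alerts (alice's brute force, and two for bob's logins from a new country one minute apart); deduplication collapses bob's pair into one, so the SOC sees two alerts for ten events. Carol's single failure correctly produces nothing.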
Many providers, including BitLyft, offer Security as a Service (SECaaS) that uses SIEM as the foundation of a total package, letting our SOC and proprietary SOAR software make security efficient, proactive, and, most importantly, prepared to address threats that haven't been seen yet. SIEM can also feed authentication monitoring and more complex operations like User and Entity Behavior Analytics (UBA or UEBA). This is key for organizations that have a wide variety of users and multiple attack surfaces.
Another benefit of SIEM is compliance reporting. Many organizations, such as those in defense contracting, higher education, financial services, or national infrastructure, must meet cybersecurity standards and regularly face audits against them. SIEM lets them schedule and run regular reports that produce in seconds the evidence needed to show compliance, handing security teams significant cost savings back in the form of time. Examples include CMMC, NIST, Title IV, NERC CIP, and a host of others. Many top SIEMs, like LogRhythm and Securonix, include these reports as standard parts of what they offer. Keep in mind that a report is only as good as the log sources feeding it: a gap in collection becomes a gap in the audit evidence.
What SIEM Tools Should I Trust?
While we are mentioning specific SIEMs, it is important to note that most years Gartner releases a report on the top SIEMs and publishes a 'Magic Quadrant'. Common players in that report are IBM QRadar, Dell, Splunk, and Rapid7. We at BitLyft are partners with two of the leaders, Securonix and Graylog. We have chosen them, and been chosen by them, for their leadership and technical advantages. Most importantly, they are set up well for clients to glean what they need from the SIEM.
LogRhythm has been around for some time and is a leader in several areas. First and foremost, it offers an unlimited pricing model in tiers, so organizations get spending predictability that will make their boards happy. LogRhythm is also a leader in reporting, is always evolving to meet the needs of its users, and publishes a Security Operations Maturity Model (SOMM) that takes a more holistic approach and puts service on a pedestal.
Securonix is newer to the list and actually built its reputation as a UEBA provider. The software is almost futuristic in its ability to operate and does innovative, forward-thinking things that most SIEMs aren't doing today. Essentially, they built a comprehensive platform incorporating everything they had seen in the market. In addition, Securonix has a straightforward pricing model that is often more economical.
None of this should be read to suggest that SIEM is without flaws or that no work is required. The biggest complaint in the market is that SIEMs produce too many alarms, which fatigues analysts. Additionally, people say they are too complex and become expensive shelfware.
While no SIEM is perfect, it is important to pick one for the long term that is easy for a team to use, highly functional, and will not break the bank. In addition, there are a lot of service providers that can make a SIEM better than it would be stand-alone. Finally, having a total platform means that SIEM is a foundation, and other tools will be needed on top of it.