SIEM
Security information and event management, SIEM for short, is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations.
SIEM, pronounced “sim,” combines both security information management (SIM) and security event management (SEM) into one security management system. SIEM technology collects event log data from a range of sources, identifies activity that deviates from the norm with real-time analysis, and takes appropriate action.
In short, SIEM gives organizations visibility into activity within their network so they can respond swiftly to potential cyberattacks and meet compliance requirements.
In the past decade, SIEM technology has evolved to make threat detection and incident response smarter and faster with artificial intelligence.
How do SIEM tools work?
SIEM tools collect, aggregate, and analyze volumes of data from an organization’s applications, devices, servers, and users in real-time so security teams can detect and block attacks. SIEM tools use predetermined rules to help security teams define threats and generate alerts.
SIEM capabilities and use cases
SIEM systems vary in their capabilities but generally offer these core functions:
- Log management: SIEM systems gather vast amounts of data in one place, organize it, and then determine if it shows signs of a threat, attack, or breach.
- Event correlation: The data is then sorted to identify relationships and patterns to quickly detect and respond to potential threats.
- Incident monitoring and response: SIEM technology monitors security incidents across an organization’s network and provides alerts and audits of all activity related to an incident.
SIEM systems can mitigate cyber risk with a range of use cases such as detecting suspicious user activity, monitoring user behavior, limiting access attempts and generating compliance reports.
SIEM features and capabilities
Important features to consider when evaluating SIEM products include the following:
- Data aggregation. Data is collected and monitored from applications, networks, servers and databases.
- Correlation. Typically a part of SEM in a SIEM tool, correlation refers to the tool finding similar attributes between different events.
- Dashboards. Data is collected and aggregated from applications, databases, networks and servers and is displayed in charts to help find patterns and to avoid missing critical events.
- Alerting. If a security incident is detected, SIEM tools can notify users.
- Automation. Some SIEM software might also include automated functions, such as automated security incident analysis and automated incident responses.
Users should also ask the following questions about SIEM product capabilities:
- Integration with other controls. Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?
- Artificial intelligence (AI). Can the system improve its own accuracy through machine learning and deep learning?
- Threat intelligence feeds. Can the system support threat intelligence feeds of the organization's choosing, or is it mandated to use a particular feed?
- Extensive compliance reporting. Does the system include built-in reports for common compliance needs and provide the organization with the ability to customize or create new compliance reports?
- Forensic capabilities. Can the system capture additional information about security events by recording the headers and contents of packets of interest?
Benefit of using a SIEM
SIEM tools offer many benefits that can help strengthen an organization’s overall security posture, including:
- A central view of potential threats
- Real-time threat identification and response
- Advanced threat intelligence
- Regulatory compliance auditing and reporting
- Greater transparency monitoring users, applications, and devices
How to implement a SIEM solution
Organizations of all sizes use SIEM solutions to mitigate cybersecurity risks and meet regulatory compliance standards. The best practices for implementing a SIEM system include:
- Define the requirements for SIEM deployment
- Do a test run
- Gather sufficient data
- Have an incident response plan
- Keep improving your SIEM
The role of SIEM for businesses
SIEM is an important part of an organization’s cybersecurity ecosystem. SIEM gives security teams a central place to collect, aggregate, and analyze volumes of data across an enterprise, effectively streamlining security workflows. It also delivers operational capabilities such as compliance reporting, incident management, and dashboards that prioritize threat activity.
SIEM tools and software
- Splunk. Splunk is an on-premises SIEM system that supports security monitoring and offers continuous security monitoring, advanced threat detection, incident investigation and incident response.
- IBM QRadar. The IBM QRadar SIEM platform provides security monitoring for IT infrastructures. It features log data collection, threat detection and event correlation.
- LogRhythm. LogRhythm is a SIEM system for smaller organizations. It unifies Log Management, network monitoring and endpoint monitoring, as well as forensics and security analytics.
- Exabeam. Exabeam Inc.'s SIEM portfolio offers a data lake, advanced analytics and a threat hunter.
- NetWitness. The RSA NetWitness platform is a threat detection and response tool that includes data acquisition, forwarding, storage and analysis.
- Datadog Cloud SIEM. Datadog Cloud SIEM from Datadog Security is a cloud-native network and management system. The tool features both real-time security monitoring and log management.
- Log360. The Log360 SIEM tool offers threat intelligence, incident management and SOAR features. Log collection, analysis, correlation, alerting and archiving features are available in real time.
- SolarWinds Security Event Manager. The SolarWinds Security Event Manager SIEM tool automatically detects threats, monitors security policies and protects networks. The tool offers features such as integrity monitoring, compliance reporting and centralized log collection.
What Is SIEM? | Microsoft Security