What is a SIEM?
Why Use a SIEM for Security?
SIEM Tools & SIEM Configuration
What is a Cloud SIEM? Or a Modern SIEM?
Benefits of a Cloud SIEM vs. On-Premises SIEM
What Should You Log in a SIEM?
SIEM for Threat Detection
Common SIEM Alerts (or SIEM Rules)
SIEM Log Management
SIEM Demo & SIEM Implementation
SIEM vs. SOAR
The SIEM acronym (SIEM, not SEIM – often pronounced “sim”) stands for security information and event management, a type of cybersecurity solution that collects and converges data from different parts of your IT environment for the purpose of security monitoring.
SIEM solutions have been around for decades, with varying degrees of functionality based on which product or vendor you choose. SIEMs are centralized log management tools that integrate with your different applications, systems, servers, etc. to take in data from each service.
SIEMs are used for real-time security event analysis to help with investigation, early threat detection and incident response. They also support compliance use cases, as many data regulatory frameworks require organizations to keep audit logs for up to one year. Not every SIEM is built the same, however. Many SIEMs may not do threat analysis, detection or response without fine-tuning and ongoing detection rule management.
While all operating systems have log repositories, those logs are stored on the host where they originated. In the event you are compromised, this can leave logs exposed, since you can no longer trust the host.
The solution to this problem is to collect and aggregate logs in a central location, separate from the host that created them. As a result, in the event of a compromise, hardware failure or internal threat, your logs are still intact and in a tamper-free state.
If kept tuned and properly maintained, a SIEM also provides valuable threat detection capabilities, which we discuss more in SIEM for Threat Detection, below.
- Advanced Visibility – Aggregating all of your logs across your on-premises and cloud-based applications, servers, databases, and more to gain deeper insights into your users, endpoints, traffic, activity, etc. enables you to maintain oversight into your network and beyond the perimeter as your company scales.
- Data Normalization – All of the different technology across your environment generates a ton of data in many different formats. While not every SIEM solution will collect, parse and normalize your data automatically, many do offer ongoing parsing to support multiple data types. This enables you to easily correlate data for threat analysis and investigation.
- Log Correlation – In addition to collecting logs, a SIEM can correlate them for analysis. This enables the creation of security alerts, trends and reports. Logs that span multiple hosts provide much richer context to help you derive security events. An organization can correlate events like suspicious DNS activity; unusual port activity on routers and firewalls; endpoint or antivirus threats; etc. to detect a potential attack.
- Threat Detection – Correlation and analysis lead to threat detection and alerting. Once a SIEM is properly configured and tuned to fit your environment, you can surface indicators of a compromise or threats that can lead to a breach. Some SIEMs come preconfigured with a default set of alert rules – it’s important to find the right balance of false positives and false negatives to reduce the noise of alerts that impact your team so they know when to take action for remediation.
- Help Meet Compliance – Many compliance regulations spanning different industries, such as HIPAA, CMMC, NIST, FFIEC, PCI DSS, etc. require organizations to collect and keep a history of audit logs for a certain period of time, detect and respond to threats, as well as produce regular security reports for auditors.
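To make the Data Normalization and Log Correlation points above concrete, here is an added example (not from the original page or any vendor's product) that parses two differently formatted logs into one schema and correlates them per host. The log formats, the NXDOMAIN and expected-port signals, and the five-minute window are all assumptions chosen for illustration.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample logs in two different source formats (illustrative only).
FIREWALL_LINES = [
    "2020-11-03T10:15:02Z fw01 ALLOW src=10.0.4.23 dst=203.0.113.50 dport=4444",
    "2020-11-03T11:40:10Z fw01 ALLOW src=10.0.4.31 dst=198.51.100.7 dport=443",
    "truncated line that the parser must skip",
]
DNS_LINES = [
    '{"ts": "2020-11-03T10:14:58Z", "client": "10.0.4.23", "query": "a9f3k2.example.net", "rcode": "NXDOMAIN"}',
    '{"ts": "2020-11-03T11:40:00Z", "client": "10.0.4.31", "query": "q7x1z8.example.net", "rcode": "NXDOMAIN"}',
    '{"ts": "2020-11-03T11:41:00Z", "client": "10.0.4.31", "query": "www.example.com", "rcode": "NOERROR"}',
]
FW_RE = re.compile(r"(\S+) \S+ (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
EXPECTED_PORTS = {53, 80, 443}  # assumption: egress ports considered normal

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def normalize_firewall(line):
    """Key=value firewall line -> common schema, or None if it does not parse."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, dport = m.groups()
    odd = action == "ALLOW" and int(dport) not in EXPECTED_PORTS
    return {"time": parse_ts(ts), "host": src, "source": "firewall",
            "suspicious": odd, "detail": f"{action} {dst}:{dport}"}

def normalize_dns(line):
    """JSON DNS line -> the same schema; NXDOMAIN is the (assumed) signal."""
    rec = json.loads(line)
    return {"time": parse_ts(rec["ts"]), "host": rec["client"], "source": "dns",
            "suspicious": rec["rcode"] == "NXDOMAIN",
            "detail": f'{rec["query"]} {rec["rcode"]}'}

def correlate(events, window=timedelta(minutes=5)):
    """Hosts with suspicious DNS and firewall events within `window` of each other."""
    flagged = [e for e in events if e and e["suspicious"]]
    fw = [e for e in flagged if e["source"] == "firewall"]
    dns = [e for e in flagged if e["source"] == "dns"]
    return sorted({f["host"] for f in fw for d in dns
                   if f["host"] == d["host"] and abs(f["time"] - d["time"]) <= window})

def run_sample():
    events = [normalize_firewall(l) for l in FIREWALL_LINES]
    return correlate(events + [normalize_dns(l) for l in DNS_LINES])
```

Neither signal alone raises an alert here: the host with only a failed DNS lookup and normal HTTPS egress is not flagged, which is the noise reduction that cross-source correlation buys.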
SIEMs can be set up in different ways – either with software installed on a local server, a hardware appliance, a virtual appliance or a cloud-based service. While many SIEMs may come preconfigured with a certain amount of alerts, dashboards and reports, they still need to be customized. A SIEM has to be trained on exactly what to look for in any new environment.
This makes it a very customized piece of security architecture that requires a significant amount of time to keep up with network changes, new software, new threats or new attacker behavior to ensure the SIEM is updated and tuned accordingly.
A SIEM that can be integrated broadly across different platforms, vendor products and both on-premises and cloud applications, services and infrastructure will allow you to get the widest coverage of security monitoring. That means no gaps in visibility, more data to correlate and analyze for threat detection, and faster time to detection and response.
A cloud-delivered or cloud-based SIEM allows IT teams to monitor and manage threats across hybrid environments – both on-premises infrastructure and in the cloud. Cloud SIEMs are sometimes referred to as modern SIEMs to differentiate them from traditional SIEMs that have commonly been delivered on-premises.
Modern SIEMs also automate threat detection and can provide resources to help customers with threat response, including security playbooks that walk IT teams through remediation (no security expertise required). A modern SIEM may compare a baseline standard of normal operating behavior to anomalous activity in order to quickly identify and alert you to possible internal or external attacks.
With a cloud SIEM, you can realize many benefits:
- Faster time to security – Like other cloud-based applications, a cloud SIEM can be deployed in a matter of hours, rather than the weeks or months needed for traditional SIEM platforms that require on-site implementation, which often demands a lot of resources, people and time. Cloud SIEMs can be spun up, connected to your services, and start collecting and analyzing data right away for immediate detection coverage.
- Lower total cost of ownership – Some SIEMs require more upfront capital investment to implement, plus employee training and additional licensing fees based on pricing models. Some price by the amount of data ingested, and others charge by the number of users.
- Improved time to detection – If your cloud SIEM comes with pre-written detection rules that can be deployed with the platform initially, you can improve your time to identify common attacks by eliminating the resources required to develop your own security detections. Faster time to detection and containment means less overall impact from a security event on your organization.
- Consolidate security capabilities – A cloud SIEM can combine log collection, analysis, parsing, detection and response into one platform, with a few centralized dashboards – eliminating the need for your small teams to switch between siloed and disparate solutions to monitor each tool in your IT environment.
- Integrity of data stays intact – A cloud SIEM allows you to keep your forensic trail of raw logs to ensure data hasn’t been tampered with by attackers trying to delete or alter evidence of their activity within your environment. An on-premises SIEM could allow an attacker to remove their audit trail associated with their attack, if they had a password and could gain access to the system.
The scope of what to log can vary depending on your perspective – these are the two most common:
Log Everything
This approach stems from the point of view that what is required is not known until it is needed, so everything is stored and then searched and filtered later. While this provides access to all the data that may be required, it also makes storage, indexing and, in some cases, transmitting the data more of a challenge. If a commercial solution is used, licensing may also depend on volume (greater volume equals greater costs).
Only What You Need
This approach consumes far fewer technology resources, but there is a risk that something will be missed. When beginning with a new log collection and correlation system, it is best to start slowly with what is needed and then build upon it.
In reality, the answer to what to log is probably driven mostly by costs. If this is the case, it is best to prioritize consuming logs more aggressively from high-value, high-risk systems, and those facing external networks.
It is recommended to begin with systems that are already delivering security logs, such as IPS/IDS (intrusion prevention and detection systems) and endpoint protection. After processes and procedures have been defined and followed, other logs such as Windows, DNS, honeypot, application and database logs can be added for a deeper look into the infrastructure.
A SIEM can help enhance existing security operations centers (SOCs), or work as an extension of a small security or IT team that is tasked with threat detection and response at their company.
The problem is, many SIEM solutions don’t provide real security detections or value out of the box. They may require dedicated resources and effort to keep up with evolving threats.
If configured or built properly, a SIEM platform can automate threat detection to provide security advantages for an organization, including:
- Malware detection and control, from endpoint to perimeter
- Boundary defenses, including firewalls, routers, VPNs and other network resources
- Access controls, including authentication, authorization and accounting
- Acceptable Use Policy (AUP) monitoring
- Application defenses that extend beyond the perimeter
- Compliance and audit data requirements, including for risk management and reporting
- Network and host defenses like IDS/IPS alerting
- Network and system resource operating integrity
Some of the most common SIEM detections that Blumira alerts on can be found below, from Top 10 Security Detections of 2020:
Public to Private Recon in Individual Connections
This alert indicates an attacker is attempting to enumerate services that are exposed to the internet. As this only matches when traffic is allowed, this means that either the firewall is set up to allow all traffic or the attacker has found services that are allowed through the firewall and may be leveraged further.
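As an added illustration of the detection logic behind this kind of alert (example code written for this page, not Blumira's rule), the sketch below flags a public source whose allowed connections reach several distinct private host and port pairs in a short window. The event tuple layout, the threshold of 4 targets and the 60-second window are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# RFC 1918 ranges count as "private" here; every other address counts as public.
PRIVATE_NETS = [ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    ip = ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

# Constructed firewall events: (timestamp, action, src, dst, dst_port)
SAMPLE_EVENTS = [
    ("2020-11-03T09:00:01", "allow", "203.0.113.9", "10.0.1.5", 22),
    ("2020-11-03T09:00:02", "allow", "203.0.113.9", "10.0.1.5", 80),
    ("2020-11-03T09:00:03", "deny", "203.0.113.9", "10.0.1.5", 445),
    ("2020-11-03T09:00:04", "allow", "203.0.113.9", "10.0.1.6", 443),
    ("2020-11-03T09:00:05", "allow", "203.0.113.9", "10.0.1.7", 3389),
    ("2020-11-03T09:00:06", "allow", "198.51.100.20", "10.0.1.6", 443),
    ("2020-11-03T09:30:00", "allow", "198.51.100.20", "10.0.1.6", 443),
    ("2020-11-03T09:00:07", "allow", "10.0.2.8", "10.0.1.5", 22),
]

def detect_recon(events, threshold=4, window=timedelta(seconds=60)):
    """Flag public sources whose *allowed* connections reach at least
    `threshold` distinct private (host, port) targets within `window`."""
    by_src = defaultdict(list)
    for ts, action, src, dst, port in events:
        # Only allowed public-to-private traffic matches, as the alert describes.
        if action == "allow" and not is_private(src) and is_private(dst):
            by_src[src].append((datetime.fromisoformat(ts), dst, port))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            # Slide the window start forward until it spans at most `window`.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in conns[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = sorted(targets)
                break
    return alerts
```

Denied attempts and repeat visits to a single service do not count toward the threshold, so the alert fires only on breadth of allowed exposure, which is also the list of firewall rules to review.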
Anomalous Honeypot Access
This indicates that you have an endpoint that is actively attempting to gain information about a honeypot and is likely unaware of its nature. When a honeypot detection occurs, unless the host is a known actor, the source should be acted upon immediately.
2FA (Two-Factor) Authentication Outside of U.S.
We often employ customer whitelists to cut down on false positives caused by remote workers. Whether we’ve detected a user unexpectedly out of the country or a malicious user that gained some sort of access to a username, this finding has been very helpful and highly accurate.
Potentially Malicious Executable File
We lean heavily on endpoint security for this one. Our goal here was to bridge the gap between as many next-generation endpoint solutions as possible. We alert on high-confidence alerts from most of these endpoint solutions with this single detection.
SIEM Alerts at Blumira
These are just a few of the most common SIEM alert examples from our dataset of over 12,000 findings in our automated threat detection platform in 2020, growing exponentially each month.
There are many types of alerts that can be easily generated via log analysis and by connecting with your existing tech/security stack – including applications, authentication systems (identity and access management providers), databases, endpoint security solutions, intrusion detection and prevention systems, operating systems, and proxies and firewalls.
Logs contain a record of events generated by activity in an operating system, application or other technology. They provide a historical audit log useful for forensics, investigation and compliance purposes. Log management systems store logs from different endpoints and systems into one system, allowing them to be accessed by IT teams and analysts.
SIEMs also collect and normalize logs from different tools in your IT environment to centralize them in one location. Their intent is to help you monitor and analyze logs for anomalous activity or malicious attacks. Once detected, they can alert you on indicators of a compromise or different stages of an attack so you can respond quickly to contain or remediate.
If you’re using a cloud SIEM, deployment can take a matter of hours. If you’re using a more traditional SIEM, it may take weeks or months to start operationalizing and realizing security value out of it.
- Watch how easy it is to set up a cloud SIEM like Blumira in our demo video.
- Or, review our Getting Started With Blumira guide to understand the steps you need to take in order to implement a cloud SIEM in your environment.
Prior to implementation, you should have an understanding of what should and should not happen on your network, as well as what problems a SIEM is expected to help address.
- Define coverage scope – this may initially align with compliance requirements.
- Establish threat scenarios and use cases – tie use cases to different levels of an overall attack to help detect, alert and counteract each level of the kill chain.
- Define threat priority – Walk through each identified threat to prioritize what makes sense for the specific network it’s placed on.
- Perform a proof of concept (POC) – Ensure that your SIEM’s active rules and alerts are working to help you strengthen internal security.
- Create a Record of Authority (ROA) – This document will define where your logs are stored and how long you keep each log (retention period).
SOAR (security operations, automation and response) solutions help security operations center (SOC) analysts be more efficient by automating the prioritization and processing of security events/incidents. SOAR solutions enable threat management, incident response, and security operations automation. That means they can help teams mitigate vulnerabilities, coordinate a response to a security incident, and orchestrate their workflows, policy execution and reporting.
The focus of SOAR is primarily on threat response: what comes after the identification and alerting of a detected threat. SOAR solutions allow organizations to create playbooks to guide them through remediation steps to reduce stress and errors that can be made during a real response scenario.
While SOAR solutions have evolved as a way to layer on top of SIEM platforms that have traditionally lacked these capabilities, more modern cloud-delivered SIEM solutions have popped up on the market to consolidate and simplify the overall security operations workflow. With these integrated solutions, you can automate detection and response to reduce the amount of manual intervention required for correlation, investigation and remediation.