What is SIEM? 

SIEM stands for Security Information and Event Management, and a SIEM system does exactly what you’d expect based on that name – it is software that manages security events and other important pieces of security information across the network it is installed on. A SIEM system is used to detect security incidents and cyber attacks at the time they occur, which allows an organisation to respond quickly and minimise the damage done by the incident or attack. This is possible because the SIEM system collects and analyses event logs from across the network in real time, giving the security team the ability to see everything that is going on in the network ‘right now’ or at a chosen point in the past.

 

When an event happens on a computer, such as a user signing on or an application running, the computer keeps a record of this in a log file. So many events are produced through the normal operation of computer systems that important log events can be missed in all the ‘noise’. After a security breach has been detected, a common finding is that evidence of the incident was available at the time, but no-one spotted it or realised its significance, and so staff did not act to stop the breach. The Verizon Data Breach Investigation report states that “In 82 percent of cases ... the victim possessed the ability to discover the breach had they been more diligent in monitoring and analyzing event-related information available to them at the time of the incident.”

 

SIEM systems contain rules that the security team can configure to identify important events in the logs and to suppress false-positive alerts, so that staff are not overwhelmed by notifications about events that don’t require further investigation and can instead spend their time on the events that matter. Many modern SIEM systems ship with initial configurations and rulesets ready to use; however, a period of ‘training’ is still needed to fine-tune the system to the network. Each network is unique, so the way your SIEM system is set up should be unique too.

 

Lots of different systems will be running on your network at all times, and these are often managed by different departments. A firewall will be configured by your network engineers, an SQL database will be controlled by database analysts and engineers, and the Windows configurations will be set up by the systems administrators. Because of this separation of roles and responsibilities, the log files recording events in each of these systems will also be kept separate. Keeping all of these logs separate makes sense from an engineering perspective; from a security perspective, however, it presents a problem.

 

Security is a holistic exercise, and the segregation of event logs from different systems can mean that the whole picture of a security event is not seen, and important indicators about a security incident or attack can be missed. When investigating problems in complex systems, context is king – and the ability to know what was going on at the same time in many different systems can mean the difference between staff identifying an incident in time to prevent further damage, and an incident going unnoticed long enough to cause significant security issues. SIEM systems correlate event logs from multiple systems so that you can see what is going on across the network at the same time.  
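The two ideas above, tuning rules so that routine noise is not reported and correlating events from more than one system, can be shown in a few lines. This is an added example, not code from the original post or from any SIEM product: a single correlation rule run over constructed log lines from a firewall and a Windows host. A burst of failed logons from one source address within a short window, followed by a successful logon from the same address, raises one alert; an isolated mistyped password is treated as noise and produces nothing.

```python
"""Added example (not from the original post): a minimal SIEM-style
correlation rule. Rule: `threshold` or more LOGON_FAIL events from one
source IP inside `window`, followed by a LOGON_OK from that IP, raises
one alert that also lists every system that reported the IP."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, reporting system, event type, source IP, user)
SAMPLE_EVENTS = [
    ("2023-01-10T09:00:01", "windows", "LOGON_FAIL", "10.0.0.5", "alice"),     # noise
    ("2023-01-10T09:00:10", "firewall", "ALLOW", "203.0.113.9", "-"),
    ("2023-01-10T09:00:11", "windows", "LOGON_FAIL", "203.0.113.9", "admin"),
    ("2023-01-10T09:00:13", "windows", "LOGON_FAIL", "203.0.113.9", "admin"),
    ("2023-01-10T09:00:15", "windows", "LOGON_FAIL", "203.0.113.9", "admin"),
    ("2023-01-10T09:00:16", "windows", "LOGON_FAIL", "203.0.113.9", "admin"),
    ("2023-01-10T09:00:18", "windows", "LOGON_FAIL", "203.0.113.9", "admin"),
    ("2023-01-10T09:00:20", "windows", "LOGON_OK", "203.0.113.9", "admin"),
    ("2023-01-10T09:30:00", "windows", "LOGON_OK", "10.0.0.5", "alice"),      # noise
]

def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """Return a list of alert dicts; events not matching the rule are dropped."""
    failures = defaultdict(deque)     # ip -> timestamps of recent failures
    sources = defaultdict(set)        # ip -> systems that have reported it
    alerts = []
    for ts, system, etype, ip, user in sorted(events):   # ISO timestamps sort as text
        t = datetime.fromisoformat(ts)
        sources[ip].add(system)
        q = failures[ip]
        while q and t - q[0] > window:    # forget failures outside the window
            q.popleft()
        if etype == "LOGON_FAIL":
            q.append(t)
        elif etype == "LOGON_OK" and len(q) >= threshold:
            alerts.append({"ip": ip, "user": user, "failures": len(q),
                           "first_fail": q[0].isoformat(), "success": ts,
                           "sources": sorted(sources[ip])})
            q.clear()                     # one alert per burst, not one per event
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The `window` and `threshold` parameters are the knobs the ‘training’ period tunes: too low and every forgotten password pages the on-call analyst, too high and a slow attempt slips through.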

 

Event logs on computers and devices have a finite amount of storage space available, but because events are constantly occurring, the logs are continually produced. This results in the device automatically overwriting the oldest log files as needed. SIEM systems store copies of event logs from each device and system in a separate secure location – often on a security appliance within the data centre. By copying the logs to a central repository, the logs can be preserved and made available for forensic analysis at any time after an attack has occurred. Using a central location to store the logs also allows the SIEM system to secure them and protect them from alteration. An attacker might try to alter event logs to hide the evidence of their attack, but the secure copies of the logs allow staff to establish the truth of what happened.
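One way a central repository can make alteration of stored copies detectable is to chain each stored entry to the hash of the one before it. The following is an added example, not code from the original post or from any SIEM appliance: a small store that keeps such a hash chain over constructed log records and reports the position of the first entry that no longer matches.

```python
"""Added example (not from the original post): a tamper-evident central log
store. Each stored entry's hash covers the previous entry's hash, so editing
any earlier record breaks the chain from that point on. This illustrates the
principle only; real appliances also anchor the chain externally (e.g. by
signing or shipping the latest hash off-box) so the whole chain cannot be
quietly rewritten by someone with access to the store."""
import hashlib
import json

GENESIS = "0" * 64   # chain anchor for the first entry

class ChainedLogStore:
    def __init__(self):
        self.entries = []   # list of (record dict, chain hash)

    @staticmethod
    def _link(prev_hash, record):
        payload = json.dumps(record, sort_keys=True).encode()
        return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

    def append(self, record):
        """Store a copy of an event record and return its chain hash."""
        prev = self.entries[-1][1] if self.entries else GENESIS
        h = self._link(prev, record)
        self.entries.append((record, h))
        return h

    def verify(self):
        """Return the index of the first entry whose hash no longer matches,
        or None if every stored copy is intact."""
        prev = GENESIS
        for i, (record, h) in enumerate(self.entries):
            if self._link(prev, record) != h:
                return i
            prev = h
        return None

def demo():
    """Constructed records; returns (verify result before, verify result after)
    an after-the-fact edit of the second stored record."""
    store = ChainedLogStore()
    for rec in [{"ts": "2023-01-10T09:00:11", "host": "dc01", "event": "LOGON_FAIL", "user": "admin"},
                {"ts": "2023-01-10T09:00:20", "host": "dc01", "event": "LOGON_OK", "user": "admin"},
                {"ts": "2023-01-10T09:01:02", "host": "fw01", "event": "ALLOW", "src": "203.0.113.9"}]:
        store.append(rec)
    before = store.verify()
    store.entries[1][0]["event"] = "LOGON_FAIL"   # simulate an edit of a stored copy
    after = store.verify()
    return before, after

if __name__ == "__main__":
    print(demo())   # (None, 1)
```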

 

SIEM provides a means for both security operations and support staff to take a holistic view of current and historic activity across the network – to spot intrusions, attacks, and system problems, as well as to conduct post-mortem and forensic investigations after an attack. The most important element, though, is not the SIEM system’s ability to spot a problem and raise an alert, but for a well-trained staff member to see the SIEM alert and respond to it in a timely and appropriate manner.

 

Cool Waters Managed Cyber Team provides industry-leading SentinelOne endpoint protection for PCs and servers, combined with a SIEM service that can be installed across your network and that our Security Operations Centre (SOC) team actively monitors 24 hours a day, 7 days a week. The SOC is a dedicated team of experts who proactively manage your cyber security on a day-to-day basis. This includes training and monitoring the SIEM to spot attacks and attempted breaches as they occur, and then responding in real time to contain the intruders or malware.

 

Our SIEM service, backed up by our SOC, is a cost-effective way to meet the needs of PCI-DSS for daily log monitoring and investigations – including log retention for 12 months. 

 

Book a free discovery call to find out how quickly and easily we can get started. 
