Security Information and Event Management (SIEM) explained
The security ecosystem of an organization can be a complex mix of hardware, software, sensors, vendors, and standards that somehow security teams are supposed to make sense of. Because of the critical nature of maintaining and monitoring the security of the environment, organizations turn to Security Information and Event Management (SIEM) solutions that can make sense and use of the seemingly disparate security data to identify abnormal activity and potential cyberattacks.
What is SIEM?
SIEM is an approach to security management that combines security information management (SIM) and security event management (SEM) functions into a single security management system. SIEM takes data from disparate security solutions and sources and applies either correlation rules against the data or uses analytics to establish relationships among the data points that can indicate potentially threatening behavior.
Using a wide range of disparate data sources, SIEM solutions can have complete visibility into every part of the environment’s security, giving a comprehensive perspective on what actions are taking place, whether they are abnormal, and if they pose threats.
How do SIEM solutions work?
SIEM solutions take the same basic steps to identify events and activities that can be deemed abnormal, suspicious, or unusual:
1. Data is collected – SIEM solutions collect and aggregate log data generated from many varied sources throughout an organization’s infrastructure: endpoints and servers, applications, network and security devices, and other security software solutions.
2. Data is normalized and aggregated – Collected data and log files are normalized by reducing the log and event data into simple common event attributes that can be easily used. Aggregation moves data from their disparate sources into a common repository. In some cases, data is sent to the SIEM by the originating system or solution, rather than needing to be aggregated by the SIEM itself.
3. Aggregated data is analyzed – An analysis of the data occurs, comparing aggregated data to pre-defined rules or using machine learning to identify correlated activity that may indicate a potential threat. For example, if a user logs on at an unusual time of day and then generates a significant amount of outbound web traffic, a SIEM solution may identify that as suspicious.
4. Reports and alerts are generated – Regularly scheduled reporting on security-related incidents and events is often a desired output from a SIEM solution. Reports on events such as successful and failed logins, detected malware, and the use of elevated privileges can be automatically generated and distributed to appropriate members of IT and the executive team. Incidents and events that require immediate investigation are sent out as alerts, grabbing the attention of IT teams and providing them with details, so they can respond to potential security issues.
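The four steps above, carried through end to end as an added example (this is illustrative code written for this page, not part of any product described here): three constructed raw log lines from different sources (OpenSSH-style auth lines and a JSON proxy record) are normalized into one common event schema, aggregated into a single time-ordered list, and then run through two correlation rules, the "unusual-hour logon followed by heavy outbound traffic" pattern from step 3 and a failed-logon threshold, which emit alerts. The log formats, field names, the 08:00–18:00 business-hours window, the 500 MB threshold and the five-failures-in-five-minutes limit are all assumptions chosen for the example.

```python
"""Minimal SIEM pipeline: collect -> normalize -> aggregate -> correlate -> alert.
Illustrative example only; all log lines below are constructed, not real data."""
from __future__ import annotations
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two source types (sshd text logs, proxy JSON).
RAW_LOGS = [
    ("sshd", "2024-03-04T02:13:05 host1 sshd[812]: Accepted password for alice from 10.0.0.5 port 5112"),
    ("proxy", '{"ts": "2024-03-04T02:20:41", "user": "alice", "dst": "203.0.113.7", "bytes_out": 734003200}'),
    ("sshd", "2024-03-04T09:01:10 host1 sshd[901]: Accepted password for bob from 10.0.0.9 port 5200"),
    ("proxy", '{"ts": "2024-03-04T09:05:00", "user": "bob", "dst": "198.51.100.2", "bytes_out": 120000}'),
    ("sshd", "2024-03-04T11:00:01 host2 sshd[77]: Failed password for root from 192.0.2.44 port 40001"),
    ("sshd", "2024-03-04T11:00:02 host2 sshd[77]: Failed password for root from 192.0.2.44 port 40002"),
    ("sshd", "2024-03-04T11:00:03 host2 sshd[77]: Failed password for root from 192.0.2.44 port 40003"),
    ("sshd", "2024-03-04T11:00:04 host2 sshd[77]: Failed password for root from 192.0.2.44 port 40004"),
    ("sshd", "2024-03-04T11:00:05 host2 sshd[77]: Failed password for root from 192.0.2.44 port 40005"),
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+)"
)

def normalize(source: str, line: str) -> dict | None:
    """Step 2: reduce a raw line into the common event schema every rule consumes."""
    if source == "sshd":
        m = SSHD_RE.match(line)
        if not m:
            return None  # unparseable line: dropped (a real SIEM would count these)
        return {
            "ts": datetime.fromisoformat(m["ts"]), "type": "auth",
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "user": m["user"], "src": m["src"], "host": m["host"], "bytes_out": 0,
        }
    if source == "proxy":
        rec = json.loads(line)
        return {
            "ts": datetime.fromisoformat(rec["ts"]), "type": "web", "outcome": "success",
            "user": rec["user"], "src": None, "host": rec["dst"], "bytes_out": int(rec["bytes_out"]),
        }
    return None

def aggregate(raw):
    """Step 2 (aggregation): one time-ordered repository of normalized events."""
    events = [e for src, line in raw if (e := normalize(src, line)) is not None]
    events.sort(key=lambda e: e["ts"])
    return events

def rule_offhours_exfil(events, window=timedelta(minutes=30), threshold=500_000_000):
    """Step 3: successful logon outside 08:00-18:00 followed within `window`
    by a large outbound transfer from the same user (assumed thresholds)."""
    alerts = []
    for logon in events:
        if logon["type"] != "auth" or logon["outcome"] != "success":
            continue
        if 8 <= logon["ts"].hour < 18:
            continue
        for web in events:
            if (web["type"] == "web" and web["user"] == logon["user"]
                    and logon["ts"] <= web["ts"] <= logon["ts"] + window
                    and web["bytes_out"] >= threshold):
                alerts.append({"rule": "offhours_logon_then_exfil",
                               "user": logon["user"], "bytes_out": web["bytes_out"]})
    return alerts

def rule_failed_logons(events, limit=5, window=timedelta(minutes=5)):
    """Step 3: threshold rule, at least `limit` failed logons from one source within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "auth" and e["outcome"] == "failure":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        for i in range(len(times)):        # sliding window over sorted timestamps
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= limit:
                alerts.append({"rule": "failed_logon_threshold", "src": src, "count": j - i})
                break
    return alerts

def run_pipeline(raw=RAW_LOGS):
    """Step 4: the list of alerts is what would be routed to the on-call team."""
    events = aggregate(raw)
    return rule_offhours_exfil(events) + rule_failed_logons(events)

if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Running it produces two alerts: one for alice, whose 02:13 logon is followed seven minutes later by a 734 MB upload, and one for the five failed root logons from a single source inside five seconds. Bob's 09:01 logon and small transfer match no rule, which is the point of correlation: neither an off-hours logon nor a large transfer is alarming on its own, only their conjunction is.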
SIEM technology capabilities
While SIEM solutions attempt to differentiate themselves from one another, they all offer the same basic capabilities. In general, you should expect to see the following functionality:
Data aggregation – Log management functionality consolidates data from many sources, including the network, security events, servers and endpoints, databases, and applications.
Correlation – Common attributes among events are established, linking them together to create sequences of events that can indicate threat activity.
Reporting – Both on-demand and scheduled summary reporting is standard, allowing IT and security teams to get consolidated views of security concerns such as user activity, configuration changes, and resource access.
Alerting – Automated analysis of correlated events identifies issues that meet predefined criteria (such as multiple failed logon attempts). Some common categories of SIEM alerts are: user authentication, network attacks, host-level activity, unknown source attacks, web server activity, and log source activity.
Dashboards – The ability to visualize events and data empowers IT and security teams to easily see activity, trends, and patterns, which allows them to identify events that either don’t conform to expected patterns or do not follow a pattern at all.
Retention – Long-term storage of historical event and security information data is necessary for compliance and as part of forensic investigations that tend to occur months after an actual threat action occurs. SIEM solutions can use storage management, data compression, and other technologies and methods to achieve proper long-term retention of event data.
Other capabilities that you should look for when evaluating SIEM solutions include:
Artificial intelligence – The constantly changing face of attacks means it becomes more difficult for human-based forensics and analysis to see threat patterns. SIEM solutions using machine learning can help improve the efficiency and accuracy of identifying suspicious activity.
Threat intelligence integration – These feeds help provide context to identified suspicious events within a SIEM, allowing for better insight into whether an event is malicious or not, so that IT and security teams can make more informed decisions.
Compliance reporting – SIEM solutions can help demonstrate adherence to regulations and data security standards by gathering specific compliance-related data and generating reports that integrate with the internal governance and auditing processes designed to show that an organization is compliant.
User and entity behavior analytics (UEBA) integration – UEBA monitors and analyzes user activity and infrastructural entities such as servers and applications, establishing an activity baseline of users and their interactions with various entities and monitoring them for deviations from this baseline. Integrating SIEM with UEBA allows SIEM solutions to extend the reach beyond security information and events to also include security-related user behavior as a basis for potential threats.
Security orchestration and automated response (SOAR) integration – SIEMs have the potential to spot security events and threats in near-real time. Integration with SOAR solutions allows a SIEM to respond and potentially mitigate low-level attacks without needing to immediately involve IT.
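Two of the capabilities above, threat intelligence enrichment and UEBA-style baselining, as an added example written for this page (not code from any vendor or product mentioned here). It works on events that have already been normalized: a constructed 14-day history of daily outbound volume per user becomes the baseline, today's events are scored as standard deviations from that baseline, and each event's destination is checked against a constructed indicator set standing in for a threat-intelligence feed. The user names, addresses, byte counts and the 3-standard-deviation threshold are all assumptions.

```python
"""UEBA-style baseline deviation plus threat-intelligence enrichment over
already-normalized SIEM events. Illustrative example; all data is constructed."""
from __future__ import annotations
from collections import defaultdict
from statistics import mean, pstdev

# Constructed 14-day history of daily outbound bytes per user (not real data).
HISTORY = {
    "alice": [1.2e6, 1.0e6, 1.4e6, 0.9e6, 1.1e6, 1.3e6, 1.0e6,
              1.2e6, 1.1e6, 0.8e6, 1.3e6, 1.0e6, 1.2e6, 1.1e6],
    "bob":   [5.0e6, 4.8e6, 5.2e6, 5.1e6, 4.9e6, 5.3e6, 5.0e6,
              4.7e6, 5.1e6, 5.0e6, 4.9e6, 5.2e6, 5.0e6, 4.8e6],
}

# Constructed indicator set standing in for a threat-intel feed of known-bad destinations.
THREAT_INTEL = {"203.0.113.7": "constructed indicator: suspected exfiltration host"}

# Today's normalized events (constructed), one per user.
TODAY = [
    {"user": "alice", "dst": "203.0.113.7", "bytes_out": 40.0e6},
    {"user": "bob",   "dst": "198.51.100.2", "bytes_out": 5.1e6},
]

def build_baseline(history):
    """Per-user (mean, population stddev) of daily outbound volume."""
    return {user: (mean(vals), pstdev(vals)) for user, vals in history.items()}

def zscore(value, baseline):
    """How many standard deviations `value` sits above the user's baseline."""
    mu, sigma = baseline
    if sigma == 0:  # flat history: any change is infinitely surprising
        return float("inf") if value != mu else 0.0
    return (value - mu) / sigma

def enrich(event, intel=THREAT_INTEL):
    """Attach threat-intel context to an event without mutating the original."""
    enriched = dict(event)
    enriched["intel"] = intel.get(event["dst"])
    return enriched

def score_events(today=TODAY, history=HISTORY, z_threshold=3.0):
    """Combine behavioral deviation and intel matches into prioritized findings."""
    baseline = build_baseline(history)
    totals = defaultdict(float)
    for e in today:
        totals[e["user"]] += e["bytes_out"]
    findings = []
    for e in today:
        e = enrich(e)
        z = zscore(totals[e["user"]], baseline[e["user"]])
        reasons = []
        if z >= z_threshold:
            reasons.append(f"outbound volume {z:.1f} sd above baseline")
        if e["intel"]:
            reasons.append(f"destination matches threat intel: {e['intel']}")
        if reasons:
            findings.append({"user": e["user"], "dst": e["dst"],
                             "z": round(z, 1), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in score_events():
        print(finding)
```

Only alice is reported: her 40 MB day is a few hundred standard deviations above her roughly 1.1 MB norm, and the destination is on the indicator list, so the finding carries both reasons. Bob's 5.1 MB is well inside his own baseline even though it is larger than alice's anomalous day in absolute terms, which is why a per-entity baseline catches what a single global threshold would miss.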
Introducing threat detection and response solutions by AT&T Cybersecurity
AT&T Managed Threat Detection and Response is built on an award-winning unified security management (USM) platform, which combines the essential security capabilities needed for effective threat detection and response in a single pane of glass. Key capabilities include asset discovery, vulnerability assessment, network intrusion detection (NIDS), endpoint detection and response (EDR), and SIEM event correlation and log management.
Our USM platform, which can either be managed in-house or by AT&T Cybersecurity, is fueled with continuously updated threat intelligence from AT&T Alien Labs, ensuring that your defenses are able to detect emerging and evolving threats. AT&T Alien Labs, the threat intelligence unit of AT&T Cybersecurity, produces timely threat intelligence that is integrated directly into the USM platform in the form of correlation rules and other higher-order detections to automate threat detection.