Key performance indicators (KPIs) for a cybersecurity program include mean time to detect (MTTD), mean time to respond (MTTR), and mean time to resolve (MTTR). The faster an organization detects, responds, and resolves a security incident, the less impact the incident has on the organization. This is why many organizations leverage SIEM solutions. Understanding what a SIEM is and how to use it effectively can help mature your cybersecurity program.
What is SIEM?
Short for Security Information and Event Management (SIEM), SIEM solutions aggregate security incident and event log data from various sources. Then, they apply analytics so security professionals can engage in real-time threat detection, incident response management, forensic investigations, and audit preparation.
The term SIEM comes from two previous iterations of security tools:
- Security Information Management: long-term storage, analysis, and reporting tools that combined event log management and threat intelligence reports
- Security Event Management: tools that aggregated data specific to security events, including anti-virus, firewalls, and Intrusion Detection Systems (IDS) for responding to incidents
A SIEM helps your Security Operations Center (SOC), which is the team that has to respond to potential threats.
What does a SIEM tool do?
As cybersecurity became more complex, the tools used to detect and respond to threats needed to evolve as well.
Modern SIEM solutions bring together historical data, real-time event log management, and threat intelligence to help identify abnormal activity and potential vulnerabilities that indicate a security incident.
As organizations moved their operations to the cloud, SIEM solutions also needed to aggregate new types of data and leverage new technologies, including integrations with:
- User and Entity Behavior Analytics (UEBA): artificial intelligence (AI) and machine learning (ML) that monitor how people access and use resources to detect abnormal behaviors that might indicate fraud or credential theft
- Security Orchestration and Automation (SOAR): automated incident response technologies that leverage SIEM detection capabilities to mitigate threats faster
- Managed Detection and Response (MDR): outsourced teams who have access to technologies and databases that might be cost-ineffective for a single organization
After collecting the information, the SIEM solution prioritizes the different alerts based on potential impact. By prioritizing data, SIEMs enable organizations to reduce the number of false positives that their security teams need to investigate.
How can organizations benefit from SIEMs?
Deciding to deploy a SIEM can be a huge undertaking for an organization. However, as your company scales, you might find that the benefits more than compensate for the cost.
Better security KPIs
With all data aggregated in a single location, you gain better visibility into your security posture. This means that when an incident occurs, your team can more rapidly find the source and reduce key metrics like time to detect, respond, and remediate.
Increased efficiency
Security teams spend an inordinate amount of time researching alerts that turn out to be false alarms. By aggregating and correlating data, SIEMs reduce the number of false positives. This means that your security team is more efficient, spending their time and expertise on alerts that matter.
Reduced operational costs
Because multiple teams can use the SIEM, you reduce operational costs. Your security team can use a SIEM for threat hunting and research. Your compliance team can use the SIEM for audit reporting. Your IT team can use the SIEM for troubleshooting. Even though the cost might appear high, SIEMs provide cross-functional capabilities that enable greater collaboration.
What capabilities should a SIEM have?
SIEM solutions may vary in their capabilities. However, at the very minimum, they should have these functionalities.
Data aggregation
They should be able to collect and aggregate event log data from all critical systems.
A SIEM should collect data from the following types of information:
- Security event data, including:
- Intrusion detection systems (IDS)
- Endpoint security solutions, like antivirus and antimalware
- Data loss prevention (DLP) tools
- VPNs
- Web filters
- Honeypots
- Firewalls
- Network logs, including:
- Routers
- Switches
- DNS Servers
- Wireless access points
- WAN
- Data transfers
- Private Cloud Networks (VPC)
- Applications and devices, including:
- Application servers
- Databases
- Intranet applications
- Web applications
- Software-as-a-Service (SaaS) applications
- Cloud-hosted servers
- End-user workstations
- Mobile devices, like smartphones and tablets
- Infrastructure
- Configurations
- Location
- Owners
- Network maps
- Vulnerability reports
- Asset inventories
Data normalization
Aggregating information from all these sources only works if the solution can normalize the data. For example, if you have a multi-cloud infrastructure, your AWS and Azure deployments might use different event log formats. For the data to be meaningful, everything needs to be in the same format so that the SIEM can compare them.
Data correlation
In order to detect threats, SIEMs need to link events and data from divergent sources to find patterns that indicate a security incident, threat, or vulnerability. For example, IAM tools might be able to show too many attempted account logins over a short time period. This has no meaning unless additional data, like an end-user device infected with malware, is also present. Bringing these two data sets together makes it easier to track a malicious actor’s attack path.
Analytics
After correlating data, the SIEM needs to help your SOC team prioritize their activities. This is where the analytics help mature your cybersecurity program. Big data and statistical models tie the information together, providing visibility into trends and highlighting abnormal activity. The more robust the analytics, the better the threat detection is.
Alerting
Organizations adopt SIEMs to help them detect threats to enhance response times. When looking for a SIEM, you should consider how the solution lets your security team know that they have to investigate an event, including:
- Security dashboards
- Integrations with collaboration tools
- Integrations with ticketing solutions
Dashboards and visualizations
Security threat information is complex. When organizations say they lack visibility, often they mean that they have a difficult time bringing all the data together in a way that makes it easy to understand. Dashboards and visualizations enable security professionals to review event data and see the same patterns that the SIEM sees, including anomalous data points.
Retention
Unfortunately, security incidents may not be discovered right away. Additionally, some laws require organizations to retain data for a specified time period. This means that security teams need access to historical data as they engage in their forensic investigations. Thus any SIEM should provide access to information and offer data retention capabilities that enable you to meet all research and legal requirements.
Compliance reporting
Nearly every regulation and industry standard require companies to engage in independent audits. Because SIEMs aggregate so much security information, they are a useful source of audit documentation. When looking for a SIEM solution, you want to make sure that it enables you to generate reports and create a single source of documentation to reduce audit costs.
What are the use cases for a SIEM?
SIEMs offer several benefits. They not only enable your SOC team to more rapidly respond to threats, but they also help reduce costs.
Threat hunting
Most security professionals associate SIEMs with threat hunting. Because they provide alerts, they also act as the first point of contact for researching threats. A SIEM gives your SOC team a way to run queries, filter data, and follow patterns. The more data and the easier the SIEM is to use, the faster your threat researchers will be able to remediate the incident.
Forensic analysis
In the aftermath of a security incident, your forensic team will need all the evidence possible. In some cases, an event might have been triggered several days, weeks, or months in the past. This means that your team needs to track the evidence back to the original vulnerability that malicious actors used. Additionally, the forensic analysis also provides visibility into areas where your organization can enhance security, locating potential points of failure or areas that require strengthening.
Compliance
Your SIEM can be used to continuously monitor controls and document compliance activities. For example, more regulations require organizations to notify customers about data breaches within a short time frame after detecting an incident. SIEMs help you document when you detected an incident so that you can prove compliance with these mandates. Some common laws that require monitoring and breach notification, include:
- Health Insurance Portability and Accountability Act (HIPAA)
- European Union (EU) General Data Protection Regulation (GDPR)
- Sarbanes-Oxley Act (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
What are the types of SIEM deployments?
As IT stacks become more complex, organizations look for different ways to deploy their SIEM solutions. Four basic deployment models exist.
Self-hosted and managed
This is the traditional model where you host the SIEM in your data center. You are responsible for everything. You own the appliance. You also have staff to maintain and manage the SIEM. For organizations that already have a SIEM infrastructure, this is often the best option.
Cloud-based, self-managed
Based in the cloud, you have a managed security services provider (MSSP) who handles data collection, organization, and aggregation. Meanwhile, you focus on correlating and analyzing data to fine-tune alerts and dashboards. Many organizations are moving toward a cloud-based model to leverage the cloud’s elasticity. SIEMs require a lot of data storage capacity, so the cloud is often a good fit for organizations looking to reduce costs.
Self-hosted, dually-managed
Similar to the first option, your organization purchases the software and hardware. However, unlike the first option, your team works with an MSSP to deploy the SIEM. This means that you have a partner to help with event collection, data aggregation, correlation, and analysis. You also have someone who can help you fine-tune your alerts and dashboards. If you have the storage capacity, but you have a staffing issue, then this might be a good option. You can fill in the skills gap by working with an MSSP who has the staffing and knowledge.
SIEM as a Service
With this model, you outsource data collection, aggregation, correlation, and analysis to the MSSP. They also help fine-tune the alerting and dashboards. You manage the security processes that benefit from the SIEM information. This is a good option for organizations that want to leverage cloud-storage and suffer from the cybersecurity skills gap.
SecurityScorecard: Integrate with SIEM for enhanced analytics
SecurityScorecard’s security ratings platform integrates with mission-critical SIEM solutions, including IBM QRadar and Splunk. Our continuous, passive monitoring provides additional insights into security risks, including web application security, endpoint security, network security, and IP reputation.
You can leverage SecurityScorecard’s risk insights to help fine-tune your SIEM’s analytics. Enhance your security posture and mature your program with information by integrating SecurityScorecard with your SIEM to reduce false alerts.
