What is SIEM?
If you’re not a cybersecurity expert, you may be wondering, “What is a SIEM anyway?” SIEM is an acronym for Security Information and Event Management. But what does that mean exactly?
The first, most basic function of any SIEM is to centralize all the security notifications from your various security technologies. Your firewalls, IDS/IPS systems, anti-virus console, wireless access points and Active Directory servers all generate tons of security alerts every day. With a SIEM, you can collect all of these in one place, with one set of reports and one centralized system for generating notifications. This is usually referred to as a “log aggregation” solution, and unfortunately, this is where many SIEM offerings stop.
The second main function of a SIEM is to provide logging and reporting for compliance purposes. For almost every compliance regulation, there are requirements to log user access, track system changes, and monitor adherence to corporate policies. A good SIEM solution makes these tasks MUCH easier by collecting this data from all your systems. Then, when it’s time for an audit or exam, you can generate the appropriate compliance reports and send them to the appropriate people. Of course, your SIEM must have the needed compliance functionality and reports built-in to be effective, but many SIEM offerings don’t.
The third, and probably most important, function of a SIEM is automated cross-correlation and analysis of all the raw event logs from across your entire network. This is where a SIEM looks for hidden cybersecurity issues that would otherwise go unnoticed by combining data from several different sources. In order to perform this correlation and analysis, getting the security logs to the SIEM is certainly important. But security logs by themselves just aren’t enough. Let’s say your SIEM receives an alert from your IDS stating that it has detected a SQL injection attack against one of your servers. Scary, right? These are the types of alerts that you may get woken up in the middle of the night over. That is, assuming you have sequel server! Otherwise, you’re just getting woken up for nothing! Many SIEM offerings don’t take into account what type of server you are running, which leads to a lot of false positives. And too many false positives makes your SIEM effectively useless. A complete SIEM solution understands what the server is, what applications it’s running, and what configuration it has. This intelligent context helps prevent false positives, meaning you only get woken up when you need to take action.
A true comprehensive SIEM solution also gathers full configuration, running applications, and other information from every device to add critical context to events and notifications. This allows the SIEM to notice changes to critical devices such as routers and firewalls – generating notifications when unauthorized changes occur. A full SIEM solution also blends threat intelligence feeds, blacklists, and geolocation data to further increase the accuracy – ensuring notifications are actionable, dramatically reducing false positives. Because let’s face it. False positives mean no sleep. They mean frustration and added cost to your organization. Even worse, false positives mean missed notifications that leave your organization at risk!
It’s also important to understand what a SIEM is not. First a SIEM is not just a log aggregation tool. It is very easy to just collect and store log files, however, this doesn’t give you any visibility into your security posture or help mitigate any threats. Be careful, many so called “SIEM” providers out there are in fact just glorified log aggregators. Second, some people think that their IDS/IPS system does the same thing as a SIEM. Nothing could be further from the truth. An IDS is a single data feed that by itself is littered with false positives and erroneous information. A SIEM takes that information, cross correlates it with other systems data, threat feeds, and configuration information to determine if it really is a threat. Relying solely on an IDS system is like seeing one frame of a movie and thinking you have watched the entire thing.
Machine learning systems can be valuable but they do not replace the need for a SIEM. They are still a single device with a single view of the system and network. The value of a SIEM is in the cross correlation of data from all devices including machine learning devices. In addition, some new ”magic appliances” must be installed in a very specific place on the network or use a network tap so that all the network flows go through the box. That’s fine, but all those traffic flows must be unencrypted in order for the appliance to understand anything. And in most networks today, a lot of traffic is encrypted. Citrix, VPN sessions, and a lot of other traffic is completely hidden from these devices. Not to mention most malware and other tools hackers commonly use have built in encryption to bypass these systems. So while these are great solutions for specific needs, they absolutely do not eliminate or even reduce the need for a SIEM.
Important reasons you need to have a SIEM:
- Gather all your security and event information into a single location to eliminate blind spots
- Detect suspicious behavior without getting bogged down in the mire of false positives.
- Detect problems before they become a breach with accurate analysis and correlation
- Monitor and enforce corporate policies with holistic visibility
- Achieve regulatory compliance including PCI, HIPAA and FFIEC which effectively require you to have a SIEM.
A SIEM is an important component of any comprehensive cybersecurity strategy. If you’re interested in discussing how to enhance your business’s cybersecurity, reach out to us here at My Tampa IT for a complimentary consultation.