Security information and event management (SIEM) is a security management approach that combines security information management (SIM) and security event management (SEM). SIEM has recently emerged as the gold standard approach to network security. It uses historical as well as real-time correlation software to keep track of security data logs, allowing you to troubleshoot historical threats as well as to flag new security issues as they occur.
Data logs document any unusual activity that occurs in your network. Because all network activity is collected in the data log, it is one of the most effective tools for detecting threats that may have managed to sneak through your other lines of defense. In addition to identifying, monitoring, recording, and analyzing security events, SIEM as a service should also simplify and automate your data log management, managing network security from a centralized, unified dashboard and offering a comprehensive view of your IT infrastructure’s security. This is much easier, faster, and more efficient than having to check in individually on all your various security services and technologies.
Top SIEM tools, according to IT Central Station users, include Splunk, IBM QRadar, Securonix, Security Analytics, and Devo.
Difference Between SOC and SIEM
SIEM and SOC often get grouped together. But while SIEM is a kind of technology that allows security analysts to discover and act on suspected threats, a SOC (security operations center) encompasses not only the technology but also the people and processes involved in monitoring the network, searching for threats, and responding to incidents.
Rather than having their SOC in a dedicated facility, many companies today have virtual SOCs and use part-time staff from their development, security, and operations teams. Some also set up managed or hybrid SOCs, combining in-house staff with expertise and tools from MSSPs (Managed Security Service Providers).
Using the SIEM, SOC analysts monitor around the clock for security incidents and are responsible for responding if one is detected. The SIEM solution is the management tool, providing an additional layer of security to the SOC. You generally will not see a SOC without a SIEM, as SIEM software is a foundational element of a SOC. SIEMs are valuable tools, but they have limitations. They will identify, filter, and flag the most serious security events, but then it is up to the SOC analysts to determine the priorities and provide the solutions.
Security and technology teams often debate whether SIEM should be handled by an MSSP or in-house. In order to be able to handle SIEM in-house, you need three things:
- The money to invest in the staffing and operational costs.
- The time to invest in reviewing and monitoring data logs, customizing alerts, etc.
- The expertise to implement SIEM into your security program and audit as needed.
If any of these three elements is lacking, it might make more sense to consider going with an MSSP.
SIEM SOC Use Cases
The following are examples of use cases in which SOCs used SIEM as a part of their security operations:
1. Compliance
The Payment Card Industry Data Security Standard (PCI DSS) secures credit cardholders’ data from theft and misuse. SIEM SOC can help with PCI compliance through:
a. Perimeter security - monitoring for unauthorized network connections, searching for insecure services and protocols, and checking traffic flow.
b. Monitoring any event that results in a change to a user's identity or credentials.
c. Detecting threats in real time.
d. Searching for replicates, default credentials, etc. on production and data systems.
e. Collecting system and security logs, auditing and reporting them, and generating compliance reports.
2. Insider Threats
Insider threats are at the root of three out of five security breaches, and can go undetected for months or even years. SIEM SOC can help detect and stop insider threats by:
a. Using behavioral analysis to detect compromised user credentials.
b. Detecting anomalous privilege escalation.
c. Correlating threat intelligence with network traffic to discover malware/compromised user accounts.
d. Combining and analyzing seemingly unrelated events via behavioral analysis to detect attempts to exfiltrate data.
e. Detecting and stopping encryption of large amounts of data, e.g. by ransomware.
f. Using their broad view of multiple systems to detect lateral movement.
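The following Python sketch is an added illustration, not code from the original article or from any SIEM product, of the correlation behind items b, d and f above: a privilege-grant event and a burst of logons to distinct hosts by the same account are individually unremarkable, but when they line up inside one time window the SIEM raises a single higher-severity alert. The log lines, field layout, window and host threshold are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp user event host); illustrative only.
SAMPLE_LOGS = """\
2024-05-01T09:00:05 alice logon      ws-alice
2024-05-01T09:01:10 bob   logon      ws-bob
2024-05-01T09:02:00 bob   priv_grant dc01
2024-05-01T09:03:30 bob   logon      fs01
2024-05-01T09:04:10 bob   logon      db02
2024-05-01T09:10:00 carol logon      ws-carol
2024-05-01T09:11:00 carol logon      fs01
2024-05-01T09:12:00 carol logon      db02
2024-05-01T09:30:00 alice logon      fs01
"""

WINDOW = timedelta(minutes=10)   # correlation window (assumed value)
HOST_THRESHOLD = 3               # distinct hosts per user inside the window

def parse(text):
    """Normalise raw lines into dicts sorted by time, as a SIEM does with feeds."""
    events = []
    for line in text.splitlines():
        ts, user, kind, host = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "kind": kind, "host": host})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events):
    """Return (severity, user, hosts) alerts. A user reaching HOST_THRESHOLD
    distinct hosts inside WINDOW is possible lateral movement (medium); if a
    privilege grant to that user precedes it inside WINDOW, severity is high."""
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, host)] logons inside WINDOW
    granted = {}                 # user -> timestamp of latest privilege grant
    for e in events:
        user, now = e["user"], e["ts"]
        if e["kind"] == "priv_grant":
            granted[user] = now
        elif e["kind"] == "logon":
            # Drop logons that have aged out of the window, then add this one.
            recent[user] = [(t, h) for t, h in recent[user] if now - t <= WINDOW]
            recent[user].append((now, e["host"]))
            hosts = sorted({h for _, h in recent[user]})
            if len(hosts) >= HOST_THRESHOLD:
                escalated = user in granted and now - granted[user] <= WINDOW
                alerts.append(("high" if escalated else "medium", user, hosts))
                recent[user].clear()   # do not re-alert on the same burst
    return alerts
```

Running `correlate(parse(SAMPLE_LOGS))` yields a high alert for bob (privilege grant followed by three hosts in four minutes) and a medium one for carol (three hosts, no grant), while alice's two logons half an hour apart never correlate.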
3. Advanced Security
Many IoT (Internet of Things) devices are vulnerable to advanced security threats. SIEM SOC can help mitigate these threats in the following ways:
a. Detecting unusual traffic from the organization’s IoT devices, which might be used for a DoS (Denial of Service) attack.
b. Detecting unpatched vulnerabilities, old operating systems, and insecure protocols on IoT devices.
c. Monitoring who has access and where they connect to, and alerting on the presence of an unknown or suspicious source or target.
d. Monitoring unusual data flow, which may signify a transfer of sensitive data.
e. Identifying at-risk devices.
f. Identifying suspicious or anomalous behavior of particular devices that might be compromised.