Introduction to SIEM (security information and event management)
Security information and event management (SIEM) is a software system that collects and aggregates data and events from various networking devices and resources across IT infrastructure. At present, the SIEM market value is around $4.2 billion and is expected to grow to $5.5 billion by 2025.
The term SIEM was first used in 2005 by Mark Nicolett and Amrit Williams. SIEM as a concept was proposed by them by combining the concept of security information management (SIM) and security event management (SEM).
Learn Network Security Fundamentals
How SIEM works
A typical SIEM collects and aggregates security data from various networking devices, servers, computers and domain controllers present within the ecosystem. The collected data is stored, aggregated and normalized on which the analytics are applied to detect threats, raise alerts and enable organizations to take suitable steps based on the alert raised.
Thus, SIEM plays a vital role and is an important part of the data security ecosystem since it detects abnormal behavior and traffic flowing in and out of the network. On the flip side, SIEM tools can be resource-consuming, expensive to implement and it is often difficult to remediate problems reported by SIEM.
SIEM use
Following are the main capabilities found in an SIEM:
- Threat detection
- Investigation
- Time to respond
Apart from the above features, other additional features which an SIEM provides are:
- Basic security monitoring
- Advanced threat detection
- Log collection
- Forensics and incident response
- Incident detection
- Notifications and alerts
- Threat response workflow
Top SIEM vendors
Following are the top SIEM available in the market widely used at the corporate level:
- Splunk
- IBM Qradar
- LogRhythm
- SolarWinds Security Event Manager
- Alienvault
- ArcSight
- Datadog
- McAfee ESM
- Securonix
- RSA Netwitness
9 SIEM best practices
Following are the best practices for SIEM implementation:
- Requirement: define monitoring and reporting requirements before deployment.
- Implementation: determine and define the system’s scopes, infrastructure audit targets and verbosity.
- Access control: monitor and log access to critical resources and check whether it's legitimate or not.
- Perimeter defenses: monitor, log and respond to threats, violations and activity and attacks on perimeter defenses.
- Resource integrity: monitor, log and respond to threats, backup processes, violations and vulnerabilities and attacks on network system resources integrity and availability.
- Intrusion detection: monitor, log and respond to incidents related to intrusion detection and system threats.
- Malware defense: monitor, log and respond to threats, violations and activities on malware controls.
- Application defenses: monitor, log and respond to threats, violations and activity about the web, database and more.
- Acceptable use: monitor and report on the key status and issues violations activity regarding the acceptable use of resources and information.
Next-generation SIEM
Next-generation SIEMs engulf automated incident response technology and are much more advanced and more refined than the formal ones. Next-generation SIEMs integrate with IT and other security tools/hardware and provide full security orchestration and automation (SOAR) capabilities.
Examples include:
- Authentication and access management: automatically disable user accounts and reset passwords on active directory
- Cloud infrastructure: disable accounts and stop or destroy instances on AWS/Microsoft Azure
- Email security: delete or quarantine emails, sending email on SMTP email servers and Microsoft Exchange
- Endpoint security: isolate devices from the network and delete and list files or active processes on Linux/Windows/Mac
- Firewalls: block or unblock IPs and domains on firewalls
- Forensics: automatically running virus scans, scanning files and quarantine suspected malware in sandboxes.
- Information technology service management (ITSM): create tickets, change ticket status, add comments to tickets, reassign tickets and close incidents on the ITSM system
Learn Network Security Fundamentals
Trends in SIEM
Following are the top trends impacting the SIEM market:
- The sophistication of cyberattacks and their exponential rise
- Strict security compliances and regulations imposed by governments
- Cloud-based services adoption among SMEs
Sources
SIEM architecture: technology, process and data, Exabeam
What is SIEM? A beginner’s guide, Varonis
Security information and event management market, Market and Markets
Network Security Fundamentals
Learn the fundamentals of networking and how to secure your networks with seven hands-on courses. What you'll learn:- Models and protocols
- Networking best practices
- Wireless and mobile security
- Network security tools
- And more
In this Series
- Introduction to SIEM (security information and event management)
- What is zero trust architecture (ZTA)? Pillars of zero trust and trends for 2024
- A deep dive into network security protocols: Safeguarding digital infrastructure 2024
- Asset mapping and detection: How to implement the nuts and bolts
- The Pentagon goes all-in on Zero Trust
- How to configure a network firewall: Walkthrough
- 4 network utilities every security pro should know: Video walkthrough
- How to use Nmap and other network scanners
- Security engineers: The top 13 cybersecurity tools you should know
- Converting a PCAP into Zeek logs and investigating the data
- Using Zeek for network analysis and detections
- Suricata: What is it and how can we use it
- Intrusion detection software best practices
- What is intrusion detection?
- How to use Wireshark for protocol analysis: Video walkthrough
- 9 best practices for network security
- Securing voice communications
- VPNs and remote access technologies
- Cellular Networks and Mobile Security
- Secure network protocols
- Network security (101)
- IDS/IPS overview
- Exploiting built-in network protocols for DDoS attacks
- Firewall types and architecture
- Wireless attacks and mitigation
- Wireless network overview
- Open source IDS: Snort or Suricata? [updated 2021]
- PCAP analysis basics with Wireshark [updated 2021]
- What is a firewall: An overview
- NSA report: Indicators of compromise on personal networks
- Securing the home office: Printer security risks (and mitigations)
- Email security
- Data integrity and backups
- Cost of non-compliance: 8 largest data breach fines and penalties
- How to find weak passwords in your organization’s Active Directory
- Monitoring business communication tools like Slack for data infiltration risks
- Firewalls and IDS/IPS
- IPv4 and IPv6 overview
- The OSI model and TCP/IP model
- Endpoint hardening (best practices)
- Wireless Networks and Security
- Networking fundamentals (for network security professionals)
- How your home network can be hacked and how to prevent it
- Network design: Firewall, IDS/IPS
- Work-from-home network traffic spikes: Are your employees vulnerable?
- RTS threshold configuration for improved wireless network performance [updated 2020]
- Web server protection: Web server security monitoring
- Web server security: Active defense
- Web server security: Infrastructure components
- Web server protection: Web application firewalls for web server protection
- Web server security: Command line-fu for web server protection
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
