What is a Security Information and Event Management (SIEM)?
A SIEM is a solution that ingests and analyzes log and event data from disparate sources within an IT infrastructure. It gives organizations real-time monitoring of their infrastructure, enabling them to detect and respond to security threats as they occur. Using various correlation algorithms, SIEM solutions link the collected data to identify patterns related to cybersecurity threats. Additionally, they help organizations maintain and demonstrate compliance with the regulatory requirements they are subject to.
While this is a general explanation of what a SIEM is, it is not an exhaustive list of the capabilities of SIEM solutions. Visualizations, incident response, digital forensics, automation (SOAR), and more can be found within a SIEM.
Choosing the Right SIEM (Core Considerations)
Every organization has unique needs, budgets, and personnel, all of which can determine which SIEM is right for your organization. At the end of the day, the solution should be able to effectively detect cybersecurity threats and provide insight into the breadth and scope of security incidents. However, there are some core considerations that are universal when evaluating a SIEM solution. Here they are:
1. Storage & Retention:
Devices can generate thousands of logs or more per day. These logs need to be ingested, processed, and retained. Organizations should identify high-value log sources, understand their log outputs and integration potential, and then deliberately onboard those sources. I could delve into architectural design specifics, but that should be an article in itself, as there are many considerations and approaches. Ultimately, it is important to understand how ingress and egress traffic flows traverse your network and security stack, and to pinpoint the places where log data paints the clearest picture. Narrowing down ingestion also optimizes retention, allowing you to retain the data that carries the most value while ensuring you meet applicable compliance requirements.
2. Expertise & Staffing:
This one is important, very important. SIEM solutions require constant maintenance and need to continually mature their ruleset (aka use-cases) to keep pace with cybersecurity threats. Not having personnel who are proficient in the chosen SIEM will likely result in a solution that is not functioning optimally, in turn creating blind spots, event noise, false positives, and more. If a lack of expertise is a problem, an organization might want to consider a Managed Security Service Provider (MSSP) to fill the skill gap. Keep in mind there still needs to be someone knowledgeable within the organization to ensure the MSSP is delivering as expected.
3. Integration:
The more your tools play together, the more effective your security operation will be. Good integration provides more context for the data being ingested and allows higher levels of data correlation. For example, ingesting vulnerability data allows a security operations team to gauge how a detected attack can affect the overall environment by identifying all the devices that carry the vulnerability being exploited. Without vulnerability data, in this example, it would be harder to understand the overall security posture.
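The enrichment described above, as an added example (not code from the original article): a SIEM alert naming an exploited vulnerability is joined against a vulnerability-scanner export to find every other host carrying the same weakness. The alert fields, host names and CVE identifiers are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data (placeholders, not real assets or CVEs).
ALERT = {
    "rule": "Exploit attempt against web service",
    "src_ip": "203.0.113.7",
    "dst_host": "web01",
    "cve": "CVE-EXAMPLE-0001",      # placeholder identifier
}

VULN_EXPORT = [  # what a scanner integration would feed into the SIEM
    {"host": "web01", "cve": "CVE-EXAMPLE-0001", "severity": "critical"},
    {"host": "web02", "cve": "CVE-EXAMPLE-0001", "severity": "critical"},
    {"host": "db01",  "cve": "CVE-EXAMPLE-0002", "severity": "high"},
    {"host": "app03", "cve": "CVE-EXAMPLE-0001", "severity": "critical"},
]


def index_by_cve(export):
    """Build cve -> set(hosts) so each alert lookup is a single dict hit."""
    idx = defaultdict(set)
    for row in export:
        idx[row["cve"]].add(row["host"])
    return idx


def enrich_alert(alert, cve_index):
    """Attach vulnerability context: is the target actually exposed,
    and which other hosts share the same weakness (blast radius)."""
    exposed = cve_index.get(alert["cve"], set())
    target_vulnerable = alert["dst_host"] in exposed
    others = sorted(exposed - {alert["dst_host"]})
    # A hit on a vulnerable host outranks noise against a patched one.
    priority = "critical" if target_vulnerable else "informational"
    return {
        **alert,
        "target_vulnerable": target_vulnerable,
        "other_exposed_hosts": others,
        "priority": priority,
    }


if __name__ == "__main__":
    result = enrich_alert(ALERT, index_by_cve(VULN_EXPORT))
    print(result)
```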
4. Security Orchestration, Automation & Response (SOAR):
Ideally, we don’t want our security staff spending time on mundane tasks and low-level security events. You should attempt to employ a SIEM that can alleviate some of this burden by autonomously taking actions when necessary. A brute-force attempt that exceeds a specified threshold should trigger an action such as an account disablement followed by a notification to the administrator. This is a more immediate response to a security threat and allows a human to review the need and accuracy of the action and determine the next steps required.
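The brute-force playbook described above, as an added example that is not part of the original article: a sliding-window count of failed logons per account that, on crossing the threshold, disables the account once and queues a notification for human review. The log lines, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs); ISO timestamps for simplicity.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:05 sshd: Failed password for bob from 198.51.100.9
2024-05-01T10:00:06 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:08 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:09 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:11 sshd: Accepted password for bob from 198.51.100.9
"""

FAIL_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")
THRESHOLD = 5                 # failures within WINDOW that trigger the action
WINDOW = timedelta(minutes=1)


def run_playbook(lines, threshold=THRESHOLD, window=WINDOW):
    """Detect per-account brute force and apply the automated response.
    Returns (disabled_accounts, notifications) for review."""
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    disabled = set()
    notifications = []
    for line in lines.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                # successes and unrelated events are ignored
        ts_s, account, src = m.groups()
        ts = datetime.fromisoformat(ts_s)
        q = failures[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # age out failures older than the window
        if len(q) >= threshold and account not in disabled:
            disabled.add(account)   # automated action: account disablement
            notifications.append(
                f"Disabled {account} after {len(q)} failures from {src}; "
                "administrator review required")
    return disabled, notifications


if __name__ == "__main__":
    print(run_playbook(SAMPLE_LOGS))
```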
I could go into greater specifics on how to deploy a SIEM (properly) and which ones are better than others. I think it’s more prudent for me to give you a baseline understanding and the key things one should consider. SIEMs can become complicated, but if you can start with the core considerations I provided, you’ll establish a very solid foundation and gain greater visibility into your infrastructure.
About the Author: Al Lyle (LinkedIn)
With over two decades in the IT and cybersecurity realm, Al Lyle stands as a seasoned veteran in the field. As the proud owner of Cyberpacket Technology Consulting, Al boasts an impressive array of credentials, including CISSP and C|EH certifications.
Al’s commitment to the world of cybersecurity and IT is not limited to the professional arena alone. He has imparted knowledge at the university level, teaching online undergraduate courses, further nurturing the next generation of cyber professionals.
Holding a Master of Science in Information Technology with a focus on Information Assurance, Al’s expertise goes beyond just knowledge; it’s about application. He has held pivotal roles in IT and Cybersecurity Management. Moreover, his technical acumen shines through in his time served in Security Engineering, Security Operations, Digital Forensics, Cyber Threat Intelligence, and Vulnerability Management roles at a senior technical level.
Additionally, Al is the author of the book “Cybersecurity Simplified: In Less Than 100 Pages”, aiming to break down cybersecurity topics for readers of all backgrounds.
When it comes to cybersecurity, Al Lyle is more than just a professional — he’s a dedicated advocate, educator, and leader.