NextGen SIEM 101: What Is SIEM, And Why Do You Need It?

Praveen Yeleswarapu
June 8, 2021

SIEM stands for Security Information and Event Management, a software solution that is designed to collect, collate and analyze activity from a variety of active sources (servers, domain controllers, security systems and devices, networked devices, to name a few) that span your company’s IT infrastructure. 

By analyzing all this stored data, SIEM helps detect threats and uncover trends, thus enabling your organization’s cybersecurity personnel to look into any red flags that may turn up. 

SIEM is a combination of first-generation Security Information Management (SIM) systems that keeps extensive logs and stores massive amounts of data, with Security Event Management (SEM) which is a second-generation system. SEM includes correlation of events, notifications, console views, and real-time monitoring. 

In a nutshell, SIEM is a data aggregator that puts together, stores, and categorizes enormous amounts of data, and makes it accessible for your team to delve into and analyze security breaches in minute detail. It applies statistical techniques and correlation rules to extract useful, actionable information from multiple events’ worth of data and numerous log entries. The system consolidates logs into separate categories to differentiate between successful or failed logins. It detects malware presence and runs port scans to sweep for any attempted cybercriminal activity. 

SIEM provides visual aids such as dashboards to maximize the visibility of an organization’s security system and sends alerts to flag potential issues in real-time. It applies boolean logic rules to raw data to make sense of it. 

Why do you need SIEM?

SIEM helps your Incident Response Team by:

  • Generating alerts based on the analytics that line up with a pre-determined rule set which is indicative of a security breach or issue
  • Performing forensics and reporting on security incidents.

Whereas the primary and most critical capabilities of SIEM are threat detection, threat investigation, and rapid response time, it also performs other functions such as data normalization, threat assessment, and response workflow. 

Central Log data aggregation and visibility

Today, with digitization, the number of logs generating sources have only increased exponentially. That said, irrespective of the size of organization, it is essential from an organization perspective in aggregation and maintenance of logs generated from multiple sources. 

Here are quick examples of log generating sources within an organization: 

  1. Desktops/ Laptops/ Servers/ Virtual Machines/ Thin Clients or any other compute device 
  2. Existing Security Infrastructure (Example: AV Solution, Firewall, Web Proxy, Intrusion detection system Etc)
  3. Network Infrastructure (Example: Switch, Router, Access Points, Load Balancer Etc.)
  4. Cloud/ SaaS Applications (Example: Office 365 Etc)
  5. Cloud Infrastructure (Example: AWS/ Azure/ Digital Ocean/ Google Cloud/ Etc) 
  6. Application Logs (Example: SAP/ Oracle/ Custom App Etc)
  7. Configuration Management systems (Example: Solar Winds Etc)
  8. Active Directory 
  9. Infrastructure Management (Example: Nutanix Etc) 

Today, each component on which you should have a visibility on generates high volume of unstructured data and it is humanly impossible to derive value from such high data volume. 

An SIEM functionality will normalize the data from an unstructured format, enrich the structured data with real time cyber threat intelligence. The enriched log is computed further to check if there are any potential cyber-attack via correlation rules and presented fluidly over a dashboard enabling your security analyst in faster cyber threat detection due to multi data visibility. At the same time, it also enables an analyst in forensic analysis standpoint. 

Enabling Organization’s Compliance & Regulatory requirements

With data being the new oil, data privacy and sovereignty has been a major concern bringing in a plethora of compliance and regulatory requirements/ practices. 

Technically every business vertical/ horizontal today irrespective of the size and revenue needs to meet some form of compliance or regulatory requirement. Majority of these compliance and regulatory requirements from an IT and Data Security standpoint overlap.

Here are quick examples of data insights that are usually a part of audits:

  1. Storage of Log data from multiple log sources (Firewall, Compute devices Etc) 
  2. Authentication Audit data 
  3. Access Insights 
  4. Reports on user/ access audit insight 
  5. Modification of objects 
  6. Database access authentication 
  7. Configuration insights 
  8. Server audit/ authentication insights 

SIEM by design is collecting data insights which act as a baseline in providing the above insights. Since, the logs received into SIEM are stored in a normalized and structured format, real-time reporting and meeting the compliance needs is a easier process enabling streamlining of compliance/ regulation based reporting. 

BluSIEM, specifically, also offers you a varied capability in building custom reports enabling custom audit/ internal audits.

Enhanced Forensics & Efficiency

Today’s cyber attacks are only discovered once the damage has already been done. One of the major reasons is an organization’s viewpoint only to secure crown jewels and ingest limited data insights primarily to save OPEX and complexities around data management.

A next-generation SIEM with Big data and horizontal scalability, and being cloud native will enable your organization to break free from the shackles of OPEX cost and complex data management issues enabling to view the security log data from multiple different log sources in your organization from a single interface. This enables your security team to go back through days/ months/ years of data swiftly and perform detailed forensics at ease. 

Not only does this improve visibility but it also enhances incident management process in multiple ways.

Your security teams which are today completely lost in finding answers to the challenges will be enabled & equipped to fight future threats with ease.

Key benefits of SIEM:

Threat detection

Threat detection, including insider threat identification using a branch of analytics known as UEBA, or, user + entity behavior analytics. For example, it can flag suspicious activity of say, an employee changing permissions without being authorized to, or making repeated attempts to log in somewhere. It can also pinpoint malware- compromised user accounts of individuals within an organization.  It can continually surveil network traffic and perform threat assessment functions. 

Regulatory compliance

Companies are subject to several rules and regulations they are required to be compliant with, by law. The regulatory bodies they are answerable to depends on the nature of the enterprise. For example, health insurance would need to be HIPAA-compliant to protect patient data and uphold privacy laws. SIEM security solutions can monitor traffic along with the network and identify attackers, flag vulnerabilities and detect malware. The data they store can be useful for audits and for generating reports as needed. SIEM can identify new critical systems, monitor access to various files, record changes to credentials, verifies authentication info, and monitors changes to data policies. 

IoT- relevant security features

SIEM provides advanced security solutions that pertain to cyber attacks, data exfiltration, IoT, and connected device security, and sends out alerts to investigate any suspected incidents. It applies threat intelligence and analysis of past incidents to seek out newer attacks. Where the target is not known, SIEM scans network traffic to find large data transfers and the system that is doing it. This capability extends to anomalies indicating such data exfiltration happening over mobile or any other compromised smart devices.

Zero-day threat detection

Zero-day threats pertain to undetected or unaddressed flaws in hardware or software. Once detected, it is a race against time to “patch” the flaw before hackers can exploit the vulnerability, resulting in a zero-day attack. 

SIEM can detect and analyze the behavior associated with a zero-day attack. For instance, an attack via PDF can lead the Adobe Reader functionality to crash. At the back end, a process is generated that links the attack through outbound or inbound connections, and SIEM can be designed to pick up traces of such activity. 

Data for operations and capacity management

Data is of great value in capacity planning. SIEM aggregated data can also help companies track their bandwidth and data accumulation over time to factor into their budget and expansion plans. This helps organizations avoid unnecessary capital expenditures. 

Limitations of SIEM applications

Sometimes it is difficult to differentiate between actual critical data theft and more benign activity, even with SIEM. This is because SIEM flags what it sees as threats without providing context: it is up to the team to sort out exactly what is happening. SIEM falls short in pinpointing relevant information in unstructured data. For example, a SIEM system may flag rising or unusual network activity at a particular IP address. It will not reveal who the user behind it is, or exactly which files the user accessed. 

Similarly, SIEM cannot differentiate between authorized file activity and suspicious activity. This generates a lot of work for the security team to diagnose just what is going on. The number of false alarms and wild goose chases can be high enough to desensitize them, and an actual exploit might go unnoticed.

However, BluSapphire's next-gen SIEM platform is built to mitigate some of these issues with SIEM in general. Please take a look at the BluSapphire Basic solution page to know more.