What is SIEM?

What is SIEM in cyber security?

Overview

SIEM, short for Security Information and Event Management, is a platform that provides centralized log management and real-time analysis of security events from across an organization's systems. It also supplies the tooling needed for intrusion detection, event correlation, threat intelligence integration, incident management, and support for vulnerability management. It grew out of two earlier product categories, SIM (Security Information Management) and SEM (Security Event Management).

The SIM component covers products and services that provide long-term storage, analysis, and reporting of log data. The SEM component covers real-time monitoring and correlation of events, with alerting on what it finds. A SIEM combines the two, so that the same platform serves both live detection and retrospective investigation.


Features of SIEM

A SIEM collects data from heterogeneous sources deployed across an organization: servers, network devices, security appliances, applications, and cloud services. Without a SIEM, handling and analyzing the volume of data those sources produce would be a daunting, largely manual task; a SIEM simplifies and automates the process, so that security administrators can watch incidents as they unfold and respond appropriately. It is one of the core tools for continuously monitoring and evaluating the security posture of an organization's infrastructure. A SIEM may offer one or more of the following features:

Centralization (Aggregation)

Every system and device in an organization continuously generates log data. In principle, security administrators could routinely inspect those logs by hand for signs of breaches and incidents, but searching and viewing the security logs of every system in an organization manually does not scale and leaves gaps.

A SIEM bridges that gap by centralizing and automating the whole log management process. Each system and device is configured to forward a copy of its log data (over syslog, a collection agent, or an API) to the central repository, where it is analyzed, protected against tampering or loss, and retained for later investigation.

Normalization

Log data produced by different platforms rarely shares a format: a syslog line, a Windows event, and a JSON record from a cloud service all express the same kind of fact differently. These differences make it hard to search and correlate events across systems and devices. Normalization happens when logs are ingested into the central repository: each record is parsed and mapped onto a standard, uniform schema (for example, common field names for timestamp, source address, user, and outcome) so that data from all platforms can be queried and compared consistently.

Correlation

Once the logs are centralized and normalized, the data can be processed to relate activity across systems and detect potentially suspicious actions. A SIEM's correlation and aggregation features turn raw organizational data into useful information. Correlation is the process of discovering relationships among the collected events, for example many failed logins from one source address spread across several hosts within a short time window.

Detection

A SIEM's detection capabilities go beyond those of a single-purpose security tool because it sees events from the whole environment rather than from one device. It detects incidents as they happen by matching normalized events against correlation rules, thresholds, and known indicators, and assigns each detection a severity that reflects its impact on the organization.

Alerting

Once log data has been centralized, normalized, and analyzed, the next step is alerting those responsible about the detected incidents. A SIEM raises security alerts and triggers responses according to preconfigured rules, routing each alert to the right people based on its severity.
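As an added example (not code from the original page or from any SIEM product), the pipeline described under Normalization, Correlation, Detection and Alerting above, in Python: two constructed log formats (sshd syslog lines and JSON records from a hypothetical VPN appliance) are normalized onto one schema, then a correlation rule counts failed logins per source address across both hosts and raises a medium-severity alert when the threshold is reached, escalating to high severity when a successful login follows. The log lines, hostnames, addresses, event names, field names, the year 2024 assumed for syslog timestamps and the UTC assumption for all timestamps are all constructed for this example.

```python
"""Toy SIEM pipeline: normalize heterogeneous auth logs, correlate, alert."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real logs). Two formats arrive in one queue:
# BSD-style syslog from an SSH server and JSON from a hypothetical VPN appliance.
# Note the brute force is split across web01 (syslog) and vpn01 (JSON), and one
# line arrives out of time order.
SAMPLE_LINES = [
    "Jan 10 10:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 50001 ssh2",
    '{"ts": "2024-01-10T10:00:05Z", "host": "vpn01", "event": "auth_fail", "user": "admin", "src": "203.0.113.9"}',
    "Jan 10 10:00:09 web01 sshd[2214]: Failed password for root from 203.0.113.9 port 50002 ssh2",
    '{"ts": "2024-01-10T10:00:12Z", "host": "vpn01", "event": "tunnel_up", "src": "198.51.100.7"}',
    "Jan 10 10:01:00 web01 sshd[2220]: Failed password for alice from 198.51.100.7 port 50003 ssh2",
    "Jan 10 10:00:30 web01 sshd[2218]: Accepted password for root from 203.0.113.9 port 50002 ssh2",
    '{"ts": "2024-01-10T10:02:00Z", "host": "vpn01", "event": "auth_ok", "user": "alice", "src": "198.51.100.7"}',
]

ASSUMED_YEAR = 2024  # assumption: BSD syslog timestamps carry no year

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def normalize_syslog(line):
    """Map an sshd syslog line onto the common schema; None if it is not an auth event."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"], "user": m["user"], "src_ip": m["src"],
        "outcome": "failure" if m["outcome"] == "Failed" else "success",
        "source": "syslog",
    }


def normalize_json(line):
    """Map a JSON record from the (hypothetical) VPN appliance onto the common schema."""
    rec = json.loads(line)
    outcome = {"auth_fail": "failure", "auth_ok": "success"}.get(rec.get("event"))
    if outcome is None:  # not an authentication event; nothing to correlate
        return None
    return {
        "ts": datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"),  # assumption: UTC everywhere
        "host": rec["host"], "user": rec["user"], "src_ip": rec["src"],
        "outcome": outcome, "source": "json",
    }


def normalize(line):
    """Dispatch on format so both sources land in the same schema."""
    return normalize_json(line) if line.lstrip().startswith("{") else normalize_syslog(line)


def make_alert(rule, severity, src_ip, trigger, failures):
    return {
        "rule": rule, "severity": severity, "src_ip": src_ip,
        "ts": trigger["ts"], "user": trigger["user"],
        "failed_attempts": len(failures),
        "hosts": sorted({f["host"] for f in failures} | {trigger["host"]}),
    }


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Per source address: N failures within the window -> medium; a success after that -> high."""
    alerts = []
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # arrival order is not time order
        by_src[ev["src_ip"]].append(ev)
    for src_ip, evs in by_src.items():
        recent_failures = []
        for ev in evs:
            # slide the window: keep only failures still within `window` of this event
            recent_failures = [f for f in recent_failures if ev["ts"] - f["ts"] <= window]
            if ev["outcome"] == "failure":
                recent_failures.append(ev)
                if len(recent_failures) == threshold:  # fire once when the threshold is reached
                    alerts.append(make_alert("auth.bruteforce", "medium", src_ip, ev, recent_failures))
            else:
                if len(recent_failures) >= threshold:  # success right after a burst of failures
                    alerts.append(make_alert("auth.bruteforce.success", "high", src_ip, ev, recent_failures))
                recent_failures = []  # a success closes the sequence
    return alerts


def run_pipeline(lines):
    """Normalize every line, drop non-auth records, and correlate what remains."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    _, found = run_pipeline(SAMPLE_LINES)
    for a in found:
        print(f"[{a['severity']}] {a['rule']} src={a['src_ip']} hosts={a['hosts']} at {a['ts']}")
```

The point to notice is that neither host on its own sees three failures from 203.0.113.9; only after both formats are mapped onto the same `src_ip`, `outcome` and `ts` fields can the rule count them together. The sort before correlation matters in practice too, since forwarded logs routinely arrive out of order.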

Organizations can deploy and use SIEM solutions in on-premises datacenters and in cloud environments.