Security information and event management (SIEM) tools collect and aggregate log and event data to help identify and track breaches. They are powerful systems that give enterprise security professionals both insight into what’s happening in their IT environment right now and a track record of relevant events that have happened in the past.
SIEM software (pronounced ‘sim’; the ‘e’ is silent) collects and aggregates log and event data generated throughout the organization’s technology infrastructure, from host systems and applications to network and security devices such as firewalls and antivirus filters. A SIEM tool’s goal is to correlate signals in all that data together to provide security teams with the information they need to identify and track breaches and other problems.
The term “SIEM” was actually coined by Gartner analysts in 2005, and they continue to rate the various vendors using their Magic Quadrant methodology. You can see the 2021 installment of the Magic Quadrant for SIEM here. Companies in the “Leaders” quadrant include Splunk, IBM, Exabeam, Securonix, and LogRhythm.
SIM vs. SIEM
Before we dive into the details of how SIEM software works, we need to understand two related acronyms: SIM and SEM.
SIM, which stands for security information management, is a tool that provides analysis and reporting for historic security events—with historic here meaning not that these events are part of some epic, important historical event, but merely that they happened in the past. SIM systems grew out of the log management discipline, and work to automate the collection of log data from various security tools and systems and surface that information to security managers.
SEM, which stands for security event management, is similar to SIM, although instead of focusing on historic log data, it attempts to work in real time, or as close to it as possible, to identify specific events relevant to security professionals. For instance, if a user somewhere on your network manages to elevate their privileges to admin status in a way that is out of the ordinary, a SEM system should let you know about it.
A SIEM system is simply a tool that combines the functionality of SIM and SEM software. It’s quite rare at this point to find software that offers only SIM or SEM functionality, and SIEM has been the order of the day for a decade or more.
At first blush, it may seem odd that SEM ended up combined with SIM rather than replacing it. The appeal of getting alerts on real-time security events is obvious, and if you can do that, what’s the point of pulling information out of some dusty old log? In fact, much of a security pro’s job involves working backwards from real-time alerts to try to figure out what’s happening on your network. Once you get that warning about the user who managed to make themselves an admin, you’ll need to look at the history of that user’s logins and behavior to try to get to the bottom of what’s happening, and you need SIM tools that can quickly find that information for you in your logs.
SIEM software, therefore, has two main objectives:
- provide reports on security-related incidents and events, such as successful and failed logins, malware activity, and other possible malicious activities; and
- send alerts if analysis shows that an activity runs against predetermined rulesets and thus indicates a potential security issue.
How does SIEM work?
Logs and other data need to be exported from all your security systems into the SIEM platform. This can be achieved by SIEM agents—programs running on your various systems that analyze and export the data into the SIEM; alternately, most security systems have built-in capabilities to export log data to a central server, and your SIEM platform can import it from there.
Which option you take will depend on your network topography and bandwidth capabilities, as well as the types of systems you need to get logs from. The amount of data transmitted and processing power necessary at the end points can degrade the performance of your systems or network if you don’t implement things carefully; SIEM agents at the edge can relieve some of that burden by automatically parsing out some data before even sending it over the network. At any rate, you’ll want to ensure that your entire infrastructure is instrumented for SIEM, both on-prem and in the cloud.
Obviously the amount of data generated by this SIEM instrumentation is huge, more than your staff could possibly parse through. The primary value delivered by SIEM suites is that they apply data analysis to make sure that only useful information gets delivered to your security operations center. These platforms use correlation engines to attempt to connect disparate log entries or other signals that don’t seem worrisome on their own but taken together can spell trouble. These engines, combined with the specific artificial intelligence and machine learning techniques used to sniff out attacks, are what various SIEM vendors use to differentiate their offerings from one another.
SIEM tools also draw information from threat intelligence feeds—basically, updated feeds of data about new forms of malware and the latest advanced persistent threats. Some of these feeds are maintained by the SIEM vendors, but others are open source or internally maintained by security teams at large organizations, and some SIEM platforms allow you to use your favorites. Other customization options include the ability to tightly integrate your SIEM platform with specific security tools.
We noted above that SIEM was initially embraced for its ability to aid regulatory compliance; that’s still an important role for these tools, and many platforms have built-in capabilities that are focused on ensuring and documenting your compliance with various laws and standards. And finally, some SIEM platforms also incorporate SOAR capabilities, which can partially or fully automate responses to the threats they detect.
Top SIEM tools and vendors
How should you evaluate SIEM tools? CSO’s Tim Ferrill has a great buyer’s guide to the key features and considerations that should inform your choice of a system, including whether it’s cloud or on-prem, analytics capabilities, log ingestion, automated remediation, and role-based access, among others.
Ferrill’s list also looks at some of the top SIEM vendors, which make for a good guide through the landscape of this market segment:
All these different vendors have their own strengths and weaknesses. For instance, Microsoft’s Azure Sentinel offering is only available on Microsoft’s cloud, but easily integrates with Microsoft 365 and Windows Defender. RSA’s platform is built with massive data volume in mind, while Securonix has an open architecture that makes it possible to add a wide variety of third-party analytics plug-ins.
We should take a moment to spotlight Splunk, since it was one of the first software vendors to discover gold in log file analysis. Splunk Enterprise Security draws on the company’s mature data analytics and visualization capabilities to deliver a SIEM solution integrated with threat intelligence and available in the cloud or on prem. IDC maintains that Splunk has the largest SIEM market share.
At this point, you should have a good sense of what SIEM should do for your company. But these platforms aren’t cheap, and that means you need to do all you can to prepare before you roll one out. For instance, SIEM software requires high-quality data for maximum yield. And SIEM technologies are resource intensive and require experienced staff to implement, maintain and fine-tune them—staff that not all organizations have fully invested in yet.