What is SIEM?

History

SIM and SEM

Information technology security in the 1990s was heavily focused on protecting the perimeter. Early security information and event management (SIEM) solutions developed during this time were basic and came as either a security information management (SIM) or a security event management (SEM) solution. They were largely available as appliances that had to be deployed on-premises in your data center. This limited your ability to scale, because adding more capacity required buying more equipment from vendors.

Early solutions were also built on proprietary databases that locked customers into one vendor’s technology. If you wanted to move your data to another system, the process was long and complicated. Connectors, if they were available at all, had to be heavily customized. Storage was expensive, so only the most valuable data was collected.

Even if you got all the data you needed into your solution, searching and alerting were rudimentary and depended on knowledgeable security analysts to research, understand, and interpret what they found in the data.

SIEM

As storage became cheaper and technology more powerful, SIEMs became better able to ingest, process, and store data. SIEMs were now able to use signature-based alerts to find threats in your data. However, signature-based alerts can only find known threats: you needed to know the indicators of compromise (IOCs) for a threat before you could find it. Threat intelligence feeds were created by various companies and organizations to share relevant IOC data.

For all the benefits, there were also serious drawbacks to this generation of SIEMs. They had a very limited capability to discover zero-day or unknown threats. For example, you could write a rule such as ‘give an alert if a user enters 10 wrong passwords in a row.’ In theory this could be used to detect brute-force password attacks. However, what if the attacker only tried 9 passwords in a row? Or what if you had a very forgetful user? Signature-based attempts to find unknown threats inevitably generated a lot of noise and not a lot of value. It doesn’t help that for many legacy SIEMs, the more rules you had running, the slower the system ran. With the rapid proliferation of threats today, legacy SIEMs have become completely overwhelmed.
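To make the limitation concrete, here is an added example (not from the original page) of the ‘ten wrong passwords in a row’ rule run over constructed authentication events: any success resets a user’s failure streak, the forgetful user trips the alert, and the nine-guess attempt never does. The log line format, user names and addresses are made up for the example.

```python
"""Legacy 'ten wrong passwords in a row' rule applied to constructed auth events."""

THRESHOLD = 10


def sample_log():
    """Constructed authentication log (not real data), oldest line first.
    Assumed line format: '<time> <user> <result> from <source>'."""
    lines = [f"09:00:{i:02d} svc-backup FAIL from 203.0.113.7" for i in range(9)]
    lines += [f"09:05:{i:02d} mwilson FAIL from 10.0.0.5" for i in range(10)]
    lines += ["09:05:30 mwilson OK from 10.0.0.5",     # she finally remembered it
              "09:06:00 alice FAIL from 10.0.0.9",
              "09:06:05 alice OK from 10.0.0.9"]
    return lines


def parse(line):
    time, user, result, _, source = line.split()
    return time, user, result, source


def consecutive_failure_alerts(lines, threshold=THRESHOLD):
    """Alert the first time a user reaches `threshold` failures with no success
    in between.  Returns {user: time_of_alert}."""
    streak, alerts = {}, {}
    for line in lines:
        time, user, result, _ = parse(line)
        if result == "OK":
            streak[user] = 0          # a success resets the streak
            continue
        streak[user] = streak.get(user, 0) + 1
        if streak[user] == threshold and user not in alerts:
            alerts[user] = time
    return alerts


def failures_per_user(lines):
    """Plain failure totals, to show what the rule left unflagged."""
    totals = {}
    for line in lines:
        _, user, result, _ = parse(line)
        if result == "FAIL":
            totals[user] = totals.get(user, 0) + 1
    return totals


if __name__ == "__main__":
    print(consecutive_failure_alerts(sample_log()))  # {'mwilson': '09:05:09'}: the forgetful user
    print(failures_per_user(sample_log()))           # svc-backup took 9 guesses and was never alerted
```

Lowering the threshold to 9 catches the nine-guess case but also fires on mwilson one attempt earlier, which is the noise-versus-coverage trade-off the paragraph describes.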

Next-Generation SIEM

A next-generation SIEM is built on a big data platform that provides unlimited scalability, and it is built in the cloud, for the cloud. It includes log management, behavior analytics-based advanced threat detection, and automated incident response, all on a single platform.

Evolution of Features and Capabilities

| Capability | Early SIEM (SIM/SEM) | SIEM | Next-Generation SIEM |
|---|---|---|---|
| Deployment | On-Premises | On-Premises | SaaS |
| Form Factor | Appliance with Proprietary Technology | Appliance or on Your Own Hardware | Cloud |
| Scalability | Severely Limited | Limited | Unlimited |
| Data Storage | Proprietary Database | Proprietary Database | Open Source / Big Data |
| Solution Management | Requires Many Trained and Skilled Professionals to Manage and Run | Requires Many Trained and Skilled Professionals to Manage and Run | Solution is Managed for You; Alerts are Prioritized According to Risk Level |
| Log Management | Yes | Yes | Yes |
| Analytics for Threat Detection | Primarily Search-Based | Basic, Signature-Based Alerts Find Known Threats and Are Prone to False Positives | Machine Learning and Advanced Analytics Find Unknown Threats and Reduce False Positives |
| Security for Cloud Applications and Infrastructure | No | Extremely Limited | Security in the Cloud, for the Cloud |
| Threat Hunting | No | Manual | Yes |
| Reports and Compliance | Limited | Manual | Yes |
| Incident Response | No | Manual | Yes |
| Security Orchestration | No | Manual | Yes |

How Does it Work?

Collect Data

Most SIEM solutions collect data from across the organization using agents installed on various devices including endpoints, servers, network equipment, and other security solutions, such as firewalls or other network security appliances.

Next-generation SIEM includes support for cloud applications and infrastructure, enterprise applications, identity and HR data, and non-technical data feeds.

Enrich Data

Enrichment adds context to an event. A SIEM will enrich the data with identity, asset, geolocation, and threat intelligence information. This fills in the context that a SIEM needs in order to correlate events and find threats.

Store Data

Security data is then stored in a database so it can be searched and referenced during investigations. Sometimes only enriched data is stored, and sometimes the unenriched data is stored as well; it depends on what is required.

Next-generation SIEM leverages open-source big data architectures and takes advantage of their unlimited scalability.

Apply Correlation and Analytics

SIEM solutions use different techniques to draw usable conclusions from the data in the SIEM. These techniques vary widely. Legacy SIEMs rely on simple correlation and signature-based alerts. While these are better than nothing, they are very prone to error and produce a lot of noise in the form of false positives.

A next-generation SIEM uses next-generation analytic techniques. The specific techniques used can vary widely between SIEMs. Many SIEMs apply sophisticated machine learning algorithms (also sometimes referred to as artificial intelligence) to event data to detect threats more accurately. User and entity behavior analytics (UEBA) has also been integrated into SIEMs to provide better detection. Another new technique used by SIEMs is the threat chain model, which stitches together connected alerts in order to surface the highest-risk events.
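As an added illustration (not the page’s or any vendor’s implementation) of the threat-chain idea, the following stitches alerts that share an entity and occur close together in time into chains, then ranks the chains so that several moderate alerts spanning different attack stages outrank one loud, isolated alert. The alert data, stage names, time window and scoring rule are all constructed for the example.

```python
"""Stitch related alerts into threat chains and rank the chains by risk."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby


@dataclass
class Alert:
    time: datetime
    entity: str   # the user or host the alert is about
    stage: str    # attack stage the detection maps to
    score: int    # the individual alert's severity score


def at(hhmm):
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed alerts (not real data).  jdoe: phishing -> beaconing -> lateral
# movement within an hour.  host-42: one isolated but high-scoring beaconing
# alert.  rlee: two low-scoring alerts six hours apart.
ALERTS = [
    Alert(at("09:02"), "jdoe", "phishing", 3),
    Alert(at("09:40"), "jdoe", "beaconing", 4),
    Alert(at("09:55"), "jdoe", "lateral_movement", 5),
    Alert(at("10:10"), "host-42", "beaconing", 9),
    Alert(at("06:00"), "rlee", "phishing", 3),
    Alert(at("12:30"), "rlee", "phishing", 3),
]


def build_chains(alerts, window=timedelta(hours=2)):
    """Group alerts on the same entity when each follows the previous one
    within `window`; a longer gap starts a new chain for that entity."""
    chains = []
    ordered = sorted(alerts, key=lambda a: (a.entity, a.time))
    for _, group in groupby(ordered, key=lambda a: a.entity):
        chain = []
        for alert in group:
            if chain and alert.time - chain[-1].time > window:
                chains.append(chain)
                chain = []
            chain.append(alert)
        chains.append(chain)
    return chains


def chain_risk(chain):
    """Sum of alert scores multiplied by the number of distinct stages, so a
    chain covering more of the attack lifecycle outranks one loud alert."""
    return sum(a.score for a in chain) * len({a.stage for a in chain})


def ranked_chains(alerts):
    return sorted(build_chains(alerts), key=chain_risk, reverse=True)
```

With this data the jdoe chain scores 36 and lands first, ahead of the single host-42 alert that has the highest individual score.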

Provide Data Insights and Reporting

A SIEM, and especially a next-generation SIEM, gives you the ability to search your data quickly, allowing you to dig into alerts and search for threat actors and indicators of compromise. You can also pivot on any entity in order to develop valuable threat context and get a full 360-degree view of the attack. Visualized data can be saved as dashboards or exported in a standard data format. You can also use out-of-the-box reports or create ad-hoc reports as needed.

What is a SIEM Used For?

Threat Hunting and Investigation

The ability to perform threat hunting on your SIEM is critical to understand the true patterns of access- and activity-based attacks and data breaches. By developing a detailed and contextual view of the attack vector, security analysts can more easily develop policies, countermeasures, and incident response processes to help mitigate and ultimately remove the threat.

Effective threat hunting is enabled by blazing-fast search capabilities and the ability to search for threat actors or indicators of compromise by pivoting on an entity in order to develop valuable threat context.

By creating a 360-degree view of user access and activity behavior, threat hunters can identify the potential for abnormal activity, but also help investigate incidents through detailed analysis techniques, reporting, and contextual data.

Incident Response and Case Management

Effective incident response is crucial in order to respond to incidents more quickly and decrease dwell time. To support this, a SIEM provides built-in incident response playbooks with configurable automated actions. Comprehensive incident management and workflow capabilities also allow multiple teams to collaborate on an investigation as needed. A SIEM will also be capable of integrating with third-party security orchestration and case management solutions if you prefer them.

Next-generation SIEM comes with an artificial intelligence-based recommendation engine that can suggest remediation actions based on analysts’ previous behavior patterns.

Insider Threat Detection

Insider threats are such a big problem because these attackers don’t need to penetrate your perimeter; they’re already inside it. They can be your employees, contractors, or business associates. They might be acting maliciously, or their account might have been compromised by external attackers, giving those attackers inside access to your infrastructure and data.

With either type of insider threat, the perpetrator wants to remain in stealth mode, sniffing and collecting sensitive data to exfiltrate. The attacker is looking for information such as your customers’ private records, credit card data, research and development designs, business strategy, and other business-sensitive information. If compromised, this information could cause considerable damage to your company, its place in the industry, and its relationship with consumers or investors.

Legacy SIEMs generally struggle to detect insider threats.

Next-generation SIEM provides innovative, behavior-based analytics techniques that, in conjunction with peer group analysis techniques, detect variations in normal patterns for access and usage of internal data sources. By comparing not only historical usage, but usage of colleagues and team members, next-generation SIEMs are able to remove the noise associated with incremental changes in user behavior.
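An added example (not from the original page) of the peer-group comparison just described, using constructed daily record-access counts: baselining on a user’s own history alone fires on an entire team that is legitimately busier today, while also requiring the count to be anomalous against teammates leaves only the genuine outlier. Team names, counts and the z-score threshold are assumptions made for the example.

```python
"""Peer-group-aware anomaly check for per-user daily data-access counts."""
import math
from statistics import mean, pstdev


def steady(base, days=14):
    """Constructed history: counts hovering within +/-2 of a base value."""
    return [base + (i % 5) - 2 for i in range(days)]


# Constructed sample data (not real telemetry): 14 days of records accessed
# per user, today's count, and each user's team.  Everyone in "sales" is
# busier today (quarter end); "bob" alone is pulling far more than either his
# own past or his finance colleagues.
USERS = ("alice", "bob", "eve", "frank", "carol", "dave", "gina", "hank")
HISTORY = {u: steady(20) for u in USERS}
TODAY = {"alice": 21, "bob": 900, "eve": 21, "frank": 20,
         "carol": 60, "dave": 63, "gina": 58, "hank": 62}
TEAMS = {u: ("finance" if u in USERS[:4] else "sales") for u in USERS}


def zscore(value, samples):
    """Standard deviations that value sits above the samples' mean.  A group
    with no spread makes any deviation from it maximally anomalous."""
    m, sd = mean(samples), pstdev(samples)
    if sd == 0:
        return 0.0 if value == m else math.copysign(math.inf, value - m)
    return (value - m) / sd


def history_only_alerts(history, today, threshold=3.0):
    """Baseline against the user's own past only (the noisier approach)."""
    return sorted(u for u, c in today.items() if zscore(c, history[u]) > threshold)


def peer_aware_alerts(history, today, teams, threshold=3.0):
    """Flag a user only when today's count is high against BOTH their own
    history and what their teammates are doing today."""
    alerts = []
    for user, count in today.items():
        peers = [today[p] for p in today if p != user and teams[p] == teams[user]]
        own_z = zscore(count, history[user])
        # With fewer than two peers there is no group to compare against.
        peer_z = zscore(count, peers) if len(peers) >= 2 else own_z
        if own_z > threshold and peer_z > threshold:
            alerts.append(user)
    return sorted(alerts)


if __name__ == "__main__":
    print("history only:", history_only_alerts(HISTORY, TODAY))       # bob plus all of sales
    print("peer aware:  ", peer_aware_alerts(HISTORY, TODAY, TEAMS))  # ['bob']
```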

Cyber Threat Detection

Odds are, your organization has at least one repository of sensitive data, whether it’s credit card data, customer personal data, employee confidential data, research and development innovations, business strategies, sales proposals, or even internal memos and emails. Cyber criminals thrive on looting this data for financial gain. Many breaches have started with a simple phishing email to a target in an organization. Simply clicking on a phishing email can leave harmful software code behind, lurking in the organization’s network and seeking valuable data for exfiltration.

A SIEM will allow you to monitor for advanced cyber threat patterns such as phishing, beaconing, and lateral movement.

Cloud Security

With the rapid increase of the adoption of cloud technologies, more and more data is being moved to the cloud. Some of the key security concerns with adoption of cloud technologies include how to identify unauthorized activities, privilege misuse or compromise, unauthorized data sharing, and data exfiltration.

Legacy, on-premises SIEMs were created before the cloud, and struggle to monitor cloud infrastructure and applications for misuse and data theft.

Next-generation SIEM allows you to extend seamless security monitoring across your cloud environment without needing to rely on on-premises solutions that were not designed for the cloud. Deployed in the cloud, to protect the cloud, next-generation SIEMs can analyze user entitlements and events to look for malicious activity in all major cloud infrastructure and application technologies. You can eliminate your security blind spots when you can correlate between on-premises data and cloud data to analyze end-to-end activities and detect actionable threat patterns.

Security Operations

A security operations center (SOC) is the central hub that runs an organization’s security infrastructure, monitoring for and responding to threats in a coordinated manner. At the core of the SOC is the next-generation SIEM. Unlike legacy SIEMs with their proprietary databases, its big data platform is capable of ingesting up to hundreds of terabytes per day, with economical long-term data retention. With an open data model, you can maintain a single copy of your security data and make it available to other security applications as needed, instead of paying for multiple copies in multiple databases. The SIEM can use advanced analytics to find complex threats with minimal noise and provide incident response frameworks that enable you to automate remediation actions on select threats. Threat hunters can use a SIEM to hunt for threats hiding in your data, or to investigate and drill down deeper into alerts.

Maintain Compliance

For many industries, adhering to compliance standards is critical. A SIEM can help by providing reports that allow you to use compliance-centric views to visualize your log data. Built-in packages that cover all the major mandates, including PCI DSS, SOX, HIPAA, FISMA, and ISO 27001, are a standard feature of SIEMs as well.
