Background: What is SIEM?
Some say Security Incident and Event Management, some say Security Information and Event Management… Wikipedia says…
“The term security information event management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005, describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. A key focus is to monitor and help manage user and service privileges, directory services and other system configuration changes; as well as providing log auditing and review and incident response. As of November 2014, Mosaic Security Research identified 73 SIEM and log management products.”
In general, a SIEM solution’s capabilities are as follows: log data aggregation; log data event correlation; alerting on the events one has specified; a dashboard showing the metrics one has chosen; support for compliance and audits through automated data gathering, testing and reporting; and log data retention for compliance testing and incident response / forensic investigations.
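The first three capabilities above (aggregation, correlation, alerting) in miniature, as an added example that is not part of the original article: two disparate log formats (sshd and a firewall) are normalized onto one event schema, then a correlation rule raises an alert when several authentication failures from one source are followed by a success within a short window. The log lines, source names and rule threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two different source types (not real data).
SAMPLE_LOGS = [
    ("sshd", "2015-01-10T08:00:01 sshd[201]: Failed password for admin from 203.0.113.5 port 4001"),
    ("sshd", "2015-01-10T08:00:05 sshd[201]: Failed password for admin from 203.0.113.5 port 4002"),
    ("sshd", "2015-01-10T08:00:09 sshd[201]: Failed password for admin from 203.0.113.5 port 4003"),
    ("sshd", "2015-01-10T08:00:20 sshd[201]: Accepted password for admin from 203.0.113.5 port 4004"),
    ("firewall", "2015-01-10T08:00:30 action=ALLOW src=203.0.113.5 dst=10.0.0.7 dport=445"),
    ("sshd", "2015-01-10T09:15:00 sshd[201]: Failed password for bob from 198.51.100.9 port 5001"),
]

SSHD_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def normalize(source, line):
    """Aggregation step: map each source's own format onto one common event schema."""
    if source == "sshd":
        m = SSHD_RE.match(line)
        if m:
            return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "user": m["user"],
                    "event": "auth_fail" if m["outcome"] == "Failed" else "auth_success"}
    elif source == "firewall":
        m = FW_RE.match(line)
        if m:
            return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "user": None,
                    "event": "fw_" + m["action"].lower(), "dport": int(m["dport"])}
    return None  # unparseable line: a real SIEM would count these for parser-health metrics

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation step: N auth failures from one source IP followed by a success inside the window."""
    alerts, failures = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "auth_fail":
            failures[ev["src"]].append(ev["ts"])
        elif ev["event"] == "auth_success":
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "src": ev["src"],
                               "user": ev["user"], "failures": len(recent), "ts": ev["ts"]})
    return alerts

def run_pipeline(raw_logs):
    """Aggregate, then correlate; returns (normalized events, alerts)."""
    events = [e for e in (normalize(s, l) for s, l in raw_logs) if e]
    return events, correlate(events)
```

Running `run_pipeline(SAMPLE_LOGS)` yields six normalized events and a single alert for 203.0.113.5; the lone failure for bob never crosses the threshold, which is the kind of noise suppression that keeps analysts from triaging every raw event.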
Technical Evolution of SIEM
Prior to the evolution of SIEM service offerings, security officers provided log aggregation across disparate system types, simplistic event correlation and log storage, and relied only on known threat signatures to detect attacks. This limited their ability to address zero-day attacks. As virus outbreaks, phishing attacks and other malicious attacks expanded, compliance domains became more specific with regard to systematic data sampling and testing. This required Risk Managers and Auditors to call for more Continuous Controls Monitoring, which led to an evolution of SIEM solutions that provided more reporting capabilities. Then, as data breaches got more and more publicity, and organizations became more reliant on the reliability and availability of their systems, performing root-cause analysis more rapidly required the data and power that SIEMs possess. Today, the evolution of SIEM has progressed to capabilities like Deep Packet Inspection, absorbing and analyzing the rich per-packet data to help articulate users’ behavioral activities across their multiple devices (desktop, tablet, mobile) and the applications and systems they regularly use, which aligns with dismantling advanced persistent threats and sophisticated hacks. Another interesting example is that, now that VoIP is commonplace, Voice Centric Visibility, or vSIEM, has its place as well…
“The average large company must triage some 17,000 malware alerts every week, even though only 19% are considered reliable, according to a January 2015 survey, The Cost of Malware Containment, conducted by the Ponemon Institute. Only 4% of the events were eventually investigated by a human analyst, according to the report.”
All of this complicated, almost artificially intelligent software and these expensive monitoring systems still require human interaction to implement, monitor and act upon. So do the systems these security tools monitor. Actors (whether bad or good) are using systems to get their job done or to try to steal someone else’s information. Interestingly, these SIEM solutions are still only as good as the people and programs managing them and using their powerful analytic capability. All this to say that not every company can afford to buy SIEM technology, nor should they; they can rent it from vendors and Managed Security Services Providers (either sending their logs to the service provider or having the service provider stand up an appliance, or appliances, inside their environment). Just as SIEM technologies have advanced, so have the services being offered to support them.
The Blend of Services and Technologies
Thus, given the rapid rate of technical change in networking and user connectivity, organizations want to know that their security investments will stop future threats without the need for additional point products. Some SIEMs can operate as a stand-alone replacement for traditional network security solutions or as a complementary overlay to an existing security point product deployment. Today’s SIEM solutions, combined with partnering with an MSSP, offer the breadth to accommodate detecting sophisticated and advanced threats as well as large-scale distributed malware, and the professional services capabilities required to support specific company needs.