By: Nihad Hassan
May 19, 2021
What is SIEM? Security Solutions and Other Functions
By: Nihad Hassan
May 19, 2021
The digital revolution is changing everything around us. Nowadays, people utilize the internet to work, study, socialize, shop, bank, and relax, to name a few. In the business world, the internet significantly changed how companies bought, sold, interacted, and more. The concept of digital transformation is becoming more widely adopted after being a hot-debated topic for years. With the ongoing migration to digital technologies and the recent shift of many people working from home, more organizations today are at increased vulnerability to cyberattacks.
Cybercrimes are nothing new; however, what intensifies them in recent years is the proliferation of the internet, increased automation in businesses, remote working, and the increased reliance on technology in daily life. According to Cybersecurity Ventures, the projected global cybercrime cost is $10.5 trillion annually by 2025. The astronomical number of cybercrime costs has encouraged organizations to increase their spending on IT security solutions. IDC estimates worldwide security spending to exceed $151 billion by 2023, growing at a healthy five-year CAGR of 9.4%.
The increased number of cyberattacks forced organizations to deploy many security solutions to counter cyberattacks and prevent potential damages. Security solutions like Firewalls, Intrusion Detection Systems (IDS), Intrusion Protection Systems (IPS), antivirus, anti-malware, anti-spam are deployed heavily to protect computer network endpoint devices. However, the increased number of security solutions and appliances has resulted in a high volume of logs. For instance, each security solution will generate a security log that needs to be analyzed to discover any security issue. Monitoring many solutions' logs are daunting tasks and cannot be achieved manually by humans. To address this limited scalability, SIEM solutions help solve this problem.
SIEM solutions are an essential element of the data security ecosystem: they gather log data from multiple systems and analyze it to discover abnormal behavior that can signify a potential cyberattack. SIEM solutions provide a central place where all security events and alerts are gathered to enable security administrators to analyze them using one dashboard and act upon them.
SIEM is composed of two components:
Security event management (SEM): Analyze log data and other security-related events that happened within the IT environment, system, or application in real-time, and report back to security administrators to adjust the related security architecture and policies accordingly.
Security information management (SIM): This is a software solution that automates collecting event log data from security programs and appliances such as firewalls, proxies, IDS/IPS, servers, domain controllers, and antivirus programs then the gathered data is simplified.
How does SIEM work?
SIEM solutions work by gathering log and event data from various networking devices and applications and displaying them in a centralized platform. The collected log data is categorized: failed login attempts, suspicious malware activity, etc. When the SIEM detects suspicious behaviors while monitoring the network traffic based on predetermined rules, it will fire an alert and notify the IT security administrator.
For example, suppose there are 20 failed login attempts within one minute, such behaviors are suspicious, and SIEM will consider it a hacking attempt. The SIEM detection process works as follows:
- Gather data from various sources
- Aggregate collected data
- Analyze data to detect threats
- Specify security breaches so that an organization can investigate security alerts
SIEM solutions have a range of security capabilities; when used correctly, they provide comprehensive protection for its IT environment. For instance, SIEM solutions provide complete visibility over all installed IT devices and programs in a network; this allows IT administrators to know what is happening in their network in detail. In general, SIEM solutions offers the following standard capabilities:
- Threat Detection
- Time to respond
There are different SIEM solutions on the market; some offer other functionalities:
- Basic network security monitoring
- Threat detection
- Forensics & incident response
- Log Gathering
- Alerts and notifications
- Security incident detection
- Threat response workflow
The threat detection components of the SIEM allow organizations to detect cyber threats in network traffic, emails, cloud assets, and endpoint devices. It can monitor each user activity (user behavior analytics) and detect any abnormal activity that may indicate a threat.
When the SIEM solution detects a threat, vulnerability, or suspicious behavior, it will send an alert to notify the security team. Some solutions contain a workflow management function to facilitate conducting forensic investigations. Many SIEM tools allow administrators to customize their alerts according to their needs.
Aside from using SIEM tools to detect threats and analyze log data, organizations use it heavily to show they are compliant with various regulations like GDPR, PCI DSS, and HIPAA.
Most organizations now use SIEM solutions to detect and prevent different types of internal and external threats. Many organizations utilize SIEM for other purposes, regarding compliance with various legal standards or for capacity management. SIEM gives accurate statistics about bandwidth usage and data growth, allowing an organization to plan future growth more accurately without having extraneous IT expenditures.