How Does a SIEM Work


Our cybersecurity expert, Erin, walks through how a Security Information and Event Management (SIEM) system works.

SIEM stands for Security Information and Event Management. In other videos I've described how every organization needs timely, accurate security events that notify the right people as soon as possible. That is the purpose of a SIEM. But let's get into the sausage making and see how all this works. What you need is actionable, timely notification of critical alerts, but with millions of events coming in every day, that can be challenging. To manage this we created a process we call ERIN. And you guessed it: that is where my name comes from. The E in ERIN stands for Events. You need to collect the raw event logs from all the important devices on your network. That certainly includes the edge devices such as your firewall, IDS or UTM appliances, but it also includes routers, wireless access points, and servers, especially Active Directory domain controllers. A source that is never collected can never trigger a rule, so coverage of the log sources comes first. In other words, meaningful events!

But that is just the beginning. We then apply rules to the incoming events and cross-correlate them with threat intelligence feeds, blacklists, configuration information, change tracking, and geolocation data. So the R in ERIN stands for Rules. There are hundreds and hundreds of rules in the system. Rules count events over time, monitor thresholds, and apply specific criteria to event data to find actionable threats. We customize the ruleset to your network's specific device types and against an established traffic baseline, and we tune these rules, and create brand new ones, continually as the threat landscape changes and as your environment changes.

When rules fire, they create Incidents, so the I in ERIN stands for Incidents. Incidents are rated based on a criticality setting that is also custom tuned for your environment. Depending on the criticality, an incident may simply be logged, it may be written to a report to be viewed later, or it may require immediate attention. As you can imagine, some incidents are merely interesting, and those belong on a report. Other incidents require action, which means they should generate an immediate notification.

A custom notification policy is then followed to ensure the right person or team gets the information immediately; the N in ERIN stands for Notifications. Notifications can be made 24/7/365, allowing individuals to remediate issues before they escalate out of control. They can be sent via email or through a direct API into the ticketing system. We even include special text called remediation guidance that tells the support team what they can do to fix the issue. The support team gets instant notification of a problem along with the information they need to respond quickly and fix it.

So our ERIN process takes in millions of events, cross-correlates and analyzes them against a large body of other data, creates prioritized incidents, and then generates notifications for actionable incidents that are sent to the proper team immediately.
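The four ERIN stages described above, as an added example that is not part of the original post and not the vendor's own code: a small Python correlation engine run over a handful of constructed syslog-style lines (a burst of Active Directory logon failures, a firewall allow from an address on a blacklist, and a VPN logon from outside the usual country). The line format, the rule names, the threat-intel, geolocation and baseline tables, the thresholds, the criticality policy and the team routing are all assumptions made for the example; real SIEM rule languages and feeds differ. What it shows concretely is the prose of the Rules, Incidents and Notifications paragraphs: a rule that counts events over a sliding window and raises criticality when a later event makes the pattern more dangerous, a rule that cross-correlates with threat intelligence, a rule that checks geolocation against a baseline, a criticality policy that decides between log, report and notify, and a notification that carries remediation guidance to the owning team.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "<iso-timestamp> <host> <source> <kind> key=value ..."
RAW_EVENTS = [
    "2024-03-01T10:00:01 dc01 AD logon_failure user=alice src=10.1.1.5",
    "2024-03-01T10:00:03 dc01 AD logon_failure user=alice src=10.1.1.5",
    "2024-03-01T10:00:05 dc01 AD logon_failure user=alice src=10.1.1.5",
    "2024-03-01T10:00:07 dc01 AD logon_failure user=alice src=10.1.1.5",
    "2024-03-01T10:00:09 dc01 AD logon_failure user=alice src=10.1.1.5",
    "2024-03-01T10:00:12 dc01 AD logon_success user=alice src=10.1.1.5",
    "2024-03-01T10:01:00 dc01 AD logon_failure user=bob src=10.1.1.9",
    "2024-03-01T10:02:30 fw01 FW allow src=203.0.113.7 dst=10.1.1.20 dport=3389",
    "2024-03-01T10:03:00 vpn01 VPN logon_success user=carol src=198.51.100.4",
]

# Constructed stand-ins for the threat-intel, geolocation and baseline feeds (hypothetical data).
THREAT_INTEL = {"203.0.113.7"}
GEO = {"10.1.1.5": "US", "10.1.1.9": "US", "198.51.100.4": "XX", "203.0.113.7": "XX"}
BASELINE_COUNTRIES = {"US"}

# Criticality policy (tuned per environment): what happens to an incident of each level.
CRITICALITY_ACTION = {"low": "log", "medium": "report", "high": "notify"}
# Notification policy: which team owns incidents raised from each log source.
TEAM_FOR_SOURCE = {"AD": "identity-team", "FW": "network-team", "VPN": "network-team"}


def parse_event(line):
    """E (Events): turn one raw log line into a dict of fields."""
    ts, host, source, kind, *kvs = line.split()
    ev = {"ts": datetime.fromisoformat(ts), "host": host, "source": source, "kind": kind}
    ev.update(kv.split("=", 1) for kv in kvs)
    return ev


def rule_logon_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """R (Rules): count AD logon failures per user over a sliding window. A success for the
    same user shortly after the burst raises criticality, because the guessing may have worked."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["source"] == "AD":  # any non-failure AD logon event counts as a success here
            (failures if ev["kind"] == "logon_failure" else successes)[ev["user"]].append(ev)
    incidents = []
    for user, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            burst, last = evs[i:i + threshold], evs[i + threshold - 1]["ts"]
            if last - burst[0]["ts"] > window:
                continue  # threshold count reached, but not within the time window
            followed = any(last < s["ts"] <= last + timedelta(minutes=5) for s in successes[user])
            incidents.append({
                "rule": "ad_logon_bruteforce", "source": "AD",
                "criticality": "high" if followed else "medium",
                "summary": f"{threshold}+ failed logons for {user} within {window.seconds}s"
                           + (" followed by a success" if followed else ""),
                "remediation": f"Confirm with {user}; reset credentials and review host {burst[0]['src']}.",
                "evidence": burst,
            })
            break  # one incident per user per run, not one per overlapping window
    return incidents


def rule_threat_intel_allowed(events):
    """R (Rules): cross-correlate allowed firewall traffic with the threat-intel blacklist."""
    return [{
        "rule": "fw_allow_from_blacklisted_src", "source": "FW", "criticality": "high",
        "summary": f"firewall allowed {ev['src']} (threat-intel hit) to {ev['dst']}:{ev['dport']}",
        "remediation": f"Block {ev['src']} at the edge and triage {ev['dst']} for compromise.",
        "evidence": [ev],
    } for ev in events if ev["source"] == "FW" and ev["kind"] == "allow" and ev["src"] in THREAT_INTEL]


def rule_logon_outside_baseline(events):
    """R (Rules): geolocate successful VPN logons and flag countries outside the baseline."""
    return [{
        "rule": "logon_outside_geo_baseline", "source": "VPN", "criticality": "medium",
        "summary": f"{ev['user']} logged on from {ev['src']} ({GEO.get(ev['src'], '??')})",
        "remediation": f"Verify travel with {ev['user']}; if unexpected, revoke the session.",
        "evidence": [ev],
    } for ev in events if ev["source"] == "VPN" and ev["kind"] == "logon_success"
         and GEO.get(ev["src"]) not in BASELINE_COUNTRIES]


RULES = [rule_logon_bruteforce, rule_threat_intel_allowed, rule_logon_outside_baseline]


def notify(incident):
    """N (Notifications): the payload the owning team receives, e.g. by email or a ticketing API."""
    return {
        "channel": "ticket", "team": TEAM_FOR_SOURCE.get(incident["source"], "soc"),
        "subject": f"[{incident['criticality'].upper()}] {incident['rule']}: {incident['summary']}",
        "remediation_guidance": incident["remediation"],
    }


def run_pipeline(lines):
    """E -> R -> I -> N: apply every rule, then route each incident by the criticality policy."""
    events = [parse_event(line) for line in lines]
    incidents = [inc for rule in RULES for inc in rule(events)]  # I (Incidents)
    routed = {"log": [], "report": [], "notify": []}
    for inc in incidents:
        action = CRITICALITY_ACTION[inc["criticality"]]
        routed[action].append(notify(inc) if action == "notify" else inc)
    return routed
```

Running `run_pipeline(RAW_EVENTS)` yields two notifications (alice's burst, rated high because a success followed it, routed to the identity team; the blacklisted source the firewall let through, routed to the network team) and one report entry (carol's VPN logon from an unusual country). Bob's single failed logon never reaches the threshold and produces nothing at all, which is the point of thresholds and baselines: one wrong password is noise, five in a minute followed by a success is an incident.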