Our cybersecurity expert, Erin, walks through what a Security Information and Event Management (SIEM) is.
Hi, I’m Erin. If you’re not a cybersecurity expert, you may be wondering, “What is a SIEM anyway?” Well, I’m glad you asked! In this video, I’m going to explain what a SIEM is – and what it’s not – so you can see just how important this technology is for cybersecurity and compliance. SIEM stands for Security Information and Event Management. But what does that even mean?
The first, most basic function of any SIEM is to centralize all the security notifications from your various security technologies. Your firewalls, IDS/IPS systems, anti-virus console, wireless access points and Active Directory servers all generate tons of security alerts every day. With a SIEM, you can collect all of these in one place, with one set of reports and one centralized system for generating notifications. We usually refer to this as a “log aggregation” solution, and unfortunately, this is where many SIEM offerings stop.
The second main function of a SIEM is to provide logging and reporting for compliance purposes. For almost every compliance regulation, there are requirements to log user access, track system changes, and monitor adherence to corporate policies. A good SIEM solution makes these tasks MUCH easier by collecting this data from all your systems. Then, when it’s time for an audit or exam, you can SIEMply generate the appropriate compliance reports and send them to the appropriate people. Of course, your SIEM must have the needed compliance functionality and reports built-in to be effective, but many SIEM offerings don’t.
The third, and probably most important, function of a SIEM is automated cross-correlation and analysis of all the raw event logs from across your entire network. This is where a SIEM looks for hidden cybersecurity issues that would otherwise go unnoticed by combining data from several different sources. In order to perform this correlation and analysis, getting the security logs to the SIEM is certainly important. But security logs by themselves just aren’t enough. Let’s say your SIEM receives an alert from your IDS stating that it has detected a SQL injection attack against one of your servers. Scary right. These are the types of alerts that you may get woken up in the middle of the night over. That is, assuming you have sequel server! Otherwise, you’re just getting woken up for nothing! Many SIEM offerings don’t take into account what type of server you are running, which leads to a lot of false positives. And a lot of false positives makes your SIEM effectively useless. See, a complete SIEM solution understands what the server is, what applications it’s running, and what configuration it has. This intelligent context helps prevent false positives, meaning you only get woken up when you need to take action.
In contrast, a true SIEM solution also gather the full configuration, running applications, and other information from every device to add critical context to the events and notifications. This allows the SIEM to notice changes to critical devices such as routers and firewalls – generating notifications when unauthorized changes occur. A full SIEM solution also blends threat intelligence feeds, blacklists, and geolocation data to further increase the accuracy – ensuring notifications are actionable and dramatically reducing false positives. Because let’s face it. False positives mean no sleep. They mean frustration and added cost to your organization. Even worse, false positives mean missed notifications that leave your organization at risk!
What’s not a SIEM
Let’s talk for a moment about what a SIEM is not. First, a SIEM is not just a log aggregation tool. It is very easy to just collect and store log files, however, this doesn’t give you any visibility into your security posture or help mitigate any threats. Be careful, many so called “SIEM” providers out there are in fact just glorified log aggregators. Second, some people think that their IDS/IPS system does the same thing as a SIEM. Nope! And an IDS is a single data feed that by itself is littered with false positives and erroneous information. A SIEM takes that information, cross correlates it with other systems data, other threat feeds and configuration information to determine if it really is a threat. Relying solely on an IDS system is like seeing one frame of a movie and thinking you have watched the entire thing.
Machine learning systems can be valuable but they do not replace the need for a SIEM. They are still a single device with a single view of the system and network. The value of a SIEM is in the cross correlation of data from all devices including machine learning devices. In addition, some new ”magic appliances” must be installed in a very specific place on the network or use a network tap so that all the network flows go through the box. That’s fine, but all those traffic flows must be unencrypted in order for the appliance to understand anything. And in most networks today, a lot of traffic is encrypted. Citrix, VPN sessions, and a lot of other traffic is completely hidden from these devices. Not to mention most malware and other tools hackers commonly use have built in encryption to bypass these systems. So while these are great solutions for specific needs, they absolutely do not eliminate or even reduce the need for a SIEM.
There are many important reasons you need to have a SIEM. First, to eliminate blind spots you need to gather all your security and event information into a single location. Detect suspicious behavior without getting bogged down in the mire of false positives. Accurate analysis and correlation allow you to detect problems before they become a breach. Holistic visibility through a SIEM allows you to monitor and enforce corporate policies. Lastly, regulatory requirements including PCI, HIPAA and FFIEC effectively require you to have a SIEM. So a SIEM is a needed tool for both best practices as well as regulatory compliance.