What is SIEM (Security Information and Event Management)?

What is SIEM?

SIEM, or Security Information and Event Management, is a cybersecurity solution used to detect and respond to threats within an organization. At its core, a SIEM (pronunciation rhymes with "him") collects logs and events, normalizing this data for further analysis that can manifest as visualizations, alerts, searches, reports, and more.

Security analysts can use SIEM solutions to take on advanced cybersecurity use cases such as continuous monitoring, threat hunting, and incident investigation and response.

How does SIEM work?

Devices, networks, servers, apps, systems… an organization's ecosystem produces a lot of data from daily operations. There's an abundance of context within this data that can be helpful for keeping the ecosystem secure. That's where SIEM comes in.

A SIEM platform collects log and event data produced by these various technologies, and provides security analysts with a comprehensive view of their organization's IT environment. An effective SIEM will automatically remediate known threats within a system, while surfacing more nuanced situations to help security analysts identify whether further investigation and action are needed.

Why is SIEM important?

SIEM is a critical component of any security team. It functions as a centralized hub through which massive amounts of data can be brought together for analysis, unifying the analyst experience by serving as the centralized mission-control base. With SIEM, a security team can identify and defend against threats that may have evaded perimeter security technologies and are active within the organization's ecosystem.

What are the benefits of SIEM?

With a modern SIEM that can perform at speed and scale (many legacy SIEM solutions have limitations that prevent this), organizations are provided a single platform from which they can monitor, continuously analyze, and act within their environment. A properly configured SIEM normalizes disparate data types to provide a unified narrative of an organization's vast IT environment. With a modern SIEM, security practitioners can automate the detection of threats and anomalies, and then quickly query data to investigate a series of events, access historical data for trends or context, and much more.

Modern SIEM use cases

SIEM can help security teams solve for a variety of mission-critical use cases. Here are several top use cases:

  • Log management
    The log data and events created by an organization's hosts, apps, networks, etc. need to be collected, stored, and analyzed through a centralized log management platform.
  • Continuous monitoring
    Active monitoring of one's environment can help analysts detect anomalous trends that may indicate a threat. Monitoring across the environment can include:
    • System changes
    • Uptime/downtime
    • Network flow
  • Advanced detection
    In addition to detecting sophisticated malware and ransomware attacks, a solution with advanced detection capabilities should be able to alert on:
    • Changes in user credentials/privileges
    • Anomalous behavior
    • Insider threats
    • Data exfiltration
  • Threat hunting
    The proactive pursuit of threats within one's IT environment. A mature threat hunting practice requires a fast engine to query across vast amounts of data.
  • Incident response
    If a security incident has occurred, a coordinated response is necessary to mitigate the breach's impact.
  • Compliance
    A mature SIEM should support compliance with applicable mandates and frameworks. Different compliance mandates will vary across industries and regions (e.g., HIPAA for healthcare, GDPR within the EU, etc.). Below are a few compliance mandates a modern SIEM can cover:
    • GDPR
    • HIPAA
    • SOX
    • PCI DSS
    • SOC 2 / 3
    • ISO/IEC
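
The two core mechanics described above, normalizing heterogeneous log sources into one schema ("How does SIEM work?") and running detection rules over the result (the log management and advanced detection use cases, including alerting on changes in user privileges), can be shown end to end in a small pipeline. The following is an added example written for this page, not Elastic's code or any product's detection logic; the log lines, the `host=... EventID=...` text format, the `Event` schema, and the rule thresholds are all constructed for illustration.

```python
"""Toy SIEM pipeline: normalize mixed log formats into one schema, then run
two detection rules (login brute force, privileged-group change).
Added example, not Elastic code; all log lines below are constructed."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass
class Event:
    """Common schema every source is normalized into (constructed for this example)."""
    ts: datetime
    host: str
    action: str            # "login", "group_add", ...
    outcome: str           # "success" or "failure"
    user: Optional[str] = None
    src_ip: Optional[str] = None
    group: Optional[str] = None

# OpenSSH-style syslog line (format as sshd really emits it; values constructed)
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>[\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# Constructed key=value rendering of a Windows group-membership event
WIN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<id>\d+) Subject=(?P<subj>\S+) "
    r"Member=(?P<member>\S+) Group=(?P<group>.+)$")

def normalize(line: str, year: int = 2024) -> Optional[Event]:
    """Map one raw line from any supported source onto the Event schema."""
    line = line.strip()
    if line.startswith("{"):                       # JSON application log
        rec = json.loads(line)
        action, _, result = rec["event"].partition("_")   # "login_failed" -> login / failed
        return Event(ts=datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
                     host=rec["host"], action=action,
                     outcome="failure" if result == "failed" else "success",
                     user=rec.get("user"), src_ip=rec.get("src"))
    m = SSHD_RE.match(line)
    if m:
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return Event(ts=ts, host=m["host"], action="login",
                     outcome="failure" if m["outcome"] == "Failed" else "success",
                     user=m["user"], src_ip=m["ip"])
    m = WIN_RE.match(line)
    if m and m["id"] == "4728":                    # 4728: member added to a security-enabled global group
        return Event(ts=datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
                     host=m["host"], action="group_add", outcome="success",
                     user=m["member"], group=m["group"])
    return None  # unparsed; a real pipeline would count and retain these, not drop them

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}   # constructed watch list

def detect(events: List[Event], threshold: int = 3,
           window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, datetime]]:
    """Run two rules over normalized events and return (rule, subject, time) alerts."""
    alerts = []
    failures = defaultdict(list)                   # src_ip -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "login" and ev.outcome == "failure" and ev.src_ip:
            bucket = failures[ev.src_ip]
            bucket.append(ev.ts)
            while bucket and ev.ts - bucket[0] > window:   # slide the time window
                bucket.pop(0)
            if len(bucket) == threshold:           # fire once, when the threshold is crossed
                alerts.append(("brute_force", ev.src_ip, ev.ts))
        if ev.action == "group_add" and ev.group in PRIVILEGED_GROUPS:
            alerts.append(("privilege_change", ev.user, ev.ts))
    return alerts

# Constructed sample input mixing three formats plus one line no parser understands
SAMPLE_LOGS = [
    "Mar 10 12:00:01 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 50222 ssh2",
    "Mar 10 12:00:03 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 50223 ssh2",
    '{"ts":"2024-03-10T12:00:05Z","host":"app01","event":"login_failed","user":"alice","src":"203.0.113.5"}',
    "Mar 10 12:30:00 web01 sshd[1300]: Accepted password for alice from 198.51.100.7 port 51000 ssh2",
    "2024-03-10T12:31:00Z host=dc01 EventID=4728 Subject=bob Member=alice Group=Domain Admins",
    "kernel: unrelated line that matches no parser",
]

def run(lines: List[str]) -> Tuple[List[Event], List[Tuple[str, str, datetime]]]:
    """Normalize then detect; returns both stages so each can be inspected."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, detect(events)

if __name__ == "__main__":
    for rule, subject, ts in run(SAMPLE_LOGS)[1]:
        print(f"{ts.isoformat()} {rule}: {subject}")
```

The point of the normalization step is that the brute-force rule never has to know whether a failed login came from sshd or from the JSON application log: three failures from the same source address, spread across two different products, land in one bucket and cross the threshold together. The unparsed line is silently dropped here for brevity; in production that is itself a signal worth counting, since a source that stops parsing stops being monitored.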

History of SIEM

SIEM has been around for 20+ years and has evolved substantially from its early days as a centralized database. The first iterations of SIEM — which spawned from combined security information management (SIM) and security event management (SEM) approaches — had heavy limitations on scaling, primitive alerting functionality, and scant data correlation capabilities.

Over the years, SIEM technology would advance significantly in these previously underperforming capabilities, while also adding the ability to perform historical lookback on archival data — a helpful function for analysts to gain context on a potential threat.

Today, visualization and integrated workflows are integral components of SIEM, orienting analysts to priority alerts and facilitating appropriate response actions. Automated detection and response workflows within the SIEM can help a security team with limited bandwidth respond more efficiently to a large influx of potentially malicious activity.

What is the future of SIEM?

To truly serve as the "single pane of glass" from which security practitioners can integrate with other technologies, SIEM will need to evolve from its traditionally closed-off, "black box" approach. This means security software developed out in the open, where anyone can see what features are working to keep users secure, and what code can be enhanced to protect against emergent threats.

While this may sound counterintuitive (i.e., "why would a cybersecurity vendor expose their code?"), security vendors' longstanding practice of closing off their code from the community itself makes these firms attractive targets for hackers. One undetected attack on security software can end up exposing thousands of customers to vulnerabilities and intrusions, making untold quantities of sensitive data available to malicious actors. Whether attackers are after financial information, trade secrets, blackmail material, or diplomatic scandals, breaking open one black box means attackers can gain the keys to the kingdom.

At Elastic, we believe the best kind of cybersecurity is open. We look forward to collaborating with our customers and competitors on being the change we want to see, and enabling a better, more open security for all who need it.

Experience Elastic Security for SIEM

Easily prevent, detect, and respond to threats with Elastic SIEM — ready for download or hosted in Elastic Cloud.

Explore Elastic SIEM