SIEM, or Security Information and Event Management, collects logs and events and normalizes this data for further analysis, which can take the form of visualizations, alerts, searches, reports, and more. Security teams often use their SIEM as a central dashboard, conducting many of their day-to-day operations out of the platform. Security analysts can use SIEM solutions to take on advanced cybersecurity use cases such as continuous monitoring, threat hunting, and incident investigation and response.
History of SIEM
SIEM has been around for 20+ years and has evolved substantially from its early days as a centralized database. The first iterations of SIEM — which spawned from combined security information management (SIM) and security event management (SEM) approaches — had heavy limitations on scaling, primitive alerting functionality, and scant data correlation capabilities.
Over the years, SIEM technology would advance significantly in these previously underperforming capabilities, while also adding the ability to perform historical lookback on archival data — a helpful function for analysts to gain context on a potential threat.
Today, visualization and integrated workflows are integral components of SIEM, orienting analysts to priority alerts and facilitating appropriate response actions. Automated detection and response workflows within the SIEM can help a security team with limited bandwidth respond more efficiently to a large influx of potentially malicious activity.
How does SIEM work?
Devices, networks, servers, apps, systems… an organization’s ecosystem produces a lot of data from daily operations. There’s an abundance of context within this data that can be helpful for keeping the ecosystem secure. That’s where SIEM comes in.
A SIEM platform works by collecting the log and event data produced by those technologies and providing security analysts with a comprehensive view of their organization’s IT environment. An effective SIEM will automatically remediate known threats within a system, while surfacing more nuanced situations to help security analysts identify whether further investigation and action is needed.
Why is SIEM important?
SIEM is a critical component of any security team. It functions as a centralized hub through which massive amounts of data can be brought together for analysis, unifying the analyst experience by serving as the centralized mission-control base. With SIEM, a security team can identify and defend against threats that may have evaded perimeter security technologies and are active within the organization's ecosystem.
With a modern SIEM that can perform at speed and scale (many legacy SIEM solutions have limitations that prevent this), organizations are provided the following benefits:
Having a single, centralized location from which teams can monitor, continuously analyze, and act within their environment is critical for operating off a single source of truth.
A properly configured SIEM normalizes disparate data types to provide a cohesive snapshot of an organization’s vast IT environment.
Automated threat detection
With a modern SIEM, security practitioners can automate the detection of threats and anomalies, and then quickly query data to investigate a series of events, access historical data for trends or context, and much more.
Through using a SIEM, teams can expose unknown threats with anomaly detection powered by prebuilt machine learning jobs — gaining insight into the entities at highest risk.
Modern SIEM use cases
SIEM can help security teams solve for a variety of mission-critical use cases. Here are several top use cases:
The log data and events created by an organization’s hosts, apps, networks, etc. need to be collected, stored, and analyzed through a centralized log management platform.
Actively monitoring one’s environment can help analysts detect anomalous trends that may indicate a threat. Monitoring across the environment can include:
- System changes
- Network flow
In addition to detecting sophisticated malware and ransomware attacks, a solution with advanced detection capabilities should be able to alert on:
- Changes in user credentials/privileges
- Anomalous behavior
- Insider threats
- Data exfiltration
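The collection, normalization, and detection steps described in the use cases above can be made concrete with a small pipeline. The following is an added example for this article, not Elastic's code and not part of the original page: it normalizes three unrelated, constructed log formats (sshd syslog lines, directory-service JSON events, and firewall flow records) into one common schema, then runs three detection rules over the normalized events, one each for a credential attack, a privilege change, and a large outbound transfer. Field names are loosely modeled on Elastic Common Schema (ECS) conventions such as `event.category` and `source.ip`; the hosts, users, IP addresses, internal network ranges, and thresholds are assumptions chosen for illustration.

```python
"""Toy SIEM pipeline: normalize heterogeneous logs, then run detection rules.

Added example, not Elastic's code. Log formats, hosts, users, addresses and
thresholds are constructed for illustration; field names are ECS-style.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample input: three formats a SIEM would collect from different sources.
SAMPLE_LOGS = [
    # Linux sshd lines in syslog form: four failures then a success from one source IP
    "2024-03-01T10:00:01Z srv-web1 sshd[812]: Failed password for admin from 203.0.113.7 port 51000 ssh2",
    "2024-03-01T10:00:03Z srv-web1 sshd[812]: Failed password for admin from 203.0.113.7 port 51002 ssh2",
    "2024-03-01T10:00:05Z srv-web1 sshd[812]: Failed password for admin from 203.0.113.7 port 51004 ssh2",
    "2024-03-01T10:00:07Z srv-web1 sshd[812]: Failed password for admin from 203.0.113.7 port 51006 ssh2",
    "2024-03-01T10:00:09Z srv-web1 sshd[812]: Accepted password for admin from 203.0.113.7 port 51008 ssh2",
    # Directory-service event emitted as JSON: a user is added to a privileged group
    '{"ts":"2024-03-01T10:02:00Z","host":"dc01","action":"group_add","user":"jdoe","group":"Domain Admins"}',
    # Firewall flow records, comma separated: ts,host,src,dst,bytes_out
    "2024-03-01T10:05:00Z,fw-edge,10.0.0.12,198.51.100.20,734003200",
    "2024-03-01T10:05:30Z,fw-edge,10.0.0.15,10.0.0.1,4096",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Rule parameters (assumed values): what counts as privileged, internal, and "large".
PRIVILEGED_GROUPS = {"Domain Admins", "sudo", "wheel"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
FAILURE_THRESHOLD, FAILURE_WINDOW_S = 3, 60
EXFIL_BYTES = 500 * 1024 * 1024


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line: str) -> Optional[dict]:
    """Map one raw line onto the common schema; return None for unrecognized formats."""
    m = SSHD_RE.match(line)
    if m:
        return {"@timestamp": _ts(m["ts"]), "host.name": m["host"],
                "event.category": "authentication",
                "event.outcome": "success" if m["outcome"] == "Accepted" else "failure",
                "user.name": m["user"], "source.ip": m["ip"]}
    if line.startswith("{"):
        rec = json.loads(line)
        return {"@timestamp": _ts(rec["ts"]), "host.name": rec["host"],
                "event.category": "iam", "event.action": rec["action"],
                "user.name": rec["user"], "group.name": rec.get("group")}
    parts = line.split(",")
    if len(parts) == 5:
        return {"@timestamp": _ts(parts[0]), "host.name": parts[1],
                "event.category": "network", "source.ip": parts[2],
                "destination.ip": parts[3], "source.bytes": int(parts[4])}
    return None


def _is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def detect(events: list) -> list:
    """Run the three rules over normalized events in time order; return alerts."""
    alerts = []
    failures = defaultdict(list)  # (host, source.ip) -> timestamps of failed logins
    for e in sorted(events, key=lambda ev: ev["@timestamp"]):
        cat = e["event.category"]
        if cat == "authentication":
            key = (e["host.name"], e["source.ip"])
            if e["event.outcome"] == "failure":
                failures[key].append(e["@timestamp"])
            else:
                recent = [t for t in failures[key] if (e["@timestamp"] - t).total_seconds() <= FAILURE_WINDOW_S]
                if len(recent) >= FAILURE_THRESHOLD:  # success after a burst of failures
                    alerts.append({"rule": "brute_force_then_success",
                                   "user.name": e["user.name"], "source.ip": e["source.ip"]})
        elif cat == "iam" and e.get("event.action") == "group_add" and e.get("group.name") in PRIVILEGED_GROUPS:
            alerts.append({"rule": "privileged_group_membership_change",
                           "user.name": e["user.name"], "group.name": e["group.name"]})
        elif cat == "network" and e["source.bytes"] >= EXFIL_BYTES and not _is_internal(e["destination.ip"]):
            alerts.append({"rule": "large_outbound_transfer",
                           "source.ip": e["source.ip"], "destination.ip": e["destination.ip"]})
    return alerts


def run_pipeline(lines: list) -> tuple:
    """Collect -> normalize -> detect; unknown formats are dropped, not failed on."""
    events = [ev for ev in (normalize(line) for line in lines) if ev is not None]
    return events, detect(events)


if __name__ == "__main__":
    _, found = run_pipeline(SAMPLE_LOGS)
    for alert in found:
        print(alert)
```

Running the block as a script prints one alert per rule for the constructed input. The point of the example is the shape of the pipeline rather than the specific rules: once every source is mapped onto the same field names, a rule written against `source.ip` or `user.name` works regardless of whether the event originated as syslog, JSON, or a flow record, which is what lets a single query span the whole environment.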
Threat hunting is the proactive pursuit of threats within one’s IT environment. A mature threat hunting practice requires a fast engine to query across vast amounts of data.
If a security incident has occurred, a coordinated response is necessary to mitigate the breach’s impact.
A mature SIEM should support compliance with applicable mandates and frameworks. Compliance mandates vary across industries and regions (e.g., HIPAA for healthcare, GDPR within the EU, etc.). Below are a few compliance mandates a modern SIEM can cover:
- PCI DSS
- SOC 2 / 3
What’s the difference between SIEM and SOAR?
While a SIEM solution provides security teams with a dashboard for visualizations, alerts, and reports to better detect threats, a SOAR (Security Orchestration, Automation, and Response) solution enables teams to standardize and streamline their organization’s response to any detected incidents.
So, while SIEM specializes in detection of threats, SOAR specializes in the organization’s broader response to those threats. In practice, the solutions are merging ever closer.
What is the future of SIEM?
To truly serve as the "single pane of glass" from which security practitioners can integrate with other technologies, SIEM will need to evolve from its traditionally closed-off, "black box" approach. This means security software developed out in the open, where anyone can see what features are working to keep users secure, and what code can be enhanced to protect against emergent threats.
While this may sound counterintuitive (i.e., "why would a cybersecurity vendor expose their code?"), the longstanding practice of security vendors closing off their code from the community itself makes those vendors attractive targets for attackers. One undetected attack on security software can end up exposing thousands of customers to vulnerabilities and intrusions, making untold quantities of sensitive data available to malicious actors. Whether attackers are after financial information, trade secrets, blackmail material, or diplomatic scandals, breaking open one black box means attackers can gain the keys to the kingdom.
At Elastic, we believe the best kind of cybersecurity is open. We look forward to collaborating with our customers and competitors on being the change we want to see, and enabling a better, more open security for all who need it.
Experience Elastic Security for SIEM
Elastic Security for SIEM is the solution of choice for leading organizations worldwide. The solution empowers security teams to establish a holistic view of all the data in their ecosystem and — most importantly — act upon that data at the speed and scale required of the modern enterprise.
Elastic Security for SIEM also seamlessly integrates with other security use cases, including: