What is a SIEM, what are its main features, and what threats can it detect?


SIEM (Security Information and Event Management) is a solution that provides centralized visibility into a company’s IT and OT environments.

SIEM aggregates and uses data in the following ways:

  • Captures event data at scale from across the enterprise, including on-premises and cloud environments
  • Performs real-time analysis and correlates related security events into prioritized alerts
  • Escalates alerts to a Security Orchestration, Automation and Response (SOAR) solution, which launches the incident response playbook

SIEM helps Security Operations Center (SOC) analysts achieve four key objectives: (1) visibility into the environment, (2) threat detection, (3) investigation of anomalous activity, and (4) escalation of alerts to SOAR tools for rapid response.

SIEM gives an organization the ability to detect threats. Without detection there is nothing for the SOC team to respond to: an incident that is never noticed is never handled.

Security Information and Event Management (SIEM) technology supports security event collection and analysis (both near-real-time and historical), together with a wide variety of other event and contextual data sources. Through these sources it supports threat detection, compliance, and security incident management. Core capabilities include broad log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (e.g., incident management, dashboards, reporting).

https://www.gartner.com/en/information-technology/glossary/security-information-and-event-management-siem

What value does SIEM bring to the enterprise?

Time is of the essence when it comes to minimizing the impact of security incidents.

According to the Cost of a Data Breach Report 2020, it took an average of 207 days to identify a breach and a further 73 days to contain it. The same study found that breaches with a lifecycle of under 200 days cost on average about $1 million less than those that took longer than 200 days.

Cost of a Data Breach Report 2020 | IBM

That is, the sooner the threat is identified, the better, and that is where SIEM comes in.

SIEM can reduce the time it takes to identify, investigate and respond to security-related incidents and mitigate the business impact of data breaches.

SIEM can also support regulatory compliance obligations such as GDPR, PCI DSS, SOX and HIPAA, which require centralized log retention, audit trails and reporting; this can significantly reduce legal risk.

The history of SIEM

In its infancy, SIEM was little more than security teams collecting and analyzing log data. Plain log management proved inadequate, and SIM (Security Information Management), a first-generation technology with basic search capabilities over stored logs, was born.

Security Event Management (SEM), which aggregates and correlates events from multiple security systems, is the second generation of this product.

In 2005, Gartner analysts Amrit T. Williams and Mark Nicolett were the first to use the term “SIEM” in a report on improving vulnerability management.

Williams and Nicolett define SIEM as a technology that “provides real-time event management and historical analysis of security data from a wide range of disparate sources.”

Since the term was coined in 2005, what began as log collection to defend against lone hackers and commodity malware has evolved to detect advanced persistent threats from nation-state actors and criminal organizations.

The most important innovations in SIEM include integration with threat intelligence feeds, user and entity behavior analytics (UEBA), and the addition of AI and machine learning.

Through its integration capabilities, a SIEM now also feeds the SOAR platform with the data needed to initiate and support investigations.

Four key features of SIEM

This section details the security information and event management capabilities that enable SOCs to achieve the four objectives: visibility, detection, investigation, and escalation to a response platform.

Visibility

SIEM can correlate data from across an organization’s attack surface, including users, endpoints, network data, firewall logs, antivirus events, etc., and present it in a single view, whether the sources are on-premises or in the cloud.

Companies have on average deployed more than 45 security solutions and must coordinate 19 different tools when responding to a cybersecurity incident.

As more and more enterprises move their infrastructure to the cloud and leverage more and more cloud native services, attackers will also focus their attacks on the cloud.

Enterprises with hybrid and multi-cloud environments are said to be in a stronger security posture if they can correlate data from all platforms with each other in a SIEM.

SIEMs play a critical role in detecting network anomalies, and as ESG’s Jon Oltsik explains in “SIEM and NDR: Better Together,” the combination of SIEM and NDR can help security teams improve threat detection and response by combining suspicious network and system-level data into comprehensive security alerts.

Threat Detection

Detecting malicious activity and anomalous patterns is much easier when the security team can gather all the data they analyze in one place.

SIEM can be used to detect previously unknown threats as well as high-profile ones, such as the exploitation of SolarWinds Orion and Microsoft Exchange.

As attackers become more sophisticated, SIEMs look for subtle changes in network, user, or system behavior to detect malicious insiders, compromised credentials, or Advanced Persistent Threats (APTs).

Investigation

When a threat is detected, SIEM supports the follow-up investigation with automated enrichment and the event data it has already collected.

These capabilities reduce analyst manual effort and allow analysts to spend more time on valuable activities such as threat discovery and incident response.

In one reported case, a company cut an investigation from three hours to three minutes by using AI to reduce false positives.

Efficient investigation is critical, especially in the midst of a skills shortage that was projected to reach 3.5 million unfilled cybersecurity positions by 2021.

Escalation

When SIEM detects a potential threat, it notifies the SOC team of the event data in real-time for further investigation.

Manual or automated investigations are initiated on alerts, suspicious events, and incidents discovered by the SIEM. In many cases, SOC teams investigate incidents by leveraging SIEM data as part of a process defined in the SOAR tool playbook.

By using playbooks and guided workflows to standardize detection and response execution, teams can build an immediate and repeatable incident response program.

What kind of cyber attacks can SIEM detect?

Companies can monitor for threats across the full range of MITRE ATT&CK tactics and techniques, and detect the following cyber-attacks, among others.

Ransomware

Ransomware was the most common attack type in 2020, accounting for 23% of the incidents investigated in the latest IBM X-Force Threat Intelligence Index.

Criminal groups operating ransomware such as Sodinokibi are said to be making millions of dollars through a combination of encryption and extortion. The most notable targets of ransomware are industries with low tolerance for business interruption, such as manufacturing and energy.

SIEM uses its analytics capabilities to identify potential ransomware incidents. Indicators include connections to known-malicious Internet addresses, anomalies in file access (such as a burst of file renames or modifications on one host), and abnormal east-west traffic between internal hosts (lateral movement).

APT: Targeted Attack

APT is an attack (targeted) carried out by an attacker with advanced capabilities and equipment on a specific target.

This type of attacker tends to operate “low and slow” which makes the threat less visible and harder to detect.

SIEMs counter this by integrating real-time threat intelligence feeds, which let SOC teams focus on critical events and detect the latest indicators of compromise (IoCs) before an advanced attack spreads.
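The following is an added example, not code from the original page or from any SIEM vendor: a toy correlation engine that implements the three ransomware indicators described in the ransomware section (connection to a known-malicious address, a burst of file renames on one host, SMB/RDP fan-out to many internal hosts) together with the threat-intelligence IoC matching described just above. The event schema, hostnames, addresses, thresholds and the IoC list are all constructed for the example; the addresses are from the RFC 5737 documentation ranges and are not real indicators.

```python
# Added example: toy SIEM correlation rules for ransomware indicators and
# threat-intel IoC matching. Event schema, hosts, addresses and thresholds
# are constructed assumptions, not a real product's rule language.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intelligence feed (hypothetical indicators, not real IoCs).
THREAT_INTEL_IPS = {"203.0.113.45", "198.51.100.7"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def ioc_hits(events, intel=THREAT_INTEL_IPS):
    """Rule 1: any connection to an address present on the threat-intel feed."""
    return [
        {"rule": "ioc_connection", "severity": "high",
         "host": e["host"], "dst_ip": e["dst_ip"]}
        for e in events
        if e["type"] == "netconn" and e["dst_ip"] in intel
    ]


def file_rename_burst(events, window_s=60, threshold=20):
    """Rule 2: file-access anomaly, many renames on one host inside a sliding
    window (mass encryption typically renames files to a new extension)."""
    by_host = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            by_host[e["host"]].append(_ts(e))
    alerts = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "file_rename_burst", "severity": "high",
                               "host": host, "count": end - start + 1})
                break
    return alerts


def lateral_movement(events, window_s=300, fanout=5, ports=(445, 3389)):
    """Rule 3: one host opening SMB/RDP sessions to many distinct internal hosts."""
    by_host = defaultdict(list)
    for e in events:
        if (e["type"] == "netconn" and e["dst_port"] in ports
                and e["dst_ip"].startswith("10.")):
            by_host[e["host"]].append((_ts(e), e["dst_ip"]))
    alerts = []
    for host, conns in by_host.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            targets = {ip for t, ip in conns[i:]
                       if (t - t0).total_seconds() <= window_s}
            if len(targets) >= fanout:
                alerts.append({"rule": "lateral_movement", "severity": "medium",
                               "host": host, "targets": len(targets)})
                break
    return alerts


def run_rules(events):
    """Run every rule over the normalized events and return the combined alerts."""
    return ioc_hits(events) + file_rename_burst(events) + lateral_movement(events)


def constructed_events():
    """Constructed sample telemetry: normal work on ws-03, an infection on ws-17."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    ev = []

    def add(sec, **fields):
        ev.append({"ts": (base + timedelta(seconds=sec)).isoformat(), **fields})

    # ws-03: one rename, one file-server session, one HTTPS connection; benign.
    add(0, host="ws-03", type="file_rename", path="/home/asmith/report.docx")
    add(5, host="ws-03", type="netconn", dst_ip="10.0.0.5", dst_port=445)
    add(9, host="ws-03", type="netconn", dst_ip="192.0.2.10", dst_port=443)
    # ws-17: beacon to a listed address, then mass renames, then SMB fan-out.
    add(30, host="ws-17", type="netconn", dst_ip="203.0.113.45", dst_port=443)
    for i in range(25):
        add(60 + i, host="ws-17", type="file_rename", path=f"/srv/share/f{i}.locked")
    for i in range(6):
        add(120 + 10 * i, host="ws-17", type="netconn",
            dst_ip=f"10.0.0.{20 + i}", dst_port=445)
    return ev


if __name__ == "__main__":
    for alert in run_rules(constructed_events()):
        print(alert)
```

Running it fires all three rules for ws-17 and nothing for ws-03. A real SIEM expresses the same logic in its own rule language and tunes the window and threshold values per environment; the point of the example is that each indicator is only a count or a set lookup over normalized events, and that the IoC rule is only as good as the freshness of the feed behind it.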

Insider threats

An insider threat occurs when a user uses legitimate access to a company’s assets to maliciously or unintentionally cause damage to the business.

Understanding the user, user activity, and user patterns is critical to detecting this threat.

When a user’s activity departs from these established patterns, the SIEM treats it as a possible security incident.

SIEM can aggregate data about each user from many sources and use that data to create a basic behavioral profile of a particular user.

If a user behaves differently from previous behavior, the SIEM can assign a higher risk value to that user and flag it for further investigation. Often, machine learning is used for user analysis.
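As an added example (not code from the page or any UEBA product), the following builds a per-user behavioral baseline from historical activity and scores new events against it, assigning a higher risk value when a user deviates from their own profile. The users, hosts, hours, byte counts and the scoring weights are all constructed assumptions; a production UEBA feature would use richer features and learned rather than hand-set weights.

```python
# Added example: per-user behavioral baseline and risk scoring in the style
# of a UEBA-type SIEM feature. All users, hosts, hours, byte counts and
# scoring weights are constructed assumptions for the example.
import statistics
from collections import defaultdict


def build_baselines(history):
    """Profile each user: hours and hosts seen before, and mean/stdev of bytes out."""
    per_user = defaultdict(list)
    for e in history:
        per_user[e["user"]].append(e)
    profiles = {}
    for user, evs in per_user.items():
        out = [e["bytes_out"] for e in evs]
        profiles[user] = {
            "hours": {e["hour"] for e in evs},
            "hosts": {e["host"] for e in evs},
            "mean": statistics.mean(out),
            "stdev": statistics.pstdev(out) or 1.0,  # avoid division by zero
        }
    return profiles


def risk_score(profile, event, z_limit=3.0):
    """Score one event: each deviation from the user's own profile adds risk."""
    score, reasons = 0, []
    if event["hour"] not in profile["hours"]:
        score += 30
        reasons.append("activity outside usual hours")
    if event["host"] not in profile["hosts"]:
        score += 30
        reasons.append("never-seen host")
    z = (event["bytes_out"] - profile["mean"]) / profile["stdev"]
    if z > z_limit:
        score += 40
        reasons.append(f"bytes_out z-score {z:.1f}")
    return score, reasons


def flag_users(history, today, threshold=50):
    """Return {user: (score, reasons)} for today's events at or above the threshold."""
    profiles = build_baselines(history)
    flagged = {}
    for e in today:
        profile = profiles.get(e["user"])
        if profile is None:  # no baseline at all: cannot be scored, always review
            flagged[e["user"]] = (100, ["no historical baseline"])
            continue
        score, reasons = risk_score(profile, e)
        if score >= threshold and score > flagged.get(e["user"], (0, []))[0]:
            flagged[e["user"]] = (score, reasons)
    return flagged


def constructed_history(days=14):
    """Constructed: two users, 14 days of office-hours activity from their own workstations."""
    hist = []
    for d in range(days):
        hist.append({"user": "jdoe", "hour": 9 + d % 9, "host": "ws-17",
                     "bytes_out": 50_000_000 + d * 1_000_000})
        hist.append({"user": "asmith", "hour": 8 + d % 9, "host": "ws-03",
                     "bytes_out": 20_000_000 + d * 500_000})
    return hist


def constructed_today():
    """Constructed: asmith as usual; jdoe at 03:00 from a VPN gateway moving 900 MB."""
    return [
        {"user": "asmith", "hour": 10, "host": "ws-03", "bytes_out": 22_000_000},
        {"user": "jdoe", "hour": 3, "host": "vpn-gw-2", "bytes_out": 900_000_000},
    ]


if __name__ == "__main__":
    for user, (score, reasons) in flag_users(constructed_history(), constructed_today()).items():
        print(user, score, reasons)
```

Only jdoe is flagged, with all three reasons; asmith's activity sits inside her own baseline and scores zero. Note the edge case handled explicitly: a user with no history cannot be scored against a profile at all, so the example flags them for review rather than silently scoring them as normal.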

Phishing

Phishing was the second most common initial access path identified by IBM Security X-Force in 2020.

IBM Security X-Force Threat Intelligence Index 2023

A typical attack is to deliver a communication to the victim that appears to be genuine, in order to induce them to click on a malicious attachment or link.

SIEM helps to detect key indicators of phishing such as suspicious email subject lines, potential data leakage, abnormal behavior of incoming and outgoing emails, and communication with known hostile hosts. In addition, SIEM can leverage integrations with endpoint security tools to detect suspicious behavior on the endpoint that is an indication of a phishing attack.

How to choose a SIEM solution

What factors should you consider when evaluating a SIEM? We encourage you to look not only at the core functionality, but also at how the solution can scale with your business, how easily it integrates with your existing tools, and how quickly it delivers value.

SIEM has traditionally focused on detection, but now we need to extend the traditional SIEM workflow to more tightly coordinate incident detection and response.

SIEM is very useful to SOC teams, but they also rely on other tools such as EDR and NDR. In an ongoing effort to reduce complexity, the security industry as a whole is now beginning to integrate SIEM, EDR and NDR and move toward XDR (Extended Detection and Response).

XDR is about extending the visibility of an organization’s network, endpoints and security events.

Some organizations expect SIEM and XDR tools to become more closely aligned, and some vendors are already combining them.
