As the frequency and severity of data breaches continue to increase, and users become more concerned about privacy and the security of their personal information, organizations must continually improve their systems to protect networks and keep sensitive data safe.
Security information and event management (SIEM) tools are used to help enable just that—gathering critical machine-generated data, measuring threats, generating alerts and supporting IT security personnel with aggregations, charts and dashboards to highlight and prioritize events or deficiencies.
But as with all modern technologies, these tools are easy to underutilize or outright misuse. And the landscape is always changing, meaning that next-generation solutions to data security problems should always be under consideration. Traditional SIEM solutions are often limited by the sheer size of information needed for good results, as well as computational requirements and the people-power needed to process and use relevant data.
What is SIEM?
SIEM is the set of methods and tools used to turn available data into actionable security information, both for reacting to potential threats or cyberattacks and for effectively shaping security policy.
SIEM tools source data from automatic log systems, built-in reporting and stream events, such as alerts generated by firewalls or anti-virus software. This data is cleaned, aggregated, filtered and fed into systems that use advanced machine learning and statistical methods to detect abnormal behavior and inform IT employees on the highest-priority issues.
SIEM ultimately provides a central location for gathering security data from an organization’s entire IT infrastructure. All this information can then be used to manage incidents in real time, explore past problems in detail, and create paper trails and documentation for audits or data compliance requirements.
These tools are important, as the vast, highly granular data provided by networked software and application backends is impossible to sift through and correlate by hand. Meanwhile, enterprise security divisions continue to be severely understaffed and need as much help as they can get.
How does SIEM work?
SIEM is primarily used in a security operations center, the physical (or virtual) location where all security issues are dealt with by employees. This typically includes technical work like threat detection and incident response.
SIEM works first by gathering data from relevant systems, using collection agents embedded in end-user applications or devices, network elements and other software such as intrusion detection systems, anti-virus solutions and firewalls. Collected log and event data is sorted into categories, filtered by relevance, aggregated and forwarded to the central repository, usually a management console overseen by analysts and technicians.
Some data is transformed into alerts when a combination of events gives particular cause for concern—for example, a single end-user account making dozens of login attempts in the span of an hour. Other data is fed into more general reporting, such as live plots of network activity, for the analysts to review.
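As an added illustration of the correlation step described above (not code from this page or from any SIEM product), the Python below parses a constructed auth-log format, keeps a one-hour sliding window of failed logins per account and raises an alert once an account passes a threshold; the log format, field names, sample data and the threshold of two dozen are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Regex for the constructed auth-log format used below (hypothetical, not a vendor format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

def parse_line(line):
    """Turn one raw log line into a structured event, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev

def detect_login_bursts(lines, threshold=24, window=timedelta(hours=1)):
    """Alert when one account accumulates `threshold` failed logins inside `window`.
    The account's window is cleared after an alert so a later burst alerts again."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])           # correlate in time order
    recent = defaultdict(deque)                   # user -> timestamps of recent failures
    alerts = []
    for ev in events:
        if ev["outcome"] != "Failed":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:     # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": ev["user"], "count": len(q), "first": q[0], "last": ev["ts"]})
            q.clear()
    return alerts

def constructed_sample():
    """Constructed sample: 30 failures for one account within 45 minutes (should alert),
    5 failures for another spread over 5 hours (should not), and one successful login."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    def fmt(t, outcome, user, src):
        return f"{t:%Y-%m-%dT%H:%M:%SZ} auth01 sshd: {outcome} password for {user} from {src}"
    lines = [fmt(t0 + timedelta(seconds=90 * i), "Failed", "svc-backup", "10.0.0.5") for i in range(30)]
    lines += [fmt(t0 + timedelta(hours=i), "Failed", "alice", "10.0.0.7") for i in range(5)]
    lines.append(fmt(t0 + timedelta(hours=5, minutes=1), "Accepted", "alice", "10.0.0.7"))
    return lines

if __name__ == "__main__":
    for a in detect_login_bursts(constructed_sample()):
        print(f"ALERT {a['user']}: {a['count']} failed logins between {a['first']} and {a['last']}")
```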
Used in a SOC, SIEM creates all of the basic reporting and analytics around any security events and log data. Without SIEM, raw security data could not be transformed into the actionable dashboards or alerts that security teams need to do their jobs.
Benefiting from SIEM capabilities
SIEM is a holistic management method, involving many moving parts and many specific capabilities. Knowing the most important features of an SIEM system or tool can help your organization take better advantage of resources — personnel, money and time — and make fewer mistakes that could lead to security breaches or data leaks.
The standard and most beneficial features of an optimal SIEM include:
Log collection, perhaps the key capability of an SIEM solution, allowing for the automatic collection and management of voluminous machine-generated data
Integration with other security solutions, allowing the SIEM solution to communicate with other parts of an enterprise security ecosystem, sending data where it needs to go and triggering downstream events where appropriate
Built-in reporting, providing automated review of system performance, standardized reports for common security issues, as well as customizable dashboards for specific business needs
Alert and notification features, allowing analysts to get and prioritize the information they need about important events with the lowest latency
Monitoring, incident and anomaly detection, taking more time-consuming work away from busy analysts by automatically flagging worrisome behavior
Forensic capabilities and response workflows, making it easier to dig down into specific incidents, and creating standardized procedures for responding to issues
These various capabilities translate directly into specific benefits for many companies, for example:
Better perspective on the whole organization: With a centralized repository for security information, employees can better evaluate performance and threats over a whole network or series of systems
Stricter compliance: The automated logging and reporting built into SIEM makes it far easier to meet stringent data governance, regulatory, and security requirements, with no need for manual collection
Faster time to resolution: Because events are moved through the pipeline and prioritized intelligently, analysts get information faster and can respond to the right problems in real time
Easier scaling: Because the primary data sources are log data and network events, SIEM solutions are optimized to work with the largest amounts of information, making them easy to continue scaling up and supporting organizational or user growth
More sophisticated analysis: The alerts, aggregation, reporting and forensic tools provided by SIEM all help with performing detailed analyses of complex threats that may have been too opaque to understand in the past
How to choose the right SIEM tool
Now that you know the features of a typical SIEM tool, and how these can benefit your organization, it’s time to review the actual tools available, and select the right one for your specific industry, use case and team.
If adherence to government or industry requirements is a top priority, select a tool with specific compliance management matching your business needs. If the lowest latency and fastest response times are needed, then review the most performant tools with speedy data processing and alerting features. Meanwhile, sophisticated threat detection and forensic analysis use cases require SIEM software with improved automation, machine learning and AI built in.
With this in mind, it’s easier to review some of the many tools and pieces of software available for SIEM. These vary by price, complexity, available features and many other factors, so the most important consideration should be how well the tool fits your business requirements and employee needs.
Google Chronicle is a cloud-native security analytics platform built on core Google infrastructure, providing infinitely elastic storage of security telemetry data. With a predictable fixed price model based on the number of employees, organizations can store and analyze all security data, increasing fidelity. Chronicle simplifies the complex effort of managing and analyzing the massive volumes of security telemetry generated by modern enterprises. The automated analysis engine correlates intelligence from internal and third-party public sources to quickly and automatically extract signals and detect threats.
Curated detections are built and actively maintained by the Google Cloud Threat Intelligence (GCTI) team to reduce manual toil for your team, providing security teams with high-quality, actionable, out-of-the-box threat detection content.
Another option is to augment your legacy, volume-based SIEM with Chronicle. Some organizations experience blind spots and other challenges, including cost, with their legacy SIEMs, but are not ready to rip and replace them. Chronicle can augment your existing security operations stack to drive additional efficiencies and visibility, all at a disruptive price point.
Complementing SIEM in the SOC
SIEM systems and tools have been around for decades, and have played an important role in safeguarding data and for enterprise security overall. This is clear from the sheer number of tools available, and the depth and variety of their features.
But this initial solution only solves the problem of triage, and organizations are finding that they need more diverse and sophisticated systems to support security analysts and respond to threats more proactively. This is where security orchestration, automation and response (SOAR) comes in.
SOAR comprises a collection of solutions complementary to SIEM, which can handle threats and risks that the latter is incapable of dealing with. Even next-generation SIEM tools remain essentially a system of record: bringing relevant data to a central repository and making it available to analysts. But SOAR provides more actionable functionality thanks to more advanced machine learning and AI, and built-in playbook management, and perhaps most importantly, integration across other IT and security tools.
Combining a modern SIEM solution with the capabilities of SOAR can lead to even more efficiency, standardized policies across teams and verticals, and faster time to detection and time to resolution of threats and attacks.