
Use a SIEM solution that includes log forwarding

Written by Cyberangels
Updated over 2 years ago

SIEM: what it is and what it means for an organisation

SIEM is a solution in which Security Information Management (SIM) and Security Event Management (SEM) converge. In more detail:

  • The SIM is an information management system that automates the process of collecting and orchestrating logs (but not in real time). Data are collected and sent to a centralised server through the use of agent software installed on the various devices of the monitored system. The possibility of long-term storage combined with data analysis allows the generation of customised reports.

  • The SEM is a software solution that, in real time, monitors and manages events occurring within the network and on the various security systems, providing correlation and aggregation between them. The interface is a centralised console, responsible for monitoring, reporting and responding automatically to certain events.

By linking the SEM to the SIM, the SIEM analyses the collected logs to highlight events or behaviours of interest, allowing, for example, the detection of administrative access outside normal working hours, together with information on the host, the user ID and more. The contextual information gathered makes for more detailed reports and allows for optimised incident resolution workflows.

How a Security Information and Event Management solution works

SIEM systems technology aims to centralise the collection of logs and events generated by networked applications and systems, enabling security analysts to reduce the time required to resolve and investigate security alerts and incidents.

The main activities of a SIEM are to collect, analyse, correlate and monitor a large number of diverse data from:

  • Security tools: Intrusion Detection Systems, Intrusion Prevention Systems, anti-virus and anti-malware systems, VPN concentrators, Web filters, honeypots, firewalls, adservers

  • Network devices: routers, switches, DNS servers, wireless access points, WAN, data transfer, private cloud network

  • Appliances: user devices, authentication servers, databases, cloud-hosted servers

  • Applications: intranet applications, web applications, SaaS applications

The key principle of SIEM is advanced monitoring, based on the ability to aggregate meaningful data from multiple sources and to establish real-time analysis and correlations aimed at detecting anomalous behaviour and critical signals and generating alerts, so as to meet the needs of incident response, compliance and forensic analysis. The very nature of the technology entails continuous adaptation according to the ongoing security assessments carried out by CSOs, together with all relevant regulatory adjustments.

The working principle? At a basic level, a SIEM solution is based on a set of rules (defined by the vendor and/or security managers) and the use of a statistical correlation engine that establishes the relationships between the various entries in the event log.
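The following is an added example, not Cyberangels' code and not the correlation engine of any particular SIEM product. It shows, in a few dozen lines of Python, what the rule-based part of the working principle described above looks like, using the out-of-hours administrative access case mentioned earlier as one of its rules: log lines forwarded by agents are normalised into events, and two rules are run over them, one flagging a successful login by an administrative account outside working hours, the other correlating repeated failed logins from one source into a single alert rather than one alert per failure. The log lines, hostnames, user names, IP addresses, working-hour bounds and thresholds are all constructed for the example and would be tuned per organisation.

```python
"""
Added example (not Cyberangels' code): a minimal rule-based correlation over
constructed authentication log lines, illustrating two behaviours the article
describes: flagging administrative access outside working hours and correlating
repeated failures from one source into a single alert.
All log lines, hostnames, users and IPs are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta
import re

# Constructed sample of syslog-style auth events as forwarded by agents on two hosts.
SAMPLE_LOGS = """\
2024-03-04T08:55:12 web01 sshd: Accepted publickey for alice from 10.0.1.23
2024-03-04T23:41:05 db01 sshd: Accepted password for root from 198.51.100.7
2024-03-04T23:41:40 db01 sshd: Failed password for admin from 198.51.100.7
2024-03-04T23:41:43 db01 sshd: Failed password for admin from 198.51.100.7
2024-03-04T23:41:47 db01 sshd: Failed password for admin from 198.51.100.7
2024-03-04T23:41:52 db01 sshd: Failed password for admin from 198.51.100.7
2024-03-04T23:42:01 db01 sshd: Failed password for admin from 198.51.100.7
2024-03-05T10:02:30 web01 sshd: Failed password for bob from 10.0.1.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
    r"\S+ for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    host: str
    result: str
    user: str
    src: str


def parse_logs(text):
    """Normalise raw forwarded lines into Event objects; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                                m["result"], m["user"], m["src"]))
    return events


# Rule parameters: assumptions for the example, tuned per organisation in practice.
ADMIN_USERS = {"root", "admin"}
WORK_START, WORK_END = time(8, 0), time(19, 0)
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)


def rule_admin_out_of_hours(events):
    """Rule 1: a successful login by an administrative account outside working hours."""
    alerts = []
    for e in events:
        if e.result == "Accepted" and e.user in ADMIN_USERS \
                and not (WORK_START <= e.ts.time() < WORK_END):
            alerts.append(("admin_out_of_hours", e.host, e.user, e.src, e.ts.isoformat()))
    return alerts


def rule_failed_login_burst(events):
    """Rule 2: correlate failures per (source, host) and raise one alert when
    FAIL_THRESHOLD failures fall inside a sliding window of FAIL_WINDOW."""
    alerts = []
    window = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.result != "Failed":
            continue
        q = window[(e.src, e.host)]
        q.append(e.ts)
        # Drop timestamps that have fallen out of the window.
        while q and e.ts - q[0] > FAIL_WINDOW:
            q.pop(0)
        if len(q) >= FAIL_THRESHOLD:
            alerts.append(("failed_login_burst", e.host, e.src, len(q), e.ts.isoformat()))
            q.clear()  # one alert per burst, not one per further failure
    return alerts


def correlate(text):
    """Run all rules over the forwarded log text and return the list of alerts."""
    events = parse_logs(text)
    return rule_admin_out_of_hours(events) + rule_failed_login_burst(events)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Running the block prints two alerts: the root login at 23:41 on db01 and a single burst alert for the five failed `admin` attempts from the same source, while the lone failure for `bob` during working hours produces nothing. A real SIEM adds what this example leaves out: the long-term storage and reporting of the SIM side, many more rules, and the statistical baselines that let it spot behaviour no fixed threshold anticipated.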

There are SIEM solutions available online such as Elastic. Implementing a SIEM solution can be a complex process, but it is extremely important for your security: if you are not able to do this yourself, contact your IT consultant or contact our support.
