In this post we wanted to bring together some of our favourite security and IT contributors to help us define what is SIEM? How do tools and software for SIEM help? & just how popular is the use of SIEM practises in 2020?
SIEM stands for Security Information and Event Management, our first expert Sam Maley, IT Operations Manager at Bailey & Associates IT Consultancy expands on this below & in his subsequent answers for what is SIEM used for, why is it useful for business and what is the best open source tool for SIEM;
“Security Information and Event Management - is a tool/service that combines the functionality of Security Event Management (SEM) and Security Information Management.”
“While SEM provides real-time monitoring capabilities, event correlations and notifications for security issues, and SIM provides long-term storage and analysis, SIEM integrates both.”
“It does this with a central management system that gathers log data, often from thousands of sources within a network, and filters relevant data in order to enable effective responses.”
What Is SIEM Used For?
“SIEM involves correlating entries or events across multiple systems in order to establish relationships that may indicate malicious behaviour, such as multiple firewall denials from a single IP Address in quick succession.”
“This is the SEM component. In the SIM component, log data is then aggregated and stored, and can be analysed to improve the system's SEM capabilities (such as through adding and refining rules), as well as for forensic investigations and auditing.”
Why Is SIEM Useful For Businesses?
“Business networks often have vast, complex networks that can be difficult to effectively secure against a range of risks and breach strategies.”
“By integrating SEM and SIM capabilities, it is easier for security teams to keep track of potential threats - using rules that have been generated with historical data and pattern recognition - and respond quickly.”
“Furthermore, when breaches do occur, the same data is available for forensic analysis, enabling weaknesses to be eliminated.”
In addition to this, Thierry Tremblay, CEO at Kohezion, specified that by using a SIEM solution his business was able to;
“reduce their security workload by 30-40% thanks to the use of immediate threat notifications and automated responses.”
“A proactive approach to security threats reduces the time and effort required for investigating and eliminating security threats after the event. SIEM’s metrics speed up maturity and allow us to analyze its findings to understand what we may be missing.”
What Should Businesses Expect From A SIEM Tool?
“The principle capabilities all SIEM tools should provide is the ability to detect threats and respond timeously, and to comprehensively aggregate data for storage, enabling continuous improvements over time and facilitating investigations where necessary.”
“Dashboards are another great feature to look out for. These can be used to transform data into informational charts, which enable people to recognise non-standard patterns that might otherwise have been missed.”
How Is Logging Involved with SIEM?
When asked to contribute his insights about the importance of logging for cybersecurity and SIEM, Matthew Estabrook, Chief Strategist at Know IT responded with the following helpful insights;
“If you don't know what your environment is doing, how can you prevent security incidents before they happen? When something does happen, how would you know if you don't have the logs to validate?”
“SIEM allows for log capture and analysis from numerous input sources.”
“This allows for event auditing, correlation and threat hunting on a whole new level. Most major players in this market are too expensive for small businesses that still may need to take the necessary steps to ensure security and compliance”
What Is The Best Open Source Tool For SIEM?
“Because SIEM is incredibly complex and resource heavy, the open-source versions tend to be cumbersome to implement and maintain.”
“While their enterprise counterparts have had huge amounts of resources invested to optimise them and create simpler user interfaces, the open-source variants take a long time to set up and maintain, and obviously don't include customer service to assist with the process.”
This is why some users may wish to use a hosted ELK or managed service provider such as Logit.io which brings together all of the open source capabilities of Elasticsearch, Logstash & Kibana for their SIEM features, without the overheads of maintenance and dedicated ELK engineers required to maintain an inhouse SIEM solution.
The latest report from AT&T's SIEM survey confirmed that 75% of cybersecurity professionals see SIEM as being highly important to their organisation's security.
When asked about the main features and benefits of SIEM respondents confirmed that faster detection, threat intelligence & improved visibility were delivered by their chosen SIEM platform.
Participants also considered SIEM to be the most effective method for detecting unauthorised access, insider attacks and advanced persistent threats. The top five countries most interested in topics around SIEM for security in decreasing priority are; United States, Canada, The UK, Australia & Germany.
In Google Trends the worldwide popularity for security SIEM has recently reached an all time high in popularity (as of October 2020). The most popular use case of SIEM (68%) was to monitor and correlate events across distributed systems, services & applications. This feature can also be undertaken by using a centralised log management system, such as the platform provided by Logit.io
A Final Note
If you're looking for a powerful cloud based SIEM tool then look no further than Logit.io.
Our platform provides you with everything you need to investigate your logs from servers, services and infrastructure, and includes security alerting and notifications to allow you to detect threats at a fraction of the cost of other comparable SIEM software.
Our SIEM dashboard is built upon Kibana, one of the leading data visualisation tools used for maintaining enterprise level security, reporting & log management. Our hosted Kibana forms part of our ELK as a service solution which provides an affordable alternative to hosting Kibana, Logstash & Elasticsearch in house and can be launched within minutes of signing up.