Source: www.csoonline.com – Author:
Security information and event management software collects information to help identify and track cyber breaches. Here’s how to understand their features and how they can help defend your enterprise infrastructure.
Introduction to SIEM
Security information and event management (SIEM) products have been an enduring part of enterprise software ever since the category was named back in 2005 by a couple of Gartner analysts. It is an umbrella term for a way to manage the deluge of event log data in order to monitor an enterprise's security posture and provide early warning of compromised or misbehaving applications.
SIEM grew out of the log management tools that have been around for decades, reworked to focus on security. Modern SIEM products combine on-premises and cloud log and access data with API queries against other systems to investigate security events and drive automated mitigation and incident response. “Cloud and on-premises are complementary directions here, because the cloud provides for effective scaling as data needs increase, and having an on-premises offering is useful, particularly for those enterprises who want to save money by managing the operational aspects of their deployments,” Allie Mellen, an analyst with Forrester, tells CSO.
The focus of SIEM products is to distill this vast quantity of telemetry into actionable and, ideally, timely security insights. As alert volumes grow, these products need to surface the events that matter so SOC analysts can focus on them, which calls for careful use of automation, orchestration and a range of response techniques. That is also why SIEM features are now being integrated into other security tools. “Given more interdependencies, IT buyers must be aware of how deploying a SIEM solution will impact their existing ecosystem of security products, the costs involved, and the analysts’ experience,” writes Gigaom’s Andrew Green in a 2024 report.
Over the years since SIEM was first recognized as a product category, its purpose and features have expanded in scope. The key components can cover several of the following technologies:
- At its core, a SIEM parses and analyzes log data from many sources, including firewalls, servers, routers and so forth. This lets a SIEM serve as the central “nerve center” of a security operations center, driving other monitoring functions to resolve the daily flow of alerts.
- Added to this data are various threat intelligence feeds that can be used to correlate the log entries and identify a potential compromised device. Gartner analysts state in their latest SIEM report from May 2024 that any tool should have “the ability for end-users to self-develop, modify and maintain threat detection use cases utilizing correlation-, analytic- and signature-based methods.”
- Many SIEMs also add risk scoring and produce a series of recommended actions based on those scores.
- Some provide orchestration and response functions, as well as ways to automate SOC tasks. “We see that most SIEM vendors have incorporated SOAR capabilities and are building those out to be more robust,” Mellen tells CSO. This is typical as security tools generally add automation features to become easier to use and more productive. In some cases, this moves these products into the SOAR category. “Many of these standalone SOAR vendors in the market end up pivoting to new features and capabilities in other markets to build a more complete offering,” she says.
How SIEM works
A typical SIEM product follows three broad stages. First, it collects and aggregates data from a variety of network, application, infrastructure and security sources. Over the years, SIEM software has widened its focus to collect data from both on-premises and cloud-based systems, and how much data a product can ingest and categorize at any given time is a key differentiator. “With more and more digital infrastructure and services becoming mission-critical to every enterprise, SIEM tools must handle ever-higher volumes of data,” writes Gigaom’s Green. As an example of the growing complexity, Kubernetes logs come in several forms, including audit logs, controller process logs, API requests and responses, and scheduling events, all of which can contain critical security intelligence. Prospective buyers should therefore understand how deeply a candidate product covers each of their log sources.
Next, the SIEM analyzes and reports in near-real time on threats or anomalies detected across the enterprise. That drives the third stage: guiding responses and mitigations and recommending any compliance activities. Green and other analysts point out that as regulations proliferate, a SIEM becomes indispensable, and in some cases its use is effectively mandated by regulatory compliance processes.
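The three stages above, collect and normalize, correlate, then recommend a response, as a toy SIEM in Python. This is an added example and not code from the article or from any vendor. The log lines (sshd syslog from two servers plus one Kubernetes API-server audit record), the threat intelligence list, the normalized field names, the rule thresholds and the response playbook are all constructed for the example; the addresses are documentation ranges.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Stage 1 input, constructed for this example: sshd syslog lines from two servers plus one
# Kubernetes API-server audit event. 203.0.113.7 and 198.51.100.9 are documentation addresses.
RAW_EVENTS = [
    "2024-10-01T09:00:01Z srv01 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "2024-10-01T09:00:04Z srv01 sshd[1201]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "2024-10-01T09:00:06Z srv01 sshd[1201]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "2024-10-01T09:00:09Z srv01 sshd[1201]: Accepted password for root from 203.0.113.7 port 51125 ssh2",
    "2024-10-01T09:00:30Z srv02 sshd[2300]: Failed password for alice from 198.51.100.9 port 40000 ssh2",
    json.dumps({"kind": "Event", "stage": "ResponseComplete",
                "requestReceivedTimestamp": "2024-10-01T09:01:00.000000Z",
                "verb": "create", "user": {"username": "system:serviceaccount:default:deployer"},
                "sourceIPs": ["203.0.113.7"],
                "objectRef": {"resource": "pods", "namespace": "kube-system"},
                "responseStatus": {"code": 201}}),
]

THREAT_INTEL = {"203.0.113.7"}  # constructed indicator list standing in for a TI feed

SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<src_ip>\S+) port \d+")

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalize(raw):
    """Stage 1: parse each source into one flat schema (field names are this example's choice)."""
    if raw.startswith("{"):
        ev = json.loads(raw)
        return {"ts": _ts(ev["requestReceivedTimestamp"]), "source": "k8s_audit",
                "user": ev["user"]["username"], "src_ip": ev["sourceIPs"][0],
                "action": f'{ev["verb"]}:{ev["objectRef"]["resource"]}',
                "outcome": "success" if 200 <= ev["responseStatus"]["code"] < 300 else "failure",
                "target": ev["objectRef"].get("namespace", "")}
    m = SSHD_RE.match(raw)
    if not m:
        return None  # a real SIEM keeps unparsed lines as raw text; here they are skipped
    return {"ts": _ts(m["ts"]), "source": "sshd", "user": m["user"], "src_ip": m["src_ip"],
            "action": "login", "outcome": "failure" if m["outcome"] == "Failed" else "success",
            "target": m["host"]}

def _alert(rule, ip, ev, base_score):
    ti_hit = ip in THREAT_INTEL  # TI enrichment raises the score of an otherwise identical alert
    return {"rule": rule, "src_ip": ip, "user": ev["user"], "target": ev["target"],
            "ts": ev["ts"].isoformat(), "score": min(100, base_score + (20 if ti_hit else 0)),
            "ti_hit": ti_hit}

def correlate(events, window_s=60, threshold=3):
    """Stage 2: correlate per source IP. Rule 1: at least `threshold` failed logins within
    `window_s` seconds followed by a success. Rule 2: the same IP then performs a successful
    write in the cluster, a cross-source chain no single log would show on its own."""
    alerts = []
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["src_ip"]].append(ev)
    for ip, evs in by_ip.items():
        fails, compromised = [], False
        for ev in evs:
            in_window = [f for f in fails if (ev["ts"] - f["ts"]).total_seconds() <= window_s]
            if ev["action"] == "login" and ev["outcome"] == "failure":
                fails = in_window + [ev]
            elif ev["action"] == "login" and ev["outcome"] == "success":
                if len(in_window) >= threshold:
                    compromised = True
                    alerts.append(_alert("brute_force_success", ip, ev, 70))
            elif compromised and ev["source"] == "k8s_audit" and ev["outcome"] == "success":
                alerts.append(_alert("post_compromise_k8s_write", ip, ev, 85))
    return alerts

# Stage 3: recommended (or automatable) actions per rule. The playbook is assumed for the example.
PLAYBOOK = {"brute_force_success": ["block_src_ip_at_firewall", "force_password_reset", "open_ticket"],
            "post_compromise_k8s_write": ["revoke_serviceaccount_token", "isolate_namespace", "page_oncall"]}

def run_siem(raw_lines):
    """Collect -> correlate -> respond. Only high-scoring alerts get the full playbook."""
    events = [e for e in map(normalize, raw_lines) if e]
    alerts = correlate(events)
    for a in alerts:
        a["actions"] = PLAYBOOK[a["rule"]] if a["score"] >= 80 else ["open_ticket"]
    return alerts

if __name__ == "__main__":
    for a in run_siem(RAW_EVENTS):
        print(json.dumps(a))
```

On the constructed input the first rule fires on the fourth sshd line and the second rule fires on the Kubernetes audit record a minute later; the single failure from 198.51.100.9 produces nothing. The second alert only exists because both sources were normalized into one schema keyed on the same `src_ip`, which is the point of stage one.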
Key benefits and components of SIEM
SIEM products have several key benefits, matching their major component technologies.
First, they enhance threat detection by providing a broader view of what is going on across your enterprise, combining their own threat intelligence with integrations to several public or private threat feeds. Because they collect these disparate event sources and analyze the logs together, they can provide a more comprehensive picture of an attack, from initial compromise through its later stages. Typically this is presented through dashboards and other visualization tools from which analysts can view and act on alerts.
Many SIEM products have begun to offer user and entity behavior analytics (UEBA) as part of their toolkit. UEBA looks at patterns of operations by both users and endpoints to establish predictable baselines. For example, one baseline might be that a user visits a particular website or downloads a certain collection of files at a certain time of day. A departure from that pattern generates an alert for the SIEM to analyze and evaluate as a potential security threat.
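The baseline-and-deviation idea above as a minimal UEBA scorer in Python. This is an added example, not code from the article or from any UEBA product. The history and new events (user, hour of day, destination, bytes downloaded) are constructed, and the scoring weights and the 50-point alert threshold are this example's assumptions. It also handles the case the paragraph leaves open: an account with no history, which a baseline cannot judge and should flag for review rather than score as normal.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed baseline history: (user, hour_of_day_utc, destination, bytes_downloaded).
HISTORY = [
    ("alice", 9, "fileserver01", 12_000), ("alice", 10, "fileserver01", 15_000),
    ("alice", 11, "wiki", 11_000), ("alice", 14, "fileserver01", 14_000),
    ("alice", 15, "wiki", 13_000), ("alice", 16, "fileserver01", 16_000),
    ("bob", 8, "git", 40_000), ("bob", 9, "git", 42_000), ("bob", 17, "git", 38_000),
]

# Constructed new events to score against that history.
NEW_EVENTS = [
    ("alice", 10, "fileserver01", 14_000),   # routine
    ("alice", 3, "hr-db", 2_000_000),        # off-hours, new destination, huge volume
    ("alice", 10, "fileserver01", 25_000),   # only the volume is unusual
    ("bob", 2, "hr-db", 41_000),             # off-hours and new destination
    ("mallory", 2, "hr-db", 500_000),        # account with no baseline at all
]

def build_baseline(history):
    """Per-user profile: which hours they are active, which destinations they use,
    and the mean and spread of bytes they pull per session."""
    hours, dests, sizes = defaultdict(Counter), defaultdict(set), defaultdict(list)
    for user, hour, dest, size in history:
        hours[user][hour] += 1
        dests[user].add(dest)
        sizes[user].append(size)
    return {u: {"hours": hours[u], "dests": dests[u],
                "size_mean": mean(sizes[u]), "size_std": pstdev(sizes[u])} for u in hours}

def score_event(baseline, user, hour, dest, size):
    """Return (score, reasons). The score adds up independent deviations from the baseline;
    the weights are this example's choice, not a standard."""
    prof = baseline.get(user)
    if prof is None:
        # No history: a UEBA cannot call this anomalous, only unscorable. Surface it instead of
        # returning a quiet 0, which would hide brand-new accounts from the analyst.
        return 0, ["no_baseline"]
    score, reasons = 0, []
    if prof["hours"][hour] == 0:
        score += 30
        reasons.append(f"unusual_hour:{hour}")
    if dest not in prof["dests"]:
        score += 40
        reasons.append(f"new_destination:{dest}")
    # Volume limit: three standard deviations, with a floor so a perfectly regular
    # history does not fire on a one-byte increase.
    limit = prof["size_mean"] + max(3 * prof["size_std"], 0.25 * prof["size_mean"])
    if size > limit:
        score += 30
        reasons.append(f"volume:{size}>{int(limit)}")
    return score, reasons

def detect(baseline, events, alert_at=50):
    """Score new events; return those at or above the threshold plus any unscorable ones."""
    out = []
    for user, hour, dest, size in events:
        score, reasons = score_event(baseline, user, hour, dest, size)
        if score >= alert_at or "no_baseline" in reasons:
            out.append({"user": user, "score": score, "reasons": reasons})
    return out

if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), NEW_EVENTS):
        print(alert)
```

A single unusual dimension (alice pulling 25 KB at her normal hour from her normal server) stays below the threshold; it takes two or more coinciding deviations to alert, which is what keeps a behavioral baseline from paging on every slightly busy afternoon.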
In addition, SIEMs improve compliance and reporting functions by providing better audit trails and assessments of these events. Finally, they can centralize security management by integrating with a variety of existing security systems, such as SOAR, EDR and other automation tools. Some SIEM vendors are moving towards combining SIEM and SOAR functions into a single offering, as with Microsoft Sentinel and NetWitness Orchestrator. Another route is for two vendors to combine forces, as with Recorded Future’s integration into Google Security Operations’ SOAR. Other vendors, such as Fortinet and Palo Alto Networks with Cortex, keep the two tool collections as separate products. “SOAR tools can start running independently of SIEM tools to strengthen an organization’s security posture and automate non-security processes as well,” says Gigaom’s Green in his October 2024 report.
The trend towards better security integration is another big benefit of SIEM, because it can reduce tool sprawl. “With so many tools in play, maintaining comprehensive visibility across the network becomes challenging. This fragmented visibility can result in blind spots, where security incidents may go unnoticed or unaddressed,” wrote Kim Larsen, the CISO of Keepit.
Challenges and limitations of SIEM
One of the biggest challenges of implementing a SIEM is connecting it to your existing collection of security tools. “Many of the clients we talk to want a tool that is built into the workflows they use,” Mellen says. That sounds like common sense, but it still isn’t universal, because a useful SIEM has to integrate in many different places. The challenge for vendors is to offer as many integrations as possible to suit each customer’s circumstances.
Several analysts cited another obstacle: finding skilled personnel who can operate a SIEM product and make use of its many features.
Another challenge is the cost of data collection, because the best SIEMs need historical data to compare current patterns against. Mellen discusses this in her blog on data pipeline management, where she notes that costs are driven by how much of that data is indexed, and how thoroughly. She also tells CSO that “pipeline management is a natural fit into the SIEM, as it is the key to collecting, formatting, and routing of security data. Expect to see more of these integrations into future SIEM offerings.”
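What the routing half of pipeline management looks like in practice, as an added Python example that is not from the article, from Forrester or from any pipeline product. It sends security-relevant events to the indexed (expensive) tier, sends routine chatter to cheap archive storage, collapses exact repeats in the archive tier while keeping a count, and reports how much of the raw volume actually reached the index. The event types, sizes, routing policy and 300-second dedup window are all constructed assumptions.

```python
import hashlib
from collections import Counter

HOT, ARCHIVE, DROP = "hot_index", "cold_archive", "dropped"

# Constructed input. Each event carries its serialized size so the tiering can be costed.
def _ev(ts, type_, msg, size):
    return {"ts": ts, "type": type_, "msg": msg, "size": size}

EVENTS = (
    [_ev(1000 + 10 * i, "fw_allow", "allow 10.0.0.5 -> 10.0.1.9:443", 200) for i in range(6)]
    + [_ev(1005, "auth_failure", "Failed password for root from 203.0.113.7", 150),
       _ev(1008, "auth_failure", "Failed password for root from 203.0.113.7", 150),
       _ev(1020, "fw_deny", "deny 203.0.113.7 -> 10.0.0.5:22", 180),
       _ev(1100, "healthcheck", "GET /healthz 200", 120),
       _ev(1500, "healthcheck", "GET /healthz 200", 120)]
)

def route(event):
    """Routing policy (this example's assumption, not a vendor default): security-relevant
    events are always indexed; routine, high-volume chatter goes to cheap archive storage.
    Unknown types default to the expensive tier so a new source is never silently discarded."""
    if event["type"] in ("auth_failure", "auth_success", "fw_deny", "k8s_audit"):
        return HOT
    if event["type"] in ("fw_allow", "healthcheck", "debug"):
        return ARCHIVE
    return HOT

def fingerprint(event):
    """Identity of an event ignoring its timestamp, so repeats of the same message collapse."""
    key = "|".join(f"{k}={event[k]}" for k in sorted(event) if k != "ts")
    return hashlib.sha256(key.encode()).hexdigest()

def run_pipeline(events, dedup_window_s=300):
    """Format-and-route stage: returns the events per tier and the bytes sent to each tier.
    Deduplication is applied only to the archive tier: collapsing repeated auth failures
    would destroy the per-attempt timestamps a brute-force correlation rule depends on."""
    seen = {}                       # fingerprint -> (first timestamp, retained event)
    tiers = {HOT: [], ARCHIVE: []}
    bytes_by_tier = Counter()
    for ev in sorted(events, key=lambda e: e["ts"]):
        tier = route(ev)
        if tier == ARCHIVE:
            fp = fingerprint(ev)
            if fp in seen and ev["ts"] - seen[fp][0] <= dedup_window_s:
                seen[fp][1]["repeat_count"] += 1   # the count survives even though the copy does not
                bytes_by_tier[DROP] += ev["size"]
                continue
        out = dict(ev, repeat_count=1)
        if tier == ARCHIVE:
            seen[fp] = (ev["ts"], out)
        tiers[tier].append(out)
        bytes_by_tier[tier] += ev["size"]
    return tiers, bytes_by_tier

def indexed_share(bytes_by_tier):
    """Fraction of raw volume that reached the indexed tier, which is what drives the SIEM bill."""
    return bytes_by_tier[HOT] / sum(bytes_by_tier.values())

if __name__ == "__main__":
    tiers, by_tier = run_pipeline(EVENTS)
    print(dict(by_tier), f"indexed share = {indexed_share(by_tier):.0%}")
```

On the constructed input a quarter of the raw bytes reach the index. The practitioner caveats are in the code: the hot tier is never deduplicated, unknown event types fall into the expensive tier rather than the floor, and dropped repeats leave a count behind, so the pipeline reduces what is indexed without reducing what can be detected.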
Finally, finding accurate pricing is always a challenge. One bright spot is Logpoint’s transparent pricing page, which calculates the cost based on the quantity and features selected. Most vendors are more circumspect, staying opaque until you are further down the sales process before they quote a price.
Future of SIEM
Even though SIEM products have been around for close to two decades, the category continues to embrace and extend its original purpose, adding UEBA and other behavioral analytics along with risk scoring that can be tailored to specific correlation use cases. Most tools have beefed up their out-of-the-box correlation and alert rules, making them both more productive and easier to onboard and deploy. And as the world has embraced remote and mobile user access, SIEM products have improved their support for these situations with better reporting and more in-depth intelligence geared to them.
SIEM tools have also kept pace with the move towards machine learning and artificial intelligence. Many have added models such as OpenAI’s GPT-4 so that analysts can issue natural language commands or have queries generated for them when hunting for threats. But this raises concerns about accuracy, about whether the models are trained on private data, and about whether privileged information ends up stored in public clouds. The latest SIEMs must also keep pace with complex, multi-stage threats, just like other modern defensive tools.
“When evaluating solutions, it’s important to decide whether you need just a SIEM or a unified tool for automating your security operations center,” writes Howard Holton, the COO of Gigaom. He suggests that analysts need to be able to differentiate SIEM from products that can be used to automate the daily SOC operations, and potential buyers should look at ways SIEM optimizes and integrates various data feeds and how it integrates with existing security tooling.
Who are the leading SIEM vendors?
There are more than two dozen SIEM vendors. Gartner’s latest report lists Exabeam LogRhythm, IBM QRadar, Splunk, Microsoft Sentinel and Securonix Unified Defense as leaders. Our buyers’ guide includes several other vendors, including Datadog Cloud SIEM, Fortinet FortiSIEM, Logpoint and OpenText ArcSight Enterprise Security Manager, among others.
Here are some questions to help evaluate and compare SIEM solutions:
- Does the product offer more protection and automation features than using either an XDR or SOAR tool?
- How wide and agnostic is support and integration for multiple third-party security vendors? How is this data enriched and combined within the SIEM?
- How is your SIEM’s workflow automation and orchestration enabled to make SOC analysts more productive?
- What LLMs and AI tools are used to enhance its features?
- Can the SIEM run in all three deployment modes: public cloud, private cloud and on-premises?
Original Post url: https://www.csoonline.com/article/524286/what-is-siem-security-information-and-event-management-explained.html
Category & Tags: Network Security, Security, Security Information and Event Management Software