What Is Security Information and Event Management (SIEM)?

Written By Laura Martisiute

Security information and event management, or SIEM (pronounced “sim”) for short, is a security monitoring and auditing technology. SIEM solutions allow organisations to collect real-time and historical event logs from their entire technology infrastructure in a centralised management console. This includes data from network devices, security appliances, applications, user devices, and application servers.

As well as logging network traffic, SIEM systems can also be configured to issue notifications whenever suspicious behaviour occurs. Since most modern SIEMs are built with SOAR capabilities, they can automatically validate alerts using machine learning techniques and correlation rules. 

Used in this way, SIEM technology can speed up threat detection and support security incident management. Because SIEM tools keep a record of all activity, they can also aid forensic analysis and improve compliance.

However, while SIEMs are often seen as a core technology within a security operations centre (SOC) and are particularly popular for enterprise security, they are also resource-intensive, expensive, and noisy. For organisations that want to improve their threat hunting and detection capabilities without straining their teams and budgets, it's important to consider a complete detection and response platform like SenseOn instead. 

The History of SIEM

“SIEM” technology developed from the coming together of two pre-existing solution categories: security event management (SEM) and security information management (SIM). SEM is a tool that monitors and correlates events in real-time. SIM is a tool that gathers data from the corporate infrastructure for long-term storage, analysis, and reporting. 

Security teams have been building custom tools with SIEM-like capabilities since the 1990s. However, the term “SIEM” was only conceived in 2005 by Amrit Williams and Mark Nicolett in the Gartner report “Improve IT Security With Vulnerability Management.” This was also when the first generation of commercially available SIEMs began to enter the market. 

How Does a SIEM Work

SIEM systems systematically find, process and analyse information from connected networks. Here is an overview of how this happens in a typical modern SIEM system.

Initial data aggregation and normalisation. 

A SIEM gathers event and event log data from multiple sources across a connected network (for example, an organisation’s servers, applications, and security devices such as firewalls and antivirus) and translates it into a single log format. 


Stores and retains data 

Part or all of the collected event data (depending on the SIEM system used) is stored and retained for correlation, forensic analysis, and compliance purposes. 

Correlates and analyses data

Through further data aggregation, a SIEM consolidates events into categories, for example, failed logins or exploit attempts. Categorised events are then analysed against pre-configured rules for the signatures “normal” network, or user behaviours would exhibit. 

Identifies security issues and takes action

When abnormal activity is noted, a SIEM will issue an alert. Depending on how a security team or SIEM vendor has configured their rules, these alerts may be set as high or low priority. For instance, three failed login attempts over the course of five minutes (likely a user who has forgotten their password) may set off a low priority alert. On the other hand, 100 login attempts in 5 minutes is more than likely a brute force attack in progress and would trigger a high priority alert. Security analysts can then investigate the alert further. 

The Role of a SIEM In a SOC

Millions, and sometimes billions, of daily events logged by a SIEM system are directed to a SOC daily.

SIEM solutions support SOC analysts by giving them the functionality to observe and analyse consolidated insights from an array of sources through centralised dashboards. Doing so manually would be almost impossible.

The purpose of a SIEM is to help SOCs improve incident response capabilities by identifying and addressing suspicious activity quickly. Suspect event data flagged by a SIEM may include:

  • A team member escalating their privileges to access confidential data.

  • Employees trying to visit blocked websites that may contain malware.

  • A user opening a torrent.

  • A device connecting to a potentially malicious website 100 times per hour.

  • The same IP address logging in from New York and then logging in five minutes later from London.

  • An increase in user account lockouts which could mean that a brute force attack is in progress

  • A system event log change potentially indicating an intruder within a system trying to hide their tracks.

SIEM Use Cases and Benefits

As a centralised method of log management and analysis, SIEM technology allows organisations to streamline their security workflows. Here are the main benefits of SIEM tools:

Faster threat detection and response

A SIEM solution gives IT teams better visibility into their entire IT suite. With SIEM, security teams can gather and correlate events from multiple data sources into one platform and receive real-time updates. This can improve an organisation's mean time to detect (MTTD) and mean time to respond (MTTR) and reduce the damage from cyber threats.

Forensic investigation

SIEMs store historical log data. This capability allows security staff to figure out how and when a security incident occurred and what data and systems were compromised as well as what security protocols were breached and by whom.

Simplified compliance reporting

SIEMs can display security data in human-readable, audit-ready formats required by particular compliance standards like:

  • Health Insurance and Portability and Accountability Act (HIPAA)

  • General Data Protection Regulation (GDPR)

  • Sarbanes-Oxley Act (SOX)

  • Health Information Technology for Economic and Clinical Health Act (HITECH)

  • Payment Card Industry Data Security Standard (PCI DSS).

This can make meeting compliance requirements easier while at the same time allowing organisations to cut down on compliance costs.

SIEM Limitations

Despite their popularity, SIEMs are not perfect security tools. Here are just some of the SIEM limitations organisations need to consider before buying a SIEM solution. 

Hidden data ingestion costs

SIEMs are only as good as the data they’re fed. Unfortunately, when planning for SIEM deployment and operation, many organisations underestimate the costs associated with ingesting and storing data. 
Although device-based pricing is growing in popularity, most SIEM vendors still charge companies based on data ingested. This metric is generally measured in terms of data indexed, events per second, or average data volume processed. 

Most SIEM vendors still charge based on data ingested and stored — costs that can skyrocket as a company grows.

As organisations grow, so does their data, which means that data ingestion and storage costs rise as well — something that can result in tradeoffs between visibility and cost. 

Lacks context

SIEMs are not smart systems. They correlate logs, but they don't necessarily tell analysts why they were correlated, let alone provide them with an “attack story.” 

SIEMs typically look at threats in isolation, generating alerts for each use case.

Without actionable intelligence, SIEMs leave it up to security analysts to figure out what actually happened to trigger a particular alert. Yet 55% of IT security and SOC decision-makers say they’re not certain in their abilities to prioritise and respond to alerts.

One solution is to add threat feeds into systems, but these can create even more noise for security teams.

Time-consuming to configure

One of the most frustrating aspects of SIEM systems is the time it takes to go from initial deployment to utilisation.

To be effective, SIEM technology requires extensive configuration and integration. This process means integrating a diverse range of systems and technologies both with a particular SIEM platform and with an organisation's operational environment. 

Therefore, anyone responsible for the configuration and integration of SIEM needs not only to be an expert in security but also to be familiar with the systems involved. To properly configure rules for normal and abnormal behaviour, it's vital to know what this behaviour looks like and set accurate real-world benchmarks. Even then, integration can be a time-consuming project. 

SIEM deployment typically takes more than 6 months but can take up to a year.

On average, it takes over six months to deploy and implement a SIEM solution. Some of the challenges that prevent faster SIEM deployment include:

  • Lack of staff expertise

  • Solution complexity

  • Insufficient budgets

  • Difficulty adding new data feeds/logs

  • Inability to integrate into existing systems

While it is possible to buy a pre-configured SIEM, they cost extra and tend to be even noisier. More importantly, pre-configured SIEMs are not tailored to an organisation’s unique needs.

Resource intensive

Even after the initial deployment period ends, SIEMs are not a “set-it-and-forget-it” type of tool. They are resource-intensive and need ongoing support from skilled security professionals. 

SIEM solutions require teams to continuously perform maintenance tasks such as deploying agents, parsing logs, and performing upgrades. 

Even during routine operations, SIEM solutions can grind to a halt and cause major maintenance headaches for security teams. For example, when a SIEM stops receiving log data correctly, someone needs to figure out why and fix the problem — regardless of whatever else is happening. 

SIEMs require experienced staff to manage and maintain them.

To remain effective, SIEM solutions must be constantly updated. Fundamental SIEM features like log/event collection and alerting processes need to be continuously fine-tuned in response to changing security threats and network environments. 

For this reason, most organisations with a SIEM in place need to have trained staff managing the solution 24x7x365 around the clock. Unfortunately, the global cybersecurity skills shortage means hiring the additional staff required to maximise a SIEM’s value is difficult. 

Inadequate threat coverage and detection 

SIEM solutions depend on pre-defined rules and patterns to alert security teams of threats, i.e., threat signatures. When threats display predictable behaviour, this detection method works fine. However, when a novel attack method emerges or attacks are human-operated, SIEM solutions are typically left in the dark.

A typical SIEM solution does not cover 84% of MITRE ATT&CK threats.

Unfortunately, even against known threats, SIEM solutions frequently fail:

  • Over one-quarter of SIEM rules are broken or not functioning correctly.

  • SIEMs are unprepared for 84% of attacks outlined in the MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques. 

Noisy

Because SIEM technology relies on spotting boolean rule infractions among millions of event logs, real-world behaviour is meaningless to a SIEM solution. Behaviour either fits within a pre-defined set of bounds or doesn't. For security teams tasked with operating a SIEM system, this paradox creates endless false positive security alerts, most of which come from a handful of rules. 

95% of SIEM alerts are generated by 15% of rules.

Sifting through this mass of alerts and figuring out what is or is not a threat is immensely time-consuming. 

For security teams, who are already overstretched, lots of false positives can lead to delayed or missed responses to actual security incidents. To cope with too many alerts, some analysts have even admitted to down tuning particular alerting features or thresholds and/or ignoring certain categories of alerts altogether.

Even for organisations that outsource their SIEM systems, alert fatigue can still impact security. Managed security service providers (MSSPs) say that more than 1 in 2 alerts they see are false positives. Worryingly, 44% of analysts at MSSPs say they ignore alerts when the queue is full, which could have severe consequences for their clients. 

Are Next-Gen SIEMs the Answer?

Many SIEMs now incorporate Security Orchestration, Automation, and Response (SOAR). These are known as next-gen SIEMs and are supposed to solve the shortcomings of traditional SIEM tools. 

However, the reality is that while SOARs are an integral part of many next-gen SIEMs, they lack available APIs, suffer from data unification issues, and can have a workflow that is detached from the detection activity. Even with next-gen SIEMs, security professionals must still use playbooks, set custom alert levels, and decide on response measures.

Most importantly, next-gen SIEMs still rely on siloed security products, which require configuring and tuning and can result in false alerts.

A Better Alternative: SenseOn Security Automation 

SIEMs can be a useful security tool, but, as mentioned above, using them effectively can be a significant challenge. Especially for smaller to medium-sized organisations, the ever-increasing complexity and cost to maintain a SIEM may make this particular solution more hassle than it's worth.

Easier to use, better value, and designed to reduce management overhead, the SenseOn platform and Reflex, our security automation product, can monitor and protect an organisation's entire IT suite while reducing staff stress.

Unlike combining SOAR with SIEM, Senseon is a complete detection and response solution. This makes it far easier to install and operate as well as much more cost-effective for growing organisations.

64% of SOC analysts spend more than half of their time on manual tasks.

Processing a much deeper level of telemetry than a traditional SOAR system, SenseOn uses AI triangulation to compare suspicious events to both normal network behaviour and any other possibly malicious events it can find. When a genuine threat appears, this rich body of information is combined to create threat “Cases.”

Each case is broken down visually, displaying the relationship between impacted devices. Cases are also mapped to the MITRE ATT&CK framework, helping security professionals follow the best practices in case of an attack. 

SenseOn can also automatically take action when it comes across a security event, whether that’s escalating and prioritising an alert for analysts’ attention or containing a ransomware attack in progress. 

SIEM vs. SenseOn

Deployment

  • SIEM deployment is time-consuming and complex. 

  • SenseOn’s security architecture deploys through a single piece of software, extremely rapidly (usually within 15-30 minutes).

Tools

  • SIEMs can integrate with various different security tools like EDR, NDR, antivirus, and more. 

  • SenseOn consolidates the most valuable aspects of security tools such as EDR, NDR, IDS/IPS, UEBA, SIEM, and SOAR into a single cohesive platform, giving you unmatched visibility into your estate.

Cost

  • SIEMs software alone will set you back hundreds of thousands of pounds.

  • SenseOn costs a fraction of what a SIEM costs. SenseOn is also building new detection and response capabilities that are offered to customers for free.

Detection and event correlation. 

  • Most SIEMs rely on correlation rules as the primary method of detection. However, these rules need to be customised and updated frequently, with many SOCs lacking the staff required to carry out these changes reliably. Correlation rules are also unable to keep up with the number of new malware and unknown threats that emerge daily. 

  • SenseOn uses “Detections-in-Depth,” a  constantly updated blend of detection methods, including:

    • Rules and signatures

    • User and entity behavioural analysts,

    • Supervised and unsupervised machine learning

    • Detection and deception techniques to find threats.

Alerts

  • SIEMs will issue an alert anytime they encounter behaviour that deviates from what is deemed “normal.” 

  • SenseOn uses machine learning AI to investigate alerts as a human analyst would, only surfacing alerts that are genuine threats.

Alert prioritisation

  • SIEMs perform low-fidelity rules-based alert prioritisation.

  • SenseOn prioritises Cases based on their severity. Severity ratings may go up or down depending on the available information.

False positives

  • SIEM systems inundate security teams with hundreds, if not thousands, of false positives a week.

  • SenseOn only flags alerts that are genuine threats and has established feedback loops to learn and improve detections over time.

Remediation

  • Traditional SIEMs don’t have the capability to contain or remediate attacks on their own.

  • SenseOn’s automated remediation service can automatically stop critical attacks in progress. For example, in the event of a ransomware attack, SenseOn can isolate the infected device to prevent ransomware from spreading further across the network, thus mitigating the amount of damage the threat can cause. 

Laura Martisiute
Previous

What Your SOC's SIEM Needs To Do Next
Next

What Is Ransomware?