The term SIEM was first used in 2005 by Mark Nicolett and Amrit Williams. They proposed SIEM as a concept that combines security information management (SIM) with security event management (SEM).

How SIEM works

A typical SIEM collects and aggregates security data from the networking devices, servers, workstations and domain controllers present in the environment. The collected data is stored, aggregated and normalized into a common schema, and analytics are then applied to that normalized data to detect threats, raise alerts and let the organization respond to each alert appropriately. SIEM is therefore a central part of the data security ecosystem, since it is where abnormal behavior and suspicious traffic flowing into and out of the network are detected. On the flip side, SIEM tools can be resource-intensive and expensive to implement, and the problems a SIEM reports are often difficult to remediate.
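As an added illustration of the collect, normalize and analyze pipeline described above (example code written for this page, not taken from any SIEM product), the following Python maps two constructed log formats, a syslog-style sshd line and a Windows logon event as JSON, into one schema and runs a single correlation rule over the result. All hosts, users and addresses are made up.

```python
import json
import re
from collections import defaultdict

# Constructed sample events in two source formats: syslog-style sshd lines from a
# Linux host and JSON logon records from a Windows domain controller (not real logs).
RAW_EVENTS = [
    "Mar 10 09:01:02 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar 10 09:01:05 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Mar 10 09:01:09 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar 10 09:01:15 web01 sshd[2203]: Accepted password for root from 203.0.113.7 port 51030 ssh2",
    '{"host": "dc01", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "198.51.100.9"}',
    '{"host": "dc01", "EventID": 4624, "TargetUserName": "alice", "IpAddress": "198.51.100.9"}',
]
SSHD_RE = re.compile(r"^\S+ \d+ \S+ (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def normalize(raw):
    """Map one raw event onto the common schema {host, user, src_ip, outcome}."""
    if raw.startswith("{"):                      # JSON record: Windows logon events
        rec = json.loads(raw)
        outcome = {4624: "success", 4625: "failure"}.get(rec.get("EventID"))
        if outcome is None:
            return None                          # not a logon event; drop it
        return {"host": rec["host"], "user": rec["TargetUserName"],
                "src_ip": rec["IpAddress"], "outcome": outcome}
    m = SSHD_RE.match(raw)                       # syslog-style sshd line
    if not m:
        return None                              # unknown format; drop it
    host, verdict, user, src_ip = m.groups()
    return {"host": host, "user": user, "src_ip": src_ip,
            "outcome": "success" if verdict == "Accepted" else "failure"}

def detect_brute_force(raw_events, threshold=3):
    """Correlation rule: a success preceded by >= threshold failures for the same src_ip/user."""
    failures = defaultdict(int)
    alerts = []
    for raw in raw_events:
        ev = normalize(raw)
        if ev is None:
            continue
        key = (ev["src_ip"], ev["user"])
        if ev["outcome"] == "failure":
            failures[key] += 1
        elif failures[key] >= threshold:         # success after repeated failures
            alerts.append({"rule": "brute_force_success", "host": ev["host"],
                           "src_ip": ev["src_ip"], "user": ev["user"],
                           "failures_before_success": failures[key]})
    return alerts
```

With the sample above only the web01 sequence fires the rule; the single failure on dc01 stays below the threshold, which is the normalization step that lets one rule cover both source formats.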

SIEM use

Following are the main capabilities found in a SIEM:

Threat detection
Investigation
Time to respond

Beyond these core capabilities, a SIEM typically also provides:

Basic security monitoring
Advanced threat detection
Log collection
Forensics and incident response
Incident detection
Notifications and alerts
Threat response workflow

Top SIEM vendors

Following are the top SIEM products available in the market and widely used at the corporate level:

Splunk
IBM QRadar
LogRhythm
SolarWinds Security Event Manager
AlienVault
ArcSight
Datadog
McAfee ESM
Securonix
RSA NetWitness

9 SIEM best practices

Following are the best practices for SIEM implementation:

Requirement: define monitoring and reporting requirements before deployment.
Implementation: determine and define the system's scope, infrastructure audit targets and logging verbosity.
Access control: monitor and log access to critical resources and check whether each access is legitimate.
Perimeter defenses: monitor, log and respond to threats, violations, activity and attacks on perimeter defenses.
Resource integrity: monitor, log and respond to threats, violations, vulnerabilities and attacks against the integrity and availability of network and system resources, including backup processes.
Intrusion detection: monitor, log and respond to incidents related to intrusion detection and system threats.
Malware defense: monitor, log and respond to threats, violations and activity on malware controls.
Application defenses: monitor, log and respond to threats, violations and activity affecting web, database and other applications.
Acceptable use: monitor and report on status, issues and violations regarding the acceptable use of resources and information.

Next-generation SIEM

Next-generation SIEMs incorporate automated incident response technology and are considerably more advanced and refined than earlier generations. They integrate with IT and other security tools and hardware and provide full security orchestration, automation and response (SOAR) capabilities. Examples include:

Authentication and access management: automatically disable user accounts and reset passwords in Active Directory
Cloud infrastructure: disable accounts and stop or destroy instances on AWS or Microsoft Azure
Email security: delete or quarantine emails, and send email via SMTP servers and Microsoft Exchange
Endpoint security: isolate devices from the network, and delete or list files and active processes on Linux, Windows and Mac
Firewalls: block or unblock IPs and domains on firewalls
Forensics: automatically run virus scans, scan files and quarantine suspected malware in sandboxes
Information technology service management (ITSM): create tickets, change ticket status, add comments to tickets, reassign tickets and close incidents in the ITSM system

Following are the top trends impacting the SIEM market:

The sophistication of cyberattacks and their exponential rise
Strict security compliance requirements and regulations imposed by governments
Cloud-based services adoption among SMEs
