Security information and event management (SIEM) software gives enterprise security professionals both insight into and a track record of the activities within their IT environment.
SIEM technology has been in existence for more than a decade, initially evolving from the log management discipline. It combined security event management (SEM) – which analyzes log and event data in real time to provide threat monitoring, event correlation and incident response – with security information management (SIM), which collects, analyzes and reports.
How SIEM works…
SIEM software collects and aggregates log data generated throughout the organization’s technology infrastructure, from host systems and applications to network and security devices such as firewalls and antivirus filters.
The software then identifies, categorizes and analyzes incidents and events. It delivers on two main objectives, which are to:
- provide reports on security-related incidents and events, such as successful and failed logins, malware activity and other possible malicious activities, and
- send alerts if analysis shows that an activity runs against predetermined rulesets and thus indicates a potential security issue.
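The two objectives above, as an added example that is not taken from any SIEM product: events from several sources are aggregated, summarized into a per-user login report, and checked against one predetermined rule (repeated failed logins, then a success). The event fields, threshold and window are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, already normalized from different sources:
# (timestamp, source, user, action)
EVENTS = [
    ("2024-05-01T09:00:01", "host-a", "alice", "login_failed"),
    ("2024-05-01T09:02:00", "host-b", "bob", "login_failed"),
    ("2024-05-01T09:00:20", "vpn-gw", "alice", "login_failed"),
    ("2024-05-01T09:00:41", "host-a", "alice", "login_failed"),
    ("2024-05-01T09:01:05", "host-a", "alice", "login_ok"),
    ("2024-05-01T09:30:00", "host-b", "bob", "login_failed"),
    ("2024-05-01T09:30:10", "host-b", "bob", "login_ok"),
]

WINDOW = timedelta(minutes=5)  # assumed correlation window
THRESHOLD = 3                  # assumed failed-login count that trips the rule


def run(events, threshold=THRESHOLD, window=WINDOW):
    """Return (report, alerts): per-user action counts and rule matches."""
    report = defaultdict(Counter)
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    # ISO 8601 timestamps sort chronologically, merging all sources in order.
    for ts, source, user, action in sorted(events):
        t = datetime.fromisoformat(ts)
        report[user][action] += 1
        fails = recent[user]
        # Drop failures that have aged out of the correlation window.
        while fails and t - fails[0] > window:
            fails.popleft()
        if action == "login_failed":
            fails.append(t)
            if len(fails) == threshold:
                alerts.append((ts, user, source, "repeated_failed_logins"))
        elif action == "login_ok" and len(fails) >= threshold:
            alerts.append((ts, user, source, "success_after_failures"))
            fails.clear()
    return dict(report), alerts


if __name__ == "__main__":
    report, alerts = run(EVENTS)
    for user, counts in report.items():
        print(user, dict(counts))
    for alert in alerts:
        print("ALERT", alert)
```

Alice's failures come from two different sources, so the rule only fires because the events were aggregated first; Bob's two failures are 28 minutes apart and never reach the threshold within the window.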
Analytics and intelligence
One of the main drivers behind the use of SIEM software for security operations rests with the newer capabilities contained within many of the products on the market.
Many SIEM technologies bring in threat intelligence feeds in addition to traditional log data, and multiple SIEM products have security analytics capabilities that look at network behaviour as well as user behaviour to give more intelligence about whether an activity is malicious.
Indeed, technology research firm Gartner in its May 2017 report on the worldwide SIEM market calls out the intelligence in SIEM tools, saying “innovation in the SIEM market is moving at an exciting pace to create a better threat detection tool.”
The Gartner report further notes that vendors are introducing machine learning, advanced statistical analysis and other analytic methods to their products, while some also are experimenting with artificial intelligence and deep learning capabilities.
According to Gartner, vendors market such advances as capabilities that can provide more accurate detection rates at a faster pace. However, Gartner points out that enterprises aren’t yet clear on whether, or by how much, these capabilities yield new returns to the organization.
With AI and machine learning we can do inference and pattern-based monitoring and alerting, but the real opportunity is the predictive restoration. This is the transition in the market now. “It’s going from a monitoring tool to [the software providing] remediation suggestions,” Stroud says, adding that he expects SIEM software to even be able to automate remediation in the future.
SIEM tools and vendor selection
The SIEM market has several dominant vendors based on worldwide sales. Those in the Arrow ECS Belux catalogue are IBM, RSA and Splunk.
Companies need to evaluate products based on their own objectives to determine which would best meet their needs. Organizations that want this technology primarily for compliance will value certain capabilities, such as reporting, more highly than organizations that want to leverage SIEM to set up a security operations center.
Organizations that have petabytes of data will find some vendors better able to meet their needs, while those who have less data might opt for other options. Similarly, companies that want outstanding threat hunting will likely look for top data visualization tools and search capabilities that others may not need to have.
Security leaders need to take into account numerous other factors – such as whether they can support a particular tool, how much data they’ll have within the system, and how much they want to spend – when evaluating SIEM vendors.
Maximizing SIEM’s value
Still, most companies continue to use SIEM software primarily for tracking and investigating what’s happened. This use case is driven by the escalating threat of breaches and the increasingly severe fallout that leaders and organizations will face in such events.
At the same time, though, many companies are now moving beyond that and are increasingly using the technology for detection and near real-time response.
The game now is: how fast can you detect? Evolving machine learning capabilities are helping SIEM systems to more accurately identify unusual and potentially malicious activity.