Security Information And Event Management (SIEM)

The term SIEM was introduced in 2005. A SIEM analyzes security alerts in real time. Fundamentally, a SIEM does three things: it collects, normalizes, and stores log data from across the organization in one secure place; it analyzes that data to surface security alerts; and it helps the organization meet compliance requirements.

Collection comes first. A SIEM collects, normalizes, and stores log events and alerts from the organization's network and security devices, servers, databases, applications, and endpoints in a secure, central location. It collects from physical and virtual devices alike, both on premises and in the cloud. Investigators had found that logging in to every system to check for relevant log events was becoming impractical. Just as important, if logs were not protected, there was no guarantee that an attacker had not simply deleted the entries that recorded their activity. Forwarding each event to a central store that the compromised host cannot alter is what preserves that evidence.
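The two collection properties described above, normalizing heterogeneous sources into one schema and storing the result where a compromised host cannot quietly delete its own entries, are shown below in an added example that is not part of the original page or of any vendor's SIEM. The three input lines (an sshd syslog line, a key=value firewall line, and a JSON application event) are constructed for the example, the target schema is an assumption, and the store uses a SHA-256 hash chain so that any edit or deletion of an earlier record is detected on verification.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample lines from three hypothetical sources (not real captures):
# an sshd syslog line, a key=value firewall line, and a JSON application event.
SSH_LINE = "Jan 12 03:14:07 bastion sshd[2211]: Failed password for root from 203.0.113.9 port 51122 ssh2"
FW_LINE = "date=2024-01-12 time=03:14:08 devname=edge-fw srcip=203.0.113.9 dstip=10.0.0.5 dstport=22 action=deny"
APP_LINE = '{"ts": "2024-01-12T03:14:09Z", "host": "web01", "user": "alice", "event": "login_failed", "src": "203.0.113.9"}'

SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def normalize(line: str, year: int = 2024) -> dict:
    """Map one raw line onto an assumed common schema: ts (UTC, ISO 8601), host, user, src_ip, action, source.

    Classic syslog timestamps carry no year, so the collector must supply one (assumed 2024 here).
    """
    line = line.strip()
    if line.startswith("{"):                       # JSON application event
        d = json.loads(line)
        return {"ts": d["ts"], "host": d["host"], "user": d.get("user"),
                "src_ip": d.get("src"), "action": d["event"], "source": "app"}
    m = SSH_RE.match(line)
    if m:                                          # sshd failed-login syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "host": m["host"], "user": m["user"],
                "src_ip": m["src"], "action": "login_failed", "source": "sshd"}
    if "=" in line:                                # key=value firewall line
        kv = dict(tok.split("=", 1) for tok in line.split())
        return {"ts": f"{kv['date']}T{kv['time']}Z", "host": kv["devname"], "user": None,
                "src_ip": kv["srcip"], "action": kv["action"], "source": "firewall"}
    raise ValueError(f"unrecognized log format: {line[:40]!r}")


class TamperEvidentStore:
    """Append-only store in which each record's hash covers the previous record's hash.

    Editing or deleting any record except the newest breaks verification from that point on.
    """
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []                          # list of (event, chain_hash)

    @staticmethod
    def _digest(prev_hash: str, event: dict) -> str:
        payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.records[-1][1] if self.records else self.GENESIS
        h = self._digest(prev, event)
        self.records.append((event, h))
        return h

    def verify(self) -> int:
        """Return the index of the first record that no longer chains, or -1 if the log is intact."""
        prev = self.GENESIS
        for i, (event, h) in enumerate(self.records):
            if self._digest(prev, event) != h:
                return i
            prev = h
        return -1


def ingest(lines) -> TamperEvidentStore:
    """Normalize each raw line and append it to the central store."""
    store = TamperEvidentStore()
    for line in lines:
        store.append(normalize(line))
    return store


if __name__ == "__main__":
    store = ingest([SSH_LINE, FW_LINE, APP_LINE])
    print("intact:", store.verify() == -1)
    del store.records[1]                           # an attacker removes the firewall deny
    print("first bad record after deletion:", store.verify())
```

One caveat a practitioner should keep in mind: a hash chain cannot detect removal of the newest record, only of anything before it, so the latest chain hash has to be anchored somewhere the collector cannot reach (for example, forwarded periodically to a separate system). The point of the example is that tamper evidence is a property of the central store, not of the source host.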

Compliance is the third function. Regulations commonly require organizations to retain and review their logs, and a SIEM's central store and reporting are what most organizations use to demonstrate that. Businesses, hospitals, and other organizations ignore compliance at their peril, and violators can incur punitive fines.

SIEM Development

As cyberattacks became more sophisticated and stealthy, demands for information about an attack (its characteristics, its purpose, and the extent of network penetration) grew more urgent. Another alarming fact was that security teams often did not discover breaches until many months after they had occurred, and then more often through a third party than through internal security. IT security needed a holistic picture of network activity, and the real-time data collected by the SIEM filled this need. In the second stage of development, SIEM vendors added threat detection capabilities: built-in threat intelligence, historical and real-time analytics, and User and Entity Behavior Analytics (UEBA). More recently, machine learning has become part of the SIEM tool set, and it is particularly useful when sifting through big data.

SIEM Difficulty To Set up

Another issue that hindered wider acceptance of SIEM was the effort required to set it up, integrate it, and use it. The technology was complex and difficult to tune, attacks were hard to identify, and it demanded a high level of skill from the user, who had to know what to look for. For all its capabilities, SIEM was not "set it and forget it" technology, and two other facts exacerbated this situation. One, IT security suffers from an insufficient number of qualified professionals. Two, the siloed approach used in typical network operations centers (NOCs) and security operations centers (SOCs) increases complexity and reduces network visibility. An environment composed of multivendor, single-point solutions with different operating systems, patch cycles, protocols, and logic worked against interoperability and simplification. The result was greater demand on sparse IT resources, an increased chance of human error, and reduced visibility into network security. So while SIEM made great strides in moving from an information platform to a threat intelligence center, it remained hamstrung by both external and internal limitations.

SIEM Modern AI Development

The systemic shortage of trained personnel was the impetus for more automation and machine learning in later SIEM products. Machine learning detects trends and patterns in enormous volumes of data faster than even the cleverest human can. Time and accuracy are also gained by configuring the SIEM to respond and remediate automatically, with the caveat that automated response acts on whatever the detection logic produces, so a poorly tuned baseline turns false positives into unwanted actions. Recent developments have also integrated the NOC and SOC, establishing the SIEM as the nerve center of both network and security operations, so that from a single pane of glass IT security gains visibility into the entire network. Deployment and integration are simplified by a self-learning, real-time asset discovery and device configuration engine. This engine builds an inventory of network devices, applications, users, and business services, then a topology showing how each object is interconnected, thereby establishing a baseline of normal network behavior. Once normal behavior is defined, machine learning can flag deviations from it and alert analysts to a cyberattack, which can then be stopped before it becomes a breach. Within a couple of decades, SIEM has evolved from an information platform, to a threat intelligence center, to a fully integrated and automated center for security and network operations.
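The baselining described in the paragraph above, and the behavior analytics (UEBA) mentioned in the development section, both come down to learning what is normal for each identity and alerting on departures from it. The following is an added example that is not from the original page or from any SIEM vendor: it learns per-user login volume and the user-to-host and user-to-source relationships from seven days of constructed, already-normalized events, then scores one new day against that baseline. The event tuple layout, the three-sigma threshold, and the one-login floor are assumptions chosen for the example; a product's inventory and topology engine would learn far more attributes, but the mechanism is the same.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed normalized login events, one tuple per event: (day, user, host, src_ip).
# Seven days of baseline traffic for three identities; not real data.
BASELINE = []
for day in range(1, 8):
    BASELINE += [(day, "alice", "web01", "10.0.1.10")] * (3 + day % 2)   # 3 or 4 logins a day
    BASELINE += [(day, "bob", "db01", "10.0.1.11")] * 2
    BASELINE += [(day, "svc-backup", "db01", "10.0.2.5")] * 1

# Day 8 (constructed): bob is normal; alice logs in 20 times from an unfamiliar
# address and then reaches db01, a host she has never touched.
TODAY = ([(8, "bob", "db01", "10.0.1.11")] * 2
         + [(8, "alice", "web01", "198.51.100.7")] * 20
         + [(8, "alice", "db01", "198.51.100.7")])


def build_baseline(events) -> dict:
    """Learn per-user daily login statistics and the user->host and user->source relationships seen."""
    days = sorted({d for d, _, _, _ in events})
    per_user_day = Counter((u, d) for d, u, _, _ in events)
    stats = {}
    for user in sorted({u for _, u, _, _ in events}):
        counts = [per_user_day.get((user, d), 0) for d in days]   # zero for days with no logins
        stats[user] = (mean(counts), pstdev(counts))
    return {
        "stats": stats,
        "pairs": {(u, h) for _, u, h, _ in events},
        "sources": {(u, s) for _, u, _, s in events},
    }


def detect(baseline: dict, events, k: float = 3.0) -> list:
    """Compare one day of events against the baseline and return a list of alerts."""
    alerts = []
    # 1. Volume anomaly: a user's login count is more than k standard deviations above their mean.
    for user, n in Counter(u for _, u, _, _ in events).items():
        mu, sigma = baseline["stats"].get(user, (0.0, 0.0))   # unknown users get an empty baseline
        threshold = mu + max(k * sigma, 1.0)   # floor of +1 so zero-variance users don't alert on one extra login
        if n > threshold:
            alerts.append({"type": "rate_spike", "user": user, "count": n, "threshold": round(threshold, 2)})
    # 2. Relationship anomalies: a user reaching a host, or arriving from a source, never seen in the baseline.
    emitted = set()
    for _, user, host, src in events:
        if (user, host) not in baseline["pairs"] and ("new_host", user, host) not in emitted:
            emitted.add(("new_host", user, host))
            alerts.append({"type": "new_host", "user": user, "host": host})
        if (user, src) not in baseline["sources"] and ("new_source", user, src) not in emitted:
            emitted.add(("new_source", user, src))
            alerts.append({"type": "new_source", "user": user, "src_ip": src})
    return alerts


if __name__ == "__main__":
    model = build_baseline(BASELINE)
    for alert in detect(model, TODAY):
        print(alert)
```

Running the script on the constructed day 8 yields three alerts, all for alice: a rate spike (21 logins against a threshold just above 5), a new source address, and a new host. Replaying a baseline day through the same detector yields nothing, which is the check worth keeping when tuning: a baseline that alerts on its own training data is the "difficult to tune" problem from the earlier section, and it gets worse, not better, once automated response is wired to it.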
