Security Information and Event Management (SIEM)
Yatin Vijay Jog
LA - 42001, 27001, 27701, 27017, 27018, 22301, 20000-1, 31000 | Automotive & OT - TISAX (AL-2, AL-3), 21434, 62443, 26262, IATF 16949 | CEH | CHFS | TOGAF | eTOM (L2)
What every organization needs is timely and accurate security events notifying the right people as soon as possible, but with millions of events coming in every day, that can be challenging. A Security Information and Event Management (SIEM) system collects relevant data about the enterprise's security from multiple sources and is able to analyse all of that data to produce intelligent and actionable output.
The basic function of any SIEM is to centralize all the security notifications from the various security technologies: firewalls, IDS and IPS, antivirus consoles, wireless access points, Active Directory (AD) servers, and so on. All of these generate security alerts every day. With a SIEM, one can collect them in one place, with one set of reports and one centralized system for generating notifications. This is usually referred to as a log aggregation solution.
The second main function of a SIEM is to provide the logging and reporting that almost every compliance regulation requires. There are requirements to log user access, track system changes and monitor adherence to corporate policies. A good system makes these tasks much easier by collecting this data from all the systems; at the time of an audit, one can simply generate the appropriate compliance reports and send them to the appropriate people.
The third and probably most important function of a SIEM is automated cross-correlation and analysis of all the raw event logs from across the entire network. This is where the SIEM looks for hidden cyber security issues that would otherwise go unnoticed, by combining data from several different sources. In order to perform this correlation and analysis, getting the security logs to the SIEM is certainly important, but security logs by themselves just aren't enough. Let's say the SIEM receives an alert from the IDS stating that it has detected a SQL injection attack against one of the servers. This is the type of alert that gets one woken up in the middle of the night, which makes sense assuming the network actually has a SQL server; otherwise you're just getting woken up for nothing.
Many SIEM offerings don't take into account what type of servers are running, which leads to a lot of false positives, and the false positives make the SIEM effectively useless. A complete SIEM solution understands the type of each server, the type of applications it's running and what configuration it has. This intelligent context helps prevent false positives. A true SIEM solution also gathers the full configuration of running applications and other information from every device to add critical context to the events and notifications. This allows the SIEM to notice changes to critical devices such as routers and firewalls, generating notifications when unauthorized changes occur.
A SIEM is not just a log aggregation tool. It is very easy to just collect and store log files, but that alone gives no visibility into the security posture and does not help mitigate any threats. Many so-called SIEM providers out there are just glorified log aggregators. One may think that an IDS/IPS does the same thing, but an IDS is a single data feed that by itself contains false positives and erroneous information. A SIEM takes that information and cross-correlates it with data from other systems, other threat feeds and configuration information to determine whether it really is a threat. Machine learning systems can be valuable, but they do not replace the need for a SIEM: they are still a single device with a single view of the system and network. The value of a SIEM is in the cross-correlation of data from all devices, including machine learning devices.
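The context-aware correlation described above, as an added example that is not part of the original article or any vendor's product: an IDS alert is checked against a constructed asset inventory (so a SQL injection alert against a host with no SQL server is suppressed), raised in priority when the source address is in a constructed threat feed, and a configuration change on a critical device is escalated unless it is covered by an approved change ticket. The inventory schema, host names, addresses and ticket id are all assumptions.

```python
from dataclasses import dataclass

# Constructed asset inventory (assumed schema, not any vendor's): what each host runs.
ASSETS = {
    "web-01": {"apps": {"nginx", "mysql"}},   # dynamic site backed by a database
    "web-02": {"apps": {"nginx"}},            # static site, no SQL server at all
    "fw-edge": {"apps": set()},               # perimeter firewall, a critical device
}

# Alert signatures that only matter when the target actually runs a matching application.
SIGNATURE_REQUIRES = {
    "sql_injection": {"mysql", "mssql", "postgres"},
    "iis_exploit": {"iis"},
}

# Constructed threat feed and change-ticket data used for cross-correlation.
THREAT_FEED_IPS = {"203.0.113.7"}                # TEST-NET-3 documentation address
APPROVED_CHANGES = {("fw-edge", "CHG-0042")}     # placeholder ticket id

@dataclass
class Finding:
    host: str
    verdict: str      # "suppress", "escalate" or "accept"
    priority: str     # "low", "medium" or "high"
    reason: str

def triage_alert(alert: dict) -> Finding:
    """Correlate one IDS alert with the asset inventory and the threat feed."""
    host, sig = alert["host"], alert["signature"]
    asset = ASSETS.get(host)
    if asset is None:
        # Unknown asset: never silently drop; an inventory gap is itself a finding.
        return Finding(host, "escalate", "medium", "unknown asset; inventory gap")
    needed = SIGNATURE_REQUIRES.get(sig, set())
    if needed and not (needed & asset["apps"]):
        # e.g. SQL injection against a host with no SQL server: the classic false positive.
        return Finding(host, "suppress", "low", f"{sig} but host runs none of {sorted(needed)}")
    priority = "high" if alert.get("src_ip") in THREAT_FEED_IPS else "medium"
    return Finding(host, "escalate", priority, f"{sig} matches host profile {sorted(asset['apps'])}")

def triage_config_change(event: dict) -> Finding:
    """Flag configuration changes on critical devices that have no approved change ticket."""
    ticket = event.get("ticket")
    if (event["host"], ticket) in APPROVED_CHANGES:
        return Finding(event["host"], "accept", "low", f"change covered by {ticket}")
    return Finding(event["host"], "escalate", "high", "unauthorized configuration change")
```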
There are many important reasons to have a SIEM.
- To eliminate blind spots, one needs to gather all the security and event information into a single location
- To detect suspicious behaviour without getting bogged down in a mire of false positives
- Accurate analysis and correlation allows one to detect problems before they become a breach
- Holistic visibility through a SIEM allows one to monitor and enforce corporate policies
- Regulatory requirements including PCI, HIPAA and FFIEC effectively require one to have a SIEM, so a SIEM is a needed tool for both best practice and regulatory compliance.
- It also acts as a useful detective control to identify the presence of an Advanced Persistent Threat (APT) in the corporate network.
To ensure that only pertinent information is passed to the centralized server, processing can be applied on the collection agents; that way the volume of information being communicated and stored is reduced. Though SIEM systems are quite expensive to deploy, the cost of deploying them is one-time only.
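Agent-side processing of the kind just described, as an added example that is not from the article or any SIEM product: events below a severity floor are dropped on the agent, and repeats of the same message from the same source inside a time window are collapsed into one event carrying a count, so the central server receives far fewer records. The severity scale, the window length and the sample events are all constructed.

```python
# Constructed agent policy: only forward events at or above this severity, and collapse
# repeats of the same (source, message) that arrive within the window into one event.
SEVERITY_FLOOR = 3
WINDOW_SECONDS = 60

def preprocess(events, floor=SEVERITY_FLOOR, window=WINDOW_SECONDS):
    """Filter and de-duplicate raw events on the collection agent before forwarding."""
    forwarded = []
    last_index = {}   # (source, message) -> position of the open aggregate in `forwarded`
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["severity"] < floor:
            continue                              # noise never leaves the agent
        key = (ev["source"], ev["message"])
        idx = last_index.get(key)
        if idx is not None and ev["ts"] - forwarded[idx]["last_ts"] <= window:
            forwarded[idx]["count"] += 1          # same event again inside the window
            forwarded[idx]["last_ts"] = ev["ts"]
            continue
        forwarded.append({**ev, "count": 1, "last_ts": ev["ts"]})
        last_index[key] = len(forwarded) - 1
    return forwarded

# Constructed sample: a burst of failed admin logins on the firewall, a low-severity
# heartbeat, and one more failure well outside the window (timestamps in seconds).
SAMPLE_EVENTS = [
    {"ts": 0,   "source": "fw-edge", "severity": 4, "message": "admin login failed"},
    {"ts": 10,  "source": "fw-edge", "severity": 4, "message": "admin login failed"},
    {"ts": 15,  "source": "fw-edge", "severity": 1, "message": "heartbeat"},
    {"ts": 20,  "source": "fw-edge", "severity": 4, "message": "admin login failed"},
    {"ts": 200, "source": "fw-edge", "severity": 4, "message": "admin login failed"},
]

def reduction_ratio(events=SAMPLE_EVENTS):
    """Fraction of raw events that never needed to be shipped to the central server."""
    return 1 - len(preprocess(events)) / len(events)
```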
What are false positives?
False positives occur when a scanner, Web Application Firewall (WAF) or Intrusion Prevention System (IPS) flags a security vulnerability that you do not have. A false negative is the opposite: it tells you that you don't have a vulnerability when in fact you do.
A false positive is like a false alarm; your house alarm goes off but there is no burglar. In web application security, a false positive is when a web application security scanner indicates that there is a vulnerability on your website, such as SQL Injection, when in reality there is not.
Here are some of the SIEM tools on the market for protecting your network:
- SolarWinds Security Event Manager
One of the most competitive SIEM tools in the market with a wide range of log management features. The real-time incident response makes it easy to actively manage your infrastructure and the detailed and intuitive dashboard makes this one of the easiest to use.
- ManageEngine EventLog Analyzer
A SIEM tool that manages, protects, and mines log files. This system can be installed on Windows, Windows Server, and Linux.
- Splunk Enterprise Security
This tool for Windows and Linux is a world leader because it combines network analysis with log management together with an excellent analysis tool.
- OSSEC
An open-source HIDS that is free to use and acts as a Security Information Management service.
- LogRhythm Security Intelligence Platform
Cutting-edge AI-based technology underpins this traffic and log analysis tool for Windows and Linux.
- AlienVault Unified Security Management (USM)
Great value SIEM that runs on Mac OS as well as Windows.
- RSA NetWitness
Extremely comprehensive and tailored towards large organizations but a bit too much for small and medium-sized enterprises. Runs on Windows.
- IBM QRadar
Market-leading SIEM tool that runs on Windows environments.
- HP ArcSight ESM Software
ArcSight is an enterprise security management system for event correlation, compliance monitoring and compliance reporting.
- McAfee Enterprise Security Manager
Popular SIEM tool that runs through your Active Directory records to confirm system security. Runs on Mac OS as well as Windows.