What is a SIEM?
SIEM, when expanded, becomes Security Information Event Management. As its name suggests, the primary function of a SIEM is Event management.
The SIEM solution, once implemented completely & effectively, will have complete visibility over an organization’s network.
This helps administrators and SIEM operators to monitor network activity in their infrastructure.
But interestingly, one can categorize various assets(network devices & services) so that the monitoring ability of the SIEM can be tweaked to a large extent.
The SIEM tool can generate alerts & incidents based on specific co-relation rules. For e.g.: If a Port Scan is initiated against a system, the SIEM generates a Port Scan Alert with all details like Source & Destination, port numbers, etc.
This helps the organization to find incidents or hacking attempts in near-Real Time.
How the SIEM works?
You may have noticed the word “Co-Relation” in the previous paragraph. Yes, the one-stop answer is a co-relation for the question of how the SIEM works. But not that alone, of course.
A SIEM tool collects logs from devices in the Organization’s infrastructure. Some solutions also collect NetFlow and even raw packets.
With the collected data(mainly logs and packets), the tool provides insight into the happenings of the network. It provides data on each event occurring in the network and thus acts as a complete centralized security monitoring system.
In addition to this, the SIEM tool can be configured to detect a specific incident. For example, a user tries to log in to an AD server. The authentication failed for the first 3 times, and for the 4th time, it succeeded.
Now, this is an incident to look upon. There are many possibilities.
Maybe a person is trying to guess the password of another user and get it right, which is a breach. Or maybe if the user forgot his password but got it right at the end. This is where co-relation comes in.
For such a case, a co-relation rule can be made so that, If an authentication failure event happens 3 times consecutively, followed by success in a specific period, an alert pops up.
This can be further investigated by analyzing the logs from respective machines. So my definition of co-relation is: “ It is the rule which aggregates events into an incident which is defined by a specific application or scenario.”
How do logs reach the SIEM?
Logs are fetched to the SIEM in two different ways. Agent-based & Non-Agent based. In the agent-based approach, a log-pushing agent is installed on the client machine from which the logs are collected.
Then this agent is configured to forward logs into the solution. In the latter type, the client system sends logs on its own using a service like Syslog or Windows Event Collector service.
There are also specific applications & devices which can be integrated through a series of vendor-specific procedures.
How exactly would the SIEM raise an alert?
Well, now you know that the logs from different devices are being forwarded into the SIEM. Take an example: A port scan is initiated against a specific machine. In such a case, the machine would generate a lot of unusual logs.
Analyzing the logs, it will be apparent that several connection failures are occurring at different ports at regular intervals.
Seeing packet information, if possible, we can detect the SYN requests being sent from the same IP to the same IP but to different ports in regular intervals. That concludes that somebody initiated an SYN scan against our asset.
The SIEM automates this process and raises alerts. Different solutions do this in different ways but produce the same results.
The Business Impact of SIEM Solution
This is one of the topics for which long-standing discussions were conducted & still now a complete & transparent solution has not yet arrived.
The question is, “Why spend a huge amount of money on something which returns nothing ?” Well, what do you think about it? Does the SIEM solution give you something? Well yes! Nowadays, SIEM solutions are evolving to protect an IT-Infrastructure and identify the business risks arising from the IT-Infrastructure.
Even a separate strategy is known as GRC, the IT-Governance Risk & Compliance.
This integrates & relates technological aspects of IT security (like DOS attacks) using SIEM solutions with the business aspect(the asset being attacked & approximate loss, reporting to the asset manager).
Such strategies bring different departments & professionals(like SOC Operators/Managers, CISOs, Financial Consultants, CXOs etc) under one dashboard.
This is done by integrating different solutions. E.g.: The Alerts & incidents from SIEM are forwarded BPM(Business Process Management) solution by the CISO, identifying & co-relating the technical and business impacts.
Consider a simple scenario, let’s take the same DDOS attack against an e-banking website(webserver).
The solution first identifies the attack, and the Operators/Analysts report it to their manager/CISOs. The managers & CISOs dig for more technical info on the nature of the attack(specs like Source country, no of sessions, etc).
Based on this, they identify how much loss would be if the web server were down for a specific time(say 30mins).
Now they report the technical details, suggestions, and steps to initiate to the firewall/IDS-IPS & webserver teams. Then they report to the Senior Management & Financial Managers about the loss they would suffer if action is not taken.
If management is satisfied, they make a decision & approve the Firewall/IDS-IPS & webserver teams to take action.
They would take action, and the web server would have downtime for 5 minutes only. So the webserver resources are saved, but ultimately money is also saved & customer satisfaction is sustained.
To learn more about DDoS attacks, check out 101domain’s helpful article on Best Practices For Protecting Against DDoS Attacks.
So the point here is nowadays, SIEM solutions can adapt according to your preference. This whole process described can be automated by integrating different solutions.
The above scenario is simple, but the approach is the same in all situations. Money matters, but sadly nobody still recognizes the financial impact of IT-Security.
SIEM & Compliance
Besides alerting and incident response, SIEM helps an organization in Compliance & Regulatory matters too. For all major compliance like ISO 27001, HIPAA, PCI, log retention is an essential criterion.
For example, in ISO27001, there is a control for Logging & Monitoring(A – 12.4), which suggests that all Event Logs, user activities, and security events should be logged and archived with a proper time-stamp.
The logs should also be protected from unauthorized access, tampering, etc. There is a list of controls to be in place to be properly compliant. Here SIEM can help. As said earlier, the Siem tool collects logs from different devices and keeps them in its reserves.
So it can act as a centralized log-collecting server. Plus, the tool keeps all the logs with proper time stamps and archives them in bulk storage without losing integrity. So this helps with the controls in various standards.
Conclusion
To wrap up, there are a whole lot of benefits to implementing a SIEM solution in an Enterprise. But sadly, many organizations consider the SIEM a waste of money.
But, it is because they do not realize the fact that SIEM can protect not only your network & assets but also your business.
Plus, nowadays, you can integrate almost anything into the SIEM tool like servers, custom applications, network devices, end-user devices, smartphones, management & collaboration solutions, etc.
This gives the concerned personnel a clear view of the insights of their organization.
They can have an overview of their system and keep on changing it for better results. Even some sites have malware analysis capabilities and vulnerability assessment functionalities, making it a centralized security server providing multiple functions simultaneously.
Please consider following and supporting us to stay updated with the latest information.