A safety, incident and occasion administration system collects, centralizes and analyzes knowledge from throughout the IT atmosphere to uncover cybersecurity and operational issues.
As with so many previously distinct and well-defined cybersecurity techniques, “SIEM” is now as typically a set of options as it’s a separate services or products. Within the present period of class drift and instrument convergence, an prolonged detection and response (XDR) platform would possibly embrace SIEM options, a SIEM providing would possibly embrace consumer and entity conduct analytics (UEBA) and so forth.
Whether or not in a standalone product or as a part of a broader providing, enterprises proceed to depend on SIEM performance. High SIEM use instances span cybersecurity and IT ops and embrace log administration, assault detection, occasion detection, occasion forensics and cybersecurity posture administration.
1. Log administration
That is job No. 1 for a SIEM. Along with serving because the vacation spot for logs from core safety techniques corresponding to firewalls and intrusion detection and safety techniques, SIEMs additionally mixture and normalize streams from extra far-flung knowledge sources, corresponding to endpoint detection and response and XDR techniques. A centralized repository for safety occasion log knowledge is helpful for monitoring, evaluation and compliance functions.
SIEMs collect operational logging knowledge — e.g. efficiency knowledge on a router’s interfaces — in addition to cybersecurity logs, so they’re helpful to the NOC and IT ops workers in addition to to the SOC.
2. Assault detection
Whereas SIEMs can do lots to detect assaults on their very own, they profit from integration with UEBA techniques. UEBAs are particularly constructed to use superior behavioral analytics to the sorts of real-time exercise knowledge {that a} SIEM gives.
Notice {that a} SIEM usually doesn’t coordinate the response to an assault. That duty historically falls to a safety orchestration, automation and response system, which may additionally combine with the SIEM.
3. Occasion detection
Not all occasions are assaults. Tools failures and efficiency issues can result in occasions that present up in logs, and a SIEM can alert IT ops workers and the community operations (NOC) crew when such points happen. For instance, when a router stops reporting regular site visitors from a department workplace, the SIEM would possibly alert the NOC to the issue.
4. Forensics and root trigger evaluation
SIEMs are repositories of giant volumes of knowledge related to assaults — whether or not profitable or averted — and supply search and filter options to assist investigators tease out related data and patterns. Equally, IT ops groups looking for root causes of issues in WANs, campus networks or knowledge facilities can profit from these capabilities.
5. Cybersecurity posture administration — i.e., breach prevention
SIEM presents a view not simply into efficiency and alert knowledge but in addition system configurations, making it helpful in monitoring for coverage deviations and supporting cybersecurity posture administration. SIEMs can see and report when operating configurations differ from documented ones, whether or not due to an insider assault or regular configuration drift from ad-hoc adjustments made in the midst of drawback fixing.
John Burke is CTO and a analysis analyst at Nemertes Analysis. Burke joined Nemertes in 2005 with practically 20 years of know-how expertise. He has labored in any respect ranges of IT, together with as an end-user assist specialist, programmer, system administrator, database specialist, community administrator, community architect and techniques architect.
