What is SIEM

JESTIN K SUNIL
4 min read · Apr 25, 2024


Security information and event management (SIEM) is an area of computer security in which software products and services combine security information management (SIM) and security event management (SEM). A SIEM is the core component of a typical Security Operations Center (SOC), the centralized team that responds to security issues within an organization.

SIEM products provide real-time analysis of security alerts generated by applications and network hardware. Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes. The term and the initialism SIEM were coined by Mark Nicolett and Amrit Williams of Gartner in 2005.

NIST SP 800-92, Guide to Computer Security Log Management, issued in September 2006, is a foundational document in the NIST Risk Management Framework. It outlines what should be auditable in computer security, although it does not cover all modern technologies, since it was written before SIEM solutions came into widespread use.

NIST SP 800-53 AU-2 Event Monitoring is a key security control that ensures logging functionality supports auditing across a system; it serves as a foundation for continuous monitoring and other cybersecurity efforts. This control is crucial for federal systems, with specific requirements tailored to the system's impact level for confidentiality, integrity, and availability (CIA).

The document specifies five requirements (AU-2 a-e), providing guidelines for organizations to:

a. Identify the types of events the system can log.
b. Coordinate logging with other entities needing audit-related information.
c. Specify event types for logging within the system.
d. Provide a rationale for the selected event types.
e. Review and update the event types chosen for logging.

Events that could be logged include credential changes, failed access attempts, and role-based account modifications. While logging every action is possible, it’s usually impractical due to the volume of logs. Organizations can use AU-2 as a basis while adhering to other controls requiring specific security auditing.

NIST SP 800-53 SI-4 System Monitoring complements AU-2 by specifying system monitoring requirements, including the detection of attacks, unauthorized connections, and unauthorized system use, among other aspects.

NIST SP 800-53 RA-10 Threat Hunting, introduced in Revision 5, focuses on proactive defense by actively seeking threats within organizational systems. This control emphasizes establishing and maintaining a capability to search for indicators of compromise and to disrupt threats that evade existing controls.

Together, these controls, along with others outlined by NIST, form a defense-in-depth posture. SIEM solutions often play a central role in gathering and analyzing security-related data, enabling cybersecurity teams to conduct risk assessments and continuous monitoring effectively.

Overall, these controls highlight the importance of event monitoring, alerting, and auditing in cybersecurity, especially when integrated with SIEM solutions.

A SIEM offers several key capabilities, and is built from a few core components, that are crucial for effective cybersecurity:

Capabilities:

1. Data Aggregation: SIEM systems collect data from various sources like networks, servers, databases, and applications. This aggregation prevents crucial events from being missed.

2. Correlation: SIEM tools look for common attributes and link events together, making sense of disparate data sources. This helps in understanding the broader context of security incidents.

3. Alerting: Automated analysis of correlated events triggers alerts, notifying security teams of potential threats or anomalies.

4. Dashboards: SIEM platforms visualize event data through charts and graphs, aiding in pattern recognition and anomaly detection.

5. Compliance: SIEM applications automate compliance data gathering, generating reports aligned with security, governance, and auditing requirements.

6. Retention: Long-term storage of historical data enables correlation over time and satisfies compliance needs. This is critical for forensic investigations, as breaches are often detected long after they occur.

7. Forensic Analysis: SIEM systems facilitate searching across logs from different sources and time periods based on specific criteria. This streamlines the process of finding relevant information amidst vast volumes of data.

Components:

Basic SIEM Infrastructure:

1. Data Collector: Gathers selected audit logs from various hosts. This can be agent-based or involve host-based log streaming into an index and aggregation point.

2. Ingest and Indexing Point: Aggregates, parses, correlates, and normalizes data. It serves as a central hub for processing incoming logs.

3. Search Node: Enables visualization, queries, reports, and alerts. Analysis takes place on the search node, providing insights into security events.

This basic infrastructure forms the backbone of a SIEM system, although specific architectures may vary among vendors.
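The capabilities (aggregation, correlation, alerting) and the collector → ingest/indexing → search pipeline described above, as an added illustration that is not from the original post or any SIEM vendor: two constructed log formats (a Linux sshd syslog line and a Windows logon-failure event as key=value text) are normalized into one schema at ingest, then a correlation rule links failures from the same source IP across hosts and sources and raises an alert. The formats, field names, threshold and window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample logs (not real data): Linux sshd syslog lines and a Windows
# logon-failure event (EventID 4625) exported as key=value text.
SAMPLE_LOGS = [
    ("syslog",  "2024-04-25T10:00:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 5022 ssh2"),
    ("syslog",  "2024-04-25T10:00:09 host1 sshd[2203]: Failed password for admin from 203.0.113.7 port 5031 ssh2"),
    ("windows", "TimeCreated=2024-04-25T10:00:30 EventID=4625 Computer=WS01 TargetUserName=jdoe IpAddress=203.0.113.7"),
    ("syslog",  "2024-04-25T10:05:00 host2 sshd[3310]: Failed password for bob from 198.51.100.4 port 4100 ssh2"),
    ("syslog",  "2024-04-25T10:05:10 host2 sshd[3311]: Accepted password for bob from 198.51.100.4 port 4101 ssh2"),
]
SYSLOG_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")

def normalize(source, line):
    """Ingest/indexing step: parse one raw line into a common event schema (or None)."""
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        ts, host, outcome, user, ip = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                "src_ip": ip, "outcome": "failure" if outcome == "Failed" else "success"}
    if source == "windows":
        kv = dict(tok.split("=", 1) for tok in line.split())
        if kv.get("EventID") != "4625":   # only logon failures are of interest here
            return None
        return {"ts": datetime.fromisoformat(kv["TimeCreated"]), "host": kv["Computer"],
                "user": kv["TargetUserName"], "src_ip": kv["IpAddress"], "outcome": "failure"}

def correlate(events, threshold=3, window_s=300):
    """Correlation rule: >= threshold failures from one src_ip within window_s seconds,
    regardless of which host or log source reported them (assumed rule, not a vendor's)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "failure":
            by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i in range(len(evs) - threshold + 1):
            span = (evs[i + threshold - 1]["ts"] - evs[i]["ts"]).total_seconds()
            if span <= window_s:
                alerts.append({"src_ip": ip, "count": len(evs),
                               "hosts": sorted({e["host"] for e in evs})})
                break
    return alerts

def run_pipeline(raw_logs=SAMPLE_LOGS):
    """Collector -> normalize -> correlate -> alert, over the constructed sample."""
    events = [e for src, line in raw_logs if (e := normalize(src, line))]
    return correlate(events)
```

On the sample, the rule fires once for 203.0.113.7, whose three failures span host1 (syslog) and WS01 (Windows); the single failure from 198.51.100.4 stays below the threshold.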
