What is a SIEM Solution and how does it Work?
Comprehensive security begins with a Security Information and Event Management (SIEM) solution.
The SIEM is one of the most useful technical security controls for your IT infrastructure, and in this article we will discuss how a SIEM solution works.
Read about how the SIEM solution will give you a visual representation of security events occurring on your IT infrastructure and how new functions in modern SIEM solutions can help you track user behavior and automate incident response from the central dashboard.
Let’s discuss.
SIEM Giving a Visual Landscape to a Complex Infrastructure
If you asked 100 different people what cybersecurity is, you might just get 100 different answers.
To be fair, the question is not that straightforward: cybersecurity is broad and spans many varying disciplines and technologies.
However, there is a general understanding of what makes up a cybersecurity product. You may hear things like firewalls or anti-virus, but these are only the simplest examples of cybersecurity technologies.
In a complex IT infrastructure, a business may be managing hundreds or thousands of endpoints, ranging from servers to personal laptops to wifi printers. Each of these endpoints will comprise your IT infrastructure and many might have a unique security process or technology behind them.
You can begin to see why managing the security of such an operation might require a more comprehensive solution, and this is where SIEM software comes in.
In its earliest form, a SIEM solution aggregated all the security information, or logs, from the devices and protection measures in your information system into one centralized dashboard.
The SIEM collects logs from other software such as firewalls or anti-virus, normalizes them into a common format, and displays them to your security team so they can take action when needed. This also means that the analyst does not need to go to each individual security system to collect logs.
In the following section, we will explore the next evolution of the SIEM which added two very important features that changed the way security teams interacted with their systems.
SIEM Evolution: UEBA and SOAR
User and Entity Behaviour Analytics (UEBA): perhaps one of the most important additions to next-gen SIEM solutions was the UEBA feature. This feature allows SIEMs to track user behavior on the system. It would track things like:
- Login behavior, i.e. what days a user logs in, the time, etc.
- Working habits, such as programs used and time spent idle
- Privileged access and password changes
The SIEM then aggregates this behavior into a profile of the user. The profile describes what behavior is considered normal for that particular user.
This is useful because it lets the SIEM model what once seemed like an unknown variable, the user itself. With that baseline in place, the SIEM can tell when a user behaves “abnormally.”
For example, abnormal behavior may manifest as a login outside the user's usual hours (say, 3 a.m. for an account that normally logs in during working hours). The SIEM can then flag the behavior as unusual, and the analyst can investigate to find out whether there is reason for concern.
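The two ideas above, normalizing logs from different sources into one schema and building a per-user login baseline to flag deviations, are shown together in the following added example. It is not code from the original article or from any SIEM product. The sample events are constructed: Linux sshd syslog lines and Windows-style JSON logon events with assumed field names. The baseline logic (observed hours with a one-hour tolerance, observed weekdays, known source addresses, and a minimum number of logins before an account is judged at all) is a deliberately simple stand-in for what a commercial UEBA engine does statistically.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs) in two source formats the SIEM
# must normalize: Linux sshd syslog lines and Windows-style JSON logon events
# as an agent might forward them (field names are an assumption).
TRAINING = [
    "2024-03-04T08:55:12Z host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "2024-03-05T09:02:40Z host1 sshd[1310]: Accepted publickey for alice from 10.0.0.5 port 50144 ssh2",
    '{"TimeCreated": "2024-03-06T08:47:30Z", "EventID": 4624, "Computer": "WS-ALICE", "TargetUserName": "Alice", "IpAddress": "10.0.0.5"}',
    "2024-03-07T09:15:03Z host1 sshd[1422]: Accepted publickey for alice from 10.0.0.5 port 50201 ssh2",
    "2024-03-08T08:30:55Z host1 sshd[1530]: Accepted publickey for alice from 10.0.0.5 port 50233 ssh2",
    "2024-03-11T09:20:18Z host1 sshd[1644]: Accepted publickey for alice from 10.0.0.5 port 50290 ssh2",
    '{"TimeCreated": "2024-03-04T10:00:07Z", "EventID": 4624, "Computer": "WS-BOB", "TargetUserName": "bob", "IpAddress": "10.0.0.7"}',
    '{"TimeCreated": "2024-03-05T10:10:51Z", "EventID": 4624, "Computer": "WS-BOB", "TargetUserName": "bob", "IpAddress": "10.0.0.7"}',
]

CANDIDATES = [
    "2024-03-09T03:12:44Z host1 sshd[1701]: Accepted password for alice from 203.0.113.9 port 41122 ssh2",
    "2024-03-12T09:05:27Z host1 sshd[1788]: Accepted publickey for alice from 10.0.0.5 port 50311 ssh2",
    "2024-03-12T09:06:01Z host1 sshd[1790]: Failed password for alice from 203.0.113.9 port 41130 ssh2",
    '{"TimeCreated": "2024-03-12T02:00:09Z", "EventID": 4624, "Computer": "WS-BOB", "TargetUserName": "bob", "IpAddress": "198.51.100.4"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)
MIN_BASELINE = 5  # below this many observed logins a profile is too thin to judge against


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize(raw):
    """Map one raw event into the common schema; None for anything that is not a successful logon."""
    if raw.startswith("{"):
        ev = json.loads(raw)
        if ev.get("EventID") != 4624:          # 4624 = successful Windows logon
            return None
        return {"user": ev["TargetUserName"].lower(), "host": ev["Computer"].lower(),
                "src": ev["IpAddress"], "ts": _ts(ev["TimeCreated"])}
    m = SYSLOG_RE.match(raw)
    if not m:                                  # e.g. "Failed password" lines are dropped here
        return None
    return {"user": m["user"].lower(), "host": m["host"].lower(),
            "src": m["src"], "ts": _ts(m["ts"])}


def build_baseline(events):
    """Per-user profile of when and from where they normally log in."""
    profile = defaultdict(lambda: {"hours": set(), "weekdays": set(), "srcs": set(), "count": 0})
    for ev in events:
        p = profile[ev["user"]]
        p["hours"].add(ev["ts"].hour)
        p["weekdays"].add(ev["ts"].weekday())
        p["srcs"].add(ev["src"])
        p["count"] += 1
    return profile


def score(ev, profile):
    """Reasons this logon deviates from the user's profile; an empty list means normal."""
    p = profile.get(ev["user"])
    if p is None or p["count"] < MIN_BASELINE:
        return ["no baseline yet"]             # new or rare account: triage it, but no anomaly verdict
    reasons = []
    hour = ev["ts"].hour
    # one-hour tolerance around any observed hour, wrapping across midnight
    if not any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in p["hours"]):
        reasons.append(f"logon at {hour:02d}:xx UTC outside usual hours")
    if ev["ts"].weekday() not in p["weekdays"]:
        reasons.append("logon on a weekday not seen in baseline")
    if ev["src"] not in p["srcs"]:
        reasons.append(f"new source address {ev['src']}")
    return reasons


def analyze(training_raw, candidate_raw):
    """Build profiles from training_raw, then score each candidate logon."""
    profile = build_baseline(e for e in map(normalize, training_raw) if e)
    results = []
    for ev in filter(None, map(normalize, candidate_raw)):
        results.append({"user": ev["user"], "ts": ev["ts"].isoformat(), "reasons": score(ev, profile)})
    return results


if __name__ == "__main__":
    for r in analyze(TRAINING, CANDIDATES):
        print(r["user"], r["ts"], "ANOMALOUS" if r["reasons"] else "normal", r["reasons"])
```

Run as written, alice's Saturday 03:12 password logon from 203.0.113.9 is flagged on all three axes (hour, weekday, source), her Tuesday 09:05 logon is normal, the failed-password line never reaches scoring, and bob's 02:00 logon is reported as "no baseline yet" rather than as an anomaly, which is the caveat a practitioner wants: UEBA verdicts on accounts with too little history are noise, not signal.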
Security Orchestration Automation and Response (SOAR): the SOAR feature within a SIEM solution makes it easier for analysts to react to a situation. The log information collected by a SIEM made it possible to detect events from a centralized hub.
However, action could not be taken from the centralized hub and team members would still have to go to the localized system to take corrective action such as restricting access or blocking access from certain links (in the case of phishing).
SOAR changes that and makes it possible for the analysts to take corrective action directly from the SIEM dashboard.
For example, if malware was found on an endpoint before the introduction of SOAR, the analyst would have to go to the infected device and quarantine it manually while trying to figure out the source.
With the SOAR addition, all of that can be done via the SIEM solution, and often automatically. If the SIEM has flagged a likely compromise, a SOAR playbook isolates the affected device and begins collecting evidence about the source.
The analyst does not need to log in to the infected endpoint; it is all done via the SIEM. In the same scenario, the SIEM's correlation of the endpoint alert with mail gateway and web proxy logs may show that the malware arrived via a phishing link.
The analyst can then block that URL, and quarantine other copies of the email, via the SOAR feature of the SIEM.
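The playbook behaviour described in this section, as an added example that is not part of the original article or of any SOAR product. The EDR, proxy and mail-gateway connectors are stand-ins that mutate in-memory state (an assumption; a real deployment calls vendor APIs at those points). It goes slightly beyond the text by adding two guardrails practitioners insist on before letting automation isolate hosts: a list of protected hosts whose isolation is queued for human approval instead of executed, and idempotent actions so that a re-fired alert does not repeat side effects.

```python
import re
from dataclasses import dataclass, field

# Added example: a miniature SOAR playbook runner. Connector functions below
# change in-memory state instead of calling an EDR, proxy or mail gateway (assumption).

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")
PROTECTED_HOSTS = {"dc01", "db-prod-01"}   # assumed crown-jewel hosts: never auto-isolate


@dataclass
class Alert:
    kind: str             # selects a playbook, e.g. "malware_on_endpoint"
    host: str
    user: str
    email_body: str = ""  # the phishing message the SIEM correlated with the alert, if any


@dataclass
class Environment:
    isolated_hosts: set = field(default_factory=set)
    blocked_urls: set = field(default_factory=set)
    pending_approval: list = field(default_factory=list)
    tickets: list = field(default_factory=list)


def isolate_host(env, alert):
    """EDR connector stand-in: network-isolate the host unless it is protected."""
    host = alert.host.lower()
    if host in PROTECTED_HOSTS:
        env.pending_approval.append(("isolate_host", host))
        return f"{host} is protected: isolation queued for analyst approval"
    if host in env.isolated_hosts:
        return f"{host} already isolated"      # idempotent on re-fired alerts
    env.isolated_hosts.add(host)
    return f"{host} isolated"


def block_urls(env, alert):
    """Proxy/mail-gateway connector stand-in: block every URL found in the phishing email."""
    found = set(URL_RE.findall(alert.email_body))
    new = found - env.blocked_urls
    env.blocked_urls |= new
    return f"blocked {len(new)} new URL(s), {len(found - new)} already blocked"


def open_ticket(env, alert):
    """Ticketing stand-in: every automated action ends with a human-visible record."""
    env.tickets.append(f"{alert.kind} on {alert.host} ({alert.user})")
    return f"ticket #{len(env.tickets)} opened"


PLAYBOOKS = {
    "malware_on_endpoint": [isolate_host, block_urls, open_ticket],
    "anomalous_login":     [open_ticket],      # enrich and hand to a human; no automatic lockout
}


def run_playbook(env, alert):
    """Execute the playbook for alert.kind; returns (action, outcome) pairs as an audit trail."""
    steps = PLAYBOOKS.get(alert.kind)
    if steps is None:
        return [("no_playbook", f"no playbook for {alert.kind}")]
    return [(step.__name__, step(env, alert)) for step in steps]


if __name__ == "__main__":
    env = Environment()
    phish = "Invoice attached: http://evil.example/inv.pdf (mirror https://evil.example/x)"
    for action, outcome in run_playbook(env, Alert("malware_on_endpoint", "WS-ALICE", "alice", phish)):
        print(f"{action:14} {outcome}")
```

The anomalous-login playbook deliberately stops at a ticket: locking an account automatically on a UEBA signal alone is how a false positive turns into a self-inflicted outage, so that decision is left to the analyst.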
SIEM Use Cases
SIEM solutions have many use cases across industries, most follow a similar structure with a few exceptions depending on the industry it is servicing.
In the following sections, we have outlined some scenarios where a SIEM can help you reduce manual effort across your overall cybersecurity architecture.
Security Operation Centers
Perhaps the area in which SIEMs are used the most is in Security Operations Centers (SOC). In fact, the SIEM is often the foundational element of a SOC.
SOCs are an excellent way to integrate security into your organization at a reduced cost. Many SOCs nowadays operate within a service model.
This model makes it possible for organizations of any size to reap the benefits of a strong cyber defense.
Essentially, a SOC’s whole purpose is to be able to detect, identify, track, and prevent cyber attacks. And this function is made possible with the use of a SIEM solution.
Compliance Management
A SIEM is also a great way to demonstrate compliance with various regulations such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA).
Both of the above-mentioned regulations require secure data processing and storage, and in the case of the GDPR insufficient security remains one of the most frequently cited reasons for fines.
Demonstrating secure data storage and processing is made much easier with a SIEM, which supports the logging, monitoring and breach-detection requirements of a wide array of regulations and voluntary frameworks, though it does not satisfy them on its own.
However, as we will see in the next section, the more advanced use case of a SIEM solution is proactive cyber defense.
Threat Detection and Management
One of the more advanced use cases of a SIEM solution is threat detection. Threat detection is a much more proactive use of a SIEM system, especially with the integration of UEBA in modern SIEMs.
With UEBA it is possible to analyze the data to find insider threats or even detect zero-day exploitation.
A zero-day vulnerability is a flaw that the vendor does not yet know about, so no patch or signature exists for it. Attackers who find such a flaw first have a window in which signature-based tools cannot see the exploit.
However, with UEBA it is possible to detect anomalous behavior by a user or host that could indicate exploitation of a zero-day, even when the exploit itself is unknown.
Combining the power of SOAR and UEBA, the SIEM can manage security proactively: playbooks can trigger vulnerability scans on suspicious hosts and open patching tickets as problems arise.
Continue the Conversation!
Connor is a privacy and information security risk subject matter expert with four years of experience.
I help organizations in data-driven industries reduce privacy GRC costs through concise and easy-to-understand data privacy compliance strategies, audits, and strategies (I also love to write about it!).
I always welcome more discussion and would love to hear directly from you, the reader!
Connect with me on LinkedIn, or feel free to message me directly on Medium.