What is a SIEM?

Systems of this class have been with us for more than a decade, and it would seem that everything has already been said about them: we know them well and know what they can really do… But is this really the case?

And if you’ve found this post, you are most likely looking for more information about the capabilities offered by managed SIEM nowadays. Therefore, we invite you to read a series of articles in which we will discuss the most important features and elements to consider when choosing a specific product, and also try to describe some situations from real-world implementations.

What does SIEM mean, and what are its benefits?

SIEM is an abbreviation of Security Information and Event Management. By definition, a SIEM collects and further processes information and events in the field of IT security in order to support the following processes:

  • threat detection
  • testing for compliance with regulatory requirements
  • security incident management

The above definition is correct, of course, but it is so general that it is questionable whether it is convincing enough to make anyone interested in a SIEM system. After all, there are many other technologies available that can perform similar tasks… So, what’s so special about SIEM?

The first task of SIEM systems is to collect data in one place (including, but not limited to, logs and network flows) from selected elements of the ICT infrastructure, including, but not limited to, devices, systems, or servers that provide services such as AD, DNS, DHCP, FW, IPS, VPN, AV, and many others. How can this be useful? Let’s imagine a situation where we have a security incident, so there is a need to analyze the logs of the systems running in our infrastructure—without a SIEM or a log management class solution, this process will take a very long time, and it will be even more difficult to switch between many systems. In addition, if the incident occurred even in the recent past, there is of course a risk that the information we are looking for has already been overwritten in the original systems…

The ability to analyze events from many sources, at one time and in one place.

Thus, one of the first advantages of SIEM systems is the ability to get a bird’s eye view of our infrastructure. Collecting logs in one place means that we can get the information we are interested in within a very short time, even if it relates to many points in our infrastructure, and the disk resources of the SIEM system and the data compression mechanisms it uses will ensure very long storage periods.

The only remaining question is what advantage SIEM systems have over log management systems, since those also store logs in one centralized location. In fact, the main feature and task of SIEM systems is event correlation, i.e. the ability to automatically and continuously capture the relationships between information coming from many points in our infrastructure.

Provide mechanisms for archiving logs from important or critical systems

Managed SIEM via the Underdefense system allows you to define disk pools for different types of sources and assign them different retention levels. This feature lets you separate the storage space and retention of production server logs from those of workstations, or even of servers that belong to the test environment.

Another important feature of SIEM systems is the ability to initiate almost any response as a result of an observed incident.

Provide mechanisms for correlating logs from different systems

Suppose we need to find information about the list of accounts involved in an incident as soon as possible: at least 10 failed login attempts from at least 3 different IP addresses, followed by successful logins within 1 day, all for logs from the last 3 months—how long would it take an administrator to find this information? Of course, I’m omitting the fact that he has much more interesting and important work to do during this time. In addition, such an event should be reported as soon as possible, preferably the moment it occurs…

In such situations, SIEM systems come to our aid, and the figure below shows a correlation rule that implements the above assumption. This rule was built in managed SIEM via the Underdefense system; the rule correlation wizard used in it works with sets of filters and logical gates, which makes the process of creating rules very clear and intuitive.

The correlation rule above can be used to search all logs available in the system. It can also run against new data as it arrives in the system and notify the specified people on an ongoing basis whenever events meet the conditions described in the rule.
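The correlation logic described above, as an added example that is not part of the original post and not code from any Underdefense product: at least 10 failed logins for one account from at least 3 distinct source addresses, followed by a successful login for the same account within 1 day, evaluated over logs from the last 3 months. The `ts=… user=… src=… result=…` log format, the account names, the addresses (documentation ranges) and the fixed "now" are all constructed for the example; a real deployment would feed it normalized authentication events from the SIEM's own parsers.

```python
"""Offline reconstruction of the failed-then-successful-login correlation rule.

Log format is a constructed key=value line, not any real product's format:
    ts=2024-03-30T08:00:00 user=alice src=198.51.100.7 result=FAIL
"""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_FAILURES = 10              # "at least 10 failed login attempts"
MIN_DISTINCT_SOURCES = 3       # "from at least 3 different IP addresses"
FOLLOW_UP_WINDOW = timedelta(days=1)   # "followed by successful logins within 1 day"
LOOKBACK = timedelta(days=90)          # "logs from the last 3 months", approximated as 90 days


def parse_line(line):
    """Parse one constructed 'key=value ...' line into an event dict."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "ts": datetime.fromisoformat(fields["ts"]),
        "user": fields["user"],
        "src": fields["src"],
        "ok": fields["result"] == "OK",
    }


def correlate(lines, now):
    """Return {user: details} for every account that matches the rule.

    For each successful login, the failures of the same account in the
    preceding FOLLOW_UP_WINDOW are counted and their distinct sources collected.
    Only events inside the LOOKBACK window relative to `now` are considered.
    """
    since = now - LOOKBACK
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if since <= ev["ts"] <= now:
            per_user[ev["user"]].append(ev)

    hits = {}
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if not ev["ok"]:
                continue
            window_start = ev["ts"] - FOLLOW_UP_WINDOW
            failures = [f for f in events[:i]
                        if not f["ok"] and f["ts"] >= window_start]
            sources = {f["src"] for f in failures}
            if len(failures) >= MIN_FAILURES and len(sources) >= MIN_DISTINCT_SOURCES:
                hits[user] = {"success_at": ev["ts"],
                              "failures": len(failures),
                              "sources": sorted(sources)}
                break   # one alert per account is enough for this example
    return hits


# ---- constructed sample data -------------------------------------------------
NOW = datetime(2024, 4, 1, 12, 0, 0)   # fixed "current time" so the run is reproducible


def _fail_lines(user, start, srcs, n):
    """Build n FAIL lines for `user`, 5 minutes apart, cycling through `srcs`."""
    return [f"ts={(start + timedelta(minutes=5 * k)).isoformat()} "
            f"user={user} src={srcs[k % len(srcs)]} result=FAIL" for k in range(n)]


SAMPLE_LOG = (
    # alice: 12 failures from 3 addresses, then a success 35 minutes later -> matches
    _fail_lines("alice", datetime(2024, 3, 30, 8, 0), ["198.51.100.7", "203.0.113.9", "192.0.2.44"], 12)
    + ["ts=2024-03-30T09:30:00 user=alice src=203.0.113.9 result=OK"]
    # bob: 12 failures but all from one address -> below the distinct-source threshold
    + _fail_lines("bob", datetime(2024, 3, 30, 8, 0), ["198.51.100.7"], 12)
    + ["ts=2024-03-30T09:30:00 user=bob src=198.51.100.7 result=OK"]
    # carol: only 5 failures -> below the count threshold
    + _fail_lines("carol", datetime(2024, 3, 30, 8, 0), ["198.51.100.7", "203.0.113.9", "192.0.2.44"], 5)
    + ["ts=2024-03-30T09:30:00 user=carol src=192.0.2.44 result=OK"]
    # dave: 12 failures from 4 addresses, but the success comes 3 days later -> outside the 1-day window
    + _fail_lines("dave", datetime(2024, 3, 20, 8, 0), ["198.51.100.7", "203.0.113.9", "192.0.2.44", "192.0.2.45"], 12)
    + ["ts=2024-03-23T09:30:00 user=dave src=192.0.2.45 result=OK"]
    # erin: the full pattern, but more than 3 months ago -> outside the lookback
    + _fail_lines("erin", datetime(2023, 11, 20, 8, 0), ["198.51.100.7", "203.0.113.9", "192.0.2.44"], 12)
    + ["ts=2023-11-20T09:30:00 user=erin src=198.51.100.7 result=OK"]
)


def run_rule():
    """Apply the rule to the constructed sample log; returns the matching accounts."""
    return correlate(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    for user, hit in run_rule().items():
        print(f"{user}: {hit['failures']} failures from {hit['sources']} before success at {hit['success_at']}")
```

Only `alice` is reported: the other four accounts each fail exactly one of the rule's conditions, which is the point of a correlation rule as opposed to a plain search. Running the same function over a live stream instead of `SAMPLE_LOG` is what turns the historical search into the ongoing notification the post describes.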

Central command point for security devices (API)

Managed SIEM via Underdefense allows you to run a predefined script, and pass specified arguments to it, from an alert or a log entry. With this feature, the SIEM operator can initiate an action in another security system directly from the SIEM console: for example, add a selected IP address to the blocked list, change the configuration policy of a selected product on a workstation, or run a vulnerability scan on a selected IP address. All of this relies on the remote management feature, the operator's scripting skills, and the API functions of the integrated systems responsible for other security areas.

Managed SIEM via Underdefense also offers native two-way integration with other products in the broader managed SIEM portfolio, including:

  • Management console for endpoint products
  • Local reputation database
  • Active Response (class-leading EDR system)
  • Advanced Threat Protection (sandbox)
  • Network Security Platform (network IPS)

Other important features of SIEM systems focus on functions that help meet the requirements described in regulations, such as the need to keep logs for a certain period of time.

Most standards and norms, such as HIPAA, SOX, and GDPR, require organizations to meet a number of requirements for security controls: log collection, 24/7 monitoring, and early warning. From the descriptions above, it is clear that SIEM systems provide all of these things. That is why they are becoming the industry standard and are being deployed in every major IT environment focused on security.

TIME BUSINESS NEWS
