What is Security Information and Event Management (SIEM)?
SIEM stands for Security Information and Event Management. It is a combination of tools that together collect logs from, and monitor, applications, servers, domain controllers and network devices.
The SIEM then analyzes those logs in near real time and classifies them by type. It stores the raw logs, applies analytics to them to discover trends and threats, and raises alerts so that the organization can investigate and act on them.
If the SIEM solution is implemented effectively, it gives the organization visibility across its whole network. This lets administrators and SIEM operators continuously monitor activity on both the internal infrastructure and the external infrastructure that is exposed to the internet.
As noted, a SIEM is a combination of software packages brought together under a single umbrella: Log Management, Security Log and Event Management, Security Information Management, and Event Correlation.
The SIEM can generate alerts and incidents based on specific correlation rules. For example, if a port scan is run against a system, the SIEM generates a Port Scan alert with the details: source and destination addresses, the port numbers that were touched, and so on. This helps the organization find incidents or hacking attempts in near real time.
As with everything else in cyber security, no single product is a complete solution and nothing is completely secure, and SIEM is no exception. Most of the time an attack does not announce itself; there is no obvious sign on the surface that a cyber attack is in progress. Detecting such threats is far more effective when the logs are collected and analyzed for signs of attack.
Most security controls operate on a micro scale: each addresses one class of threat and misses the bigger picture. An Intrusion Detection System (IDS) only sees network traffic, IP addresses and packets. Your service logs only show user sessions and configuration changes. A SIEM puts these systems and others like them together to provide a complete overview of a security incident through real-time monitoring and analysis of event logs.
How Does SIEM Work?
Let’s look at the main functionality of a SIEM solution and how it works:
- Log Collection
- Normalizing the logs into a standard format
- Analyzing the logs and creating specific alerts
- Security Incident Detection
- Incident Response
Now that we know the stages, let's look at how they fit together. The whole idea can be summed up in one word: correlation. At its core, a SIEM collects data from different sources within the organization, stores it, converts the raw logs into a standard format and finally presents them in a human-readable form.
Correlation is what makes this useful. Because the SIEM collects logs from every device in the organization's infrastructure, it can relate events to each other and give an insight into what is happening across the network. It holds data on every single event and acts as the centralized security monitoring system.
All of that data is analyzed against several rule sets defined by the organization; a SIEM also ships with default rule sets that cover most common security activity. The tool correlates the logs against the predefined rules to identify abnormalities in the network.
For example, take a rule that counts invalid login attempts on a computer. A user is trying to log in: the first four attempts use an invalid password, and on the fifth attempt the user logs in successfully.
Each of these events is logged to the SIEM, and an alert is generated that there were x invalid login attempts on this system. There are several possible explanations: it may be a brute-force attack in which someone else is guessing the password for this account, or the user may simply have forgotten the password and got it right in the end. This is where correlation comes in.
For such a case, a correlation rule can be written so that if an authentication failure occurs three times consecutively and is followed by a success within a specific period, an alert is raised. The alert can then be investigated by analyzing the logs from the machine concerned. So my working definition of correlation is: "a rule that aggregates individual events into an incident, defined for a specific application or scenario."
In short, the whole idea of a SIEM solution is built on rules and logs being correlated with each other to create an incident.
Logs without rules are of no use in identifying a threat, and rules without proper log management cannot help you identify the threat and then take the necessary action to mitigate it.
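The two rules discussed so far, the port-scan rule from the earlier section and the failed-logins-then-success rule from this one, can be written as a small stateful correlation engine. The code below is an added example for this article, not code from any SIEM product; the event fields, thresholds, hostnames and addresses are all constructed. It also shows the part that written rules usually gloss over: state has to expire, or a success that arrives long after old failures would still alert and memory would grow without bound.

```python
"""Minimal correlation engine evaluating two rules over a constructed event stream.

Added example for this article; not taken from any SIEM product.
"auth_fail_then_success": >= fail_threshold consecutive failures from one source
against one host, then a success, all inside auth_window seconds.
"port_scan": one source reaching >= scan_threshold distinct destination ports on
one host inside scan_window seconds. Events and thresholds below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: int        # seconds since epoch (constructed values below)
    kind: str      # "auth_fail", "auth_ok" or "conn"
    src: str       # source address
    dst: str       # destination host
    port: int = 0  # destination port, only meaningful for "conn"


@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    detail: str
    events: list = field(default_factory=list)  # raw events that triggered the alert


class Correlator:
    def __init__(self, fail_threshold=3, auth_window=300, scan_threshold=10, scan_window=60):
        self.fail_threshold, self.auth_window = fail_threshold, auth_window
        self.scan_threshold, self.scan_window = scan_threshold, scan_window
        self._fails = defaultdict(deque)  # (src, dst) -> consecutive failures inside the window
        self._conns = defaultdict(deque)  # (src, dst) -> connection events inside the window
        self._scan_fired = set()          # (src, dst) pairs already alerted, to avoid re-firing
        self.alerts = []

    @staticmethod
    def _expire(dq, now, window):
        """Drop events older than the window: stateful rules must forget."""
        while dq and now - dq[0].ts > window:
            dq.popleft()

    def feed(self, ev):
        key = (ev.src, ev.dst)
        if ev.kind == "auth_fail":
            dq = self._fails[key]
            self._expire(dq, ev.ts, self.auth_window)
            dq.append(ev)
        elif ev.kind == "auth_ok":
            dq = self._fails[key]
            self._expire(dq, ev.ts, self.auth_window)
            if len(dq) >= self.fail_threshold:
                self.alerts.append(Alert("auth_fail_then_success", ev.src, ev.dst,
                    f"{len(dq)} failures then success within {self.auth_window}s",
                    list(dq) + [ev]))
            dq.clear()  # a success ends the failure run, whether or not it alerted
        elif ev.kind == "conn":
            dq = self._conns[key]
            self._expire(dq, ev.ts, self.scan_window)
            dq.append(ev)
            ports = {e.port for e in dq}
            if len(ports) >= self.scan_threshold and key not in self._scan_fired:
                self._scan_fired.add(key)
                self.alerts.append(Alert("port_scan", ev.src, ev.dst,
                    f"{len(ports)} distinct ports within {self.scan_window}s", list(dq)))
        return self.alerts


def run_demo():
    """Feed a constructed event stream and return the alerts it produces."""
    events = [
        # four failures then a success from 10.0.0.5: should alert
        Event(1000, "auth_fail", "10.0.0.5", "srv1"),
        Event(1010, "auth_fail", "10.0.0.5", "srv1"),
        Event(1020, "auth_fail", "10.0.0.5", "srv1"),
        Event(1030, "auth_fail", "10.0.0.5", "srv1"),
        Event(1040, "auth_ok", "10.0.0.5", "srv1"),
        # one typo then success from 10.0.0.9: below threshold, no alert
        Event(1100, "auth_fail", "10.0.0.9", "srv1"),
        Event(1105, "auth_ok", "10.0.0.9", "srv1"),
        # three failures but the success comes 400 s later: outside the window, no alert
        Event(3000, "auth_fail", "10.0.0.11", "srv1"),
        Event(3010, "auth_fail", "10.0.0.11", "srv1"),
        Event(3020, "auth_fail", "10.0.0.11", "srv1"),
        Event(3400, "auth_ok", "10.0.0.11", "srv1"),
    ]
    # twelve connections to twelve different ports in twelve seconds: should alert once
    events += [Event(2000 + i, "conn", "10.0.0.7", "srv2", port=20 + i) for i in range(12)]
    corr = Correlator()
    for ev in events:
        corr.feed(ev)
    return corr.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a.rule}] {a.src} -> {a.dst}: {a.detail} ({len(a.events)} events)")
```

Note that the port-scan rule fires once per source/destination pair and then stays quiet; without that guard, every further connection from the scanner would generate another alert, which is how an analyst's queue gets flooded.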
Many modern SIEM systems also have a built-in active response capability that automatically stops an attack the system already recognizes. This is called Active Response, and it is triggered by specific rules. One caveat from practice: an automated block keyed on a source address can be turned against you if an attacker spoofs or routes through an address you depend on, so such rules are normally limited to high-confidence signatures and time-limited blocks.
If you want to see what such rules look like, take a look at the OSSEC ruleset, an open source project (OSSEC is a host-based intrusion detection system whose rules and active responses work on the same principles).
How Logs are collected and sent to SIEM?
There are two main ways logs are transferred from devices to the SIEM: agent-based and agentless. In the agent-based approach, a small piece of software is installed on the client or end-user machine; it collects the logs and forwards them to the SIEM. In the agentless approach, the client system sends the logs itself using services such as Syslog or the Windows Event Collector service.
Both approaches are used, in different scenarios. On devices such as computers, laptops and web servers, an agent-based implementation is usually used to forward logs to the SIEM, while on devices such as switches, routers and firewalls, which cannot run an agent, agentless forwarding (typically syslog) is used. Whichever path is used, the transport matters: classic syslog over UDP is unauthenticated and unacknowledged, so lines can be spoofed or silently lost, and a production deployment should send logs over TLS (or an agent channel with equivalent protection).
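The "standard format" step from the list above is where an agentless syslog feed earns its keep: the receiver sees two different wire formats (RFC 3164 "BSD" syslog from older devices and RFC 5424 from newer ones) and must turn both into one record shape before any rule can run. The parser below is an added example for this article, not code from any SIEM product. The sample lines are constructed, modelled on the examples in the two RFCs; the year and UTC zone applied to RFC 3164 timestamps are assumptions (that format carries neither), and escaped `]` inside RFC 5424 structured data is not handled.

```python
"""Normalize RFC 3164 and RFC 5424 syslog lines into one record schema.

Added example for this article, not code from any SIEM product.
Assumptions: RFC 3164 lines carry no year and no timezone, so the year is a
parameter and the time is treated as UTC; escaped ']' in structured data is ignored.
"""
import re
from datetime import datetime, timezone

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")
# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")


def _nil(v):
    """RFC 5424 uses '-' for an absent field."""
    return None if v in (None, "-") else v


def parse_syslog(line, year=2024):
    """Return one normalized record; unrecognized lines come back as 'raw' rather than being dropped."""
    rec = {"format": "raw", "facility": None, "severity": None, "timestamp": None,
           "host": None, "app": None, "pid": None, "message": line}
    m5, m3 = RFC5424.match(line), RFC3164.match(line)
    m = m5 or m3
    if not m or int(m["pri"]) > 191:  # PRI = facility * 8 + severity, facility <= 23
        return rec
    pri = int(m["pri"])
    rec["facility"], rec["severity"] = FACILITIES[pri >> 3], SEVERITIES[pri & 7]
    if m5:
        ts = _nil(m5["ts"])
        rec.update(format="rfc5424", host=m5["host"], app=_nil(m5["app"]), pid=_nil(m5["pid"]),
                   msgid=_nil(m5["msgid"]), structured_data=_nil(m5["sd"]), message=m5["msg"] or "",
                   timestamp=datetime.fromisoformat(ts.replace("Z", "+00:00")).isoformat() if ts else None)
    else:
        # assumption: supplied year and UTC, since RFC 3164 carries neither
        stamp = datetime.strptime(f"{year} {re.sub(' +', ' ', m3['ts'])}", "%Y %b %d %H:%M:%S")
        rec.update(format="rfc3164", host=m3["host"], app=m3["tag"],
                   pid=int(m3["pid"]) if m3["pid"] else None, message=m3["msg"],
                   timestamp=stamp.replace(tzinfo=timezone.utc).isoformat())
    return rec


# constructed sample lines, modelled on the RFC examples
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application"] An application event log entry',
    "<86>Oct  5 09:01:02 web01 sshd[2213]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "this device sent something that is not syslog at all",
]

if __name__ == "__main__":
    for rec in map(parse_syslog, SAMPLE_LINES):
        print(rec["format"], rec["facility"], rec["severity"], rec["host"], rec["app"], rec["message"])
```

The "raw" fallback is deliberate: a receiver that drops lines it cannot parse is a blind spot, and the misbehaving device that produced them is itself worth a rule.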
How Alerts are Generated by SIEM?
Now that we know all the logs from the different devices are sent to the SIEM, let's take an example: a web server is running a PHP-based application and an attacker is attempting SQL injection against it. In this case the web server produces unusual log entries containing the requests sent to the server and their parameter values.
Analyzing these logs shows a large number of SQL database errors occurring on the web server, and that the requests causing them all come from the same source IP.
From this it can be concluded that someone is running web application attacks against the application server; the SIEM automates this reasoning and raises an alert.
How alerts are listed varies between SIEM products, since each represents alerts in its own way.
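Here is the reasoning from the SQL injection example above written out as detection logic over access-log lines. This is an added example for this article, not code from any SIEM product: the log lines are constructed (using RFC 5737 test addresses), the parser covers the Apache/Nginx "combined" format, and the injection-hint patterns are a small illustrative set rather than a complete grammar. The alert carries the decoded parameter values as evidence, which is what the analyst needs to confirm the finding; pairing it with the application's error log (the SQL error messages the text mentions) would be the natural next refinement.

```python
"""Turn web-server access-log lines into a SQL-injection alert with evidence.

Added example for this article, not code from any SIEM product. Log lines are
constructed; SQLI_HINT is an illustrative pattern set, not a complete grammar.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" log format
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Matched against *decoded* parameter values, never against the raw URL.
SQLI_HINT = re.compile(
    r"(?i)(\bunion\b.+\bselect\b"            # UNION ... SELECT
    r"|'\s*(or|and)\s+\S+\s*="               # ' OR '1'='1 style tautologies
    r"|;\s*(drop|select|insert|update)\b"    # stacked queries
    r"|--\s*$|/\*"                           # comment terminators
    r"|\b(sleep|benchmark|pg_sleep)\s*\()")  # time-based probes


def parse_access_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def suspicious_params(uri):
    """Return [(name, decoded value)] for query parameters that match an injection hint."""
    hits = []
    for name, values in parse_qs(urlsplit(uri).query, keep_blank_values=True).items():
        hits.extend((name, v) for v in values if SQLI_HINT.search(v))
    return hits


def detect_sqli(lines, threshold=3):
    """One alert per source with >= threshold suspicious requests; 5xx responses are corroboration."""
    per_src = defaultdict(lambda: {"requests": 0, "suspicious": 0, "errors": 0, "evidence": []})
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue  # a real pipeline would route unparsed lines to a parse-failure queue
        s = per_src[rec["ip"]]
        s["requests"] += 1
        hits = suspicious_params(rec["uri"])
        if hits:
            s["suspicious"] += 1
            if rec["status"] >= 500:
                s["errors"] += 1
            s["evidence"].append({"ts": rec["ts"], "status": rec["status"],
                                  "ua": rec["ua"], "params": hits})
    return [{"rule": "web_sqli_attempts", "src": ip, **s}
            for ip, s in sorted(per_src.items()) if s["suspicious"] >= threshold]


# constructed sample: three sqlmap-style probes that each produced a 500, then normal traffic
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [08/Oct/2024:10:01:05 +0000] "GET /product.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 512 "-" "sqlmap/1.7"',
    '203.0.113.7 - - [08/Oct/2024:10:01:06 +0000] "GET /product.php?id=1%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 500 512 "-" "sqlmap/1.7"',
    '203.0.113.7 - - [08/Oct/2024:10:01:07 +0000] "GET /product.php?id=1%27%20AND%20sleep(5)-- HTTP/1.1" 500 512 "-" "sqlmap/1.7"',
    '198.51.100.4 - - [08/Oct/2024:10:02:00 +0000] "GET /search.php?q=select%20the%20best%20laptop HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [08/Oct/2024:10:02:30 +0000] "GET /product.php?id=42 HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in detect_sqli(SAMPLE_ACCESS_LOG):
        print(f"{a['rule']}: {a['src']} sent {a['suspicious']} suspicious requests, "
              f"{a['errors']} of them answered with 5xx")
        for e in a["evidence"]:
            print("  ", e["ts"], e["status"], e["params"])
```

The fourth sample line is there on purpose: a search for "select the best laptop" contains a SQL keyword but matches no hint and returned 200, so it generates nothing. Keyword-only matching is the classic source of web-attack false positives, which is why the rule keys on injection shapes and counts server errors as corroboration.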
What is the need for SIEM?
Over the years SIEM solutions have become a core security component of modern organizations. The main reason is that every user, and every attacker, leaves a trail in the network's log data. SIEM solutions are designed to give you insight into past attacks and events from that log data, so a SIEM not only identifies an attack but also shows how and why it happened.
As organizations grow and scale up their infrastructure, resulting in more complex IT environments, SIEM has become even more important in recent years. Contrary to popular belief, firewalls and antivirus packages are not enough to protect a network in its entirety; zero-day attacks can still get past these defenses.
A SIEM addresses this by detecting attack activity and comparing it with the past behavior of the network. As a SIEM deployment matures in the organization, it gets better at distinguishing legitimate activity from malicious activity, which improves incident protection and helps avoid damage to the organization's digital assets.
Nowadays many organizations are required to comply with certain IT standards in order to run their business, and log management is the industry-standard basis for IT auditing. Modern SIEMs can also run audits against compliance standards such as PCI DSS and GDPR.
Business Impact of SIEM?
If you are familiar with SIEM solutions, you know that they are notoriously expensive, which raises the question: is it really worth spending that kind of money on a solution that seemingly gives nothing in return?
It is not true that a SIEM gives nothing in return. SIEM solutions are evolving so that they not only protect the IT infrastructure but also identify business risks that arise from it.
This is a separate strategy under IT risk and governance compliance, and it relates the technical side of IT security to the business. For example, a SIEM can be used to identify the business risk that a financial application, if it comes under attack and becomes unavailable for a period, say an hour, would cause the organization a financial loss.
The technical details are then passed to senior management: in the event of an attack, this application could be down for an hour. Senior management can then meet with the business and risk-management teams, decide whether that would cause a financial loss, and agree on what preventive measures the IT team should take, such as implementing new and improved firewalls or other controls.
To wrap up, there are many benefits to implementing a SIEM solution in an enterprise. Still, many organizations consider SIEM a waste of money until they are hit by an attack.
This is mostly due to a lack of awareness and the tendency not to take precautions when nothing has gone wrong yet: as long as work is going smoothly, we assume nothing will happen, and only when a mishap finally occurs do we think we should probably do something about it.