SIEM

Security Information and Event Management (SIEM) technology is the backbone of any security operations function: it meets compliance needs and, through its threat detection capabilities, identifies and supports the response to cyber attacks. It is intended to be a single pane of glass for the logs of all of your organization's assets, for the purpose of security monitoring and auditing.

[Image: LogRhythm SIEM Dashboard]

A SIEM's primary use case is logging and log management; however, enterprises also use their SIEM for other purposes, such as compliance with regulations like HIPAA, PCI, SOX, and GDPR, data management, data storage and budgeting, and more.

SIEM Vendors

There are many vendors of SIEM technologies with each having their own advantages and disadvantages. Some of the more popular technologies on the market are Splunk, LogRhythm and QRadar with others emerging as fierce competitors in the market such as Microsoft’s Azure Sentinel.

The Gartner Magic Quadrant for SIEM (February 2020), shown below, lists some of the more well-known SIEM vendors:

[Image: Magic Quadrant for SIEM – February 2020]

SIEM Capabilities

SIEMs have many capabilities. Gartner, for example, identifies the top three critical capabilities of a SIEM as threat detection, investigation, and time to respond, with other common features including:

  • Log Collection, Normalization, & Metadata Extraction
  • Incident Response and Forensics Investigation
  • Automated Threat Response
  • Notifications, Reports, & Alerts
  • Security Incident Monitoring & Detection

How SIEM Works

SIEMs usually work by installing a collector agent on each endpoint you wish to monitor; the agent forwards that endpoint's logs to a syslog server or another data collector. The SIEM then normalizes, indexes, and stores that information in an archive, keeping some retention period available for live log lookup while compressing and archiving older logs to save space.

Analysts and administrators then maintain the deployment by tuning use cases, adding and removing log sources, monitoring for operational and security incidents, and using the platform to conduct threat hunts and other activities.
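To make the pipeline above concrete (collector forwards syslog, the SIEM normalizes and extracts metadata, keeps a hot retention tier and compresses the rest, and runs detection rules over the normalized events), here is a toy end-to-end implementation. It is an added example written for this page, not LogRhythm's or Splunk's code, and everything in it is constructed: the sshd and systemd log lines, the host name, the addresses, the assumed log year, and the brute-force threshold. It also covers the "Log Collection, Normalization, & Metadata Extraction" and "Security Incident Monitoring & Detection" capabilities listed earlier.

```python
"""Toy SIEM pipeline: collect -> normalize/extract -> retain -> detect.
Added example for this page; all sample data below is constructed."""
import gzip
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed RFC 3164-style lines, as a collector agent would forward them to a syslog receiver.
SAMPLE_LOGS = [
    "<38>Jul 27 10:00:01 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "<38>Jul 27 10:00:03 web01 sshd[1234]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "<38>Jul 27 10:00:05 web01 sshd[1234]: Failed password for root from 203.0.113.7 port 51131 ssh2",
    "<38>Jul 27 10:00:06 web01 sshd[1234]: Failed password for root from 203.0.113.7 port 51132 ssh2",
    "<38>Jul 27 10:00:08 web01 sshd[1234]: Failed password for root from 203.0.113.7 port 51133 ssh2",
    "<38>Jul 27 10:00:09 web01 sshd[1234]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2",
    "<30>Jul 27 10:00:10 web01 systemd[1]: Started Session 42 of user deploy.",
]
LOG_YEAR = 2020  # RFC 3164 timestamps carry no year; assumed for the constructed data
DEMO_NOW = datetime(2020, 7, 28, tzinfo=timezone.utc)  # constructed "current time" for retention

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
# Per-log-source parsing rules: a regex that extracts metadata and the normalized event type it maps to.
EXTRACTORS = [
    (re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"),
     "auth_failure"),
    (re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"), "auth_success"),
]


def normalize(line):
    """Parse one syslog line into a flat event dict; return None if the line does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    ts = datetime.strptime(f"{LOG_YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    event = {
        "ts": ts.replace(tzinfo=timezone.utc),
        "host": m["host"],
        "app": m["app"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "facility": pri >> 3,  # PRI = facility * 8 + severity
        "severity": pri & 7,
        "event_type": "unclassified",
        "message": m["msg"],
    }
    for rx, event_type in EXTRACTORS:
        em = rx.search(m["msg"])
        if em:
            event["event_type"] = event_type
            event.update(em.groupdict())
            break
    return event


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window correlation: `threshold` auth failures from one source IP within the window -> one alert."""
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_type"] != "auth_failure":
            continue
        q = windows[ev["src_ip"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts.append({"rule": "ssh_bruteforce", "host": ev["host"], "src_ip": ev["src_ip"],
                           "count": len(q), "first_seen": q[0], "last_seen": ev["ts"]})
            q.clear()  # reset so a sustained attack yields one alert per `threshold` failures
    return alerts


def tier_events(events, now, hot_days=7):
    """Keep recent events in the searchable hot tier; gzip older ones into an archive blob."""
    cutoff = now - timedelta(days=hot_days)
    hot = [e for e in events if e["ts"] >= cutoff]
    cold = [e for e in events if e["ts"] < cutoff]
    archive = gzip.compress(json.dumps(cold, default=lambda o: o.isoformat()).encode())
    return hot, archive


def archive_count(archive):
    """Number of events stored in a gzip archive blob produced by tier_events."""
    return len(json.loads(gzip.decompress(archive)))


if __name__ == "__main__":
    events = [e for e in map(normalize, SAMPLE_LOGS) if e]
    for a in detect_bruteforce(events):
        print(f"ALERT {a['rule']}: {a['count']} failures from {a['src_ip']} on {a['host']}")
    hot, archive = tier_events(events, DEMO_NOW)
    print(f"{len(hot)} hot events, {archive_count(archive)} archived")
```

The extraction rules are where most real SIEM tuning effort goes: a line the regexes do not recognize still lands in the index as `unclassified` with its facility and severity, so it remains searchable, but no detection rule will fire on it until a parsing rule is written for that source.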

Below are examples of two popular SIEM technologies, LogRhythm and Splunk, with an illustration of their infrastructure.

[Image: Example of LogRhythm SIEM Infrastructure]
[Image: Example of Splunk SIEM Infrastructure for Windows]

SANS “Top 20” Critical Controls for Effective Cyber Defense

SIEMs play a large part in the security of organizations and must undergo strenuous evaluation of their security control mechanisms.

The CIS Critical Security Controls (CSC) are a time-proven, prioritized, “what works” list of 20 controls that can be used to minimize security risks to enterprise systems and the critical data they maintain.

Businesses can use these controls to measure the effectiveness of a SIEM solution. Below are the Top 20 controls and their descriptions, which should be considered by any organization wishing to pursue a SIEM technology.

Control: Description

  • Inventory of Authorized and Unauthorized Devices: The processes and tools used to track/control/prevent/correct network access by devices (computers, network components, printers, anything with IP addresses) based on an asset inventory of which devices are allowed to connect to the network.
  • Inventory of Authorized and Unauthorized Software: The processes and tools organizations use to track/control/prevent/correct installation and execution of software on computers based on an asset inventory of approved software.
  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: The processes and tools organizations use to track/control/prevent/correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations, and servers based on a formal configuration management and change control process.
  • Continuous Vulnerability Assessment and Remediation: The processes and tools used to detect/prevent/correct security vulnerabilities in the configurations of devices that are listed and approved in the asset inventory database.
  • Malware Defenses: The processes and tools used to detect/prevent/correct installation and execution of malicious software on all devices.
  • Application Software Security: The processes and tools organizations use to detect/prevent/correct security weaknesses in the development and acquisition of software applications.
  • Wireless Device Control: The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (LANs), access points, and wireless client systems.
  • Data Recovery Capability: The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
  • Security Skills Assessment and Appropriate Training to Fill Gaps: The process and tools to make sure an organization understands the technical skill gaps within its workforce, including an integrated plan to fill the gaps through policy, training, and awareness.
  • Secure Configurations for Network Devices such as Firewalls, Routers, and Switches: The processes and tools used to track/control/prevent/correct security weaknesses in the configurations of network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.
  • Limitation and Control of Network Ports, Protocols, and Services: The processes and tools used to track/control/prevent/correct use of ports, protocols, and services on networked devices.
  • Controlled Use of Administrative Privileges: The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
  • Boundary Defense: The processes and tools used to detect/prevent/correct the flow of information transferring between networks of different trust levels, with a focus on security-damaging data.
  • Maintenance, Monitoring, and Analysis of Audit Logs: The processes and tools used to detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization.
  • Controlled Access Based on the Need to Know: The processes and tools used to track/control/prevent/correct secure access to information according to the formal determination of which persons, computers, and applications have a need and right to access information based on an approved classification.
  • Account Monitoring and Control: The processes and tools used to track/control/prevent/correct the use of system and application accounts.
  • Data Loss Prevention: The processes and tools used to track/control/prevent/correct data transmission and storage, based on the data's content and associated classification.
  • Incident Response and Management: The process and tools to make sure an organization has a properly tested plan with appropriately trained resources for dealing with any adverse events or threats of adverse events.
  • Secure Network Engineering: The process and tools used to build, update, and validate a network infrastructure that can properly withstand attacks from advanced threats.
  • Penetration Tests and Red Team Exercises: The process and tools used to simulate attacks against a network to validate the overall security of an organization.

For reference, take a look at the following two Critical Security Controls evaluations for Splunk and LogRhythm to see how they address each control and how they compare.

More on SIEMs

Last Updated for Accuracy: July 27, 2020.