System Information Event Management (SIEM) technology is the backbone to any security operations, capable of meeting compliance needs as well as identifying and addressing cyber attacks with threat detection capabilities. It is intended to be a single pane of glass for all of your organizations assets logs for the purpose of security monitoring and auditing.
A SIEM’s primary use case is logging and log management, however, enterprises use their SIEM for other purposes. Other examples of their use are; compliance for regulations like HIPAA, PCI, SOX, and GDPR, data management, data storage & budgeting, and more.
SIEM Vendors
There are many vendors of SIEM technologies with each having their own advantages and disadvantages. Some of the more popular technologies on the market are Splunk, LogRhythm and QRadar with others emerging as fierce competitors in the market such as Microsoft’s Azure Sentinel.
The following is a list of some of the more well known SIEM vendors;
- Splunk
- LogRhythm
- IBM QRadar
- Azure Sentinel
- SolarWindows
- FortiSIEM
- FireEye Helix
- RSA NetWitness
- AT&T Cybersecurity AlienVault Unified Security Management
- Elastic (ELK) Stack
SIEM Capabilities
SIEMs have many capabilities, for example, Gartner identifies the top three critical capabilities for a SIEM as threat detection, investigation and time to respond, with other features as;
- Log Collection, Normalization, & Metadata Extraction
- Incident Response and Forensics Investigation
- Automated Threat Response
- Notifications, Reports, & Alerts
- Security Incident Monitoring & Detection
How SIEM Works
SIEMs usually work by installing a collector agent on an endpoint you wish to monitor that allows logs to forward to a syslog server or some data collector. The SIEM will then take that information, normalize, index, and store it in an archive, with some period for live log lookup retention, while compressing and archive older logs to save space.
Analysts and administrators than work to maintain the deployment by tuning use cases, adding/removing log sources, monitoring for operational and security incidents, and using the platform to conduct threat hunts and other activities.
Below are some examples of two popular SIEM technologies , LogRhythm and Splunk, with an illustration of their infrastructure.
SANS “Top 20” Critical Controls for Effective Cyber Defense
SIEMs play a large part in the security of organizations and must undergo strenuous evaluation of their security control mechanisms.
The CIS Critical Security Controls (CSC) are a time-proven, prioritized, “what works” list of 20 controls that can be used to minimize security risks to enterprise systems and the critical data they maintain.
Businesses can use these controls to measure the effectiveness of the SIEM solution. Below are the Top 20 controls and their description that should be considered by any organization wishing to pursue a SIEM technology.
| Control | Description |
| Inventory of Authorized and Unauthorized Devices | The processes and tools used to track/control/ prevent/correct network access by devices (computers, network components, printers, anything with IP addresses) based on an asset inventory of which devices are allowed to connect to the network. |
| Inventory of Authorized and Unauthorized Software | The processes and tools organizations use to track/control/prevent/correct installation and execution of software on computers based on an asset inventory of approved software. |
| Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | The processes and tools organizations use to track/control/prevent/correct security weaknesses in the configurations of the hardware and software of mobile devices, laptops, workstations, and servers based on a formal configuration management and change control process. |
| Continuous Vulnerability Assessment and Remediation | The processes and tools used to detect/ prevent/correct security vulnerabilities in the configurations of devices that are listed and approved in the asset inventory database |
| Malware Defenses | The processes and tools used to detect/prevent/correct installation and execution of malicious software on all devices. |
| Application Software Security | The processes and tools organizations use to detect/prevent/correct security weaknesses in the development and acquisition of software applications. |
| Wireless Device Control | The processes and tools used to track/control/ prevent/correct the security use of wireless local area networks (LANS), access points, and wireless client systems. |
| Data Recovery Capability | The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. |
| Security Skills Assessment and Appropriate Training to Fill Gaps | The process and tools to make sure an organization understands the technical skill gaps within its workforce, including an integrated plan to fill the gaps through policy, training, and awareness. |
| Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | The processes and tools used to track/control/ prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes. |
| Limitation and Control of Network Ports, Protocols, and Services | The processes and tools used to track/control/ prevent/correct use of ports, protocols, and services on networked devices. |
| Controlled Use of Administrative Privileges | The processes and tools used to track/control/ prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications. |
| Boundary Defense | The processes and tools used to detect/prevent/ correct the flow of information transferring networks of different trust levels with a focus on security-damaging data. |
| Maintenance, Monitoring, and Analysis of Audit Logs | The processes and tools used to detect/prevent/ correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization |
| Controlled Access Based on the Need to Know | The processes and tools used to track/control/ prevent/correct secure access to information according to the formal determination of which persons, computers, and applications have a need and right to access information based on an approved classification |
| Account Monitoring and Control | The processes and tools used to track/control/ prevent/correct the use of system and application accounts. |
| Data Loss Prevention | The processes and tools used to track/control/ prevent/correct data transmission and storage, based on the data’s content and associated classification. |
| Incident Response and Management | The process and tools to make sure an organization has a properly tested plan with appropriate trained resources for dealing with any adverse events or threats of adverse events |
| Secure Network Engineering | The process and tools used to build, update, and validate a network infrastructure that can properly withstand attacks from advanced threats. |
| Penetration Tests and Red Team Exercises | The process and tools used to simulate attacks against a network to validate the overall security of an organization |
For reference, take a look at the following two Critical Security Controls evaluations for Splunk and LogRhythm to see how they address each control and how they compare.
More on SIEMs
- Varonis: What is a SIEM?
- LogRhythm A Day In The Life of an Analyst
- @JayInfoSec LogRhythm Training YouTube Channel
- Splunk SIEM Solution
- Splunk for Security YouTube Channel
Last Updated for Accuracy: July 27, 2020.
Security Debriefing 