the winxnet blog

What is Security Information & Event Management (SIEM) And Why Do I Need It?

Posted on 2/25/2014 2:18:55 PM by Jason Lenardson
Category: Security & Compliance


Are you tasked with improving the security and compliance at your organization?  The learning curve can be daunting.  There is an alphabet soup of technologies out there and many pitfalls to avoid.

From a system maturity perspective, network security systems have been refined over successive generations with each new generation providing substantially better functionality.

Generation                                                                       | Tool Type
1st Generation (log management only)                                             | Security Information Management (SIM)
2nd Generation (real-time event management)                                      | Security Event Management (SEM)
3rd Generation (real-time log and event management)                              | Security Information & Event Management (SIEM)
4th Generation (3rd gen plus deeper event correlation and compliance reporting)  | Unified Security Management (USM) / Unified Threat Management (UTM)

Note that the term UTM is more commonly used for all-in-one network gateway appliances (firewall, IDS/IPS, anti-malware, web filtering) than for a successor to SIEM; the 4th-generation description above fits USM.

Early versions of security tools focused on Security Information Management (SIM). These tools gathered logs from servers, applications and network devices so that they could be stored, analyzed and reported on. This was labor intensive and backward-looking: useful for forensics and reporting after the fact, but of little help in catching an attack while it was in progress.

Next came Security Event Management (SEM), which introduced real-time alerting, notification workflow, and event correlation that took additional data sources into account, such as live network traffic.

Later tools combined the log management capabilities of SIM with the real-time alerting and event correlation of SEM. This created a new product category, Security Information & Event Management (SIEM, often pronounced “seam”). SIEM solutions provided much-needed insight into network activity that had previously gone unseen. However, they still left many holes in the field of vision of those responsible for network security. Frequently these holes included the following:

  • Network traffic analysis and inspection
  • Confirmation of appropriate security patch levels across the entire infrastructure
  • Wireless network security
  • Vulnerability scanning
  • Testing for weak passwords, known exploits and poorly performing anti-virus solutions
  • Compliance and audit reporting, which remained a time-consuming manual job

As a result, security experts had to rely on a disparate suite of tools to capture the missing information.

The next generation of security tools is referred to as Unified Security Management (USM). USM combines the core of SIEM with a modular set of controls (asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring) managed from one place. This provides a single consolidated view of all security events and allows much deeper correlation across events coming from different data sources. That improvement addresses one of the biggest nagging problems of SIEM: information overload, where the system produces more alerts than a human operator can reliably process. Correlating an event with context from other sources (for example, whether a burst of failed logins was actually followed by a success, or whether the targeted host is a critical asset) means more events are tracked with significantly fewer false positives. This translates into reduced staff time because the team is hunting down fewer non-issues.
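To make the correlation point concrete, here is a small added example (not code from the original post or from any SIEM product) that runs two rules over the same constructed log lines. The first is a SEM-style threshold rule on a single data source: it fires on any burst of failed logins. The second correlates the failures with a subsequent success from the same source against the same host and joins the result against a constructed asset inventory to set severity. The log format, IP addresses, hostnames, rule names and thresholds are all assumptions made up for illustration.

```python
"""Toy SIEM-style event correlation.

Added example for this post (not the blog's or any vendor's code). The log
format, IP addresses, hostnames, asset inventory and thresholds are all
constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Second data source: a constructed asset inventory keyed by IP address.
ASSETS = {
    "10.0.0.5": {"host": "web01", "criticality": "high"},
    "10.0.0.9": {"host": "dev03", "criticality": "low"},
}

# Constructed authentication events in an ad hoc key=value format.
# Three scenarios: a burst of failures then a success (likely compromise),
# a burst of failures with no success (probably noise), and two failures
# then a success (a user mistyping a password). One non-auth line is
# included to show that unparseable input is skipped rather than crashing.
SAMPLE_LOG = """\
2014-02-25T10:00:01 dst=10.0.0.5 src=203.0.113.7 user=admin result=FAIL
2014-02-25T10:00:02 dst=10.0.0.5 src=203.0.113.7 user=admin result=FAIL
2014-02-25T10:00:03 dst=10.0.0.5 src=203.0.113.7 user=admin result=FAIL
2014-02-25T10:00:10 dst=10.0.0.5 src=203.0.113.7 user=admin result=OK
2014-02-25T10:05:00 dst=10.0.0.9 src=198.51.100.4 user=root result=FAIL
2014-02-25T10:05:01 dst=10.0.0.9 src=198.51.100.4 user=root result=FAIL
2014-02-25T10:05:02 dst=10.0.0.9 src=198.51.100.4 user=root result=FAIL
2014-02-25T10:10:00 dst=10.0.0.5 src=192.0.2.33 user=jdoe result=FAIL
2014-02-25T10:10:01 dst=10.0.0.5 src=192.0.2.33 user=jdoe result=FAIL
2014-02-25T10:10:05 dst=10.0.0.5 src=192.0.2.33 user=jdoe result=OK
2014-02-25T10:11:00 kernel: eth0 link up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dst=(?P<dst>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>FAIL|OK)$"
)


def parse(text):
    """Normalize raw log lines into dicts; drop lines the pattern does not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real SIEM would count these; here we just skip them
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def _prune(queue, now, window):
    """Drop timestamps that fell out of the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def threshold_rule(events, n=3, window=timedelta(seconds=60)):
    """SEM-style rule on one source: n failures from one src to one dst within
    the window. Fires on every burst of failures, so it is noisy."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for e in events:
        if e["result"] != "FAIL":
            continue
        key = (e["src"], e["dst"])
        q = recent[key]
        q.append(e["ts"])
        _prune(q, e["ts"], window)
        if len(q) >= n and key not in fired:
            fired.add(key)
            alerts.append({"rule": "auth_failure_burst", "src": key[0],
                           "dst": key[1], "severity": "medium"})
    return alerts


def correlated_rule(events, n=3, window=timedelta(seconds=60)):
    """Correlated rule: n failures followed by a success from the same src to
    the same dst within the window, enriched from the asset inventory so the
    severity reflects what was hit rather than just that something happened."""
    alerts, recent = [], defaultdict(deque)
    for e in events:
        key = (e["src"], e["dst"])
        q = recent[key]
        _prune(q, e["ts"], window)
        if e["result"] == "FAIL":
            q.append(e["ts"])
        elif len(q) >= n:  # a success right after a burst of failures
            asset = ASSETS.get(e["dst"], {"host": "unknown", "criticality": "unknown"})
            alerts.append({
                "rule": "brute_force_success",
                "src": key[0], "dst": key[1], "user": e["user"],
                "host": asset["host"],
                "severity": "high" if asset["criticality"] == "high" else "medium",
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("threshold rule :", len(threshold_rule(evts)), "alert(s)")
    print("correlated rule:", len(correlated_rule(evts)), "alert(s)")
    for alert in correlated_rule(evts):
        print(alert)
```

On this input the threshold rule fires twice (once per burst of failures, including the one that never succeeded), while the correlated rule fires once, on the burst that ended in a successful login, and marks it high severity because the asset inventory lists the target as critical. The two-failure case never reaches the threshold under either rule. That is the whole argument for correlation in miniature: the same raw events, fewer alerts, and the one that remains is the one worth an analyst's time.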

The short answer to “Do I need a SIEM?” is yes. A properly managed 4th generation SIEM is one of the most cost-effective ways to detect a security breach early and limit its damage; it does not by itself prevent one. Additionally, if your business must comply with HIPAA, GLBA, or PCI, those frameworks expect security-relevant logs to be collected, retained and regularly reviewed, which in practice means having a SIEM in place. It is possible to build a manual or custom process that meets the requirements, but the labor involved will more than double the cost of investing in a SIEM. Ultimately, a good SIEM gives management clarity about the IT department’s process for system maintenance and security. More importantly, the latest generation of SIEMs can provide real-time notification of security issues, so your team can respond faster to newly published exploits or to actual system breaches.

When it comes to selecting a SIEM, the tendency is to do a little research and pick one that is highly rated. However, it isn’t just about the SIEM itself. I compare buying products like this with buying running shoes. Everyone knows that buying the best and most expensive pair of running shoes won’t turn you into a marathon runner. It requires commitment and real work. It’s similar for tools like SIEMs. Purchasing the best one does not guarantee you any more security. In fact, I have seen many instances where well respected SIEMs were providing almost no value because they were misconfigured or not managed at all after the initial installation. When it comes to SIEMs, the real value is in the expertise of the individual or group that configures and manages the tool. So I would recommend that you focus more on making sure you have the right team in place to configure and manage whatever SIEM technology you choose. There are three ways to do this: (1) bring in or identify an existing in-house SIEM expert; (2) hire a third-party expert to configure the system and train an existing in-house resource to manage it; (3) outsource it to a firm that specializes in Managed Security Services.