i Security information and event management(SIEM) part one – All things in moderation

Security information and event management(SIEM) part one

SIEM Overview

SIEM (security information and event management) software products and services combine security information management(SIM) and security event management(SEM). The provide real-time analysis of security alerts generated by applications and network hardware.

Keys of SIEM
* A “SIEM” is defined as a group of complex technologies that together provide a bird’s-eye view into an infrastructure.
* It provides centralized security event management.
* It provides correclation and normalization for context and alerting.
* It provides reporting on all ingested data.
* It can take in data from virtually any vendor or in-housre applications.

A key focus is to monitor and help manage user and service privileges, directory services and other system-configuration changes; as well as providing log auditing and review and incident response.

SIEM typical architecture

At its core, a SIEM provides:

  • Data aggergation: Log management aggregates data from many sources, including network, security, server, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.

  • Correlation: looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correction techniques to integrate difference sources, in order to turn data into usefull information. Correction is typically a function of the Security Event Management portion of a full SIEM solution.

  • Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues. Alerting can be to a dashboard, or sent via third party channel such as email.

  • Dashboards: Tools can take event data and turn it inot informational chart to assist in seeing patterns, or identifying activity that is not forming a standard pattern.

  • Compliance: Application can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.

  • Retention: employing long-term storage of historical data to faciliate correction of data over time, and to provide the retention necessary for compliance requirements. Long term log data retention is critical in forensic investigations as it is unlikely that discovery of a network breach will be at the time of breach occuring.

  • Forensic analysis: The ability to search across logs on different nodes and time periods based on specific cirteria. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs.

The SIEM will gather logs and events form a heterogeneous collection of data source which can be grouped into four categories:

  1. Network devices(routers, switches, etc).
  2. Security devices(IDP/IPS, firewall, etc).
  3. Server(Web, maill, etc).
  4. Applications

For each device, a collector will be used to gather and normalize its information before forwarding the logs to the central engine – the heart of the SIEM where correlations and analyses take place. Finally, the logs will be stored in a database for a certain amount of time depending on the organization’s retention policy. The typical architecture describled above can be depicted as follows:

Depending on the SIEM vendor, the term “collector” can be changed to “agent” or “connector.” Some vendors also offer “smart connectors” which automatically detect the type of device they are connected to, simply by recognizing the logs they receive. To remain as generic as possible, we will keep the term “collector.”


  • Deploying a SIEM solution can be quite complex and expensive: the price of appliances, the time for configuration and turning, and the expertise required for daily use/maintenance can discourage customers.
    After purchase and deployment, the recurrent question is “now what do we do?” and enterprises tend to answer by using a “monitor-and-respond strategy” By using the SIEM in a signature-based defense approach, the security team (or the security operation center [SOC] team) will monitor activities and regularly update the security devices with signatures of known threats.

Upon detection, the team will investigate the alert, escalate it to the Incident Response(IR) team for remediation if they cannot resolve the issue directly themselves and finally report to the board. This overall process can take quite some time, and “time is money”, especially when it comes to security.

This artilce is answer for question “What is SIEM?”, hope you guys get what you needs.

Tags: ,

Leave a Reply