Welcome to Security Information and Event Management (SIEM). A search for “SIEM” may have brought you here, or your interest in Angkor Wat, located in the Siem Reap province of Cambodia. I’m going to assume the former, and hope I don’t lose you to Internet searches of the incredible Angkor Wat. Should you stay on the site, or if you’re back, thanks for visiting. We’re going to be discussing everything SIEM-related, from what it is, how to implement and manage it, use cases, to maximizing the return on investment the technology can provide your organization.
SIEM is a necessary tool for many organizations in today’s cyber security landscape. However, if not designed, implemented, and managed correctly, it can be a significant strain on your organization, and can even reduce your security posture. Many years after the advent of SIEM, many still misunderstand the technology and thus have difficulty managing it. There’s a reason I’ve heard some SIEM projects coined “the project from hell,” and not simply because a SIEM can take years to fully implement.
Before we dive into the details, here’s a thousand-foot view of SIEM:
1. Security Information and Event Management (SIEM) is a log collection and analytics technology that collects log data from your various systems (firewalls, servers, etc.), stores it, makes it available for searching and reporting, and can perform analytics on that data.
2. The three main drivers for SIEM are security analytics, a centralized log repository and search platform, and compliance. Your log data can provide tremendous visibility into what’s going on in your network, and a SIEM gives you that capability. In today’s cyber security world, organizations need a centralized repository of security data as well as infrastructure data, and a SIEM is an excellent tool to provide that. Finally, many compliance teams, especially at large organizations, mandate that a SIEM be implemented and actively managed to satisfy the previous two drivers.
3. If implemented and maintained properly, SIEM can add another valuable layer of security to your organization.
4. SIEM is not an IPS or advanced threat/malware detection tool, even though it has the capability to detect malware or threats in real time.
5. While SIEM provides security analytics capabilities, its ability to detect active threats/attacks in your environment is very limited. Its capabilities are mapped to the types of data you put into it (garbage in, garbage out).
6. SIEM can give you excellent visibility into what goes on in your network, mapped to the data sources integrated.
7. SIEM should not be used as a long-term security control where more effective controls exist. Instead of spending time and resources developing use cases to monitor a gap, focus your efforts on remediating the gap at the source. If employees can access anything on the Internet, consider blocking access to particular sources instead of monitoring when employees visit them and then determining whether anything suspicious was downloaded. If employees can insert a USB key without any restrictions, consider updating your USB policy to restrict usage, so that it is not possible to execute malicious files from a USB key an employee found on the floor and plugged into his or her laptop.
8. SIEM is very valuable, but its value is very limited (just like all your other security products).
9. SIEM is more difficult to manage than most of your other security products.
10. SIEM requires extensive customization and manual effort to maintain.
11. SIEM environments can be expensive, and it’s very easy to poorly invest in a SIEM.
The SIEM section of the site is organized into the following categories. Within each section you’ll find a series of related articles. If you’re new to SIEM, the Overview section is a good place to start for an introduction to log data and SIEM.