What is SIEM? How to choose the right one for your business

Security information and event management (SIEM) software uses log and event data to help track and identify breaches. Parsing event logs and monitoring security events isn’t the sexiest job in the information security world but in an industry increasingly driven by automation and AI, deep contextual data is a foundational component in a modern security stack.

A well-deployed SIEM system not only captures system events into a single searchable system, but adds value by categorizing, prioritizing, and correlating events to streamline the analysis process and float critical events to the top for instantaneous visibility and response. This visibility can be further enhanced in a mature SIEM into automatic alerts sent to response teams or even automated actions to be taken as an initial response.

How does SIEM work?

Most modern computing systems (network devices, operating systems, applications, containers, cloud services, etc.) feature event logs that contain information with varying levels of criticality. These event logs are useful for monitoring security, application performance, or even just troubleshooting a misbehaving system.

These event logs and other system data need to be exported from systems into the SIEM platform. This can be achieved by SIEM agents — programs running on various systems that analyze and export the data into the SIEM; alternately many SIEM systems offer plugins to enable direct integration with common solutions or standards-based methods to gather these logs.

Which option you take will depend on your network topography and bandwidth capabilities, as well as the types of systems you need to get logs from. The amount of data transmitted and processing power necessary at the end points can degrade the performance of your systems or network if you don’t implement things carefully; SIEM agents at the edge can relieve some of that burden by automatically parsing out some data before even sending it over the network. At any rate, you’ll want to ensure that your entire infrastructure is instrumented for SIEM, both on-prem and in the cloud.

Obviously, the amount of data generated by this SIEM instrumentation is huge, more than your staff could possibly parse through. The primary value delivered by SIEM suites is that they apply data analysis to make sure that only useful information gets delivered to your security operations center. These platforms use correlation engines to attempt to connect disparate log entries or other signals that don’t seem worrisome on their own but taken together can spell trouble. These engines, combined with the specific artificial intelligence and machine learning techniques used to sniff out attacks, are what various SIEM vendors use to differentiate their offerings from one another.

SIEM tools also draw information from threat intelligence feeds — updated feeds of data about new forms of malware and the latest advanced persistent threats. These threat intelligence feeds can enable the SIEM to identify known patterns that indicate malicious behavior. Some of these feeds are maintained by the SIEM vendors, but others are open source or internally maintained by security teams at large organizations, and some SIEM platforms allow you to use your favorites. Other customization options include the ability to tightly integrate your SIEM platform with specific security tools.

Many businesses initially embraced SIEM for its ability to aid regulatory compliance; that’s still an important role for these tools, and many platforms have built-in capabilities that are focused on ensuring and documenting your compliance with various laws and standards. And finally, some SIEM platforms also incorporate SOAR capabilities, which can partially or fully automate responses to the threats they detect.