{"id":2002,"date":"2025-02-20T06:00:00","date_gmt":"2025-02-20T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2002"},"modified":"2025-02-20T06:00:00","modified_gmt":"2025-02-20T06:00:00","slug":"what-is-siem-improving-security-posture-through-event-log-data","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2002","title":{"rendered":"What is SIEM? Improving security posture through event log data"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<h2 class=\"wp-block-heading\">Introduction to SIEM<\/h2>\n<p>Security information and event management software (SIEM) products have been an enduring part of enterprise software ever since the category was created back in 2005 by a couple of Gartner analysts. It is an umbrella term that defines a way to manage the deluge of event log data to help monitor an enterprise\u2019s security posture and be an early warning of compromised or misbehaving applications.<\/p>\n<p>SIEM grew out of a culture of log management tools that have been around for decades, reworked to focus on security situations. Modern SIEM products combine on-premises and cloud log and access data with various API queries to help investigate security events and drive automated mitigation and incident response. \u201cCloud and on-premises are complementary directions here, because the cloud provides for effective scaling as data needs increase, and having an on-premises offering is useful, particularly for those enterprises who want to save money by managing the operational aspects of their deployments,\u201d Allie Mellen, an analyst with Forrester, tells CSO.<\/p>\n<p>The focus of SIEM products is to distill this vast quantity of telemetry to provide actionable and hopefully timely security insights. 
As the number of alerts increases, these products need to surface the more important events for SOC analysts to focus on. This means careful and meaningful use of automation, orchestration, and various security response techniques. This latter point is why you now find SIEM features being integrated into other security tools. \u201cGiven more interdependencies, IT buyers must be aware of how deploying a SIEM solution will impact their existing ecosystem of security products, the costs involved, and the analysts\u2019 experience,\u201d writes Gigaom\u2019s Andrew Green in a <a href=\"https:\/\/gigaom.com\/report\/gigaom-key-criteria-for-evaluating-security-information-and-event-management-siem-solutions\">2024 report<\/a>.<\/p>\n<p>Over the years since SIEM was first recognized as a product category, its purpose and features have expanded in scope. The key components can cover several of the following technologies:<\/p>\n<p>At its core, a SIEM is designed to parse and analyze various log files from firewalls, servers, routers and so forth. This means that SIEMs can become the central \u201cnerve center\u201d of a security operations center, driving other monitoring functions to resolve the various daily alerts.<\/p>\n<p>Added to this data are various threat intelligence feeds that can be used to correlate the log entries and identify a potentially compromised device. <a href=\"https:\/\/www.gartner.com\/doc\/reprints?id=1-2FFCXFP9&amp;ct=231025&amp;st=sb\">Gartner analysts state in their latest SIEM report<\/a> from May 2024 that any tool should have \u201cthe ability for end-users to self-develop, modify and maintain threat detection use cases utilizing correlation-, analytic- and signature-based methods.\u201d<\/p>\n<p>Many SIEMs also add the ability to do risk scoring and produce a series of recommended actions to take based on these scores.<\/p>\n<p>Some provide various orchestration and response functions, as well as ways to automate SOC tasks. 
\u201cWe see that most SIEM vendors have incorporated SOAR capabilities and are building those out to be more robust,\u201d Mellen says. This is typical as more security tools add automation features to make them easier to use and more productive. In some cases, this moves these products into the <a href=\"https:\/\/www.csoonline.com\/article\/3622920\/soar-buyers-guide-11-security-orchestration-automation-and-response-products-and-how-to-choose.html\">SOAR category<\/a>. \u201cMany of these standalone SOAR vendors in the market end up pivoting to new features and capabilities in other markets to build a more complete offering,\u201d she says.<\/p>\n<h2 class=\"wp-block-heading\">How SIEM works<\/h2>\n<p>A typical SIEM product follows three broad stages. First, it collects and aggregates data across a variety of network and application infrastructure and security sources. Over the years, SIEM products have widened their focus to collect data from both on-premises and cloud-based systems. Their distinguishing feature is how much data they can ingest and categorize at any given time. \u201cWith more and more digital infrastructure and services becoming mission-critical to every enterprise, SIEM tools must handle ever-higher volumes of data,\u201d writes Gigaom\u2019s Green. As an example of their increasing complexity, Kubernetes logs can come in various forms, including general audit logs, controller process logs, API requests and responses, and scheduling events \u2013 all of which can contain critical security intelligence. This means potential buyers of a SIEM should understand the depth of coverage of a potential product.<\/p>\n<p>Next, they analyze and report in near-real-time on what is happening across your enterprise, flagging any threats or detected anomalies. This drives the third stage, which guides responses and mitigations and recommends any compliance activities. 
Green and other analysts point out that as regulations proliferate, SIEM becomes essential, and in some cases its use is mandated by <a href=\"https:\/\/www.csoonline.com\/article\/570281\/csos-ultimate-guide-to-security-and-privacy-laws-regulations-and-compliance.html\">legal and regulatory compliance<\/a> processes.<\/p>\n<h2 class=\"wp-block-heading\">Key benefits and components of SIEM<\/h2>\n<p>SIEM products have several key benefits, matching their major component technologies.<\/p>\n<p>First, they enhance typical threat detection capabilities by having a broader view of what is going on across your enterprise. This could be supplied by combining their own <a href=\"https:\/\/www.csoonline.com\/article\/653990\/the-value-of-threat-intelligence-and-challenges-cisos-face-in-using-it-effectively.html\">threat intelligence<\/a> and integrating with several public or private threat feeds. Since they collect these disparate event sources and combine them with log analysis, they can provide a more comprehensive picture of the threat from initial compromise to eventual deployment. Typically, this is done with data dashboards and various visualization tools that let analysts view and act on the various alerts.<\/p>\n<p>Many SIEM products have begun to offer additional user and entity behavior analytics (UEBA) as part of their toolkit. This looks at patterns of operations by both users and endpoints to establish predictable baselines. For example, one baseline could be that a user periodically visits a particular website or downloads a certain file collection at a certain time of day. A change in these patterns could generate an alert for the SIEM to analyze and evaluate as a potential security threat.<\/p>\n<p>In addition, SIEMs help to improve compliance and reporting functions, providing better audit trails and assessments of these events. 
Finally, they can centralize security management by integrating with a variety of existing security systems, such as <a href=\"https:\/\/www.csoonline.com\/article\/3622920\/soar-buyers-guide-11-security-orchestration-automation-and-response-products-and-how-to-choose.html\">SOAR<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/653052\/how-to-pick-the-best-endpoint-detection-and-response-solution.html\">EDR<\/a>, and other automation tools. Some of the SIEM vendors are moving towards combining the SIEM and SOAR functions into a single offering, such as with Microsoft\u2019s Sentinel and Netwitness\u2019 Orchestrator. One alternative is when two vendors combine forces, such as <a href=\"https:\/\/www.recordedfuture.com\/blog\/recorded-future-for-google-security-operations\">Recorded Future\u2019s SOAR integrated into Google\u2019s Security Operations SOAR<\/a>. Other vendors such as Fortinet and Palo Alto Networks\u2019 Cortex are keeping the two tool collections as separate products. \u201cSOAR tools can start running independently of SIEM tools to strengthen an organization\u2019s security posture and automate non-security processes as well,\u201d says Gigaom\u2019s Green in his October 2024 report linked above.<\/p>\n<p>The trend towards better security integration is another big benefit of SIEM, because it can reduce tool sprawl. \u201cWith so many tools in play, maintaining comprehensive visibility across the network becomes challenging. This fragmented visibility can result in blind spots, where security incidents may go unnoticed or unaddressed,\u201d <a href=\"https:\/\/www.keepit.com\/blog\/tool-sprawl\/\">wrote Kim Larsen, the CISO of Keepit<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Challenges and limitations of SIEM<\/h2>\n<p>One of the biggest challenges of implementing a SIEM is connecting it up to your existing security tool collection. \u201cMany of the clients we talk to want a tool that is built into the workflows they use,\u201d Mellen says. 
This seems like common sense, but still isn\u2019t universal, because for a SIEM to be useful it must integrate with many different places. The challenge is also for the vendors to offer as many integrations as possible to suit particular circumstances.<\/p>\n<p>Several analysts cited another obstacle: finding skilled personnel who can operate a SIEM product and use its many features.<\/p>\n<p>Another challenge is that there is a huge cost factor in data collection, because the best SIEMs should be able to examine historical data patterns to draw their conclusions. Mellen mentions this in her <a href=\"https:\/\/www.forrester.com\/blogs\/if-youre-not-using-data-pipeline-management-dpm-for-security-and-it-you-need-to\/\">blog about data pipeline management<\/a>, where she says costs are a direct result of indexing more of this data, and indexing it better. Plus, she tells CSO that \u201cpipeline management is a natural fit into the SIEM, as it is the key to collecting, formatting, and routing of security data. Expect to see more of these integrations into future SIEM offerings.\u201d<\/p>\n<p>Finally, finding accurate pricing is always a challenge. One bright spot is <a href=\"https:\/\/www.logpoint.com\/en\/siem-pricing-calculator\/\">Logpoint\u2019s transparent pricing page<\/a>, which calculates the cost based on the quantity and features selected. Most vendors are more circumspect, or opaque, until you move further down the sales process before they quote a price.<\/p>\n<h2 class=\"wp-block-heading\">Future of SIEM<\/h2>\n<p>Even though SIEM products have been around for close to two decades, the category continues to embrace and extend its original purpose, thanks to adding UEBA support and other behavioral analytic methods, along with being able to tailor risks to improve correlation use cases and analysis. Most tools have beefed up their out-of-the-box correlation and alert rules, making them both more productive and easier to onboard and deploy. 
And as the world has evolved to embrace more remote and mobile user access, SIEM products have improved their support of these situations to provide better reporting and more in-depth intelligence geared towards these circumstances.<\/p>\n<p>SIEM tools have also kept pace with the move towards machine learning and artificial intelligence. Many have added models such as OpenAI\u2019s GPT-4 so that they can work with typed natural language commands or be used to generate queries to help search for threat modalities. But this raises concerns about their accuracy, about how the models are trained on private data, and about whether they will store privileged information in public clouds. The latest SIEMs also must keep pace with the latest complex multi-mode threats, just like other modern defensive tools.<\/p>\n<p>\u201cWhen evaluating solutions, it\u2019s important to decide whether you need just a SIEM or a unified tool for automating your security operations center,\u201d <a href=\"https:\/\/gigaom.com\/report\/cxo-decision-brief-navigating-the-siem-market-transition\/\">writes Howard Holton, the COO of Gigaom<\/a>. He suggests that analysts need to be able to differentiate SIEM from products that can be used to automate the daily SOC operations, and potential buyers should look at the ways a SIEM optimizes and integrates various data feeds and how it integrates with existing security tooling.<\/p>\n<h2 class=\"wp-block-heading\">Who are the leading SIEM vendors?<\/h2>\n<p>There are more than two dozen different SIEM vendors. Gartner\u2019s latest report lists Exabeam LogRhythm, IBM QRadar, Splunk, Microsoft Sentinel and Securonix Unified Defense as leaders. 
<a href=\"https:\/\/www.csoonline.com\/article\/566677\/12-top-siem-tools-rated-and-compared.html\">Our buyers\u2019 guide<\/a> covers several other vendors, including Datadog Cloud, Fortinet FortiSIEM, Logpoint and OpenText ArcSight Enterprise Security Manager.<\/p>\n<p>Here are some questions to help evaluate and compare SIEM solutions:<\/p>\n<p>Does the product offer more protection and automation features than using either an XDR or SOAR tool?<\/p>\n<p>How wide and agnostic is support and integration for multiple third-party security vendors? How is this data enriched and combined within the SIEM?<\/p>\n<p>How is your SIEM\u2019s workflow automation and orchestration enabled to make SOC analysts more productive?<\/p>\n<p>What LLMs and AI tools are used to enhance its features?<\/p>\n<p>Can the SIEM run in all three modes: public cloud, private cloud and on-premises?<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Introduction to SIEM Security information and event management software (SIEM) products have been an enduring part of enterprise software ever since the category was created back in 2005 by a couple of Gartner analysts. 
It is an umbrella term that defines a way to manage the deluge of event log data to help monitor an [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2003,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2002","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2002"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2002"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2002\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2003"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2002"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2002"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2002"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}