An Introduction to SIEM – Security Information & Event Management

Logs are generated by many devices in an organization. Even a single branch has enough devices (routers, firewalls, IDS sensors, servers and so on) to produce a large volume of logs that must be watched continuously for unauthorized access, indications of network threats and similar events. Occasionally it is also necessary to work out what a particular user did at a particular date and time (forensics) by searching through all of those logs. Now imagine a hundred branches across multiple locations! That is why enterprises ought to know about SIEM – Security Information and Event Management.

What is SIEM?

SIEM stands for Security Information and Event Management.

A SIEM solution enables security and network administrators to collect log data (of all events) from a wide variety of network devices across the whole network, mainly in order to identify and report on security threats and suspicious behaviour. SIEM solutions also facilitate forensic investigation (who did what, where and when, and perhaps even why!) and manage the collection, storage and archival of all log data generated by multiple network devices over a long period of time.

What is the use of merely collecting and storing logs? Logs from many different devices arrive in many different formats, so they need to be brought into a common, easy to understand format (normalization) that can be represented as graphs, charts, ordered listings and so on. This saves the time and effort that would otherwise be needed to sort through and understand thousands (or many more) of raw events. SIEM solutions provide GUI (Graphical User Interface) dashboards with pre-built report formats for exactly this purpose, including reports tailored to compliance regulations such as HIPAA and HITECH.

By now it should be clear that SIEM solutions do not mitigate network threats by themselves. They help administrators identify threats in a timely manner by correlating data from multiple devices and matching it against known anomaly patterns, across hundreds or thousands of devices in near real time, so that appropriate action can be taken before further damage is done.

Some Useful Events that can be tracked by SIEM (Security Information and Event Management) Solutions:

  • Administrator and user activity can be tracked (with date and time), and any violations of predefined policies can be reported to the super-administrator.
  • SIEM solutions can display all file access events, especially those in confidential folders (containing credit card information, etc.).
  • All access attempts denied because of access control restrictions can be extracted per user, per time period, etc.
  • The log files themselves are monitored, and changes to them are promptly reported.
  • They can monitor all the logs generated by network security equipment such as firewalls, IDS/IPS and UTM appliances, as well as the logs of network gateway devices such as routers, and correlate all of them so that the administrator gets a bigger picture of network activity and can spot anomalous behaviour.
  • They can monitor wired network devices (such as switches) and wireless network devices (such as wireless controllers), so that unauthorized access to the network can be identified and ad-hoc changes to policies or access rights can be flagged.
  • SIEM solutions can report whether anti-virus and operating system software are at current versions with the latest patches applied, and whether they are generating the logs needed for audit purposes. (The SIEM reports this from the logs it receives; applying the patches is still a separate task.)
  • Even AAA systems (Authentication, Authorization and Accounting systems such as RADIUS or Active Directory), web-based applications and databases (SQL Server, Oracle, etc.) can be tracked, with all activity in these systems stored in the form of logs.
  • SIEM solutions can monitor suspicious user activity (multiple failed logons followed by a success, access to systems the user is not entitled to).
  • SIEM solutions can detect critical system errors and continuously monitor the health of critical equipment such as servers and routers, in order to report outages when they occur.
  • Configuration changes across a set of network devices over a particular period of time (for example) can be accurately reported in a common format, along with visual aids such as graphs.
  • SIEM can be used effectively for server access monitoring, to find out whether there have been any unauthorized access or hacking attempts. Even for internal users, SIEM reports can help identify who accessed what and when on a particular server or application.
  • SIEM solutions can analyze which systems in the internal network have been infected by malware and are spreading it to other systems, using correlation techniques that look for the same event patterns across multiple systems.
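The two things the text keeps coming back to, normalizing logs from different devices into one format and then correlating them (multiple failed logons followed by a success, enriched with what the firewall saw from the same source), are easy to show in a few dozen lines. The following is an added example written for this article, not code from the original page or from any SIEM product. The log lines, hostnames, usernames and IP addresses are constructed for illustration, and the threshold of five failures within a two-minute window is an assumed rule, not a vendor default. It also shows the forensic query from the list above ("who did what and when") over the same normalized events.

```python
"""Minimal SIEM-style normalization and correlation over constructed log lines.

Added example for illustration only: the formats, hosts, users, addresses and the
brute-force threshold/window are assumptions, not taken from any real product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from two sources: an auth server (SSH-style) and a firewall.
RAW_LOGS = """\
2024-03-01T09:00:01 authsrv sshd: Failed password for alice from 203.0.113.7 port 51001
2024-03-01T09:00:03 authsrv sshd: Failed password for alice from 203.0.113.7 port 51002
2024-03-01T09:00:05 authsrv sshd: Failed password for alice from 203.0.113.7 port 51003
2024-03-01T09:00:07 authsrv sshd: Failed password for alice from 203.0.113.7 port 51004
2024-03-01T09:00:09 authsrv sshd: Failed password for alice from 203.0.113.7 port 51005
2024-03-01T09:00:12 authsrv sshd: Accepted password for alice from 203.0.113.7 port 51006
2024-03-01T09:00:13 fw01 kernel: ACCEPT src=203.0.113.7 dst=10.0.0.5 proto=TCP dpt=22
2024-03-01T09:05:00 authsrv sshd: Failed password for bob from 198.51.100.9 port 40001
2024-03-01T09:05:30 authsrv sshd: Accepted password for bob from 198.51.100.9 port 40002
2024-03-01T09:30:00 fw01 kernel: DROP src=192.0.2.44 dst=10.0.0.5 proto=TCP dpt=3389
"""

# One parser per source format; both map onto the same common event schema.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) proto=\S+ dpt=(?P<dpt>\d+)$")


def normalize(line):
    """Map one raw log line to a common event dict, or None if the format is unknown."""
    m = AUTH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "source": "auth",
                "user": m["user"], "src_ip": m["src"],
                "outcome": "success" if m["result"] == "Accepted" else "failure"}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "source": "firewall",
                "user": None, "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dpt"]),
                "outcome": "allow" if m["action"] == "ACCEPT" else "deny"}
    return None


def parse_logs(text):
    """Normalize every recognised line and order the events by timestamp."""
    events = [normalize(line) for line in text.splitlines() if line.strip()]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """Correlation rule (assumed values): at least `threshold` failures for the same
    (user, source IP) inside `window`, followed by a success from that pair.
    Each alert is enriched with how many firewall events the same source produced
    around the time of the successful login."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["source"] != "auth":
            continue
        key = (e["user"], e["src_ip"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
            # keep only failures that are still inside the sliding window
            failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
        else:
            if len(failures[key]) >= threshold:
                fw_hits = [f for f in events if f["source"] == "firewall"
                           and f["src_ip"] == e["src_ip"] and abs(f["ts"] - e["ts"]) <= window]
                alerts.append({"user": e["user"], "src_ip": e["src_ip"],
                               "failures": len(failures[key]), "success_at": e["ts"],
                               "firewall_hits": len(fw_hits)})
            failures[key] = []  # a success closes the sequence either way
    return alerts


def user_activity(events, user):
    """Forensic query over the normalized events: what one user did, in order."""
    return [(e["ts"].isoformat(), e["host"], e["outcome"], e["src_ip"])
            for e in events if e["user"] == user]


if __name__ == "__main__":
    evs = parse_logs(RAW_LOGS)
    for alert in detect_bruteforce_then_success(evs):
        print("ALERT:", alert)
    for row in user_activity(evs, "alice"):
        print(row)
```

On the constructed input, only alice triggers the rule (five failures then a success, with one matching firewall ACCEPT a second later); bob's single failure followed by a success stays below the threshold and produces no alert, which is the false-positive reduction the article describes. A real SIEM applies the same idea at scale, with many more parsers and rules and with the events kept in a searchable store.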

Advantages of SIEM – Security Information and Event Management Solutions:

  • SIEM solutions help identify network threats in near real time by capturing and analyzing logs from thousands of devices in multiple branches.
  • SIEM solutions enable quick forensics, as they can store and retrieve the log data from any device for the whole retention period.
  • SIEM solutions provide a GUI-based dashboard with a uniform reporting format for logs and events from multiple devices.
  • SIEM solutions can correlate events from logs generated by multiple network devices and raise alerts only for correlated, high-priority events rather than for every individual log line, reducing the number of false positives and saving administrators a lot of time.
  • SIEM solutions enable administrators to study the root causes of errors and security breaches by looking into the log information and reports. Users can identify what exactly caused an error (a configuration change, for example) and which systems are vulnerable.
  • SIEM solutions generally come with ready-made reports and report formats for various security compliance regulations such as HIPAA and ISO 27001, so that security administrators can focus on more important network security enhancement activities.
  • SIEM solutions can produce reports such as the top 'n' users of specific applications and the bandwidth consumption of each device on the network.

SIEM solutions generally consist of a central appliance or software at the head office (to which all the logs from the various devices are finally sent for analysis), with additional software agents (on or near the network devices that need to be monitored) or hardware collector appliances gathering the logs from network devices in the various branches and locations. SIEM is also sometimes offered as a managed security service, where all the logs are collected and monitored remotely (on the service provider's premises) and ready-made reports are made available to the customer according to their requirements.

excITingIP.com
