A safety, incident and occasion administration system collects, centralizes and analyzes knowledge from throughout the IT surroundings to uncover cybersecurity and operational issues.
As with so many previously distinct and well-defined cybersecurity methods, “SIEM” is now as usually a set of options as it’s a separate services or products. Within the present period of class drift and device convergence, an prolonged detection and response (XDR) platform may embody SIEM options, a SIEM providing may embody person and entity conduct analytics (UEBA) and so forth. Â
Whether or not in a standalone product or as a part of a broader providing, enterprises proceed to depend on SIEM performance. High SIEM use instances span cybersecurity and IT ops and embody log administration, assault detection, occasion detection, occasion forensics and cybersecurity posture administration.
1. Log administration
That is job No. 1 for a SIEM. Along with serving because the vacation spot for logs from core safety methods equivalent to firewalls and intrusion detection and safety methods, SIEMs additionally combination and normalize streams from extra far-flung knowledge sources, equivalent to endpoint detection and response and XDR methods. A centralized repository for safety occasion log knowledge is helpful for monitoring, evaluation and compliance functions.
SIEMs collect operational logging knowledge — e.g. efficiency knowledge on a router’s interfaces — in addition to cybersecurity logs, so they’re helpful to the NOC and IT ops employees in addition to to the SOC.
2. Assault detection
Whereas SIEMs can do rather a lot to detect assaults on their very own, they profit from integration with UEBA methods. UEBAs are particularly constructed to use superior behavioral analytics to the sorts of real-time exercise knowledge {that a} SIEM gives.
Notice {that a} SIEM usually doesn’t coordinate the response to an assault. That accountability historically falls to a safety orchestration, automation and response system, which may additionally combine with the SIEM.
3. Occasion detection
Not all occasions are assaults. Gear failures and efficiency issues can result in occasions that present up in logs, and a SIEM can alert IT ops employees and the community operations (NOC) group when such points happen. For instance, when a router stops reporting regular site visitors from a department workplace, the SIEM may alert the NOC to the issue.
4. Forensics and root trigger evaluation
SIEMs are repositories of big volumes of information related to assaults — whether or not profitable or averted — and supply search and filter options to assist investigators tease out related data and patterns. Equally, IT ops groups looking for root causes of issues in WANs, campus networks or knowledge facilities can profit from these capabilities.
5. Cybersecurity posture administration — i.e., breach prevention
SIEM presents a view not simply into efficiency and alert knowledge but additionally system configurations, making it helpful in monitoring for coverage deviations and supporting cybersecurity posture administration. SIEMs can see and report when operating configurations differ from documented ones, whether or not due to an insider assault or regular configuration drift from ad-hoc adjustments made in the midst of downside fixing.
 John Burke is CTO and a analysis analyst at Nemertes Analysis. Burke joined Nemertes in 2005 with practically 20 years of expertise expertise. He has labored in any respect ranges of IT, together with as an end-user assist specialist, programmer, system administrator, database specialist, community administrator, community architect and methods architect.
