Security information and event management (SIEM) solutions provide organizations centralized visibility into their IT and even sometimes OT environments. At a high level, a SIEM turns data into actionable insights by:

• Ingesting a vast amount of event data from across the enterprise, including on-premise and cloud-based environments;
• Applying real-time analytics to aggregate related security events into prioritized alerts; and
• Escalating alerts to a security orchestration, automation, and response (SOAR) solution to trigger incident response playbooks.

SIEMs help security operations center (SOC) analysts achieve four critical objectives: (1) gain visibility into their environments, (2) detect threats, (3) investigate abnormal activity and (4) escalate alerts for a swift response to SOAR tools.

An undetected lingering threat is a CISO’s worst nightmare. The SIEM provides teams visibility to detect threats in their organization’s environments. Without the ability for threat detection, a SOC team has no hope of responding to incidents.

If you asked a handful of security professionals for their definition of a SIEM, you’d get a handful of unique and interesting takes on the market definition. Here, I’ll offer one more to consider.

What value does a SIEM drive for businesses?

When it comes to minimizing the impact of a security incident, time is of the essence. It can take an average of 207 days to identify and 73 days to contain a breach, according to the Cost of a Data Breach Report 2020. The research shows containing a breach in less than 200 days saved $1 million on average compared to those who took more than 200 days.

All of that to say, the faster a threat is identified, the better, and that is where a SIEM comes into play. A SIEM can reduce the time to identify, investigate and respond to security-related incidents, and mitigate the business impact of a data breach. A SIEM helps organizations maximize their investment in people and amplify their team’s reach. A SIEM can also drive significant reduction in risk through alignment with regulatory compliance mandates such as GDPR, PCI, SOX and HIPAA.

How has SIEM technology evolved over time?

The evolution of the SIEM is actually quite interesting. Let’s take a look at the highlights before jumping to the present and future of SIEM. At the very beginning, security teams were just reading log data and then simply collecting logs. When that type of log management was no longer sufficient, security information management (SIM), a first-generation technology that allowed for basic searching, was born. Security event management (SEM) was the second iteration of the product, which aggregated and correlated events from multiple security systems.

Finally in 2005, Gartner analysts Amrit T. Williams and Mark Nicolett coined the term that we know today, “SIEM,” in their report on improving vulnerability management. This third evolution was catalyzed by the need for organizations comply with regulations and detect more advanced threats. Williams and Nicolett defined SIEM as technology that “provides real-time event management and historical analysis of security data from a wide set of heterogeneous sources.”

Since the inception of SIEM in 2005, the adoption of cloud, an ever-evolving threat landscape and other factors have continued to trigger innovation and evolution in the SIEM market. A solution that once was meant to defend against solo hackers and basic malware via log collection has evolved to detect advanced persistent threats from nation-state attacks and bad actors.

The evolution of the SIEM market continues to make my job very interesting! A few of the most significant innovations have included integrations with threat intelligence feeds, user behavior analytics (my personal favorite) and the addition of AI and machine learning. As SIEMs evolved so did their criticality to efficient incident response plans. Through seamless integrations, SIEMs now provide SOAR platforms with the data to both launch investigations and assist with them. Later, I’ll dive a little bit deeper into how this works today.

How does a SIEM work today?

Here’s a closer look at the security information and event management functionality that helps SOCs achieve their four objectives: visibility, detection, investigation and escalation to response platforms.

Visibility

SIEMs can correlate data from across an organization’s entire attack surface, from user, endpoint and network data to firewall logs to antivirus events. Whether on-premise or in the cloud, they provide a view into this data in a single pane of glass. For context: on average, organizations deploy more than 45 security solutions and use 19 different tools when responding to a cybersecurity incident. The consolidated view provided by a SIEM can help reduce the tool complexity that SOC teams are up against.

As more organizations transition their infrastructure to the cloud and leverage more and more cloud-native services, attackers are shifting their focus and investment there as well. In my experience, organizations that have hybrid-multi-cloud environments (and many do) have a much stronger security posture when they are able to cross-correlate data in their SIEM from across all platforms.

SIEMs can play a key role in detecting network anomalies. As Jon Oltsik of ESG explains in SIEM and NDR: Better Together, the combination of SIEM and NDR helps security teams improve threat detection and response by gathering suspicious network and system level data into comprehensive security alerts.

Threat detection

Once teams have their data in one place, it becomes easier for them to detect malicious activity and abnormal patterns.

SIEMs can be used to detect unknown threats and high profile exploits such as those targeting SolarWinds Orion or Microsoft Exchange. Attackers have become more sophisticated in their techniques. A SIEM can arm SOC teams with the ability to detect slight changes in network, user or system behavior. Such changes may be indicative of malicious insiders, compromised credentials or advanced persistent threats (APTs).

Investigation

Once a threat is detected, SIEMs can leverage automated investigations and data enrichment for further investigation. These functions help reduce the manual tasks performed by analysts, who can then spend their time on valuable activities including threat hunting and incident response. In one example, an organization cut investigation from three hours to three minutes with the help of AI to identify false positives. Especially with the skills shortage predicted to reach 3.5 million open cybersecurity positions in 2021, efficient threat investigation is critical.

Response

When a SIEM detects a potential threat, it delivers that event data in real-time to the SOC team for further investigation. Alerts, suspicious events or incidents discovered by the SIEM can trigger investigations manually or via automation. Often times response teams leverage data from SIEMs to investigate incidents as part of processes defined within a SOAR tool’s playbooks.

Teams can shift their security posture from reactive to proactive. Standardizing detection and response execution with playbooks and guided workflows helps teams build a repeatable incident response program.

What kinds of cybersecurity threats can a SIEM detect?

The possibilities are endless. Organizations can put security monitoring in place for threats that span the entirety of the MITRE ATT&CK Chain. There are many, many more, but today I’ll drill down on ransomware, nation state APTs, insider threats and phishing use cases.

Ransomware

Ransomware surged to be the top threat type in 2020, comprising 23% of the incidents studied in the latest X-Force Threat Intelligence Index. Bad actors like Sodinokibi are profiting in the millions by combining ransomware with extortion. High profile targets for ransomware include industries with low tolerance for downtime, like the manufacturing and energy sectors.

A SIEM leverages analytics to identify potential ransomware incidents. This can include connection to malicious internet addresses, monitoring for anomalies in file access and unusual lateral communications.

APTs

APTs are attacks typically perpetrated by highly capable, well-equipped threat actors, often with specific targeted actions. These attackers tend to operate “low and slow,” causing the threats to be less obvious and harder to detect. SIEMs can leverage anomaly detection to tools to detect these APTs.

Further, SIEMs can leverage integrations with real-time threat intelligence feeds to ensure that SOC teams focus on critical events and have knowledge of the most up to date indicators of compromise (IoCs) before an advanced attack spreads.

Insider threats

Insider threats occur when users use legitimate access to company assets to cause harm to the business, either maliciously or unintentionally.

Understanding your users, their activity and their patterns is key. Any abnormalities in these areas can indicate a security incident. Going back to my comments on visibility, SIEMs can aggregate data from each user from many sources and use that data to create a baseline profile of a particular user. A user behaving differently from their previous behavior or from their peer group, can cause a SIEM to assign a risk to this user and flag the suspicious activity for further investigation. Oftentimes machine learning is leveraged for user analytics.

Phishing

In 2020, phishing was the second most prevalent initial access vector identified by IBM Security X-Force. While many organizations encourage their users to stay vigilant, a typical attack might deliver correspondence to a victim that looks authentic, enticing them to click on a malicious attachment or link. A SIEM can help teams detect important indicators of phishing such as suspicious email subject lines, potential data leakages, abnormal behavior from inbound and outbound emails and communication with known hostile hosts. In addition, SIEMs can leverage integrations with Endpoint Security tools to detect suspicious behavior on the endpoint which can be a symptom of a phishing attack.

How to choose a SIEM solution?

What factors can buyers consider when evaluating security information and event management solutions? Beyond the core functions of a SIEM I recommend keeping in mind how the solution will scale with your business, its ease of integration and how quick the time-to-value measures up.

Buyers can ask themselves:

• Does the solution provide out-of-the-box security content and use cases? SIEMs that offer out-of-the-box use cases and detections in addition to the ability to customize allow organizations to immediately realize value from their investment. Finding a solution that doesn’t require knowledge of multiple query languages can help with staffing the implementation.
• Does the solution support compliance regulations worldwide? Support for regulations like GDPR, PCI, SOX and HIPAA can help organizations meet breach disclosure requirements within the timeframes required by law. Some SIEMs offer pre-built reports and rule templates to help organizations address industry compliance requirements.
• Does the solution offer flexible deployment options? Is the solution delivered on cloud? On-Prem? Both? The Forrester Wave for Security Analytics Platforms, Q4 2020 states, “As enterprises have moved their own workloads to the cloud to take advantage of its scale, flexibility, and availability, security vendors have finally started to follow suit with cloud-based delivery of their security analytics solutions” and I agree! However, every organization has unique needs and it’s important to choose an option than can meet them.
• Does the solution align to industry frameworks? If your team uses industry frameworks like MITRE ATT&CK, make sure they are part of the tool.

What’s next for SIEM tools?

The core intelligence provided to users by their SIEMs is here to stay. SIEMs will have the interesting challenges of needing to be simple to use while being flexible enough to adapt to the latest threats and evolving infrastructure needs. As infrastructure and tooling changes within organizations, integrations and content will also need to evolve. In order to stay relevant, SIEM vendors will have to easily integrate with other technologies, even their competitors.

While SIEMs have been traditionally focused on detection, moving forward the traditional SIEM workflow will need to be expanded to more tightly align incident detection with response.

While SIEMs are incredibly valuable to SOC teams, they also rely on other tools such as their EDR and NDR tools. In a continued effort to minimize complexity the industry is now shifting towards uniting these tools, like SIEM, EDR and NDR, into extended detection and response (XDR).

I think about XDR as extending visibility across an organization’s networks, endpoints and security events. This is very similar to the way I think about SIEM. For that reason, I think we’ll likely see SIEM tools and XDR tools working more and closely together within some organizations and even combined by some vendors and consumed that way by organizations.

SIEM has a long and rich history of providing value and driving busines outcomes and XDR is the new and emerging technology. The two together will have an exciting impact for our industry on the way we combat threats.

Learn more about IBM Security QRadar SIEM.