SIEM: What is it?
To help businesses stay one step ahead of cyber attacks and general incidents, and to keep them informed by means of alerts, adoption of Security Information and Event Management (SIEM) systems is increasing year on year. SIEM products give businesses real-time monitoring and analysis of the monitored devices within the business. Devices such as desktops, laptops, switches, routers and firewalls can all be configured to send their data to the SIEM.
Audit log data sent to the SIEM can include, but is not limited to, IP addresses, event types, memory and process information, and ports; this data is then processed and tagged to identify any issues.
Using a SIEM in your day-to-day operations helps operations teams identify problems as soon as possible, allowing them to intervene quickly and either fix or cut off issues before they impact the business.
How does it work?
SIEM products make use of audit and event logs (see here for more information about audit logging); the more information you send to the SIEM, the more comprehensive your analysis can be.
The SIEM works by ingesting logs continuously from multiple sources. It then examines the type of each log and collates the information according to specific rules, for example successful and failed logins, service failures and more. If any of these log messages trip a threshold check, an alert is raised and the appropriate parties are notified.
An example of this is making sure someone isn't trying to brute force your server or web application: if you receive hundreds of failed logins over a 5 or 10 minute period, you know this is (or is highly likely to be) a brute force attack. This trips a rule within the SIEM, which in turn executes a notification rule.
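The failed-login threshold rule described above, written out as an added example (not code from the original article or from any SIEM product): it runs over a handful of constructed sshd-style log lines, keeps a sliding window of failures per source address, and raises one alert when the threshold is crossed rather than one per event. The log format, threshold and window are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (sshd-style); not from any real system.
SAMPLE_LOG = """\
2024-01-15T10:00:01 sshd[101]: Failed password for root from 203.0.113.5 port 50122 ssh2
2024-01-15T10:00:09 sshd[102]: Failed password for admin from 203.0.113.5 port 50123 ssh2
2024-01-15T10:00:15 sshd[103]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
2024-01-15T10:00:20 sshd[104]: Failed password for root from 203.0.113.5 port 50124 ssh2
2024-01-15T10:00:31 sshd[105]: Failed password for test from 203.0.113.5 port 50125 ssh2
2024-01-15T10:00:44 sshd[106]: Failed password for bob from 198.51.100.7 port 41000 ssh2
2024-01-15T10:00:58 sshd[107]: Failed password for root from 203.0.113.5 port 50126 ssh2
2024-01-15T10:01:10 sshd[108]: Failed password for oracle from 203.0.113.5 port 50127 ssh2
2024-01-15T10:09:00 sshd[109]: Failed password for bob from 198.51.100.7 port 41001 ssh2
"""

# Pattern for the sample lines above (assumed format for this example).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"
)

def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (source, count, time) alerts for sources with >= threshold
    failed logins inside a sliding window. An alert fires once when the
    threshold is crossed and is re-armed only after activity drops below it,
    so a sustained attack yields one notification instead of hundreds."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    alerted = set()               # sources currently in the alerted state
    alerts = []
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue              # not a failed login; irrelevant to this rule
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # evict failures older than the window
        if len(q) < threshold:
            alerted.discard(src)  # below threshold again: re-arm the rule
        elif src not in alerted:
            alerted.add(src)
            alerts.append((src, len(q), ts))
    return alerts

if __name__ == "__main__":
    for src, count, ts in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ts.isoformat()} {src}: {count} failed logins in window")
```

Note that 198.51.100.7 never alerts: its two failures are more than five minutes apart, so the first has been evicted by the time the second arrives, which is exactly the baselining point made later in the article.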
Getting the most out of it
The SIEM is only as good as the information and rules you configure: if you don't send the information from all your devices and applications, you aren't going to get a true picture of your infrastructure.
The same goes for the notification rules: if you don't baseline your information and set appropriate rules, you will either be notified too many times, which leads to people ignoring the messages, or not be notified at all.
You should also look to keep the log data for as long as possible, in case there is ever a need for audit logs after several weeks or months. It's not uncommon for businesses to keep this data for years.
Probably the most important point is that it gives the business an early warning of any issues that may be arising, whether it's an application or device misbehaving or someone knocking on the infrastructure, trying to find a way in.
There are numerous SIEM products out on the market, some of the more popular ones are: