SIEM: The 8 most frequently asked questions
Blog by: Cees Mandjes
Cyber security can be quite a daunting topic. There are many different services and tools available that you can opt for to protect your company from the harm that is out there. One of these tools is a SIEM. What is a SIEM actually, how does it work and what options do you have? All very legitimate questions to ask. In this blog we look at some of the most frequently asked questions about SIEM tools to answer them for you.
1. What is a SIEM tool?
SIEM is an abbreviation that stands for Security Information and Event Management. A SIEM tool is a centralized system used to collect, store and analyse logs. Logs are generated in an infrastructure and originate from sources such as applications, hosts and network traffic.
2. What can a SIEM tool do for my company?
A SIEM tool is used to monitor and analyse the activities that are taking place in the infrastructure of your company. By analysing the events, suspicious behaviour can be detected. Analysing the detected suspicious behaviour swiftly and correctly plays an essential role in recognizing a (potential) cyberattack at an early stage. Detecting these early allows your company to act fast and take the necessary measures. A quick response is vital in the case of a cyberattack because it limits or even prevents further intrusion and damage to your company’s infrastructure.
To illustrate what a SIEM tool can do, an example follows. Azure Sentinel is an example of a SIEM. It is developed by Microsoft and hosted completely in the cloud. In the screenshot below, an event log analysis is illustrated in which a user performed a successful logon from three different locations (China, Netherlands and Russia) within a 24-hour time frame. This behaviour can be considered “suspicious” and therefore triggers an alert in the SIEM. The alert is then analysed by a security expert and followed up if required.
3. How does a SIEM tool work?
The following steps will be performed by the SIEM and cyber security personnel continuously:
- Log collection:
Logs and event data generated by applications, hosts, network devices and network traffic are collected by the SIEM.
- Log processing:
The collected data is processed so that it can be stored in a structured manner. This process is also known as parsing.
- Log analysis:
The stored data is used to populate the dashboard, to produce reports and potentially to trigger an alert. Real-time analysis is performed on this data, in which detection rules trigger an alert when certain conditions are met that could indicate suspicious behaviour. Default detection rules might be available; however, customized detection rules can be created by a cyber security expert to meet specific security needs.
- Alert analysis:
This step needs to be performed by a cyber security expert. Alerts are cues that might be an indication of compromise. When an alert is triggered, the SIEM can notify cyber security personnel to perform further analysis in order to determine whether an actual cyberattack is taking place.
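The four steps above, and the multi-country logon scenario from question 2, can be shown end to end with a small script. This is an added example, not code from the original post and not Azure Sentinel's query language or schema: the CSV log format, the field names, the sample sign-in records and the 24-hour/three-country threshold are all constructed assumptions. It parses the raw log (steps 1 and 2), runs a detection rule over the structured records (step 3) and returns the alerts an analyst would then pick up (step 4).

```python
"""Toy SIEM detection rule: one account signing in successfully from several
countries within 24 hours.

Constructed example. The log format, field names and sample records are
assumptions, not Azure Sentinel's schema or the blog post's own data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Steps 1 and 2 (collection + parsing): constructed sign-in records in a simple
# CSV shape. Real log sources differ; one parser per source normalises them.
RAW_SIGNIN_LOG = """timestamp,user,result,country
2024-03-01T08:02:11Z,alice,success,Netherlands
2024-03-01T09:15:40Z,alice,success,China
2024-03-01T09:16:02Z,bob,failure,Russia
2024-03-01T21:44:09Z,alice,success,Russia
2024-03-01T22:01:30Z,bob,success,Netherlands
2024-03-03T07:30:00Z,bob,success,China
"""

WINDOW = timedelta(hours=24)
COUNTRY_THRESHOLD = 3  # distinct countries within WINDOW that raise an alert


def parse_signins(raw):
    """Parse CSV text into records with typed timestamps, sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(raw)):
        rows.append({
            "timestamp": datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": row["user"],
            "result": row["result"],
            "country": row["country"],
        })
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def detect_multi_country_logons(records, window=WINDOW, threshold=COUNTRY_THRESHOLD):
    """Step 3 (analysis): sliding window per user over successful logons only.

    Failed logons are ignored on purpose: the rule is about an account that
    actually got in from several countries. Returns one alert per user, with
    the countries seen inside the window that first crossed the threshold.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "success":
            by_user[r["user"]].append(r)

    alerts = []
    for user, logons in by_user.items():
        start = 0
        for end in range(len(logons)):
            # Shrink the window from the left until it spans at most `window`.
            while logons[end]["timestamp"] - logons[start]["timestamp"] > window:
                start += 1
            countries = sorted({r["country"] for r in logons[start:end + 1]})
            if len(countries) >= threshold:
                alerts.append({
                    "user": user,
                    "countries": countries,
                    "first_seen": logons[start]["timestamp"],
                    "last_seen": logons[end]["timestamp"],
                })
                break  # one alert per user keeps the analyst queue readable
    return alerts


def run_rule(raw=RAW_SIGNIN_LOG):
    """Parse the constructed log and return the alerts the rule produces."""
    return detect_multi_country_logons(parse_signins(raw))


if __name__ == "__main__":
    # Step 4 (alert analysis) is a human task: these lines are what the
    # analyst would receive and then investigate.
    for alert in run_rule():
        print(f"ALERT user={alert['user']} countries={alert['countries']} "
              f"window={alert['first_seen']:%Y-%m-%dT%H:%MZ}..{alert['last_seen']:%Y-%m-%dT%H:%MZ}")
```

With the constructed records, only `alice` is flagged: three successful logons from Netherlands, China and Russia fall inside a 13-hour span. `bob` is not, because his Russian logon failed and his two successes are more than 24 hours apart. That second case is the reason the window is evaluated per user rather than over the whole log, and it is the kind of tuning (threshold, window length, which results count) that the post's later remarks about customizing detection rules refer to.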
4. Which SIEM tools are there and what are the main differences between them?
There are many SIEM solutions available today. They each differ slightly with regards to the type of log sources that are supported. Additionally, SIEMs differ in the monitoring capacity, price and “location” where they are deployed. Location refers to the place in your company’s infrastructure in which a SIEM is deployed. There are two main types:
- On-premise:
One of the two main categories is the on-premise SIEM. This traditional option usually requires machines on location that need to be deployed and maintained. An example of a SIEM that requires on-premise machines is the LogRhythm NextGen SIEM.
- Cloud based:
Nowadays there are also cloud based SIEMs available. This type of SIEM does not require on-premise hardware as it is deployed in the cloud. Azure Sentinel is an example of a cloud based SIEM by Microsoft.
5. What are important things to keep in mind when I consider working with a SIEM tool?
The following things need to be kept in mind when you consider working with a SIEM:
- The SIEM solution needs to be a fit for your company’s infrastructure. It is important to think about whether your company wants to install on-premise machines on which the SIEM is deployed or to use a cloud based SIEM solution. It is also important to think about what kind of log data is being generated and whether it is supported by the SIEM solution you consider.
- Cost and maintenance for SIEM solutions can differ. The price, and how the cost is calculated, can differ for each SIEM solution. For instance, for cloud based SIEM solutions there can be costs based on the amount of data ingested into the cloud. Additionally, some SIEM solutions have licence-based subscriptions, or a combination of both. It is important to note that when a SIEM is deployed in the cloud, the costs for maintenance and hardware are small compared to a SIEM solution that is deployed on-premise.
- The detection rules in the SIEM need to be configured to meet your company’s security needs. The SIEM’s default detection rules can be used and usually cover a wide range of known attacks. However, each company has its own crown jewels that need protection, which could require custom-made rules to detect specific attacks. It is important that the creation of customized detection rules is done by a cyber security expert in order to meet the specific security needs your company may have.
- Specialised knowledge and experience are required to follow up on the alerts in the SIEM. A frequent misunderstanding is that a SIEM tool can prevent a cyberattack. This is not the case. Instead, a SIEM tool can detect cyber incidents at an early stage so that further escalation can be prevented. When suspicious behaviour is detected, it needs to be analysed swiftly by a cyber security expert in order to determine whether, and which, further actions are required.
6. Is a SIEM tool free/what does a SIEM tool cost?
There are free SIEM tools available. However, it is important to note that for businesses it is not advisable to use free SIEM tooling. Free SIEM tooling usually has no or very limited customer support. Furthermore, this type of SIEM has a limited budget behind it, and is therefore less user-friendly and advanced compared to its paid counterparts.
The cost of the SIEM is hard to determine as it depends on the size of the business. Moreover, there are also many other factors that have impact on the price, for instance:
- Hardware (e.g. on-premise machines for traditional SIEMs).
- Software costs (e.g. the licence or the data ingestion costs for the SIEM).
- Professional services for installation and ongoing tuning (e.g. when new additions need to be connected to the SIEM or other changes need to be made).
- Cost of maintenance (e.g. software patches for on-premise SIEMs).
- Threat intelligence feeds that can be used to detect suspicious behaviour.
- Personnel to manage and monitor the SIEM, either internal or external.
- Cost of training for the personnel (only required when done internally).
7. Can I use a SIEM tool by myself (so not as a service) and why, why not?
Unless you are a cyber security expert, it is hard to use SIEM tooling yourself. Using a SIEM tool requires expertise for deploying, maintaining and configuring the SIEM according to the security needs and risks of your organisation.
Moreover, SIEM tooling does not prevent cyber incidents; it merely detects cyber incidents at an early stage – if it is correctly configured. To be certain that an alert is followed up properly and that further escalation of a cyber incident is avoided, cyber security expertise is required. An expert is needed to understand what is going on and how to respond accordingly. Hence, it is vital that a SIEM is only staffed internally when there are enough security experts available with the required knowledge. If this requirement cannot be met, it is advised to outsource it to a security partner.
8. What is SIEM As A Service?
SIEM As A Service comprises outsourcing the deployment, maintenance and configuration of a SIEM in accordance with your company’s security needs. It is advisable that the outsourcing company has the required cyber security expertise. It is therefore important to be critical when looking for a security partner; this will ensure that the SIEM is correctly configured and your company’s security risks are covered.
Besides the configuration of the SIEM, the security partner will keep an eye on the alerts that are triggered. When such an alert is triggered, further analysis will be performed by a security specialist in order to determine whether your company is dealing with a potential cyber incident.
If that is the case, your company will be informed by the security partner. They will provide you with advice on how to prevent further escalation. It is important to know that SIEM As A Service does not come in one form. Several variations are available in which different levels of assistance are possible. This way, it is possible to determine what actions are taken by your company itself, and what is done by the outsourced security party.