Security Information and Event Management (SIEM) is a monitoring solution for threat detection, integrity monitoring, incident response and compliance. SIEM software combines security event management (SEM) and security information management (SIM) to deliver real-time alerting on, and analysis of, the security events generated by network hardware and applications. The term and the initialism SIEM were coined by Mark Nicolett and Amrit Williams of Gartner in 2005. A SIEM can be offered as a self-hosted application or as a managed service.
A SIEM deployment has two parts. End-point agents installed on the monitored hosts provide the local monitoring and response capabilities, while the SIEM server component, installed on a server at the heart of the organization's network, provides the security intelligence and data analysis. The primary task of the server component is to collect the logs and event data generated by applications, security devices and host systems; it also gathers firewall logs and the logs of end-point security products such as anti-virus. A SIEM can be set up to collect data from one or more locations of an organization. Because an attacker who can inject, alter or drop events controls what the analysts see, the agent-to-server channel should be authenticated and encrypted.
Once the data is aggregated, the SIEM indexes and analyzes it, helping organizations detect intrusions, threats and behavioral anomalies. With the advances in artificial intelligence (AI) and machine learning (ML), many SIEM products now also offer user and entity behavior analytics (UEBA), which baselines normal activity per user and host and flags deviations that a static rule would not catch.
In short, a SIEM collects, aggregates, indexes and analyzes security data from all the applications, security devices and host systems in scope. Readable, customizable dashboards and an event management view give analysts investigative efficiency and reduce the time spent on false positives.
The end-point agent scans the monitored system for malware, rootkits and suspicious anomalies. It can detect hidden files, cloaked processes and unregistered network listeners, as well as inconsistencies in system call responses, for example a process ID that exists in /proc but is missing from the process list, which is a classic sign of a rootkit hooking the calls that enumerate processes.
The agent reads operating system and application logs and securely forwards them to a central manager for rule-based analysis and storage. Pre-defined rules inform the analyst of application or system errors, misconfigurations, attempted and successful malicious activity, policy violations and a variety of other security and operational issues.
The SIEM monitors the file system and identifies changes in the content, permissions, ownership and attributes of files. It can also record which user and application created or modified a file. Many regulatory standards, such as PCI DSS, GDPR, HIPAA and SOX, require file integrity monitoring or are commonly satisfied with it. The baseline must be taken from a known-good state and protected along with the agent itself, since an attacker who already holds root on the host could otherwise simply re-baseline after making changes.
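The baseline-and-compare cycle described above, as an added example that is not code from the original page or from any SIEM product: it snapshots a directory tree (content hash, permission bits, owner, group, size), then reports added, deleted and modified files and, for a modified file, which attributes changed, so a permission change with unchanged content is still surfaced. The demo() scenario, the file names and the "attacker" edits are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass

# Added example (not the page's or any vendor's code): a minimal file
# integrity monitor built on the baseline/rescan/compare model.


@dataclass(frozen=True)
class FileState:
    sha256: str
    mode: int      # permission bits only (stat.S_IMODE), not the file type
    uid: int
    gid: int
    size: int


def file_state(path: str) -> FileState:
    """Record the attributes a FIM engine compares between two scans."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return FileState(h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, st.st_size)


def snapshot(root: str) -> dict:
    """Walk a directory tree and return {relative_path: FileState}."""
    states = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink target is monitored under its own path
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            states[rel] = file_state(full)
    return states


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return (path, event, detail) tuples sorted by path. For a modified
    file, detail lists every attribute that differs."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            events.append((path, "added", ""))
        elif new is None:
            events.append((path, "deleted", ""))
        elif old != new:
            changed = [f for f in ("sha256", "mode", "uid", "gid", "size")
                       if getattr(old, f) != getattr(new, f)]
            events.append((path, "modified", ",".join(changed)))
    return events


def demo() -> list:
    """Constructed scenario: baseline two files, then append a backdoor
    account, loosen permissions on the shadow file, and drop a new cron job."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        passwd = os.path.join(etc, "passwd")
        shadow = os.path.join(etc, "shadow")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(shadow, "w") as f:
            f.write("root:*:19000:0:99999:7:::\n")
        os.chmod(shadow, 0o600)
        baseline = snapshot(root)

        # Simulated attacker activity after the baseline was taken
        with open(passwd, "a") as f:
            f.write("backdoor:x:0:0::/root:/bin/bash\n")     # content change
        os.chmod(shadow, 0o644)                                # permission change only
        with open(os.path.join(etc, "cron.d_evil"), "w") as f:
            f.write("* * * * * root /tmp/x\n")                  # new file
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for path, event, detail in demo():
        print(f"{event:9s} {path} {detail}")
```

A production FIM engine keeps the baseline off the monitored host (on the manager), adds modification time and extended attributes, and uses the kernel audit subsystem to attribute a change to the user and process that made it; the comparison logic is the same.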
The end-point agent passes software inventory data to the server component in real time. The server component continuously correlates this inventory with updated CVE (Common Vulnerabilities and Exposures) databases to identify well-known vulnerable software. Vulnerability assessment helps to discover the weak spots in critical assets and take corrective action before attackers exploit them to disrupt business operations or steal confidential data. The matching is only as good as the version data: distribution packages that backport a fix without changing the upstream version number are a common source of false positives, so feeds keyed to the distribution's own advisories are preferable to raw upstream version ranges.
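The inventory-to-CVE correlation step, as an added example that is not code from the original page or from any vendor's feed: it parses version strings into comparable tuples, checks each installed package against the affected range of each feed entry, and returns the findings. The inventory, the feed entries and the CVE identifiers (CVE-EXAMPLE-...) are constructed placeholders, not real vulnerabilities.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not the page's or any vendor's code): matching an agent's
# package inventory against a small, constructed vulnerability feed.


@dataclass(frozen=True)
class CveEntry:
    cve_id: str
    product: str
    fixed_in: Optional[str]    # first safe version; None means no fix yet
    introduced: str = "0"      # first affected version
    severity: str = "MEDIUM"


def parse_version(v: str) -> tuple:
    """Turn '1.9.5p1' or '1.2.3-4ubuntu1' into a comparable tuple.
    Numeric runs compare as integers and alphabetic runs lexically, so
    '1.10' > '1.9' and '2.4.1' < '2.4.10'. Caveat: a distro revision such
    as '-4ubuntu1' sorts above the plain upstream version but says nothing
    about backported fixes, which is why distro advisories are preferable."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(version: str, entry: CveEntry) -> bool:
    """introduced <= version < fixed_in (or unbounded above when unfixed)."""
    v = parse_version(version)
    if v < parse_version(entry.introduced):
        return False
    return entry.fixed_in is None or v < parse_version(entry.fixed_in)


def correlate(inventory: dict, feed: list) -> list:
    """inventory: {package_name: version}. Returns sorted
    (package, version, cve_id, severity) tuples for every match."""
    findings = []
    for pkg, ver in inventory.items():
        for entry in feed:
            if entry.product == pkg and is_affected(ver, entry):
                findings.append((pkg, ver, entry.cve_id, entry.severity))
    return sorted(findings)


# Constructed sample inventory (as an agent would report it) and feed.
# The CVE ids are placeholders, not real entries.
INVENTORY = {"openssl": "1.1.1k", "sudo": "1.9.5p1", "curl": "7.88.1", "nginx": "1.24.0"}
FEED = [
    CveEntry("CVE-EXAMPLE-0001", "openssl", fixed_in="1.1.1l", severity="HIGH"),
    CveEntry("CVE-EXAMPLE-0002", "sudo", fixed_in="1.9.5p2", introduced="1.8.2", severity="CRITICAL"),
    CveEntry("CVE-EXAMPLE-0003", "curl", fixed_in="7.88.0"),               # already patched
    CveEntry("CVE-EXAMPLE-0004", "nginx", fixed_in=None, introduced="1.25.0", severity="LOW"),  # newer branch only
]


if __name__ == "__main__":
    for pkg, ver, cve, sev in correlate(INVENTORY, FEED):
        print(f"{sev:8s} {cve} {pkg} {ver}")
```

Two of the four feed entries match here: curl is already past the fixed version and the nginx entry only affects a later branch, which is exactly the kind of range logic that separates a useful vulnerability detector from one that pages the on-call engineer for every CVE that mentions a product name.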
The SIEM also monitors system and application configuration settings and checks that they comply with the organization's security policies, standards and hardening guides. End-point agents perform periodic scans to detect applications that are known to be vulnerable, unpatched or insecurely configured. Each check compares the effective value of a setting against the policy, which means the check has to know the software's default for a setting that is simply absent from the file.
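A configuration-assessment check of the kind described above, as an added example that is not code from the original page or from any SIEM product: it reads an sshd_config-style file the way sshd does (first occurrence of a directive wins, comments ignored, parsing stops at the first Match block) and scores the effective settings against a small hardening policy. The four checks and their thresholds are common recommendations chosen for illustration, not a specific benchmark, and both sample configurations are constructed.

```python
import re

# Added example (not the page's or any vendor's code): assessing an
# sshd_config-style file against an illustrative hardening policy.


def parse_sshd_config(text: str) -> dict:
    """Return {directive_lowercase: value}. Mirrors how sshd reads the file:
    comments and blank lines are ignored, both 'Key value' and 'Key=value'
    are accepted, the FIRST occurrence of a directive wins, and parsing stops
    at the first 'Match' block because what follows is conditional, not global."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # first occurrence wins
    return settings


# (directive, OpenSSH default when the directive is absent, passes(value),
#  expected, rationale). The default column matters: a missing directive
# is evaluated at its default, it is not an automatic pass.
CHECKS = [
    ("PermitRootLogin", "prohibit-password", lambda v: v == "no", "no",
     "root should log in through a named account and sudo, leaving an audit trail"),
    ("PasswordAuthentication", "yes", lambda v: v == "no", "no",
     "key-based authentication only; defeats password spraying"),
    ("MaxAuthTries", "6", lambda v: v.isdigit() and int(v) <= 4, "<= 4",
     "fewer guesses per connection"),
    ("X11Forwarding", "no", lambda v: v == "no", "no",
     "unneeded feature; reduces attack surface"),
]


def assess(config_text: str) -> list:
    """Evaluate every check against the effective settings."""
    settings = parse_sshd_config(config_text)
    results = []
    for directive, default, passes, expected, rationale in CHECKS:
        actual = settings.get(directive.lower(), default)
        results.append({
            "directive": directive, "actual": actual, "expected": expected,
            "result": "pass" if passes(actual.lower()) else "fail",
            "rationale": rationale,
        })
    return results


def failures(config_text: str) -> list:
    """Names of the directives that fail, in policy order."""
    return [r["directive"] for r in assess(config_text) if r["result"] == "fail"]


# Constructed sample: a weak file with two classic mistakes, a duplicated
# directive (sshd keeps the first) and a commented-out one the admin
# believes is active.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PermitRootLogin no            # ignored: sshd keeps the first value it saw
#PasswordAuthentication no    # commented out, so the default (yes) applies
MaxAuthTries 10
Match User backup
    PasswordAuthentication no # conditional; does not harden the global setting
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
X11Forwarding no
"""


if __name__ == "__main__":
    for r in assess(WEAK_CONFIG):
        print(f"{r['result']:4s} {r['directive']}={r['actual']} (expected {r['expected']}): {r['rationale']}")
```

Running assess() on WEAK_CONFIG fails three of the four checks, and the PasswordAuthentication failure comes from the default, not from anything written in the file, which is the case a naive grep-based check gets wrong.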
A SIEM can be configured to use out-of-the-box active responses that perform countermeasures against active threats, such as blocking access from the source of the threat when certain criteria are met. Analysts can add custom correlation rules that trigger the appropriate action immediately, mitigating risk before it grows into a more significant security incident. Active response needs guard rails: a block triggered by a spoofable or shared source address (a NAT gateway, a VPN concentrator) can be turned into a denial of service against legitimate users, so responses should be time-bound and should exclude management networks.
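The rule-based analysis of forwarded logs and the active response it can trigger, as one added example serving both passages; this is not code from the original page or from any SIEM product. It parses constructed syslog-style sshd lines into events, runs three rules of rising severity (a single failed password, a frequency rule that fires when a threshold of failures from one source falls inside a sliding window, and a success from a source the frequency rule has just flagged), and routes the frequency rule into an active response with an allow-list and a time-bound block. Rule names, alert levels, the threshold, the window and the log lines are all constructed; the year in the timestamps is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not the page's or any vendor's code): a manager-side
# correlation engine for sshd authentication events with an active-response hook.

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line: str, year: int = 2024):
    """Decode one syslog-style sshd line into an event dict, or None if it is
    not an authentication event. The year is assumed: syslog omits it."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    f = FAILED.search(m["msg"])
    if f:
        return {"ts": ts, "kind": "auth_failed", "user": f["user"], "ip": f["ip"]}
    a = ACCEPTED.search(m["msg"])
    if a:
        return {"ts": ts, "kind": "auth_success", "user": a["user"], "ip": a["ip"]}
    return None


class Correlator:
    """Three rules in rising severity (levels are illustrative):
      5   every failed password
      10  THRESHOLD failures from one source inside WINDOW (frequency rule); triggers active response
      12  successful login from a source the level-10 rule flagged inside WINDOW
    """

    def __init__(self, threshold=5, window=timedelta(minutes=2), block_seconds=600, allowlist=()):
        self.threshold, self.window, self.block_seconds = threshold, window, block_seconds
        self.allowlist = set(allowlist)
        self.failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
        self.flagged = {}                    # ip -> time the frequency rule last fired
        self.alerts, self.responses = [], []

    def ingest(self, ev: dict) -> None:
        now, ip, user = ev["ts"], ev["ip"], ev["user"]
        if ev["kind"] == "auth_failed":
            self.alerts.append((5, "sshd: authentication failed", ip, user))
            q = self.failures[ip]
            q.append(now)
            while now - q[0] > self.window:      # slide the window forward
                q.popleft()
            recently = ip in self.flagged and now - self.flagged[ip] <= self.window
            if len(q) >= self.threshold and not recently:
                self.flagged[ip] = now
                self.alerts.append((10, "sshd: brute force trying to get access", ip, user))
                self.respond(ip)
        elif ip in self.flagged and now - self.flagged[ip] <= self.window:
            self.alerts.append((12, "sshd: successful login after brute force", ip, user))

    def respond(self, ip: str) -> None:
        """Active response with guard rails: never block allow-listed management
        sources, and make every block time-bound, so an attacker cannot turn the
        SIEM into a denial-of-service tool via a spoofed or shared NAT address."""
        if ip in self.allowlist:
            self.responses.append(("skip", ip, 0))
        else:
            self.responses.append(("firewall-drop", ip, self.block_seconds))


def run(log_text: str, **kwargs) -> Correlator:
    c = Correlator(**kwargs)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            c.ingest(ev)
    return c


# Constructed sample log: a fast external brute force that succeeds, an internal
# admin mistyping a password several times, and a slow attacker staying under the window.
SAMPLE_LOG = """\
Mar 3 10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 3 10:00:03 bastion sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar 3 10:00:05 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 3 10:00:07 bastion sshd[1204]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar 3 10:00:09 bastion sshd[1205]: Failed password for deploy from 203.0.113.7 port 51238 ssh2
Mar 3 10:00:11 bastion sshd[1206]: Accepted password for deploy from 203.0.113.7 port 51239 ssh2
Mar 3 10:00:20 bastion sshd[1207]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Mar 3 10:00:22 bastion sshd[1208]: Failed password for alice from 10.0.0.5 port 40001 ssh2
Mar 3 10:00:24 bastion sshd[1209]: Failed password for alice from 10.0.0.5 port 40002 ssh2
Mar 3 10:00:26 bastion sshd[1210]: Failed password for alice from 10.0.0.5 port 40003 ssh2
Mar 3 10:00:28 bastion sshd[1211]: Failed password for alice from 10.0.0.5 port 40004 ssh2
Mar 3 10:00:31 bastion sshd[1212]: Accepted publickey for alice from 10.0.0.5 port 40005 ssh2
Mar 3 10:30:00 bastion sshd[1301]: Failed password for bob from 192.0.2.9 port 1111 ssh2
Mar 3 10:33:00 bastion sshd[1302]: Failed password for bob from 192.0.2.9 port 1112 ssh2
Mar 3 10:36:00 bastion sshd[1303]: Failed password for bob from 192.0.2.9 port 1113 ssh2
"""


if __name__ == "__main__":
    c = run(SAMPLE_LOG, allowlist=("10.0.0.5",))
    for level, rule, ip, user in c.alerts:
        print(f"level {level:2d} {rule} src={ip} user={user}")
    print("responses:", c.responses)
```

Two things in the output are worth noticing. The external source is blocked and its later success is escalated to the highest level, while the internal admin on 10.0.0.5 trips the same frequency rule but only produces an alert, because the allow-list keeps the active response from locking out the management network. The slow attacker on 192.0.2.9 never reaches the threshold inside the two-minute window, so a frequency rule alone is not enough; a longer-window rule or a per-source count over the day is needed to catch low-and-slow guessing.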
A SIEM generally provides some of the security controls needed to comply with industry standards and regulations. PCI DSS, GDPR, HIPAA, SOX and other frameworks contain requirements, such as log collection and retention, integrity monitoring and alerting on unauthorized access, that SIEM software addresses directly. This reduces the burden of security management and helps detect potential violations early; together with scalability and multi-platform support, it helps organizations meet their technical compliance requirements.
Many organizations have moved to cloud services such as Amazon AWS, Microsoft Azure or Google Cloud. Managed cloud services and the cloud control plane itself expose no host on which to install an agent, so they are monitored at the API level: integration modules pull audit logs, configuration data and security findings through the provider's APIs, playing the role that the end-point agent plays on a host. This provides visibility rather than protection by itself; the collected data still has to pass through the same rules and dashboards, and the credentials used for the API access should be read-only and scoped to the log and configuration sources they need.