Security Information & Event Management (SIEM)

How Do SIEM Tools Work?

SIEM tools work by leveraging three core capabilities to provide the security monitoring and visibility needed in today's hybrid and multi-cloud environments:

1. Data collection: Collect and analyze data from across your entire network.
2. Threat Detection: Identify suspicious and/or malicious behavior.
3. Threat Response: Provide alerts, visibility, and actionable data to response teams so they can address an issue before it becomes serious.

If compliance reporting is an important driver, a SIEM should also be able to assist with dashboards and ensure security policy is being enforced. Whatever the specific regulation, you not only need to protect customer and sensitive data, but also proactively show your approach to key stakeholders and auditors by tracking and monitoring all access to network resources and critical systems.

What is a SIEM tool used for? 

A SIEM tool is used for providing better visibility into cloud services and infrastructure as well as centralizing log data, threat detection, and response. With greater visibility - as well as modern extended detection and response (XDR) capabilities - most SIEM tools should enable: 

• Search and visualization of security data
• Detection of compromised users and lateral movement
• Identification of evolving attacker behavior 
• Monitoring of a remote workforce
• 20x faster investigations and incident response
• Automatic containment of compromised users and assets
• Solving multiple compliance regulations 
• Streamlined case management

There are many use cases for a SIEM tool, however it will take assessment and research to identify the solution that fits the specific needs of your security operations center (SOC).

The Benefits of a SIEM

When deployed properly, a SIEM offers organizations the visibility they need to measurably reduce risk across the entire network to detect both known and unknown threats. SIEM solutions have been around for the better part of two decades, and today’s modern SIEMs don’t quite resemble their original, log management counterparts.

As the security landscape has evolved, SIEMs have evolved as well (at least, some of them have). The most effective, automated solutions today include:

• Fewer false positives
• Accurate malware detection
• Comprehensive analysis of all infrastructure
• Ability to learn new threats
• Endpoint detection

What to Look for in a SIEM Solution

Time and accuracy matter here. With a SIEM tool, your company may see billions of events each day, and that's a lot of information to sift through. You need a SIEM solution that can verify what needs follow-up and, just as important, what's harmless behavior. The more adaptive your solutions can be, the better the chances you won't have a public relations nightmare or financial crisis on your hands. 

Here's a short checklist of what to look for in a SIEM solution:

• User Behavior analytics (UBA)
• Attacker Behavior Analytics (ABA)
• Deception technology (i.e. intruder traps)
• File Integrity Monitoring (FIM)
• Incident response
• Endpoint detection
• Performance metrics
• Visualization and reporting

Setting up a SIEM tool

Setting up SIEM tools can be a complex task for even the most advanced security practitioner. But, when done correctly, it can eliminate blind spots across your network. The first step consists of understanding your existing network and security stack and figuring out how to collect log information from those points.

You’ll also need to consider planning for hardware if a software as a service (SaaS) storage option isn’t offered by the vendor. Finally, an ongoing step is to write rules to detect events of interest and create reports to highlight key metrics on overall network risk. 

Managing logs in a SIEM

Managing logs effectively with your SIEM tool is essential for network visibility, compliance, and reliable incident detection and response. You as a security practitioner need the ability to ask questions of your data (usually using structured query language or SQL) to identify Indicators of Compromise (IoCs), find the users and systems affected, and share the final scope with remediation teams.

Managing logs usually involves indexing data and correlating it with other data sets. The end goal is to give you an easy way to search for threats from one unified dashboard.

Alerts and reporting with your SIEM tool

After general setup, configuring your alerts and reports is key to being efficient with your SIEM. As a security practitioner, you’ll need to constantly refine your SIEM to provide you with the important security events happening on your network.

A common problem with SIEM tools is that they produce too many un-prioritized alerts, more than the security team can take the time to investigate. That’s why it’s important to continuously tune new and existing rules to effectively find only the relevant threat actions.

It's a lot to remember, and a lot to take in. But feeling overwhelmed can't stop you from taking action. Attacks come in all shapes and sizes, and understanding their full scope is not just something that's “nice to have.” When you use incident and detection response effectively, you start your company on a path to streamlining more tasks through a better understanding of what policies are working and which ones might need some work.

Keep Reading About SIEM

Learn About Rapid7's SIEM & XDR Product

SIEM News from the Rapid7 Blog

[The Lost Bots] Podcast Season 2, Episode 1: SIEM Deployment in 10 Minutes