Security information and event management tools are a staple in many organizations. SIEM software provides information...
and enables IT teams to take action on security events in real time, which frees up the data center staff to concentrate on other projects.
With the explosion of devices across organizations -- inside the data center and out -- it has become almost impossible for IT administrators to manage the security issues that become visible across so many possible attack surfaces. SIEM helps because it aggregates, normalizes, analyzes and reports on data, and it performs data stream analysis. These functions enable SIEM software to provide real-time analysis and actions to enable proactive defense, policy-driven event management to enable reactive defense, and post-event forensic analysis.
In the area of aggregation, SIEM software works by accessing data in existing data stores, such as device log files. But not all devices maintain log files in a standardized manner. There are simple network management protocol standards and management information base file standards, but many vendors prefer to format data through proprietary standards.
SIEM normalizes data so admins can create and analyze stores in a straightforward manner. SIEM software can also capture real-time data streams using feeds from deep packet inspection tools or from its own analysis of incoming streams.
This aggregation is important because it enables pattern matching -- one of the main ways SIEM operates -- to be carried out effectively. Through pattern matching, SIEM tools can provide insight into what is happening across a total IT platform and offer both historical and near-real-time reporting alongside automated actions based on findings.
How SIEM software detects events
Remember how antivirus tools used to work with a large file of signatures? Incoming files were checked against these signatures and if a pattern was matched, the file was quarantined for further processing or deleted if it was identified as definite malware. This was reactive; fine when dealing with email and other non-real-time data, but pretty useless when looking at high-throughput network traffic.
SIEM software generally has built-in simple signature recognition, but it also has to do what antivirus does: deal with polymorphic and zero-day attacks, as well as distributed denial-of-service (DDoS) and brute-force attacks. As such, the patterns must also include heuristic algorithms that can work based on probabilities. They must also work alongside built-in and user-driven policies to decide what happens to malicious files.
Consider a DDoS attack: Many different network addresses across different IP blocks attack the network and attempt to flood the system to an extent where network response is compromised. Sorting out what is real traffic and what is DDoS traffic is not simple.
SIEM tools have built-in capabilities to identify crude DDoS attacks, and tools that also highlight abnormal activities in the organization's own network. Therefore, SIEM tools build a baseline for the way a network normally runs and point out where activity drifts away from that baseline.
Based on the degree of shift, the tools can then decide what to do -- throttle activity, offload it to a different environment or block the traffic. Each instance categorized as normal traffic continues to operate. The SIEM tool can flag any event as an exception for an administrator to examine.
Enable forensic analysis in the data center
No tool is foolproof, and to believe that one is leaves an organization unprepared for a security breach. Assume compromise is possible and inevitable.
By having such an aggregated and normalized data store, SIEM software enables a full forensic investigation. This includes finding what activities happened before the breach, the source of those activities and what the breach affected. With Privacy Shield and the General Data Protection Regulation, these capabilities are a necessity for compliance.
SIEM pulls together what used to be point solutions and provides comprehensive tools for security management. Through the use of automation, SIEM offers a means to deal with many low-level security issues without manual intervention.