Security Information and Event Management (SIEM)

A Security Information and Event Management (SIEM) is a system for collecting and analyzing security information and events. A SIEM collects, aggregates and correlates log data from various systems and applications. The aim of operating a SIEM is to monitor the infrastructure in real time with a rapid response to security-relevant events and logging for compliance and audit purposes.

A SIEM analyzes log files and detects incidents

In order for a SIEM to detect relevant events, it needs data from as many systems and applications of the monitored infrastructure as possible. In addition to firewalls (especially traffic logs) and Windows systems (e.g. logon and logoff attempts), this also includes web servers, applications, virus scanners, intrusion detection/prevention systems and possibly even NetFlow data from routers and switches.

The SIEM correlates this data and can thus detect anomalies that indicate a possible attack, which may even already have succeeded. For this, the SIEM often uses so-called Indicators of Compromise (IoCs), which are either preconfigured, created when the SIEM is configured, or obtained via threat intelligence.

Detectable events include, for example:

  • A high number of failed logon attempts by a single user account
  • Logins by a non-administrative user account on many systems at the same time or in quick succession
  • A simultaneous login locally at the console and remotely via VPN
  • Clients accessing known malware domains or the IP addresses of C&C servers
  • Many files being accessed and/or modified in rapid succession
  • Large amounts of data suddenly being transferred to external destinations

In such a case, the SIEM can report the incident and, if necessary in combination with a Security Orchestration, Automation and Response (SOAR), automatically initiate countermeasures.
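As an added illustration (not code from the original page), the first two events in the list above expressed as simple sliding-window detection rules and run over constructed sample logon lines. The line format, the field names and the thresholds (5 failures within 5 minutes, 5 distinct hosts within 2 minutes) are assumptions; a real SIEM expresses such rules in its own query language.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample log lines (not real data): five failed logons for "alice"
# within two minutes, "bob" logging on to five hosts within a minute, "carol" normal.
SAMPLE_LOG = """\
2024-05-01T08:00:01 host=ws01 user=alice event=logon result=failure
2024-05-01T08:00:15 host=ws01 user=alice event=logon result=failure
2024-05-01T08:00:40 host=ws01 user=alice event=logon result=failure
2024-05-01T08:01:02 host=ws02 user=carol event=logon result=success
2024-05-01T08:01:10 host=ws01 user=alice event=logon result=failure
2024-05-01T08:01:30 host=ws01 user=alice event=logon result=failure
2024-05-01T08:05:00 host=srv01 user=bob event=logon result=success
2024-05-01T08:05:08 host=srv02 user=bob event=logon result=success
2024-05-01T08:05:17 host=srv03 user=bob event=logon result=success
2024-05-01T08:05:25 host=srv04 user=bob event=logon result=success
2024-05-01T08:05:50 host=srv05 user=bob event=logon result=success
"""

def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def sliding_window_alerts(events, result, threshold, window, distinct=None):
    """Per user account, count logon events with the given result inside a sliding
    time window; if `distinct` names a field, count distinct values of it instead."""
    recent, alerts = defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != result:
            continue
        q = recent[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # evict events older than the window
            q.popleft()
        count = len({e[distinct] for e in q}) if distinct else len(q)
        if count >= threshold:
            alerts.add(ev["user"])
    return alerts

def run_rules(log_text=SAMPLE_LOG):
    """Apply two of the use cases listed above and return the alerting accounts."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    return {
        # Rule 1: many incorrect logon attempts by one account (5 within 5 minutes)
        "failed_logon_burst": sliding_window_alerts(events, "failure", 5, timedelta(minutes=5)),
        # Rule 2: one account logging on to many hosts in quick succession (5 within 2 minutes)
        "multi_host_logon": sliding_window_alerts(events, "success", 5, timedelta(minutes=2), distinct="host"),
    }
```

Tuning the thresholds and windows against the organisation's own baseline is what separates a useful rule from a source of false positives.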

The data volumes of a SIEM are not insignificant. Even in medium-sized infrastructures, 10-20 GBytes of log files per day are quickly generated, all of which must be processed and evaluated. If log files are to be retained for a longer period, e.g. 90 days, sufficiently large (and fast) storage must be provided. In very large infrastructures, several terabytes of log data can be generated per day, especially if telemetry and NetFlow data are also to be processed.

Different forms of operation

When setting up a SIEM, one of the first questions is where the SIEM is operated and who the operator is.

On-premises: The most common option is still to operate the SIEM in your own infrastructure. The most important advantage is that all data, especially sensitive data, remains on your own systems. This is an important argument, especially with regard to data protection. In addition, there is no need to transfer large amounts of data over the Internet. The biggest disadvantage is that you need to provide suitable staff to operate the SIEM. General administration of the SIEM is not enough: to exploit all its possibilities, the SIEM administrator must also be familiar with IoCs, incident response, SOAR and threat intelligence.

Cloud: SIEM systems are therefore increasingly being moved to the cloud. However, even after compression and pre-filtering, several GBytes still have to be uploaded to the cloud every day. Another disadvantage is that sensitive log files, which allow extensive analysis of your company and your employees, are transmitted to a third party. The main advantage, however, is that the development of IoCs and, above all, the necessary threat intelligence are handled by the cloud provider, who can employ specialized staff for this purpose.

Security Operations Center: Although a cloud-based SIEM can detect security-relevant events and inform your company, someone still has to initiate countermeasures. Various service providers therefore offer the operation of a Security Operations Center (SOC) to which your systems are connected. The service provider's staff operate and monitor the SIEM. If an event is triggered, the SOC can react: evaluate the event, filter out unimportant events and initiate countermeasures for critical ones.

Our Service

We identify all requirements regarding your SIEM. We advise you on the selection of a suitable on-premises solution and support you during implementation. Alternatively, we can support you in selecting a suitable cloud or SOC provider.

We develop the necessary use cases and detection rules for security-relevant events for you and implement these rules in your SIEM. We check the detection of security-relevant events using our test suite, which simulates typical security incidents and attacks, and evaluate the detection rate of the SIEM. And, of course, we help you to optimize the detection rules.

Finally, on request we can confirm that your SIEM is an effective attack detection system according to § 8a section 1a BSIG.