What Is Security Information and Event Management (SIEM)? – Purpose and Benefits

John Parlee August 01, 2023

Security Information and Event Management (SIEM) is a suite of tools that security teams use to identify threats and anomalous activities. They are versatile tools that can be used for other purposes; however, the primary users tend to be the security teams doing day-to-day monitoring, threat hunting, and analysis. SIEM has been around for a long time, and these tools have evolved significantly to meet the needs of modern security teams.

What Is SIEM?

SIEM stands for Security Information and Event Management, which is a set of tools and services that look at event data and information and help to correlate, prioritize, and present it to an analyst. SIEM gives security operations teams the capability to detect, analyze, and respond to security threats. The tool collects data from various sources, then aggregates and structures this data – which helps security teams to analyze it. The SIEM then correlates this data across a huge data set that includes network, application, server, endpoint, and other sources, provides an understanding of what is happening, and creates corresponding alerts.

SIEM makes it manageable to process large amounts of data that an analyst could not otherwise process manually. The analyst can look at point-in-time events and then pivot into larger or smaller datasets as needed.

It’s true that organizations require a security team to respond to these threats, but SIEM helps identify and address the threats before they impact an organization.

Which SIEM to Use?

When selecting a SIEM vendor, here are a few things to consider:

1. Preference / Exposure

Many security teams find a solution they like, and they invest time and money into learning and operationalizing the technology. For example, some vendors have their own conferences, query language, set of architectures, and learning/career paths. A security specialist may start as an analyst, then, as they move into a more senior role, they may develop the experience and knowledge needed to manage the SIEM architecture, components, and capabilities.

Learning a specific SIEM query language is a lot like learning a programming or database language. Many SIEM vendors have their own version of this language, and the searches, alerts, and queries that are developed become an integrated part of the SIEM. It is an investment to learn a particular language. While some skills are transferable, keep in mind that when a team becomes familiar with one SIEM query language, it can make transitioning to another a challenge.

2. Capability

SIEM has evolved from a consumption platform that can provide alerting and analytics to a powerful platform that can do orchestration, automation, and response. It gives analysts capabilities that can automate some of the most time-consuming jobs, such as providing immediate data enrichment and context needed for decision-making.

In a setting where time is critical, SIEM can provide immediate response capabilities that can stop a threat and hinder attacker activities. For example, SIEM integrations can automatically take action on a firewall to block an IP address exhibiting malicious activity. Using these capabilities, SIEM can be much faster than having a human-in-the-loop. However, this automation carries the risk that legitimate or incorrectly classified activity is also blocked. Automated response capabilities should therefore be reviewed by the security team as it weighs the value the SIEM will bring while it is operationalized and optimized over time.
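As an added example (not code from the original article or from any SIEM product), the following pipeline shows the collect-normalize-correlate-alert flow described above together with the automated response guard the paragraph calls for. Two constructed sources that name the source address differently (an sshd syslog line and a firewall JSON record) are mapped onto one schema, counted per source IP in a sliding time window, and turned into an alert; the response step only recommends a firewall block, and never for an allow-listed address or a weak alert. The allow-list entry, thresholds, and sample events are all assumptions constructed for this example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources that name the source address differently.
RAW_EVENTS = [
    "2023-08-01T10:00:01Z sshd[412]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    '{"ts": "2023-08-01T10:00:03Z", "src": "203.0.113.7", "action": "deny", "dpt": 22}',
    "2023-08-01T10:00:05Z sshd[413]: Failed password for admin from 203.0.113.7 port 5002 ssh2",
    "2023-08-01T10:00:09Z sshd[414]: Failed password for admin from 203.0.113.7 port 5003 ssh2",
    "2023-08-01T10:00:20Z sshd[415]: Failed password for bob from 10.0.0.5 port 6001 ssh2",
    '{"ts": "2023-08-01T10:00:21Z", "src": "10.0.0.5", "action": "deny", "dpt": 22}',
    '{"ts": "2023-08-01T10:00:22Z", "src": "10.0.0.5", "action": "deny", "dpt": 23}',
    "2023-08-01T10:30:00Z sshd[416]: Failed password for root from 198.51.100.9 port 7001 ssh2",
]
ALLOWLIST = {"10.0.0.5"}   # constructed: an internal vulnerability scanner that must never be auto-blocked
WINDOW = timedelta(seconds=60)
ALERT_THRESHOLD, BLOCK_THRESHOLD = 3, 4   # assumed: events per source inside WINDOW
SSHD_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for \S+ from (?P<ip>\S+)")

def normalise(raw):
    """Map one raw record onto a common (timestamp, src_ip) pair, or None if irrelevant."""
    if raw.startswith("{"):                       # firewall JSON record
        rec = json.loads(raw)
        ts, ip = (rec["ts"], rec["src"]) if rec.get("action") == "deny" else (None, None)
    else:                                         # sshd syslog line
        m = SSHD_RE.match(raw)
        ts, ip = (m["ts"], m["ip"]) if m else (None, None)
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")), ip) if ts else None

def correlate(raw_events):
    """Return {src_ip: peak event count inside any WINDOW} for sources at or above ALERT_THRESHOLD."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(normalise, raw_events)):
        by_ip[ev[1]].append(ev[0])
    alerts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak = start = 0
        for i, t in enumerate(stamps):            # sliding window over sorted timestamps
            while t - stamps[start] > WINDOW:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= ALERT_THRESHOLD:
            alerts[ip] = peak
    return alerts

def decide_response(ip, count):
    """Allow-listed sources and weaker alerts go to an analyst; only strong alerts are blocked."""
    return "review" if ip in ALLOWLIST or count < BLOCK_THRESHOLD else "block"
```

Calling `correlate(RAW_EVENTS)` yields alerts for 203.0.113.7 (4 events, recommended block) and for the allow-listed 10.0.0.5 (3 events, routed to review), while the single event from 198.51.100.9 never reaches the threshold.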

The capability to integrate with other tools is also important to support automation. Security teams should consider what tools they have and what use cases they are interested in developing.

3. Cost

Cost is a significant aspect to consider when investing in a SIEM suite. Once the initial investment is made, an organization is on a significant journey. They are buying into the architecture and capabilities of the SIEM. It is not uncommon to see job descriptions that ask for specific skills for a particular SIEM.

Consider that data management is a large component of what the cost will be over time. It is important to plan for the amount of data that will be ingested and how it will be managed to meet the organization's retention goals. Many SIEMs have a pricing model that is based on the amount of data that is ingested daily and how much data is retained over time. The more information your SIEM ingests, the more it can cost your organization. It is also important to consider how and where the data is stored. If you are using a cloud-based SIEM, you could incur some additional costs versus managing your own storage.

Evolution of SIEM

SIEM has changed significantly over time, originally meeting compliance obligations for log storage, and then evolving to enhanced searching, alerting, and analytics. Over time, the capabilities of SIEM have been greatly enhanced. This has led to capabilities that include security orchestration, automation, and response (SOAR). SOAR has helped security teams enrich their events with internal and external data sources, automate the review of alerts, and respond by taking actions in integrated solutions.

The challenge has now become how to implement automation and response while consistently achieving the expected results without a human-in-the-loop. The human analyst develops important context with time and exposure; it's important to consider the impact of automation when an analyst never sees the information from an event and so cannot build the context and awareness needed to recognize a potentially related event later.

The Next Evolution of SIEM: AI

The use of AI and large language models seems to be a natural fit for SIEM. With the proper context, AI can facilitate the job of the security analyst or detection engineer. By simply specifying what the analyst or engineer needs the AI to do, the AI could generate complex queries that are well formatted and documented – tasks that typically require humans to invest additional time and effort.

AI will be useful in training. It could provide guided learning models for analysts and structured playbooks for security teams to follow. Tasks that may be better suited to experienced practitioners, such as guided threat hunting and incident response, could be generally automated while being monitored by a junior operator. And after identifying a threat, an analyst could ask for all the existing attack paths to help prioritize the remediation efforts.

AI could also facilitate data management. Where some data sets may not have common field names, AI could facilitate searches that are table agnostic, further simplifying some of the common tasks that security teams must perform to be able to fully query their datasets and receive complete information.

Moreover, security leaders will be able to utilize these same techniques to review the performance of the SIEM, the AI, and the security team. Following an incident, the AI could review the activities, the weaknesses in the environment, and the security configurations to present a list of suggestions as to how to prevent the activity in the future based on best practices. Events could be analyzed retroactively to review false positives, and the opportunity to reanalyze emerging events with existing data and prior activity could lead to the identification of latent threats that were previously undetected.

Infrastructure Management Is Hard – Make It Easier!

Wherever you are in your infrastructure management journey, it's critical to focus on fundamental security practices, maintaining high visibility and management of what is on your network or in your cloud. Managing your entire IT infrastructure is already an extremely complex task, and today's business climate only adds additional hurdles, like economic uncertainties, cybersecurity threats, labor challenges, and the general expectation to do more with less. IT infrastructure management services from Park Place Technologies can help your IT team take on increasing responsibilities in the face of current business challenges.

ParkView Managed Services™ is a comprehensive suite of managed IT infrastructure solutions that helps bring order to managing your organization’s critical infrastructure while minimizing chaos and accelerating business transformation. Learn more about this combination of storage management, server management, and network management services today!

About the Author

John Parlee, Chief Information Security Officer