SIEM (Security Information and Event Management) is a solution for cyber security monitoring, detection, and investigation, SIEM collects, manages, and analyzes event logs generated by networks and systems, contributing to early detection of security incidents and prompt response.
SIEM is primarily used in a Security Operations Center (SOC), an organization that monitors security within an organization and understands the occurrence of cyber attacks and incidents, SIEM is an important tool for security professionals to support efficient security operations in the following ways
Alert notification through integrated log management: SIEMs manage various logs in an integrated manner and detect signs of abnormal activity or attacks, and alert security personnel. For example, in addition to detecting malware and other unauthorized behavior, SIEM will alert you when suspicious events are detected, such as multiple login attempts to servers where critical information is stored, or use of cloud services not authorized by your company.
Incident investigation and response: Based on unauthorized or suspicious events, SIEM investigates whether or not it is a cyber attack (normal behavior, access error, etc.). If determined to be a cyber-attack, the route and scope of the attack, including whether it is an external or internal cyber-attack, can be traced to provide clues for incident response. The following measures will be taken
Reporting: From a medium- to long-term perspective, visualize the status of violations of your company's security policies and the impact of cyber attacks, and create a report. By visualizing what kind of cyber-attacks the company has been subjected to over a period of one month, three months, six months, one year, etc., the company can consider what security measures it should take next.
The main use cases of SIEM are listed above, but the greatest benefit of SIEM for security personnel is the ability to quickly visualize events and log information from multiple different products and link them to the next action.
xWhile SIEM brings benefits to SOCs and other organizations in terms of improved security and operational efficiency, it also presents the following challenges.
Complex implementation and configuration: SIEMs are complex systems that require time and expertise to implement and configure. Security professionals must continually work to integrate device logs and data sources, configure rules, and tune alerts.
Processing large amounts of log data: A large amount of log data must be processed and analyzed. Appropriate hardware and storage resources are needed to process large amounts of data. It is also necessary to manage log data retention periods and data compression/reduction.
Ongoing response to false positives and alert overload: SIEMs generate alerts based on predefined rules and patterns. However, false positives (false positives: legitimate activity mistakenly detected as malicious) and false negatives (false negatives: malicious activity missed) can occur. Also, depending on the configuration, a large number of alerts may be received, requiring continuous tuning of alerts and improvement of rules on the user side.
Response after incident detection: When an event is detected in real time, the actual incident must be confirmed and responded to. If security personnel does not tune up alerts ahead of time, they will be required to respond to alerts of various sizes, which may in turn reduce operational efficiency.
Skill and resource requirements: Proper implementation and operation of SIEM requires security analysis and log management skills. It also requires the availability of appropriate resources (personnel, hardware, and software).
Similar to SIEM as a tool to improve security level and efficiency is XDR (Extended Detection and Response). The differences between SIEM and XDR are as follows:
Data collection targets and contextualization
Analysis and detection
Incident Response and Automation
Dependence on the source