This is the first article of a series on a group of security products known as SIEM: security information and event management.
You are probably familiar with the fact that most computing devices log a number of events that happen on their systems, e.g. a user logs into Windows; an antivirus scanner detects a virus; a switch port is disabled; etc. As with a plane's black box or a written log of events, the events happening inside computer systems have value: an administrator can understand what caused a user to get locked out of his computer; why the web server is no longer receiving traffic; where a worm originated; etc. Since the logs already exist, they are of much more use if they can be readily accessed from a purpose-built system than if we had to go to each individual machine to retrieve them. Log management systems (LMS) were born out of this requirement.
A log management system collects logs in a central repository. This is useful for after-the-fact reviews of incidents. But what if you want to know in close to real time what is going on in your computer infrastructure? This is where the SIEM comes in. SIEMs have considerably enhanced capabilities over an LMS, but usually do not retain the logs for as long as a purpose-built LMS does.
SIEMs perform a few functions: they normalise, aggregate and correlate the logs. They present the logs in an easy-to-understand GUI. They are able to provide trending and analysis.
Normalisation: Logs come in various formats. It can take some effort to understand what logs from different products/manufacturers are trying to say. SIEMs simplify this by standardising the log content into fields that are common to the SIEM. The analyst then only has to understand the fields within the SIEM, which is enough to comprehend logs from any source.
Aggregation: Some devices send hundreds, perhaps thousands, of similar events with just a few parameters, including the timestamp, differentiating between them. When those distinctions are not relevant, a number of events within a short timeframe can be aggregated into one event, with the total number of events represented recorded in a field. This reduces the number of lines that an analyst has to look at.
Correlation: This is the key strength of the SIEM. Correlation is the ability to see relationships between distinct events that happen in the infrastructure. The events may originate from distinct products and can sometimes be separated by hours. If such relationships can be found automatically, human effort in analysis is drastically reduced. If a person's remote login account is used and, within a few minutes, their door card is used to access an office building, this might be something that security has an interest in. A SIEM can detect this sort of correlation.
The obvious next thing to do after detecting a correlation that is security-critical would be to notify the analysts of the event. This can be done via email, SMS, popups on their console, etc. SIEMs have the ability to send alerts close to real-time once an event or a correlation occurs.
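As an added illustration of the three functions just described (this is not code from the original post), here is a toy pipeline over two constructed log sources: the remote-login and door-badge events from the example above, in invented formats. It normalises both into one schema, aggregates repeated logins, and raises an alert when a user's remote login is followed by their badge entry within five minutes; the log formats, field names and time windows are all assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample logs (not real product formats) from two unrelated sources:
# a VPN concentrator (ISO timestamps) and a door-access controller (CSV, d/m/Y).
VPN_LOG = """\
2016-11-14T08:01:10 vpn01 LOGIN user=alice src=203.0.113.5
2016-11-14T08:01:11 vpn01 LOGIN user=alice src=203.0.113.5
2016-11-14T08:20:00 vpn01 LOGIN user=bob src=198.51.100.7
"""
DOOR_LOG = """\
14/11/2016 08:04:30,DOOR-HQ-3,GRANTED,alice
14/11/2016 09:10:00,DOOR-HQ-1,GRANTED,bob
"""
VPN_RE = re.compile(r"^(\S+) (\S+) LOGIN user=(\S+) src=(\S+)$")
KEY = ("source", "type", "user", "detail")  # fields that make two events "the same"

def normalise(vpn_text=VPN_LOG, door_text=DOOR_LOG):
    """Map both vendor formats onto one common schema: the SIEM's own fields."""
    events = []
    for m in filter(None, map(VPN_RE.match, vpn_text.splitlines())):
        ts, host, user, src = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "source": host,
                       "type": "remote_login", "user": user, "detail": src})
    for line in door_text.splitlines():
        ts, door, result, user = line.split(",")
        if result == "GRANTED":
            events.append({"time": datetime.strptime(ts, "%d/%m/%Y %H:%M:%S"),
                           "source": door, "type": "badge_entry", "user": user, "detail": door})
    return sorted(events, key=lambda e: e["time"])

def aggregate(events, window=timedelta(seconds=60)):
    """Collapse repeats of the same event within `window` into one, keeping a count."""
    out = []
    for e in events:
        last = out[-1] if out else None
        if last and all(last[k] == e[k] for k in KEY) and e["time"] - last["time"] <= window:
            last["count"] += 1          # same event again: bump the counter, no new line
        else:
            out.append(dict(e, count=1))
    return out

def correlate(events, window=timedelta(minutes=5)):
    """Alert when a user's remote login is followed by their badge entry within `window`."""
    alerts = []
    logins = [e for e in events if e["type"] == "remote_login"]
    for badge in (e for e in events if e["type"] == "badge_entry"):
        for login in logins:
            if login["user"] == badge["user"] and timedelta(0) <= badge["time"] - login["time"] <= window:
                alerts.append({"user": badge["user"], "login": login["time"], "badge": badge["time"]})
    return alerts
```

Running `correlate(aggregate(normalise()))` yields one alert for alice (login 08:01:10, badge 08:04:30) and none for bob, whose badge entry is 50 minutes after his login.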
Dashboards and reporting:
SIEMs come with nice interfaces that provide snapshots or current states of security in one's environment. These may be snapshots in the form of reports, presented as charts, tables or a combination of both, or they may be dashboards that show current states, maxima, minima, averages, etc.
SIEMs have evolved over the last decade and they now come with even more features. The ability to do user behavior analysis and integrate threat and network models are features that you will see in today’s SIEMs.
The ubiquitous Gartner magic quadrant for SIEM will give you an idea of the major players in the SIEM market as Gartner sees it. Take care to actually read their analysis and to look beyond the picture when you consider buying a SIEM for your organisation.
I will make a few more posts on SIEM in the next few weeks. I am speaking at the CSX 2016 Asia Pacific conference (14-16th November 2016) on SIEM. Check it out: http://www.isaca.org/cyber-conference/csxasia.html