What Is SIEM?

And why is it a critical security tool?

What is SIEM?

According to TechTarget, security information and event management (SIEM) is “an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system.”

Security information and event management systems address the three major challenges that limit rapid incident response:

  1. The vast amount of unaggregated security data makes it hard to see what’s happening and prioritize threats.
  2. IT teams are understaffed/undertrained due to the cybersecurity skills gap.
  3. The need to demonstrate compliance takes time away from threat identification and response.

What is SIEM? Next-Level Architecture Explained

SIEM systems are critical for organizations mitigating an onslaught of threats. With the average organization’s security operations center (SOC) receiving more than 10,000 alerts per day, and the biggest enterprises seeing over 150,000, most enterprises do not have security teams large enough to keep up with the overwhelming number of alerts. However, the growing risk posed by ever more sophisticated cyber threats makes ignoring alerts quite dangerous. A single alert may mean the difference between detecting and thwarting a major incident and missing it entirely. SIEM security delivers a more efficient means of triaging and investigating alerts. With SIEM technology, teams can keep up with the deluge of security data.

Security information and event management (SIEM) solutions collect logs and analyze security events along with other data to speed threat detection and support security incident and event management, as well as compliance. Essentially, a SIEM technology system collects data from multiple sources, enabling faster response to threats. If an anomaly is detected, it might collect more information, trigger an alert, or quarantine an asset.

While SIEM technology was traditionally used by enterprises and public companies that needed to demonstrate compliance, these organizations have come to understand that security information and event management is much more powerful. SIEM technologies have since evolved into a key threat detection tool for organizations of all sizes. Given the sophistication of today’s threats and the fact that the cybersecurity skills shortage is not improving, it is critical to have security information and event management that can quickly and automatically detect breaches and other security concerns. SIEM capabilities are driving more small and medium-sized organizations to deploy a security and event management solution as well.

 

 

How SIEM Works

Some organizations may still be wondering, “What does SIEM do?” SIEM technology gathers security-related information from servers, end-user devices, networking equipment, and applications, as well as security devices. Security information and event management (SIEM) solutions sort the data into categories and, when a potential security issue is identified, can send an alert or respond in another manner according to pre-set policies. The aggregation and analysis of data gathered throughout the network enable security teams to see the big picture, identify breaches or incidents in the early stages, and respond before damage is done.

SIEM systems ingest and interpret logs from as many sources as possible including:

  • Firewalls/unified threat management systems (UTMs)
  • Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
  • Web filters
  • Endpoint security
  • Wireless access points
  • Routers
  • Switches
  • Application servers
  • Honeypots

SIEM systems look at both event data and contextual data from these logs for analysis, reports, and monitoring. IT teams can effectively and efficiently respond to security incidents based on these results.

   

Why SIEM: Critical Benefits

Security information and event management solutions provide key threat-detection capabilities, real-time reporting, compliance tools, and long-term log analysis. The top benefits are:

  • Increased security effectiveness and faster response to threats. To be useful, a security and event management solution must “enable an analyst to identify and respond to suspicious behavior patterns faster and more effectively than would be possible by looking at data from individual systems,” according to the SANS Institute. To be truly effective, it must be able to prevent successful breaches.

  • Efficient compliance demonstration. SIEM technology should also make it easy for IT teams to track and report compliance with industry and governmental regulations and security standards.

  • Significant reduction in complexity. Consolidating security event data from multiple applications and devices enables fast and comprehensive analysis. In addition, repetitive tasks are automated and tasks that previously required experts can be performed by less experienced staff. 

 

Choosing a SIEM Vendor: Your Buying Guide

“The global security information and event management market accounted for $2.59B in 2018 and is expected to grow at a CAGR of 10.4% during the forecast period 2019 - 2027, to $6.24B by 2027,” according to a recent SIEM report by Research and Markets.

This fast-growing market feeds a lot of competition, so it’s important to know what to look for in a security information and event management solution. At the very least, a SIEM solution must be able to:

  • Collect data from every security device
  • Aggregate, correlate, and analyze the data
  • Automate wherever possible
  • Monitor business services, not just devices


Most organizations will want more than just basic functionality from a security information and event management solution. The following checklist provides guidance on specific features that will maximize return on investment (ROI):


Seamless integration into existing security and network architectures
Whether the security architecture is based on the Fortinet Security Fabric or a multi-vendor environment, a security information and event management solution must integrate seamlessly. It needs to be able to automatically discover and ingest data from numerous security and IT devices, including those that are region-specific or industry-specific.

At the outset, it must include flexible deployment options, rapid deployment, and be easily customizable, without the need for extensive professional services.

The solution also must be able to scale with business growth.


High-fidelity, prioritized alerts
Without event correlation and analysis, even consolidated data is worthless. The SIEM solution must use multiple methods to determine what conclusions should be drawn from the data.

Also key is an intelligent infrastructure and application discovery engine that automatically maps the topology of both physical and virtual infrastructure, on-premises and in public/private clouds, providing context for event analysis. This eliminates the wasted time and errors that can occur when this information is added manually.

Further, a top SIEM solution will correlate user identities with their network (IP) addresses and devices. This event context, together with robust rule sets and advanced analytics, enables threat prioritization, flagging those that require immediate attention. As a result, administrators can address high-risk events promptly and offload low-risk events to automated response processes.
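The aggregation, identity correlation, and prioritization described above, as an added example that is not FortiSIEM code or any vendor's rule engine. The event schema, rule names, window, and threshold are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from several sources, already normalized to one schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "source": "dhcp", "type": "lease",
     "ip": "10.0.0.5", "user": "alice", "device": "laptop-17"},
    {"ts": "2024-05-01T09:01:00", "source": "firewall", "type": "deny", "ip": "10.0.0.9"},
    {"ts": "2024-05-01T09:02:00", "source": "app-server", "type": "login_fail", "ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:02:20", "source": "app-server", "type": "login_fail", "ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:02:40", "source": "app-server", "type": "login_fail", "ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:03:00", "source": "app-server", "type": "login_ok", "ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:04:00", "source": "ids", "type": "signature_match", "ip": "10.0.0.9"},
]

PRIORITY = {"high": 0, "medium": 1, "low": 2}
WINDOW = timedelta(minutes=5)  # assumed policy: correlation window
FAIL_THRESHOLD = 3             # assumed policy: failures that make a later success suspicious

def correlate(events):
    """Enrich events with identity context, apply pre-set rules, return prioritized alerts."""
    identity = {}               # ip -> (user, device), learned from lease events
    fails = defaultdict(list)   # ip -> timestamps of failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, ip = datetime.fromisoformat(ev["ts"]), ev["ip"]
        if ev["type"] == "lease":
            identity[ip] = (ev["user"], ev["device"])
            continue
        user, device = identity.get(ip, ("unknown", "unknown"))
        rule = None
        if ev["type"] == "login_fail":
            fails[ip].append(ts)
        elif ev["type"] == "login_ok":
            recent = [t for t in fails[ip] if ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                rule = ("failed logins followed by success", "high")
            fails[ip].clear()
        elif ev["type"] == "signature_match":
            rule = ("IDS signature match", "medium")
        elif ev["type"] == "deny":
            rule = ("firewall deny", "low")
        if rule:
            alerts.append({"rule": rule[0], "priority": rule[1], "ip": ip,
                           "user": user, "device": device, "ts": ev["ts"]})
    return sorted(alerts, key=lambda a: (PRIORITY[a["priority"]], a["ts"]))

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["priority"], a["rule"], a["ip"], a["user"], a["device"])
```

The single high-priority alert carries the user and device learned from the DHCP lease, while the events from 10.0.0.9 stay attributed to "unknown" because no source supplied identity context for that address.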


Automated incident mitigation
An ideal SIEM solution uses security orchestration, automation, and response (SOAR) to orchestrate the appropriate response through multi-vendor security devices. It can respond automatically or alert a human operator, depending on the event’s level of risk and complexity. This flexibility helps organizations achieve the right balance of response speed and human oversight in the face of explosive growth in security data and the acceleration of threats.


High-value business insights from a single pane of glass
Typical security information and event management solutions do not present event information in a business context. However, this is very useful and should be included. For example, a SIEM dashboard could be configured to present the status of the company’s e-commerce service, rather than the status of the individual devices—servers, networking equipment, and security tools—that support that service. This enables the security team to deliver meaningful updates to the lines of business.

Alternatively, security administrators can quickly see which business services would be impacted if a particular device were unavailable or compromised. Most importantly, a single staff member can oversee all security information and event management activities from a central console.


Compliance-ready reporting
A solution with pre-defined reports supporting a wide range of compliance auditing and management needs including PCI-DSS, HIPAA, SOX, NERC, FISMA, ISO, GLBA, GPG13, and SANS Critical Controls helps security teams that have also taken on compliance duties. SIEM security teams can save time and minimize compliance training. Meeting audit/reporting deadlines without having to acquire in-depth knowledge of regulations and reporting content requirements is also advantageous. 

Why Fortinet FortiSIEM?

Security management only gets more complex as more applications, endpoints, IoT devices, cloud deployments, virtual machines, etc. are added to the network. Securing this exploding attack surface requires visibility of all devices and all the infrastructure—in real time. But context is also needed. Organizations need to know which devices represent a threat and where.

Fortinet’s security information and event management system, FortiSIEM, brings together visibility, correlation, automated response, and remediation in a single, scalable solution. FortiSIEM reduces the complexity of managing network and security operations to effectively free resources, improve breach detection, and even prevent breaches. What’s more, Fortinet’s architecture enables unified data collection and analytics from diverse information sources including logs, performance metrics, security alerts, and configuration changes. FortiSIEM essentially combines the analytics traditionally monitored in separate silos of the security operations center (SOC) and network operations center (NOC) for a more holistic view of the security and availability of the business.

Top features of FortiSIEM include:

  • Asset self-discovery to reduce false positives by understanding a device’s contextual capabilities
  • Rapid integrations and scalability with network-aware and vendor-agnostic operations and management to enable a real-time business view of availability, utilization, and security posture
  • Automated workflow driven by a leading security orchestration and automated response engine (SOAR) to quickly respond to threats
  • Single-pane-of-glass view brings teams together to swiftly remediate service issues

The FortiSIEM security information and event management solution goes beyond the considerations of a typical solution on the market. Besides including seamless integration, high-fidelity, prioritized alerts, automated incident mitigation, high-value business insights from a single pane of glass, and compliance-ready reporting, it has a number of other essential capabilities.

FortiSIEM’s value is summed up by eWeek: “This solution provides core SIEM capabilities in addition to complementary features that include a built-in configuration management database (CMDB), file integrity monitoring (FIM), and application and system performance monitoring.” The FortiSIEM CMDB engine automatically discovers all the elements (devices, applications, users, IoT devices, etc.) connected to the network, and their respective interrelationships. The SIEM delivers a comprehensive and holistic topology map that continues to self-learn and report on any changes beyond the initial baseline.

FortiSIEM is available in a number of form factors to fit smoothly into any network architecture: hardware appliances, virtual machines, and on Amazon Web Services (AWS). Physical appliances with varying levels of performance are available to provide a variety of options. The FortiSIEM architecture is a scale-out, enterprise- and service provider-ready, multitenant framework. Each FortiSIEM Collector can monitor more than 10,000 security events per second (EPS) and more than 1,000 devices for high performance and availability.

Enterprise Strategy Group (ESG) performed an in-depth examination of FortiSIEM’s capabilities and effectiveness in a SIEM technical validation test. ESG Lab confirmed that Fortinet’s FortiSIEM “delivers context, visibility, and rapid response by cross-correlating security, performance, and availability data from heterogeneous systems. This enables a security organization to discover, investigate, and respond to security, performance, and availability events rapidly, which provides the tools needed to address incidents completely with swift, focused, confident action. By shortening the time from detection to resolution, organizations can shave valuable time off their remediation processes, saving not just time, but effort, and money.”

The test concluded, “FortiSIEM’s unique capabilities in cybersecurity and IT operations management provide the real-time and historical analytics—with correlated context—needed for organizations to confidently detect and resolve anomalous activity and incidents and preserve business continuity.”
