SIEMs are monitoring and supervision systems that allow anticipating or detecting security incidents affecting information availability, integrity, and confidentiality. They are the core of the monitoring and supervision of an organization’s ICT assets.
By processing the security events of the different information and communication systems, they anticipate or detect information security incidents. In addition, they are the primary tool used by Security Operations Centers (SOCs) for incident management.
Managing information security incidents consists of detecting them, analysing them and responding adequately when they occur in order to contain and eradicate them. SIEMs play a critical role in detection and analysis.
How does SIEM work?
SIEMs receive the logs of the different information systems (servers, databases, applications…), network devices (routers, switches, etc.) and other security solutions (firewalls, IDS / IPS, proxies, NAC…). It is essential to distinguish a SIEM from a syslog server: the purpose of the syslog server is to centralize all the logs of an organization’s technological infrastructure, whereas the SIEM is responsible for detecting security incidents.
The SIEM standardizes the logs received from the different ICT assets; that is, it transforms them into a suitable structure to work with, which is common to all of them. In other words, it transforms them into events.
Once the logs have been normalized and the information transformed into events, the SIEM correlates the events received from the assets and relates them by applying a layer of intelligence to detect suspicious patterns, abnormal behaviours, etc., indicating that a security incident may occur or is occurring.
How to implement a SIEM?
In general, implementing a SIEM follows these steps:
- Identify the critical business processes of an organization, the electronic services that support them and the ICT assets that support these services.
- From an information security point of view, determine the source of information, communications, and security systems that need to be supervised.
- Identify the systems that will send the logs of the supervised ICT assets to the SIEM; that is, the information sources that will feed the SIEM.
- Review the audit configuration of the different ICT assets to be monitored to ensure that the logs they send are adequate and optimal from an information security perspective.
- Carry out the necessary configurations in the SIEM information sources to send the logs.
- Make the required adjustments in the SIEM configuration, correlation rules, notifications, alerts, etc.
- Model new use cases adapted to the needs of the organization.
- Debug false positives by fine-tuning the rules.
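As an added example (not from the original article), the following Python sketch ties together the normalization and correlation described in "How does SIEM work?" with the false-positive tuning in the last step above: two constructed log formats are normalized into one event schema, a correlation rule looks for a burst of authentication failures followed by a success from the same source, and an allowlist lets an analyst suppress a known-benign source. The log lines, IP addresses, field names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample logs: sshd lines via syslog plus a firewall line in key=value format.
RAW_LOGS = [
    "Mar 10 08:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Mar 10 08:00:03 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Mar 10 08:00:05 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Mar 10 08:00:09 web01 sshd[2201]: Accepted password for root from 203.0.113.7 port 51244 ssh2",
    "Mar 10 08:00:02 fw01 action=deny src=198.51.100.9 dst=10.0.0.5 dport=22 proto=tcp",
    "Mar 10 08:00:20 web01 sshd[2210]: Failed password for admin from 198.51.100.9 port 40000 ssh2",
]
TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
SSHD_RE = re.compile(TS + r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(TS + r"(?P<kv>action=.*)$")

def parse_ts(text, year=2024):  # syslog timestamps carry no year; assume one
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def normalize(line):
    """Map one raw line onto a common event schema; None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "src_ip": m["src"], "user": m["user"],
                "category": "authentication", "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    m = FW_RE.match(line)
    if m:
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "src_ip": kv["src"], "user": None,
                "category": "network", "outcome": "blocked" if kv["action"] == "deny" else "allowed"}
    return None

def correlate(events, threshold=3, window_s=60, allowlist=frozenset()):
    """Rule: >= threshold auth failures from one source within window_s seconds, then a success from that
    source, raises an alert. Allowlisted sources (e.g. an approved internal scanner) are ignored: tuning."""
    failures, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "authentication" or ev["src_ip"] in allowlist:
            continue
        if ev["outcome"] == "failure":
            failures[ev["src_ip"]].append(ev["ts"])
        elif ev["outcome"] == "success":
            recent = [t for t in failures[ev["src_ip"]] if (ev["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "src_ip": ev["src_ip"],
                               "user": ev["user"], "host": ev["host"], "failures": len(recent)})
    return alerts

def run(lines, allowlist=frozenset()):
    events = [e for e in map(normalize, lines) if e]
    return events, correlate(events, allowlist=allowlist)
```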
What about SIEM in the cloud?
A SIEM solution in the cloud offers even more benefits. For example, it can simplify and reduce deployment, administration, maintenance, and scaling time compared to on-premises versions.
In addition, the company now has security, support and high availability offered by the SIEM provider in the cloud. Especially for small and medium-sized businesses, there are countless benefits to transferring platform and software management to a SIEM provider.
They now have access to advanced analytics and more frequent content updates and don’t have to worry about significant up-front investments.
Cloud-based SIEM services are generally priced by usage. They still require regular adjustment, customization, and constant monitoring to respond quickly to incidents and mitigate damage.
SIEM cloud options
Google Cloud: Chronicle
Chronicle is a software-as-a-service SIEM based on Google’s core infrastructure. It leverages data platforms that power some of Google’s most significant products to solve collection, correlation, hunting, detection, and reporting use-cases on multi-cloud and on-premises security logs.
It saves 365 days of raw and normalized logs by default, making them searchable, detectable, and reportable.
It eliminates the traditional barrier that more data equals poorer performance, allowing users to scale threat detection and hunt petabytes of data.
Customers only need to transmit raw security logs to Chronicle, and the company’s SaaS platform will do the rest, including data engineering, to make the data valuable to security professionals.
Microsoft: Sentinel
Microsoft Sentinel is a cloud-native security information and event manager (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise. Microsoft Sentinel aggregates data from all sources, including users, applications, servers, and devices running on-premises or in any cloud, letting users reason over millions of records in a few seconds. In addition, it includes built-in connectors for easy onboarding of popular security solutions, and it can collect data from any source with support for open standard formats like CEF and Syslog.
AWS: SIEM solutions available in AWS Marketplace
Devo: The Devo Platform and integrated apps provide cloud-native logging and security analytics that security teams need to better detect and respond to threats.
IBM Security QRADAR: IBM Security QRadar SIEM provides centralized visibility and insights to quickly detect and prioritize threats across networks, users, and the cloud.
Securonix: Securonix Next-Gen SIEM delivers unlimited scalability, ML-based analytics, threat modelling with MITRE ATT&CK, and automated incident response.
Splunk: Splunk Cloud enables you to take decisive actions on insights from your data without the need to purchase, manage, and deploy additional infrastructure.
Sumo Logic: Sumo Logic Cloud SIEM Enterprise automatically analyzes and correlates security data to help SOC analysts discover and resolve critical threats faster.
Oracle Cloud: Automated SaaS Cloud Security Services
The SIEM infrastructure is deployed and maintained automatically as part of the ASCSS infrastructure at Oracle.
To wrap-up
A SIEM solution is essential for an organization to face cyber-attacks, providing it with the business intelligence needed to make decisions and carry out the practices and procedures in favour of prevention and the early response required to protect data.
For those who prefer SIEM as a solution in the cloud, it can bring many benefits to organizations, since it reduces environmental risks and guarantees adequate protection of corporate data. Therefore, it is essential to choose the best service provider so as not to miss any security information event in your company.
Additional Resources
Oracle Automated SaaS Cloud Security Services
SIEM solutions available in AWS Marketplace
Google Cloud Chronicle documentation
Microsoft Sentinel