Security Information and Event Management (SIEM)

Security Information and Event Management (SIEM) is a monitoring system that aggregates data from different security-sensitive sources, analyzes the data, presents it, and issues alerts when triggering criteria are met. SIEM data is ingested from different sources, including the network, security controls, servers, databases, applications, etc. The data is analyzed to detect abnormalities that may indicate a problem. Data from different sources is often correlated to provide more meaningful context for individual events.

SIEM outputs alerts for suspicious events to a dashboard or third-party channels such as email. Data presented on the dashboard assists analysts in identifying abnormal activities. Alerts can be configured to trigger security controls to collect additional data or enforce a blocking action to prevent an attack.

Basic SIEM systems employ a rules-based approach to alerting. More advanced systems utilize machine learning to analyze the vast amounts of data that they collect.

SIEM systems are also used for data retention purposes, to support forensic investigations and to comply with data retention requirements/regulations.

Frequently Asked Questions
What are the capabilities that define SIEM?

SIEM capabilities generally include:
• A log ingestion and aggregation module that takes in logs from different sources.
• An analysis engine that correlates data from different logs and analyzes the data using rules or more advanced machine learning capabilities.
• An alerting module that raises alerts to a dashboard or sends them via third-party channels such as email.
• A dashboard for displaying alerts, data summaries and charts.
• A compliance module capable of producing automated reports from the data that comply with specific reporting requirements.
• A data retention module for storing historical data.
• A forensic analysis capability that enables an analyst to explore and analyze logs in an effort to uncover suspicious events.

What are Host Intrusion Prevention System Alerts?

Host Intrusion Prevention System (HIPS) is a security control that monitors a host for suspicious activity by analyzing events occurring within that host. It aims to stop malicious code by monitoring its behavior instead of looking at the code signature. HIPS alerts are issued when suspicious behaviors are detected and can be fed into a SIEM system.
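The analysis-engine capability listed above (rules-based correlation across sources) and the HIPS alerts described here can be illustrated with a minimal correlation rule. The following is an added example, not code from any SIEM product; the two log sources, their key=value format and the rule thresholds are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample data: an SSH auth log and HIPS alerts for two hosts.
AUTH_LOG = """\
2024-03-01T10:00:01Z host=web01 src=203.0.113.5 user=admin result=failure
2024-03-01T10:00:04Z host=web01 src=203.0.113.5 user=admin result=failure
2024-03-01T10:00:07Z host=web01 src=203.0.113.5 user=admin result=failure
2024-03-01T10:00:20Z host=web01 src=203.0.113.5 user=admin result=success
2024-03-01T10:05:00Z host=db01 src=198.51.100.7 user=backup result=success
"""
HIPS_ALERTS = """\
2024-03-01T10:01:30Z host=web01 severity=high event=unexpected_process_spawn
2024-03-01T11:30:00Z host=db01 severity=low event=config_file_modified
"""

def parse(line, source):
    # Normalize one "ts key=value ..." line into a dict tagged with its source.
    ts, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields

def ingest(sources):
    # Aggregate every source into a single stream ordered by timestamp.
    events = [parse(ln, n) for n, t in sources.items() for ln in t.splitlines() if ln.strip()]
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Rule: N+ auth failures, then a success from that src, then a high HIPS alert on the host within `window`."""
    failures = defaultdict(list)   # (host, src) -> failure timestamps
    suspect = {}                   # host -> (success ts, src)
    alerts = []
    for e in events:
        if e["source"] == "auth":
            key = (e["host"], e["src"])
            if e["result"] == "failure":
                failures[key].append(e["ts"])
            elif e["result"] == "success":
                recent = [t for t in failures[key] if e["ts"] - t <= window]
                if len(recent) >= fail_threshold:
                    suspect[e["host"]] = (e["ts"], e["src"])
        elif e["source"] == "hips" and e.get("severity") == "high":
            hit = suspect.get(e["host"])
            if hit and e["ts"] - hit[0] <= window:
                alerts.append({"host": e["host"], "src": hit[1],
                               "hips_event": e["event"], "ts": e["ts"]})
    return alerts
```

Neither source alone justifies an alert (a few failed logins, or a single HIPS event, are common noise); the correlated sequence on the same host is what the rule fires on.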

What is Splunk?

Splunk is software for searching, monitoring, and analyzing machine-generated data. Splunk captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.

Splunk is used by some customers as a SIEM.

What is SIEM used for?

Security information and event management (SIEM) products and services combine security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by applications and network hardware.