What is SIEM?
Initially, SIEM License technology which stands for Security Information Management, was introduced. SIM refers to the collection of log files and storage in a central repository for later analysis and therefore also referred to as log management.
After that, The Security Event Management (SEM) was introduced which is the identifying, gathering, monitoring, evaluating and correlating of system events and alerts.
Basically, SEM is an improvement of SIM and the two are seen as distinct areas of network security management. Later, these solutions have merged together shaped SIEM solution.
SIEM License is a tool that collects, aggregates and normalizes the data and analyses it according to pre-set rules and presents the data in human readable format. Overall, the responsibility of SIEM solution is listed below:
- SIEM Log Collection
- SIEM Log Aggregation
- SIEM Rule-Based Alerts
- SIEM Artificial Intelligence
- SIEM Response
Also there are SIEM functions that we are going to deep in the following.
If you are leveraging a SIEM solution, the collection of logs can be done in either two ways:
- Agent Based: Agent Collector on each device, collects parses and forwards the logs. Mostly used on Windows servers, web servers and etc.
- Agent Less: Devices send the logs to the server. Mostly used in Cloud environments (using APIs), firewalls and switches.
Basically, aggregation is the process of collecting all the logs from multiple computing systems, parsing them and extracting structured data, and putting them together in a format that can be easily searched and explored by modern data tools for further analysis.
By using parsing, software can take a specific log format and convert it to structured data and extract the needed information from the logs.
Normalization merges events containing different data into a reduced format which contains common event attributes.
categorization involves adding meaning to the events by identifying log data related to system events, authentication, local/remote operations and etc.
Log enrichment involves adding important information that can make the data more useful.
SIEM Correlation and Alerts
A correlation rule is a logical expression that causes the system to take a specific action if a particular event occurs. In other words, a correlation rule is a condition that functions as a trigger for alert.
There is the need to create an index of common attributes across all log data to effectively search and explore the log data. Searches or data queries that use the index keys can be an order of magnitude faster, compared to a full scan of all log data.
Eventually, logs are stored for different purposes such as compliance and sometimes for later retrieval. They can be kept in either a hot or cold Storage.