Security Information and Event Management (SIEM, pronounced as “sim”) is a subfield within cybersecurity and a group of tools that address the monitoring, logging, alerting and analysis of what happens on computers, servers and networks.
It is the combination of Security Information Management (SIM), the logging and conservation of relevant security data, and Security Event Management (SEM), the real-time monitoring and correlation of security incidents.
SIEMs can exist as software, a platform combining software and hardware, or an off-the-shelf service. They aggregate, correlate and present a holistic view of cybersecurity events. Automating these tasks tends to improve key cybersecurity detection and remediation metrics, notably the average time it takes for cybersecurity teams to detect (mean-time-to-detect, MTTD) and respond (mean-time-to-respond, MTTR) to cybersecurity incidents.
What do they do?
As the combination of SIM and SEM, SIEM serves as an alert system and, importantly, a logging tool. Because cybersecurity operators cannot deal with all alerts in real-time, logging allows them to review the backlog of alerts and audit systems. When they detect a potential threat, logging and auditing enable specialists to perform forensic analysis of the affected systems.
SIEM relies on several NIST protocols. For example, SP 800-92 (Computer Security Log Management) lays out how to log security incidents. SP 800-53 AU-2 (Event Monitoring) relies on the CIA triad (Confidentiality, Integrity, and Availability) to classify security incidents. More advanced features, such as SP 800-53 RA-10 (Threat Hunting), actively seek Indicators of Compromise on computers, servers and networks. NIST published a Computer Security Incident Handling Guide to assist SIEM operators and first responders.
Detecting anomalous network behaviour, for instance, can help detect intrusions that use zero-day vulnerabilities that are, by definition, unknown. SIEMs can also detect the exfiltration of data by an insider threat, such as an aggravated or compromised employee. Most SIEMs also monitor email servers and can help detect phishing.
How does SIEM integrate with Security Operations Centres?
SIEMs, regardless of how they are provided and operated, can be integrated within a Security Operations Centre, or SOC. SOCs are the physical place where security operators monitor networks and assets. SOCs always operate (24/7) and, most often, rely on six to eight hour-long shifts to maintain permanent human supervision.
SOCs can operate at an organization-wide perimeter. They then perform the function of a hypervisor, a centralized entity that sees and monitors everything. Large companies or institutions (e.g., multinational corporations, ministries, armed forces) can deploy several subsidiary SOCs along with geographic or functional areas of responsibility, according to the principle of subsidiarity: The local SOC deal with logs and alerts in the first instance, while the hypervisor maintains a holistic vision of the systems and networks.
What’s the difference between SIEM, IDS and IPS?
Although they are related, SIEMs should not be confused with Intrusion Detection Systems (IDS). An IDS, as its name indicates, is a passive system that monitors network activity. It can be placed at the level of the computer (host) or of the network and can be configured with custom rules, such as banning unknown Virtual Private Networks (VPN) or blocking IP addresses from certain countries or locations.
An Intrusion Prevention System (IPS) is a more advanced version of an IDS. Instead of merely detecting potential attacks, IPSs can automatically deploy soft countermeasures against suspected intrusions. This can consist in banning or redirecting nefarious parts of network traffic (packets) to an address that leads essentially nowhere, a method known either as black-holing or sink-holing.
Both IDS and IPS fulfil, in effect, one brick of what SIEMs entail: most SIEMs include an IDS or IPS.
What are the challenges facing SIEMs and SOCs?
Computer and network monitoring deals with an overwhelming amount of data. This creates at least two problems, the first being how tight to set the net: If the SIEM is too sensitive, it will report too many unwarranted alerts or false positives. On the other hand, if the setup is too tight, it will miss relevant security incidents.
Second, and perhaps most importantly, is the issue of human capabilities. Human operators cannot maintain high levels of attention and efficiency over long periods. In addition to the risk of fatigue, they face the issue of automation bias - humans inevitably trust the system too much, causing a loss in critical thinking and over-reliance on the system assessment. Other biases include attentional bias, attenuation and the backfire effect. For a comprehensive literature overview of relevant decision-making biases, see Johnson and Gutzwiller, 2020.
This dual challenge, both qualitative and quantitative, lies in representing information in a discriminate and efficient - yet accurate - fashion. Innovation in the field includes representing alerts in a 3D environment or as music, the latter is known as sonification (Axon et al., 2020). The field of cognitive cybernetics (Cassenti et al., 2018) is also developing to provide new ways to reduce these risks.