Skip to content

Chapter 7

Security Information and Event Management (SIEM) Systems

SIEM (Security Information and Event Management) is a technology that helps businesses aggregate historical and real-time security logs and event data from various systems like host systems, applications, networks, and security solutions in a single platform. The objective of a SIEM is to offer threat detection, compliance, and security incident management, and it does this by providing more awareness and visibility around IT environment security via a single dashboard. SIEM combines Security Information Management (SIM) and Security Event Management (SEM) solutions to enable security teams to gain insights into attacks by reviewing tactics, techniques, procedures, and known indicators of compromise.

What is a SIEM?

SIEM helps organisations handle security events by aggregating log and security data from various sources, helping to detect, investigate, and respond to a rising number of security events. The technology also helps to manage all security challenges brought about by a hybrid environment and automates to reduce costs, avoid manual work, and respond more quickly to security events.

Detection & Response hasn’t changed much in 15 years…

Ingestion / Normalisation

  • All data consolidated in on-prem repos
  • Lots of data not used for security
  • Most data used isn’t available for more than 90 days
  • Scale prohibitive pricing

Threat Intelligence

  • Many data providers
  • Lots of noisy data
  • The heavy lift of integration, refinement & management done by customers
  • Requires security expertise

Detection

  • Complex rulesets
  • Hard to write and maintain
  • Not enough behavioural/AI/ML

Triage / Enrichment

  • Large numbers of false positives
  • Severity prioritisation
  • Manual queries against many data sources
  • Stitching is error-prone even if data is available

Investigation

  • Manual queries on multiple systems
  • Joined data in spreadsheets or collabs
  • Security expertise required
  • Analyst tiers not used ideally

Remediation/IM

  • Additional systems for remediation
  • Hand-crafted, brittle workflows
  • SOAR is the most significant evolution

What Customers Usually Struggle With, and SIEM Solves

  • Alert fatigue: Security analysts stop looking at alerts. The more alerts analysts receive, the less important each one becomes. Security analysts are no longer capable of paying attention to each and every alert because the number of security events goes up. The more alerts received, the more false positive alerts they receive and the higher the chance of alert fatigue. The biggest risk? Not responding at all because your alert was snowed by others.  
  • Multiple environments: In today’s hybrid working environment it is challenging to secure an environment that combines infrastructure on-premise, in the cloud and other locations. Managing all the security challenges that a hybrid environment brings is challenging. 
  • Lack of automation: Year after year, you will be receiving more security alerts. This makes it more difficult to manually respond, but also increases the chance of alert fatigue when dealing with too many false positives. We need to keep the 10X rule in mind: automate to reduce costs, avoid manual repetitive work and respond faster to your security events. 
  • Smart detection: Don’t only think about treats you know, but also find ways to detect those you don’t know yet.
  • Tool integration: There are too many vendors; how do you stitch it all together when you get an alert on an end-point, correlate it on a firewall and something that is noticed on the web proxy? Many companies struggle to stitch it together. 
  • Data retention : Usually, 203 is the days average before they see an intruder in an infrastructure. A lot of companies limit this to 90 days. When you see an incident, you need to go back in time, but if it happened too long ago you will never find it again in your data set. 

One of the most significant challenges businesses face and SIEMs solve is alert fatigue, which occurs when security analysts receive high-volume alerts, causing them to overlook important ones. SIEM helps to address this by providing the necessary context that allows analysts to differentiate between high and low-priority alerts. 

The other challenges include the difficulty of securing an environment combining:

  • Infrastructure on-premise
  • Lack of automation 
  • Smart detection
  • Tool integration

Lastly, data retention can be a problem as companies tend to limit data retention to reduce the cost of long-term data storage.

Cloud-Native SIEM vs. Legacy SIEM

Legacy SIEM was built primarily for on-premises and added cloud environments into the same technology. On the other hand, Cloud-Native SIEM, such as Google’s SIEM, was born and made for the cloud. An example of this is Google’s very own Chronicle SOAR. It scales queries to carry a maximum of a few minutes, and there is a lower risk of undetected threats, lack of context, and enrichments. Additionally, the pricing model often discourages ingesting all security telemetry, leading to situations in which the security infrastructure has limited capabilities. However, with Google Cloud, businesses can bring extra data into their SIEM without incurring additional costs, making it more powerful.

Chronicle SIEM Impact

Features to Consider When Selecting a SIEM Solution

  • Integration with other controls: Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?
  • Artificial intelligence (AI): Can the system improve its accuracy through machine learning and deep learning?
  • Threat intelligence feeds. Can the system support threat intelligence feeds of the organisation’s choosing, or is it mandated to use a particular feed?
  • Extensive compliance reporting: Does the system include built-in reports for common compliance needs and provide the organization with the ability to customize or create new compliance reports.
  • Forensics capabilities: Can the system capture additional information about security events by recording the headers and contents of packets of interest

Chronicle is Google’s Cloud-Native Security Information and Event Management Solution. Its goal is to enable security teams to detect, investigate and respond to threats at Google Speed and Scale. 

What can Chronicle do for you? 

It’s a full-stack platform to build on. When running security operations, you need to have one starting point. Chronicle is ideal for this because it gets all the alerts and events from different sources and combines them into one single source of truth. It will help your SOC to build automated tracks from this starting point. 

You can move your intelligence feeds, log files, and data feeds. Everything you have, you start putting it into Chronicle. The moment you have data here, it will give you value. It will help you detect from then and onwards. 

What’s next? 

Take your SIEM a step further. Choose Automation using a platform like Chronicle SOAR. 

  • Leverage automation 
  • Out-of-the-box playbooks for standard use cases 
  • Easy to use and intuitive playbook designer, leveraging 300+ integrations 
  • Close the loop from detection to response – at scale

Limitations of SIEM

Despite its benefits, there are still some limitations of SIEM, including the following:

  • Usually, it takes a long time to implement because it requires support to ensure successful integration with an organisation’s security controls and the many hosts in its infrastructure. It typically takes 90 days or longer to install SIEM before it starts to work.
  • It was expensive. The initial investment in SIEM can be hundreds of thousands of dollars. And the associated costs can also add up, including personnel to manage and monitor a SIEM implementation, annual support, and software or agents to collect data.
  • Analysing, configuring and integrating reports require the talent of experts. That’s why some SIEM systems are managed directly within a security operations centre (SOC), a centralised unit staffed by an information security team that deals with an organisation’s security issues.
  • SIEM tools usually depend on rules to analyse all the recorded data. The problem is that a company’s network generates a large number of alerts — 10,000 per day — which may or may not be positive. Consequently, it’s hard to identify potential attacks because of the number of irrelevant logs.
  • A misconfigured SIEM tool may miss essential security events, making information risk management less effective.