What is SIEM software? How it works and how to choose the right tool

Evolving beyond its log-management roots, today's security information and event management (SIEM) software vendors are introducing machine learning, advanced statistical analysis and other analytic methods to their products.

What is SIEM software?

Security information and event management (SIEM) software gives enterprise security professionals both insight into and a track record of the activities within their IT environment. 

SIEM technology has been in existence for more than a decade, initially evolving from the log management discipline. It combined security event management (SEM) – which analyzes log and event data in real time to provide threat monitoring, event correlation and incident response – with security information management (SIM) which collects, analyzes and reports on log data.           

How SIEM works

SIEM software collects and aggregates log data generated throughout the organization’s technology infrastructure, from host systems and applications to network and security devices such as firewalls and antivirus filters.

The software then identifies and categorizes incidents and events, as well as analyzes them. The software delivers on two main objectives, which are to

  • provide reports on security-related incidents and events, such as successful and failed logins, malware activity and other possible malicious activities and
  • send alerts if analysis shows that an activity runs against predetermined rulesets and thus indicates a potential security issue.

Enterprise need for better compliance management drove much of the early adoption of this technology, says Paula Musich, research director at Enterprise Management Associates (EMA), a market research and consulting firm based in Boulder, Colo.

“Auditors needed a way to look at whether compliance was being met or not, and SIEM provided the monitoring and reporting necessary to meet mandates like HIPPA, SOX and PCI DDS,” she says, referring to the Health Insurance Portability and Accountability Act, the Sarbanes–Oxley Act and the Payment Card Industry Data Security Standard.

However, experts say enterprise demand for greater security measures has driven more of the SIEM market in recent years.

“Now large organizations typically look to SIEM as a foundation for standing up the security operations center,” Musich says.

Analytics and intelligence

One of the main drivers behind the use of SIEM software for security operations rests with the newer capabilities contained within many of the products on the market.

“Now a lot of SEIM technologies bring in threat intelligence feeds in addition to traditional log data, and there are multiple SIEM products that have security analytics capabilities that look at network behavior as well as user behavior to give more intelligence around whether an activity indicates malicious activity,” Musich explains.

Indeed, technology research firm Gartner in its May 2017 report on the worldwide SIEM market calls out the intelligence in SIEM tools, saying “innovation in the SIEM market is moving at an exciting pace to create a better threat detection tool.”

The Gartner report further notes that vendors are introducing machine learning, advanced statistical analysis and other analytic methods to their products, while some also are experimenting with artificial intelligence and deep learning capabilities.

According to Gartner, vendors market such advances as capabilities that can provide more accurate detection rates at a faster pace. However, Gartner points out that enterprises aren’t yet clear on whether, or by how much, these capabilities yield new returns to the organization.

Rob Stroud, a principal analyst with Forrester Research and past board chairman with ISACA, an international professional association focused on IT governance, says he sees promise in such technologies.

“With AI and machine learning we can do inference and pattern-based monitoring and alerting, but the real opportunity is the predictive restoration. This is the transition in the market now. It’s going from a monitoring tool to [the software providing] remediation suggestions,” Stroud says, adding that he expects SIEM software to even be able to automate remediation in the future.

SIEM in the enterprise

SIEM software captures only a small portion of the total dollars spent on enterprise security worldwide, according to Gartner. Gartner estimates global spending on enterprise security at nearly US$98.4 billion for 2017, with SIEM software garnering about $2.4 billion. Gartner predicts spending on SIEM technology will rise modestly, to nearly $2.6 billion in 2018 and $3.4 billion in 2021.

SIEM software is mostly used by large organizations and public companies, where compliance to regulations remains a strong factor in the use of this technology, according to analysts.

While some mid-size companies also SIEM software, small companies do not tend to need nor want to invest in it. Analysts say they’re often priced out of buying their own solution, as its annual cost can run from tens of thousands to more than $100,000-plus. Additionally, small companies don’t have the ability to hire the talent needed to maintain SIEM software on an ongoing basis.

That said, analysts do also note that some small and mid-size businesses have SIEM delivered as a software-as-a-service offering through outsourcing providers who are large enough to sell their SMB clients that service.

Currently, large enterprise users tend to always run SIEM software on-premises, due to the sensitivity of some of the data going through the system. “You’re logging sensitive things, and that’s not something that people have a lot of appetite for sending over the internet,” says John Hubbard, lead analyst for GlaxoSmithKline’s U.S. Security Operations Center and an instructor with the SANS Institute, an organization for security professionals.

However, as machine learning and artificial intelligence capabilities within SIEM products increases, some analysts expect SIEM vendors will offer a hybrid option, with some of the analytics running in the cloud.

“We’re seeing collecting and curating and intelligence via cloud; we’re seeing that emerge because the vendor can [gather and] cull through more data than an organization can,” Stroud says.

SIEM tools and vendor selection

The SIEM market has several dominant vendors based on worldwide sales, specifically IBM, Splunk and HPE. There are at least several more major players, namely Alert Logic, Intel, LogRhythm, ManageEngine, Micro Focus, Solar Winds, and Trustwave.

Musich says companies need to evaluate products based on their own objectives to determine which would best meet their needs. Organizations that want this technology primarily for compliance will value certain capabilities, such as reporting, more highly than organizations that want to leverage SIEM to set up a security operations center.

Meanwhile, she says, organizations that have petabytes of data will find some vendors better able to meet their needs, while those who have less data might opt for other options. Similarly, companies that want outstanding threat hunting will likely look for top data visualization tools and search capabilities that others may not need to have.

Security leaders need to take into account numerous other factors – such as whether they can support a particular tool, how much data they’ll have within the system, and how much they want to spend – when evaluating SIEM vendors, Musich says. For example, HPE’s ArcSight ESM is a mature tool that has a lot of functionality but requires a significant amount of expertise and is more expensive than other options.

“There’s always going to be a range of capabilities,” Musich adds. “And the more sophisticated the security is in the operations, the better use they’re going to make of the tools they have.”

Given the varying capability requirements depending on the two main drivers behind SIEM selection, Hubbard says he sees many organizations opt for two different systems, with one focused on compliance and the other focused on threat detection.

“You might collect a lot for compliance, but that can slow it down for threat detection uses. So you have a tactical SIEM for threat detections,” he says.

Maximizing SIEM’s value

Still, most companies continue to use SIEM software primarily for tracking and investigating what’s happened, says Eric Ogren, senior analyst with the information security team at 451 Research. Ogren says this use case is driven by the escalating threat of breaches and the increasingly severe fallout that leaders and organizations will face in such events.

As Ogren says: “If a company gets hacked, no CIO wants to have the board ask what happened and say, ‘Damn if I know.’ They want to say, ‘We’re going through log data to find out what happened.’”

At the same time, though, many companies now are moving beyond that and are increasingly using the technology for detection and near real-time response, Ogren says.

“The game now is: How fast can you detect?” he says, adding that the evolving machine learning capabilities are helping SIEM systems to more accurately identify unusual and potentially malicious activity.

Despite such advances, organizations continue to be challenged in their abilities to maximize the benefits and, thus, the value they get even out of existing systems, experts say.

There are various reasons for that.

First, SIEM technologies are resource intensive and require experienced staff to implement, maintain and fine-tune them – staff that not all organizations have fully invested in yet.

“A lot of organizations bring in the technology because they know it’s something they want but they don’t have the staff or they don’t get the staff the training they need to use it,” Stroud says.

SIEM software also requires quality data for maximum yield – “The bigger data source you give it, they better it gets and the better it can see outliers,” Stroud explains. Yet organizations continue to struggle with defining and providing the right data.

And even with strong data and a sophisticated team running the SIEM technology, the software itself has limits, analysts say. They point out that it is not completely accurate in detecting what’s acceptable activity and what’s a legitimate potential threat – a discrepancy that leads to high numbers of false alerts in many deployments.

That scenario necessitates strong governance and effective procedures within the enterprise so that the security teams don’t succumb to alert overload.

Stroud says security professionals often start by chasing down a staggering amount of false alerts. Sophisticated organizations will learn to tune the tooling overtime so that the software understands what are usual events and thereby lower the number of false alerts.

On the other side, however, he says some security teams will skimp on that step and instead tune out more of the false alerts out of habit – a practice that risks missing real threats.

Musich says the more sophisticated organizations also write scripts to automate more of the mundane functions, such as pulling contextual data from different sources to put a more complete picture around alerts to speed investigations and identification of real threats.

“It takes good processes as well as a maturity in the security operations,” she adds. “That means having it not just be a tool unto itself but having it integrated with other technologies and having an overall process to guide the activities.”

It’s moves like that, she says, that can reduce the time staff spends on lower-level activities and instead allow them to redirect their energies to the high-value tasks that elevate the company’s entire security posture.

Show Comments