Definition: What is a SIEM?
SIEM stands for Security Information and Event Management System.
Before we look at the additional benefits of an SIEM, we should clarify what its core benefits are. Wikipedia defines it as follows:
A SIEM combines the two concepts of Security Information Management (SIM) and Security Event Management (SEM) for real-time analysis of security alerts from the sources of applications and network components. A SIEM thus serves the computer security of an organization.
The term SIEM, coined in 2005 by Mark Nicolett and Amrit Williams from Gartner, encompasses
- the ability of products to collect, analyze and present data from network and security components
- the handling of security vulnerabilities
- Log files of operating systems, databases and applications
- Dealing with external threats
- Real-time alerts
A SIEM therefore helps with the monitoring of security-relevant components and with the assessment and processing of security incidents. A SIEM tailored to the customer fulfills these two objectives and thus represents the central system for security monitoring.
When designing, planning and implementing a SIEM, there are a number of challenges that need to be overcome, which generate unexpected findings and a kind of "collateral benefit". The following paragraphs show the challenges that need to be overcome when setting up a SIEM and a SOC and the additional benefits this brings.
The challenges
Adapting the SIEM to the company
The SIEM must be adapted to the company and aligned with the rest of the enterprise architecture; e.g. a connection to the CMDB (Configuration Management Database) or integration into the often already existing service management tool. A CMDB is a database that regulates the access and management of all IT resources.
If the IT and its support processes are not yet sufficiently mature, the customization process takes place both at the SIEM and at the client's systems. In this case, the processes that do not yet exist or are not suitable for security management must be created or adapted on the client's side.
Numerous parameters and databases are required to integrate and adapt the SIEM into the company:
- CMDB (Configuration Management Database)
- Employee lists
- Network plans
- Classification of systems and employees in terms of their criticality for business success.
Gaps in this documentation prevent quick decisions; the design of the SIEM is made more difficult and the project is delayed because information from these sources has to be incorporated into the configuration of the SIEM.
Outsourcing
Due to the great complexity of a SIEM project, many companies decide to outsource the set-up or have already worked with several external partners. If this is the case, now is the time to clearly regulate the collaboration. For the client's outsourcing partner, setting up the SIEM is usually not a core task and has to be carried out in addition to day-to-day business. As a result, further delays and additional work may occur during the collaboration. All organizational units - internal and external - have their own interfaces, and more interfaces lead to frictional losses in the project and thus to increased coordination effort.
SIEM and the processes in the SOC
Processes are central to a SOC, especially in the Incident Response Center. Well-established interfaces that are as lean as possible help to process and resolve security problems quickly and effectively. The necessary processes need to be checked by the customer and, if necessary, newly created and adapted to the needs of the SOC. The same applies to other support processes such as incident management, problem management, change management, service desk and others. When closing process gaps, responsibilities, competencies and accountabilities must be clarified.
The implementation of the SIEM and its peripheral systems can reveal deficiencies in documented and established processes. Firewall openings are a practical example. Despite opening, connections are occasionally not established because the necessary network route has not been configured. In this case, it is recognized that the process for opening firewall ports must be supplemented by checking or creating network routes.
SIEM complexity
Findings and benefits
In addition to the core benefits of a SIEM and/or a SOC , the following organizational improvements are achieved as part of the project work, which help to raise the company's maturity to a higher level:
- Missing or incomplete documentation is compiled or supplemented. This applies in particular to the CMDB, network plans and process documentation.
- SOC processes - not just their documentation - are created.
- Responsibilities of internal teams and outsourcing partners are clearly defined.
- Processes for the further development of the SIEM are integrated into the architecture processes. This ensures that adjustments to the IT are taken into account in the SIEM and that new or migrated IT systems deliver their log data to the SIEM.
- The Active Directory is expanded to include security classifications for employees and technical assets.
- Missing rules or incomplete policies are detected. In the run-up to SIEM/SOC projects, customers receive forms that are used to configure the SIEM platform and define the SOC processes. Typical examples include questions such as:
- Are file uploads allowed via the web gateway?
- What is the maximum size of email attachments?
- Which user groups are allowed to use Internet services: all user IDs or are admin IDs blocked? In these cases, the missing specifications can be developed in parallel to the SIEM project, for example by creating or supplementing policies.
Conclusion
A SIEM is therefore more than just a security event management system. The SIM (Security Information Management) part is very important and cannot simply be replaced by an EDR or NDR.
Setting up a SIEM increases cyber security in the company. However, the insights that can be gained in passing and without any special effort are often overlooked. As we have shown, it is worth using these findings to improve the organization and the cyber security maturity of the company.
