Prior to 2005, there used to be quite a debate over Security Information Management (SIM) and Security Event Management (SEM). This debate was ended for once and all by Amrit Williams and Mark Nicollet of Gartner when they defined SIEM – Security Information Event Management in 2005_._ As defined by Williams and Nicollet, an SIEM solution shall –
Breaking down the above-given definition between SIM and SEM, SIM specifically deals with the storage, analysis, and reporting of log data. It collects data from various security devices and the network. On the other hand, SEM processes data in real-time to monitor, correlate, and notify security events that are generated on a regular basis.
SIEM solutions were introduced somewhere around 2000 in the form of either an SIM solution or an SEM solution. The systems during this initial phase from 2000 to 2005 provided basic log aggregation across different system types along with basic event correlation techniques. These systems relied only on known threat attacks to detect an attack. Hence, they were completely unable to deal with zero-day attacks on an organization’s systems. Other limitations of systems during this period included –
In addition, other factors that played a pertinent role in the inefficiency of these systems included underestimation of costs, non-familiarization with infrastructure requirements, and limitations of relational databases.
SIEMs were initially developed because of the inability of the IT department of an organization to deal with a large number of alerts generated by IDS and IPS. As we saw in the last section, it went on to include log management capabilities by aggregating information from firewalls and other devices along with assuming the role of an information platform over the course of next ten years. Along with the addition of traditional information security techniques, SIEMs have gone onto including advanced techniques such as User Behaviour Analytics and Deep Packet Inspection. User Behaviour Analytics, or UBA, focusses on analysing user-oriented user data and user credentials. The algorithms used in UBA are based on machine learning and hence work on the predictive model. Machine learning algorithms have increased the efficiency of SIEMs by replacing rule-based algorithms. Many vendors have developed UBA tools to complement traditional SIEM systems while vendors developing new SIEM tools are including SIEM as an inbuilt tool. Deep Packet Inspection is an application of UBA by analysing data at packet-level for the articulation of user behaviour. This articulation is not only limited to a single computer but includes mobile phones and tablets as well.
Clearly, SIEM solutions have moved on from using rule-based approach and are now using artificial intelligence to reach the highest level of security. As a business owner or someone looking after an organization’s security, you must take a note that an SIEM system is as good as people managing it. Even though present-day SIEMs are AI-based, they still need human interaction for implementation, monitoring and taking proper action against the generated alerts. In addition, feel free to request a demo of LogSign to see how a present-day SIEM tool works.
With the ever-evolving threat landscape, security of endpoint devices is something that can neither be taken lightly nor ignored.
A Security Operation Center (SOC) is a well-organized team to detect, prevent, assess, and respond to cyber-threats and incidents and helps...