What Is SIEM: Understanding SIEM Tools

Technology companies love abbreviations and acronyms.

Starting with what’s probably the original tech company, International Business Machines (better known as IBM), initials, abbreviations and acronyms continue to dominate the personal computer (PC), telecommunications (telco), security operations (SecOps), and many other tech industries.

Speaking of security, one acronym that is increasingly important to SOC (that’s security operations center) teams is SIEM, formally known as security information and event management.

This post will answer several SIEM-related questions, including:

• What Is SIEM?
• How Does SIEM Work?
• What Are SIEM Tools?
• What Is Next-Gen SIEM?

What is SIEM?

SOCs began using SIEMs about 15 years ago. When it comes to defining SIEM, let’s start with the perspective of the leading research and advisory company.

According to Gartner, security information and event management (SIEM) technology is used for threat detection, investigation, compliance and security incident management by collecting and analyzing (both near-real-time and historical) security events, along with many other event and contextual data sources.

“The underlying principles of every SIEM system,” according to SearchSecurity, “is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. For example, when a potential issue is detected, a SIEM system might log additional information, generate an alert and instruct other security controls to stop an activity’s progress.”

A key component of SIEM is log management. That’s one of the core capabilities of the Devo Platform on which our Security Operations application operates.

How does SIEM Work?

SIEM solutions ingest data and events from security sources and bubble up critical events that require action. But times — and security technologies — have changed, and the demands placed on SIEMs have changed as well. The perimeter, where most security data once originated, has disappeared as services and infrastructure have moved to hybrid cloud and multicloud environments, and users have moved to mobile devices and work-from-home scenarios.

SIEM software collects log and event data generated by applications, devices, infrastructure, networks, and systems to analyze and provide complete visibility into view of an organization’s data. SIEMs analyze data in real time using rules and statistical correlations to give SOC analysts actionable insights they can use in investigations. SIEM solutions sort threat activity by risk level so SOC teams can identify threats and quickly take decisive action.

What Are SIEM Tools?

The first SIEM tools were on-premises software deployed in dedicated servers on the customer’s premises. These either required a team of people on site to manage and update the tools or companies could pay the vendor to handle those tasks for them. This option typically drove up the cost of operating a SIEM to often unacceptably high levels, especially as organizations grew and generated more data that needed to be logged and stored.

There are many SIEM tools on the market for organizations to consider. Some are best suited for very large organizations while others specialize in the needs of small and medium-sized businesses. The biggest differences in SIEM tools for SOCs come in the areas of licensing costs, deployment types, and the amount of ongoing service they require from the vendor. Read more about SIEM tools in our blog post Which Vendors Should Be on Your SIEM Tools List?

As the amount of data has grown exponentially, the original concept of an on-premises, hardware-centric SIEM has increasingly fallen out of favor. Fortunately, there is an excellent alternative available for today’s increasingly cloud-centric organizations.

What Is Next-Gen SIEM?

Organizations of all types and sizes need to protect more attack surfaces than ever before, in a more connected world, with more data being generated than at any time in history. And the stakes have never been higher. The spoils for attackers have increased dramatically, leading to an exponential increase in the number and sophistication of adversaries. For these reasons, in the last few years, a new type of SIEM has emerged: the next-gen SIEM.

So, what exactly is a next-gen SIEM? Many vendors, including legacy SIEM providers, lay claim to the “next-gen” label. How can you tell the difference between a legacy SIEM and a true next-gen SIEM? And what criteria should you use to evaluate vendors? 

Here are some core criteria that distinguish legacy and next-gen SIEM vendors:

• Legacy SIEMs are on-premises and if vendors claim they are now “in the cloud,” that generally means the same legacy technology was simply “lifted and shifted” into the cloud. Running an on-prem version of a SIEM solution in the cloud but managing it yourself is not the same as software as a service (SaaS). In other words, it’s not a next-gen SIEM.
• Does it offer easy integrations? For a next-gen SIEM to deliver full value to your organization, it must integrate seamlessly with all of the data sources, threat intelligence tools, and other technologies in a SOC that enable analysts to stay on top of the threat landscape.
• Does it provide the context SOC analysts need? Fast, accurate threat hunting, investigation and response are possible only when analysts have full context about the alerts crossing their screens. Devo enables analysts to focus on the threats that matter most by enriching data with known threat activity, prior investigation history, and third-party intelligence feeds.
• Does it make analysts more effective? A true next-gen SIEM empowers analysts to use their expertise to stop cyberthreats, instead of spending their time maintaining the solution. It also makes collaboration among team members seamless.

Want to learn more about SIEM solutions, how they work, and what a true-next-gen SIEM delivers? Check out The Buyer’s Guide to Next-Gen SIEM.