To start, SIEM stands for Security Information and Event Management.
So, what does a SIEM do exactly?
SIEMs are typically used in larger enterprises to collect enormous amounts of logs and telemetry from workstations, servers, firewalls, vulnerability scanners, etc.… You get the point. Cyber security analysts build alerting rules on top of those logs and telemetry to notify of malicious or suspicious activity.
This can be incredibly challenging, considering the sheer threshold of data moving in and out of your company and the number of tools used to address specific problems.
Quick answer: How Many Tools do SOCs Have?
A 2017 study surveying professionals found that most respondents run over 25 cybersecurity tools.
Think about it, say you have 500 employees, each with their laptops. Each of those laptops likely has an endpoint detection and response (EDR) agent installed and some old-school anti-virus agent.
You’ll likely have multiple firewalls logging all network communication. All those servers within each segmented network must forward their logs for monitoring.
Then, there are your load balancers on the perimeter and some web application firewalls (WAF). Don’t forget those VPN gateways to let those outside connect to your network.
Man, this is tiring. We could go on for hours, but we’ll stop there.
Since these systems can be vulnerable to attacks and exploitation, SIEMs must correlate their logs against certain conditions or threat intelligence to create alerts that analysts can respond to and investigate for suspicious or malicious activity.
SIEMs work excellently for this!
What are the Best SIEM Tools?
There are dozens of SIEMs out there. But only a few stand out from what we’ve seen in the field.
Without a doubt, Splunk is the most popular and versatile SIEM. We wrote an in-depth guide covering Splunk here.
With a large active community, Splunk has extensive documentation, support, and shared knowledge bases.
Splunk’s data models, used to create detection rules and searches compatible with dozens of unique log sources, make your life as an engineer tuning and configuring the platform incredibly modern and seamless.
QRadar is one of the oldest SIEMs that remains a popular choice for large enterprises. A lot of deployment time is needed to onboard QRadar, but once it’s complete, the tool shines.
Instead of data models, QRadar has a DSM editor to parse log sources into reusable properties that detection rules can alert on.
We’ve also written a light guide on QRadar, which explains many of the fundamentals you can use to determine if it’s the right fit for your security team.
Last but not least is Microsoft Sentinel. This tool shines not only as an SIEM but also as a SOAR and a TIP. The SOAR capability is unlocked via Microsoft Sentinel’s Logic Apps, and its TIP is opened via the Threat Intelligence page.
Considering the likelihood you possess other Microsoft tools, such as O365 or Windows Defender, Microsoft probably asked you for a Sentinel demo.
Kusco Query Language is how you’ll interact with your logs. It’s similar to SPL (Splunk’s query language).
Next-Gen SIEM or UEBA?
Although a relatively traditional cyber security tool, SIEMs have recently adopted the new ‘Nextgen-SIEMs.’ The main improvements prompting this update are mainly driven by the progress and ability to:
- Capture, store, analyze, search, and deal with extensive complex data sets that traditional SIEMs couldn’t.
- Added machine learning to process and learn from data.
- Utilize UBA: User Behavior Analytics to detect abnormal patterns in user activity.
Now I know what you’re thinking. You’re probably asking yourself, “Isn’t this just a UBA tool? And truthfully, yeah, it seems that way.
The limiting factor is that SIEMs can capture and store the large, new, complex datasets that machine learning requires to be helpful.
Plain UEBA tools typically require SIEMs to forward logs to them for processing and to learn from, but not for archiving purposes.
It can take many months for a UEBA tool to process enough logs to catch up to real-time. There are no immediate results when tuning UEBA rules.
UEBA and traditional SIEMs complement one another. Next-gen SIEMs have UEBA built into them.
Why are SIEM’s Useful?
You’re probably used to jumping between multiple tools. Or you have heard that SIEMs are replaceable with other security tools. We know what you’re feeling and thinking. We’ve been there.
Your thoughts are somewhere along the lines of:
“These modern tools do the correlation for you.”
“We can respond to alerts in their native platforms”
“I don’t mind jumping between tools”
But the truth is that SIEMs take a little more time and effort to set up and run. They aren’t a tool you can turn on overnight and notice results, but once you have a good amount of log sources feeding it and some correlation rules built out, you’re on your way to running a lean SIEM.
It should collect, aggregate, and correlate logs. Still, it’s standard industry practice to forward existing alerts from other tools like your EDR to allow your analysts to work out of a single pane of glass.
They don’t want to jump between several security tools to investigate a single incident. With every log and alert from your other devices flowing into your central system, your analysts can, for the most part, perform threat hunting in one portal. Depending on the type of SIEM and its querying language, the analysts can sift through all their logs within one system.