To start off, SIEM stands for Security Information and Event Management.
So: what does a SIEM do exactly?
SIEM’s are typically used in larger enterprises to collect enormous amounts of logs and telemetry from workstations, servers, firewalls, vulnerability scanners, etc.… You get the point. Cyber security analysts build alerting rules on top of those logs and telemetry to notify on malicious or suspicious activity.
This is be incredibly challenging considering the sheer threshold of data moving in and out of your company and the number of tools used to address specific problems.
Quick answer: How Many Tools do SOCs Have?
A 2017 study surveying professionals found most respondents are running more than 25 cybersecurity tools.
Think about it, say you have 500 employees, each with their own laptops. Each of those laptops likely have an endpoint detection and response (EDR) agent installed and perhaps some old school anti-virus agent.
You’ll likely have multiple firewalls logging all network communication. All those servers within each segmented network must forward their logs for monitoring.
Then there’re your load balancers on the perimeter and some web application firewalls (WAF). Don’t forget about those VPN gateways to let those outside connect to your network.
Man, this is tiring. We could go on for hours, but we’ll stop there.
Since all of these systems can be vulnerable to attacks and exploited, their logs need to be correlated against certain conditions or threat intelligence to create alerts that analysts can respond to and investigate for suspicious or malicious activity.
Turns out, SIEM’s work REALLY well for this!
Next-Gen SIEM or UEBA?
Although being a relatively traditional cyber security tool, SIEMs have been recently taking on the new name of ‘Nextgen-SIEMs’. The main improvements prompting this update are mainly driven by the improvements and ability to:
- Capture, store, analyze, search and deal with large complex data sets that traditional SIEMs couldn’t
- Added machine learning to process and learn from data
- Utilize UBA: User Behavior Analytics to detect abnormal patterns in user activity
Now I know what you’re thinking. You’re probably asking yourself “isn’t this just a UBA tool? And truthfully, yeah it seems that way. The limiting factor is that SIEMs are able to capture and store the large new complex datasets that machine learning requires to be useful. Plain UEBA tools typically require SIEMs to forward logs to them for processing and to learn from but not for archiving purposes. It can take many months for a UEBA tool to process enough logs to catch up to real time as well.
UEBA and traditional SIEMs compliment one another. Next-Gen SIEM’s have UEBA built into them.
Why are SIEM’s Useful?
We know you’re probably used to jumping between multiple tools. Or have heard that SIEMs are replaceable with other tools. We know what you’re feeling and thinking. We’ve been there.
Your thoughts are somewhere along the lines of:
“These modern tools do the correlation for you”
“We can respond to alerts in their native platforms”
“I don’t mind jumping between tools”
But the truth is: SIEM’s just take a little more time and effort to set up and get running. They aren’t a tool you can just turn on overnight and notice results but once you have a good amount of log sources feeding it and some correlation rules built out, you’re on your way to running a lean SIEM.
Not only does should it collect, aggregate, and correlate logs, but it’s common industry practice to forward it already existing alerts from other tools like your EDR to allow your analysts to work out of ‘a single pane of glass’.
They don’t want to be jumping in between several security tools to investigate a single incident. With every log and alert from your other tools flowing into your central system, your analysts can for the most part perform threat hunting in one portal. Depending on the type of SIEM and it’s querying language, the analysts can sift through all their logs within one system.