SIEM: Security Information and Event Management
Security Information and Event Management (SIEM) systems collect, normalize, and correlate security logs from across your infrastructure to detect threats in near real time and to give analysts a single place to investigate them.
How SIEM Works
SIEM aggregates logs from multiple sources: servers, network devices, firewalls, endpoints, cloud services, and applications. Normalization converts logs into a common format. Correlation rules identify patterns that indicate security incidents.
A single failed login is normal. A hundred failed logins against one account within five minutes is a brute force attack; one failed login against each of a hundred accounts from the same IP is a password spray. SIEM correlation rules detect these patterns across millions of log events. Alerting notifies the security team of suspected incidents; triage then confirms or dismisses them.
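The normalization step is the part that is easy to underestimate, so here is an added example (not code from the original page) that parses three constructed records, a Linux sshd syslog line, a Windows Security event 4625 exported as JSON, and an AWS CloudTrail ConsoleLogin record, into one common schema. The field names (event_type, outcome, user, src_ip, ts, source) are an assumption chosen for the example; real SIEMs use schemas such as Elastic ECS. The sample records are constructed and not real logs.

```python
"""Normalize heterogeneous security logs into one common event schema."""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample inputs (not real logs); all three describe the same source IP.
SSHD_LINE = ("Mar  4 10:15:02 web01 sshd[2211]: Failed password for invalid user admin "
             "from 203.0.113.7 port 51022 ssh2")
WINDOWS_JSON = json.dumps({
    "EventID": 4625,                      # 4625 = failed logon, 4624 = successful logon
    "TimeCreated": "2024-03-04T10:15:10Z",
    "TargetUserName": "jsmith",
    "IpAddress": "203.0.113.7",
})
CLOUDTRAIL_JSON = json.dumps({
    "eventTime": "2024-03-04T10:15:30Z",
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.7",
    "userIdentity": {"userName": "alice"},
    "responseElements": {"ConsoleLogin": "Failure"},
})

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def _iso_utc(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize_sshd(line, year=2024):
    """Syslog lines carry neither year nor zone; assume the given year and UTC."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"event_type": "authentication",
            "outcome": "failure" if m["outcome"] == "Failed" else "success",
            "user": m["user"], "src_ip": m["ip"],
            "ts": ts.replace(tzinfo=timezone.utc), "source": "sshd"}


def normalize_windows(raw):
    """Only logon events are mapped; every other Event ID is dropped here."""
    ev = json.loads(raw)
    if ev.get("EventID") not in (4624, 4625):
        return None
    return {"event_type": "authentication",
            "outcome": "failure" if ev["EventID"] == 4625 else "success",
            "user": ev.get("TargetUserName"), "src_ip": ev.get("IpAddress"),
            "ts": _iso_utc(ev["TimeCreated"]), "source": "windows"}


def normalize_cloudtrail(raw):
    """Console logins only; the outcome lives in responseElements, not in a status code."""
    ev = json.loads(raw)
    if ev.get("eventName") != "ConsoleLogin":
        return None
    result = ev.get("responseElements", {}).get("ConsoleLogin")
    return {"event_type": "authentication",
            "outcome": "success" if result == "Success" else "failure",
            "user": ev.get("userIdentity", {}).get("userName"),
            "src_ip": ev.get("sourceIPAddress"),
            "ts": _iso_utc(ev["eventTime"]), "source": "cloudtrail"}


PARSERS = {"sshd": normalize_sshd, "windows": normalize_windows, "cloudtrail": normalize_cloudtrail}


def normalize_all(records):
    """records: list of (source_name, raw_text). Unparseable records are dropped."""
    events = []
    for source, raw in records:
        ev = PARSERS[source](raw)
        if ev:
            events.append(ev)
    return events


def failures_by_source_ip(events):
    """A cross-source question that is only answerable once the fields share one name."""
    return Counter(e["src_ip"] for e in events
                   if e["event_type"] == "authentication" and e["outcome"] == "failure")


if __name__ == "__main__":
    evs = normalize_all([("sshd", SSHD_LINE), ("windows", WINDOWS_JSON),
                         ("cloudtrail", CLOUDTRAIL_JSON)])
    for e in evs:
        print(e["ts"].isoformat(), e["source"], e["outcome"], e["user"], e["src_ip"])
    print(failures_by_source_ip(evs))
```

Note the timestamp handling: the syslog line has no year and no zone, the Windows and CloudTrail records are already UTC. Getting every source onto aware UTC timestamps is a prerequisite for any time-window correlation rule; skewed or naive timestamps are a common reason a rule silently never fires.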
Key Features
Log collection and aggregation from any data source. Real-time correlation with customizable rules. User and entity behavior analytics (UEBA) establish baselines and detect anomalies. Compliance reporting for PCI-DSS, HIPAA, SOC 2, and GDPR requirements.
Threat intelligence feeds enrich logs with known malicious indicators. Incident response automation (SOAR) triggers playbooks for common incidents. Case management tracks investigations from detection to resolution. Dashboards visualize security posture.
Deployment
On-premises SIEM (Splunk Enterprise, Elastic Security) gives full control over data. Data never leaves your network. Requires significant infrastructure and administration. Best for organizations with strict data residency requirements or existing Elastic/Splunk investments.
Cloud SIEM (Splunk Cloud, Microsoft Sentinel, Sumo Logic) reduces operational overhead. Scale on demand with pay-as-you-go pricing. Microsoft Sentinel integrates deeply with Azure and Microsoft 365. Cloud SIEM simplifies data ingestion but requires trust in the provider's data handling.
Open source SIEM (Wazuh, Security Onion) provides SIEM capabilities without licensing costs. Wazuh combines log analysis, host-based intrusion detection, and compliance monitoring. Security Onion bundles Elastic Security and Kibana with network security monitoring tools such as Suricata and Zeek.
Log Sources
Critical log sources include: authentication logs (AD, SSO, VPN), firewall logs (allow/deny), web proxy logs (URL filtering), DNS logs (domain queries), cloud audit logs (AWS CloudTrail, Azure Activity Log), database audit logs, and endpoint detection logs.
Prioritize log sources based on risk. Start with perimeter devices and authentication systems, then expand to application and database logs. In cloud environments, account-wide audit logging (an organization-wide CloudTrail trail, for example) can be enabled within minutes, so it is an easy early win.
Correlation Rules
Design correlation rules for specific threat scenarios. Example: "10 failed logins from the same IP in 5 minutes" alerts on brute force. "New admin user created outside business hours" detects unauthorized privilege escalation; evaluate the time in the organization's local zone, not the log's UTC timestamp. "Data export exceeding the user's baseline" identifies data exfiltration; a per-user baseline avoids flagging accounts whose normal volume is simply large.
Tune rules to reduce false positives. Start with broad rules and narrow them based on operational experience, and suppress repeat alerts for an ongoing burst so one attack does not produce thousands of tickets. Document rule logic, known benign triggers, and response procedures. Review and update rules as your infrastructure and threat landscape evolve.
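The three rules above, implemented over already-normalized events, as an added example that is not code from the original page. The event schema (dicts with event_type, outcome, user, src_ip, group and an aware ts), the sample events, and the thresholds are all assumptions constructed for this example and are the knobs you would tune in practice. It also shows two tuning points from the text: the brute force rule clears its window after alerting so a sustained attack yields one alert per burst, and the export rule skips users with too little history rather than alerting on them.

```python
"""Three correlation rules run over normalized security events."""
from collections import defaultdict, deque
from datetime import date, datetime, timedelta, timezone
from statistics import mean, pstdev

BRUTE_FORCE_THRESHOLD = 10                 # failures from one IP ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... within this sliding window
BUSINESS_HOURS = range(9, 18)              # 09:00-17:59 local time
BUSINESS_DAYS = range(0, 5)                # Monday-Friday
ADMIN_GROUPS = {"Domain Admins", "Administrators"}


def rule_brute_force(events):
    """Sliding-window count of failed logins per source IP. events must be sorted by ts."""
    recent = defaultdict(deque)
    alerts = []
    for e in events:
        if e.get("event_type") != "authentication" or e.get("outcome") != "failure":
            continue
        q = recent[e["src_ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > BRUTE_FORCE_WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= BRUTE_FORCE_THRESHOLD:
            alerts.append({"rule": "brute_force", "src_ip": e["src_ip"],
                           "count": len(q), "ts": e["ts"]})
            q.clear()   # one alert per burst, not one per additional failure
    return alerts


def rule_admin_off_hours(events, tz=timezone.utc):
    """Admin-group membership granted outside business hours, evaluated in zone tz."""
    alerts = []
    for e in events:
        if e.get("event_type") != "group_membership_add" or e.get("group") not in ADMIN_GROUPS:
            continue
        local = e["ts"].astimezone(tz)
        if local.weekday() not in BUSINESS_DAYS or local.hour not in BUSINESS_HOURS:
            alerts.append({"rule": "admin_off_hours", "user": e["user"],
                           "group": e["group"], "ts": e["ts"]})
    return alerts


def rule_export_exceeds_baseline(daily_bytes, today, min_history=7, sigmas=3.0):
    """daily_bytes: {user: {date: bytes_out}}. Alert when today's volume exceeds
    mean + sigmas*stddev of the user's prior days, with a floor of 25% above the
    mean so a perfectly flat history does not alert on any increase at all.
    Users with fewer than min_history prior days are skipped, not alerted."""
    alerts = []
    for user, days in daily_bytes.items():
        history = [b for d, b in days.items() if d < today]
        if today not in days or len(history) < min_history:
            continue
        base = mean(history)
        threshold = base + max(sigmas * pstdev(history), 0.25 * base)
        if days[today] > threshold:
            alerts.append({"rule": "export_exceeds_baseline", "user": user,
                           "bytes": days[today], "threshold": round(threshold)})
    return alerts


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


def sample_events():
    """Constructed events: a 12-attempt burst, slow failures that must not alert,
    and two admin-group additions, one of them on a Saturday night."""
    burst = [{"event_type": "authentication", "outcome": "failure", "user": "root",
              "src_ip": "198.51.100.9", "ts": _utc(2024, 3, 4, 10, 0, 0) + timedelta(seconds=20 * i)}
             for i in range(12)]
    slow = [{"event_type": "authentication", "outcome": "failure", "user": "jsmith",
             "src_ip": "203.0.113.7", "ts": _utc(2024, 3, 4, 9, 0, 0) + timedelta(minutes=15 * i)}
            for i in range(6)]
    admin = [
        {"event_type": "group_membership_add", "user": "svc-backup", "group": "Domain Admins",
         "ts": _utc(2024, 3, 9, 2, 13, 0)},    # Saturday 02:13 UTC
        {"event_type": "group_membership_add", "user": "alice", "group": "Domain Admins",
         "ts": _utc(2024, 3, 5, 14, 0, 0)},    # Tuesday 14:00 UTC
    ]
    return sorted(burst + slow + admin, key=lambda e: e["ts"])


def sample_daily_bytes():
    """Constructed per-user daily outbound volume: a week of history plus today (2024-03-04)."""
    d0 = date(2024, 2, 26)
    week = {d0 + timedelta(days=i): 100_000_000 + 5_000_000 * (i % 3) for i in range(7)}
    return {
        "bob": {**week, date(2024, 3, 4): 5_000_000_000},        # about 50x the usual volume
        "alice": {**week, date(2024, 3, 4): 104_000_000},        # within the baseline
        "carol": {date(2024, 3, 3): 100_000_000, date(2024, 3, 4): 9_000_000_000},  # too little history
    }


if __name__ == "__main__":
    for a in (rule_brute_force(sample_events()) + rule_admin_off_hours(sample_events())
              + rule_export_exceeds_baseline(sample_daily_bytes(), date(2024, 3, 4))):
        print(a)
```

Run stand-alone it prints exactly three alerts: one brute force alert for 198.51.100.9 with a count of 10 (the remaining two failures of the burst do not re-alert), one off-hours admin alert for svc-backup, and one export alert for bob. carol's 9 GB day is deliberately not alerted because one day of history is not a baseline; in production that gap is closed by a minimum learning period, not by lowering the threshold.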