Imagine configuring and securing a network blindfolded. Safe to say, that's just shy of a completely impossible task.
But when IT administrators don't have a comprehensive view of the network, they are essentially doing just that. That lack of visibility, or those "dark spots" in the network, can give security threats cover to gain entry and fly under the radar. In short, the old adage, "You can't secure what you can't see," still applies.
Those critical visibility issues are what Security Information and Event Management (SIEM) solutions aim to address. At its core, SIEM is designed to provide a holistic view of an organization's entire IT security environment. Among other things, SIEM offers the ability to aggregate, view, analyze and ultimately take action on data from a plethora of sources, housed in multiple locations, and all from a single pane of glass. That single-pane dashboard then enables IT administrators to analyze patterns of behavior and detect anomalies that, in turn, give organizations the ability to make actionable and well-informed business decisions.
SIEM essentially is the amalgam of two separate products - Security Information Management and Security Event Management - that are combined into a single unified solution. The information management systems, or SIMs, are designed to log data and other security information from a multitude of end user devices, servers and security infrastructure, which are then aggregated in a centralized management console. The security event management portion, or SEM, then leverages event correlation and alerting capabilities to flag any aberrations or suspicious behavior.
What gives SIEM its value, however, is not simply the ability to aggregate and inspect raw data. An enterprise-grade SIEM solution will also contain a wide array of tools for organizations to correlate data, create policies, decipher trends and conduct other kinds of granular analysis based on their own security rules and policies.
Historically, SIEM never achieved the same widespread awareness or popularity as other security technologies. However, the solution has grown significantly in the market, thanks in part to an explosion of high-profile data breaches that have graced headlines, not to mention a wave of Advanced Persistent Threats that leverage intelligence to evade many standard security systems. In addition, a groundswell of compliance regulations, now routinely enforced with stiff fines, loss of privileges and other penalties, is also compelling increased adoption of SIEM solutions.
So with numerous solutions on the market that tout myriad features, what should enterprise organizations look for in a SIEM solution?
The answer is, it depends. Naturally, the specific needs of an enterprise (e.g., size, industry, customer needs, compliance regulations) will determine the kind of features required in a SIEM solution. But there are several key ingredients that almost all organizations will want to consider:
Effective Log Collection:
Logs need to be collected across the entirety of the IT environment (network security appliances, servers, databases, etc.) and correlated in real-time in order to detect zero-day threats and other suspicious behavior. Effective log collection also entails the ability to quickly and easily gain access to historical log data, ideally including the ability to drill down into raw log data.
Effective Event Correlation:
A SIEM solution should allow security administrators to easily and effectively run multiple event correlations simultaneously and transform the results into actionable data and information that can be leveraged for incident response.
Comprehensive Event Forensics and Analytics:
Being able to accurately process and analyze information around a possible or pending threat is crucial to the security of an organization's data. Among other things, a SIEM solution should allow network administrators to peruse data and link events, identify and isolate the root cause of a threat or suspicious activity, and conduct comprehensive forensic analysis to determine what happened before, during or after the incident.
Customizable Reporting Capabilities:
Every organization is different, with vastly different reporting, auditing and compliance needs. Organizations should be able to easily define and tailor SIEM reports at their discretion and to their exact specifications.
The SIEM solution should have the ability to send alerts in real-time about zero-day attacks, traffic spikes, network aberrations and threats for more accurate threat identification and quicker response times.
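To make the log collection and event correlation points above concrete, here is an added example (not taken from any SIEM product) that normalizes two constructed log formats into one schema and applies a single correlation rule: a successful login preceded by repeated failures from the same source IP. The log lines, the key=value VPN format, the threshold and the window are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample logs (not real data); the key=value VPN format is a made-up illustration.
SSHD_LOG = """\
2024-05-01T10:00:01 host1 sshd[411]: Failed password for alice from 203.0.113.7 port 5001 ssh2
2024-05-01T10:00:09 host1 sshd[411]: Failed password for alice from 203.0.113.7 port 5002 ssh2
2024-05-01T10:03:30 host1 sshd[420]: Accepted password for bob from 198.51.100.4 port 6000 ssh2
"""
VPN_LOG = """\
ts=2024-05-01T10:00:20 action=login user=alice src=203.0.113.7 result=failure
ts=2024-05-01T10:00:45 action=login user=alice src=203.0.113.7 result=success
ts=2024-05-01T10:20:00 action=login user=carol src=192.0.2.9 result=failure
"""
SSHD_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def event(ts, source, user, ip, ok):
    """Common schema shared by every log source (the aggregation step)."""
    return {"ts": datetime.fromisoformat(ts), "source": source, "user": user, "src_ip": ip, "ok": ok}

def normalize(sshd_text, vpn_text):
    """Parse both formats into one time-ordered list of common-schema events."""
    events = []
    for line in sshd_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts, verdict, user, ip = m.groups()
            events.append(event(ts, "sshd", user, ip, verdict == "Accepted"))
    for line in vpn_text.splitlines():
        kv = dict(p.split("=", 1) for p in line.split() if "=" in p)
        if kv.get("action") == "login" and {"ts", "user", "src", "result"} <= kv.keys():
            events.append(event(kv["ts"], "vpn", kv["user"], kv["src"], kv["result"] == "success"))
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a success follows >= threshold failures from one IP inside the window."""
    recent = defaultdict(deque)  # src_ip -> failures still inside the sliding window
    alerts = []
    for e in events:
        fails = recent[e["src_ip"]]
        while fails and e["ts"] - fails[0]["ts"] > window:
            fails.popleft()  # expire failures older than the window
        if not e["ok"]:
            fails.append(e)
            continue
        if len(fails) >= threshold:
            sources = sorted({f["source"] for f in fails})
            alerts.append({"src_ip": e["src_ip"], "user": e["user"], "failures": len(fails), "sources": sources})
        fails.clear()  # a success resets the failure streak for this IP
    return alerts
```

In this sample neither source reaches the threshold alone (two sshd failures, one VPN failure); the alert only appears once both feeds are normalized into the same event stream.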