Basics of SIEM
SIEM, or Security Information and Event Management, is a class of system widely used in security monitoring and incident response.
A SIEM integrates with many devices and collects their events and logs into one central store, where they are analysed to detect threats.
Today it is a standard component of a Security Operations Centre (SOC) for security threat monitoring: centralized visibility across all sources enables faster response to threats.
A SIEM pulls logs from devices such as the following:
- Routers
- Switches
- Servers
- Web filters
- Firewalls
- Unified Threat Management (UTM)
- Endpoint security
- Intrusion Prevention System (IPS)
- Intrusion Detection System (IDS)
The capacity of a modern SIEM is sized in EPS (events per second), the rate at which it can ingest and analyse events. As a rule of thumb, 10,000 EPS or more is a sensible minimum for a corporate deployment, but the figure should be derived from the measured peak event rate across all connected sources with headroom for growth, since licensing, storage and retention are usually tied to it. SIEM has become a critical component for organizations ranging from large corporations to small and medium businesses.
A SIEM examines both event data and contextual data (asset, user and vulnerability information) from device logs for analysis and reporting. In a systematic pipeline it normalizes the logs received from each device into a common schema, aggregates them, correlates related events across sources and analyses the result. The SIEM analyst or security analyst can then respond effectively to security incidents based on the correlated output. It also helps in tracking and reporting security compliance efficiently. The primary function of a SIEM is threat detection, investigation and response.
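The pipeline described above, normalize, aggregate, correlate, analyse, plus the EPS sizing metric from the previous paragraph, as an added worked example that is not from the original post or any vendor's product. It parses two constructed log formats (a Linux sshd authentication line and an iptables-style firewall line, both made up for this example), maps them onto one common event schema, aggregates counts per source IP, applies a single correlation rule (five or more authentication failures from one source followed by a success within 60 seconds), and measures the peak EPS of the sample. The regexes, field names, thresholds and sample addresses are all assumptions for illustration:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real traffic): sshd lines from two hosts and one firewall DROP.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z host1 sshd[201]: Failed password for root from 203.0.113.5 port 51001 ssh2",
    "2024-03-01T10:00:02Z host1 sshd[201]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "2024-03-01T10:00:03Z host1 sshd[201]: Failed password for admin from 203.0.113.5 port 51003 ssh2",
    "2024-03-01T10:00:04Z host1 sshd[201]: Failed password for root from 203.0.113.5 port 51004 ssh2",
    "2024-03-01T10:00:05Z host1 sshd[201]: Failed password for root from 203.0.113.5 port 51005 ssh2",
    "2024-03-01T10:00:06Z host1 sshd[201]: Accepted password for root from 203.0.113.5 port 51006 ssh2",
    "2024-03-01T10:00:07Z fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.4 PROTO=TCP DPT=445",
    "2024-03-01T10:00:07Z host2 sshd[77]: Failed password for bob from 198.51.100.9 port 40001 ssh2",
    "2024-03-01T10:00:09Z host2 sshd[77]: Accepted password for bob from 198.51.100.9 port 40002 ssh2",
]

# Assumed parsers for the two native formats; a real SIEM ships hundreds of these.
SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+) port \d+")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<action>DROP|ACCEPT) .*SRC=(?P<src>\S+) "
                   r"DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+)")


def normalize(line):
    """Normalization: map a raw line onto one common schema, or None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), "host": m["host"],
                "source": "sshd", "category": "auth",
                "outcome": "failure" if m["result"] == "Failed" else "success",
                "user": m["user"], "src_ip": m["src"]}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), "host": m["host"],
                "source": "firewall", "category": "network",
                "outcome": "blocked" if m["action"] == "DROP" else "allowed",
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dpt"])}
    return None


def aggregate(events):
    """Aggregation: count events per (source IP, category, outcome)."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["src_ip"], e["category"], e["outcome"])] += 1
    return dict(counts)


def correlate(events, threshold=5, window_s=60):
    """Correlation: >= threshold auth failures from one source, then a success inside the window."""
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["category"] != "auth":
            continue
        if e["outcome"] == "failure":
            failures[e["src_ip"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["src_ip"]] if (e["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src_ip": e["src_ip"],
                           "user": e["user"], "host": e["host"], "failures": len(recent), "ts": e["ts"]})
            failures[e["src_ip"]].clear()  # do not re-alert on the same burst
    return alerts


def peak_eps(events):
    """Sizing metric: the busiest one-second bucket in the sample."""
    buckets = defaultdict(int)
    for e in events:
        buckets[e["ts"].replace(microsecond=0)] += 1
    return max(buckets.values()) if buckets else 0


def run(lines):
    """Analysis stage: run the whole pipeline and return its products."""
    events = [ev for ev in (normalize(l) for l in lines) if ev is not None]
    return {"events": events, "aggregates": aggregate(events),
            "alerts": correlate(events), "peak_eps": peak_eps(events)}


if __name__ == "__main__":
    result = run(SAMPLE_LOGS)
    for alert in result["alerts"]:
        print(alert)
    print("peak EPS:", result["peak_eps"])
```

The rule fires once, for 203.0.113.5 against host1 (five failures then a success), and not for 198.51.100.9, which only failed once before succeeding; the firewall DROP from the same address is kept in the aggregates so an analyst can see it alongside the login, which is the point of pulling firewall and server logs into one store. The peak EPS of the sample is 2, at 10:00:07 where the firewall and sshd events coincide; measuring this across real sources over a busy day is how an EPS requirement should be derived.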
Other features and functionality include:
- Advanced analytics
- Automation
- Policy management
- Threat management
- Incident prioritization and management
- Normalization
- Basic security monitoring
- Advanced threat detection
- Forensics & incident response
- Threat response workflow
- Log collection
- Notifications and alerts
- Security incident detection
- Real time threat detection
- Scalable and centralized solution
SIEM vendors in the market include Splunk, IBM QRadar, LogRhythm and ArcSight (formerly HP ArcSight), among others.