Security Information and Event Management

SIEM or Security Information and Event Management has been mentioned a few times in the earlier sections and is gaining tremendous traction in security monitoring as the central intelligence of security operations. The primary benefit of SIEM is the ability to assimilate security and log data from disparate systems, analyze it all, and provide correlated output to security analysts.

Up to this point, disparate systems and their unique monitoring capabilities have been discussed, but each of those is a single-source, incomplete view of the complete flow of traffic as it traverses a network. A firewall, for instance, only inspects what is coming and going at the edge of the network, but has no cognizance of actions taken on a system for traffic permitted by policy. The SIEM solution (provided all logs are forwarded to it) will have a complete view of not only the permitted firewall traffic, if logged, but also what actions were taken on the target system, so a whole picture of a transaction is understood as data is collected at each point along the way.

At the center of SIEM is the correlation engine; this is the distinct component of the solution that ties all seemingly disparate events into an incident using proprietary algorithms and analysis of log data. This, in conjunction with added features such as feeds of known botnet IP addresses, the ability to import vulnerability data, and parsers for log data from several sources, positions the SIEM as the central single-pane view and authority on security events and incidents.
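To make the correlation described above concrete, the following is an added example (not code from the book or from any SIEM product) that joins constructed firewall "allow" records to login events from the target host on the same source and destination within a time window; the key=value log format, field names and thresholds are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in an assumed key=value format (not any vendor's native format).
FIREWALL_LOG = """\
2024-05-01T10:00:03Z action=allow src=203.0.113.5 dst=10.0.0.7 dport=22
2024-05-01T10:00:04Z action=allow src=198.51.100.9 dst=10.0.0.8 dport=443
2024-05-01T10:07:00Z action=deny src=203.0.113.5 dst=10.0.0.9 dport=3389
"""
HOST_LOG = """\
2024-05-01T10:00:09Z host=10.0.0.7 event=ssh_login_failed user=root src=203.0.113.5
2024-05-01T10:00:15Z host=10.0.0.7 event=ssh_login_failed user=admin src=203.0.113.5
2024-05-01T10:00:21Z host=10.0.0.7 event=ssh_login_ok user=svc src=203.0.113.5
2024-05-01T10:01:00Z host=10.0.0.8 event=http_request src=198.51.100.9
"""

def parse(log):
    """Turn each 'timestamp k=v k=v ...' line into a dict with a parsed datetime."""
    events = []
    for line in log.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def correlate(fw_log, host_log, window=timedelta(minutes=5), min_failures=2):
    """Join permitted edge flows to host events on (src, dst) inside a time window and
    raise an incident when repeated login failures are followed by a success."""
    flows = [e for e in parse(fw_log) if e["action"] == "allow"]  # edge view only
    host_events = defaultdict(list)                                # host view, keyed by (src, host)
    for e in parse(host_log):
        host_events[(e["src"], e["host"])].append(e)
    incidents = []
    for flow in flows:
        related = [h for h in host_events[(flow["src"], flow["dst"])]
                   if flow["ts"] <= h["ts"] <= flow["ts"] + window]
        failures = [h for h in related if h["event"] == "ssh_login_failed"]
        success = [h for h in related if h["event"] == "ssh_login_ok"]
        if len(failures) >= min_failures and success:
            incidents.append({"src": flow["src"], "dst": flow["dst"],
                              "failures": len(failures),
                              "compromised_user": success[0]["user"],
                              "first_seen": flow["ts"]})
    return incidents

if __name__ == "__main__":
    for inc in correlate(FIREWALL_LOG, HOST_LOG):
        print(inc)
```

Neither log alone flags the first flow: the firewall correctly permitted it, and the host saw only a short burst of failed logins; the incident appears only when the two views are joined.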

Not all SIEM solutions are created equal; evaluating several solutions against the specific environment in which one will be implemented is a wise approach, as these solutions come at a price. Value must be derived from the solution to warrant the expense. As with all solutions, there must be supporting processes in place for management, day-to-day operations, and remediation of incidents. A joint evaluation by all teams that will use the solution and build the supporting infrastructure is recommended at the beginning of product evaluation. This will also help in the adoption of the new technology and the responsibility required by such an implementation. There can and should be multiple roles configured in the solution to allow teams outside of security to manage their own logs, investigate incidents, and manage reporting.

Because the SIEM will receive data from multiple sources, the security team may manage security incidents, but it will take the collaboration and cooperation of other teams in the enterprise to have a successful and effective implementation. SIEM can be the central logging solution in the enterprise, and most products also provide canned reporting for regulatory compliance and other security standards. The security team can provide the solution as a service and help the other teams with investigations and reporting, fostering the cohesive environment in which a SIEM thrives. It should be noted that the SIEM will only be as good as the data forwarded to it and the people taking action on what it provides in the form of actionable security incidents.

Managing a SIEM can be a significant undertaking for the typical, undersized security team, so a managed solution may also be considered. There are managed security service providers (MSSPs) that offer complete management or co-management of enterprise SIEM solutions. A benefit of this type of implementation is that the heavy lifting is done by the MSSP, and only items that require action are sent via alerting mechanisms to the security staff and others required for remediation. This implementation type should be strongly considered if security operations are not performed well or are not a focus in the organization, and benefit can be realized by focusing the security team on more pressing tasks such as architecture, engineering, and project engagement.

SIEM is a must-have for the ever-evolving and complex nature of security operations. It is fast becoming a difficult task to keep eyes on all the security technology being deployed to thwart the increasing threats to the enterprise. At a minimum, a centralized logging solution must be deployed with the ability to alert security personnel to malicious or anomalous traffic detected by deployed security technologies.
