Security Information and Event Management (SIEM)

What is SIEM?

Security Information and Event Management (SIEM) is a tool that organizations can use to help automate real-time detection and response to potential threats.

How does SIEM work?

SIEM works by gathering logs from multiple sources (i.e. firewalls, switches, servers, endpoints, etc.) into a centralized location. The SIEM ingests the log data and conducts automated analysis, correlation, and reporting. This takes the burden away from System Administrators of having to manually sort through thousands of event log entries on multiple systems.

What are the benefits of using SIEM?

Some key benefits of incorporating a SIEM solution for your organization include:

• 24×7 Threat Detection and Alerting
• Centralized Data Logging and Monitoring
• Compliance
• Data Retention and Storage
• Real-Time Alerting and Incident Response

SIEM Use Cases 

• Company ABC receives an automated alert from their SIEM that a user has logged into their email successfully from another country. After reaching out to the user, the IT team confirms that this was not an approved login. The IT team was quickly able to respond to the incident and remove the threat actor’s access to the compromised email to prevent any further damage.
• Your organization configures the SIEM tool to send automated alerts when a user accesses sensitive employee data stored on a file server. The IT team receives multiple alerts that a user has accessed data on the server that contains other employee’s social security numbers. The IT team was able to respond to the event and remove the user’s access, as well as provide management detail of what information the user was able to view successfully. In addition, this event prompts the IT team to perform a full audit of user access and was able to find that multiple other users had access to the data that they were not supposed to.