A comprehensive guide to SIEM products
Expert Karen Scarfone examines security information and event management systems and explains why SIEM systems and SIEM products are crucial for enterprise security.
Security information and event management systems provide centralized logging capabilities for enterprises, and security pros use SIEM products to analyze and report on the log entries the SIEM receives. Some SIEM systems, which can be either products or services, can also be configured to stop certain attacks, generally by triggering the reconfiguration of other enterprise security controls rather than by blocking traffic themselves.
Traditionally, most organizations that have deployed SIEM systems have used them either for security compliance efforts or for incident response, detection and handling. But, increasingly, organizations are using SIEMs for both purposes. This increases the SIEM technology's potential value to the organization, but, unfortunately, it tends to complicate configuration and management.
Many of the SIEM products and managed SIEM services available today meet the needs of a wide variety of organizations. Taking every characteristic of every one of them into account is not feasible, so this article focuses on the features of the most widely used SIEM products and systems.
The architecture of SIEM products and services
SIEM systems are available for several architectures, including software installed on an on-premises server, on-premises hardware appliance, on-premises virtual appliance or public cloud-based service.
Each of these SIEM architectures has its own advantages and disadvantages, and no architecture is generally superior to the others.
Another important aspect of SIEM architecture is how it transfers log data from each log source. There are two basic approaches: agent-based and agentless. Agent-based means a software agent is installed on each host that generates logs, and this agent is responsible for extracting, processing and transmitting the data to the SIEM server.
Agentless means the log data transfer happens without an agent; the log-generating host may directly transmit its logs to the SIEM, or there could be an intermediate logging server involved, such as a syslog server. With agentless transfer, the transport matters: plain syslog over UDP can silently drop messages and provides no authentication or confidentiality, so forwarding over TLS, or an agent that buffers and retries, is preferable where the logs feed incident detection. Most SIEM products offer both agent-based and agentless log transfers to accommodate the widest possible range of log sources.
Using extensive research into the SIEM market, TechTarget editors focused on the vendors that lead in market share, plus those that offer traditional and advanced functionality. Our research included data from TechTarget surveys, as well as reports from other respected research firms, including Gartner.
Typical environments suitable for SIEM systems
Early SIEM services and products had a reputation for being intended for large organizations with advanced security capabilities. The main motivation behind these deployments was to duplicate network security logs in a centralized location so security administrators and analysts could view all the logs in a single console, as well as to correlate events across log sources in support of incident detection and real-time response efforts.
Since that time, SIEM systems have evolved to become a core security component for nearly every organization. As the number of sources of security log entries has grown, so has the need to view, analyze and report on the security events covered by those log entries from a single console.
Even small and medium-sized organizations typically need a SIEM tool for compliance purposes -- to automatically generate reports that provide evidence of the organization's adherence to various compliance requirements.
The costs of adopting, deploying and managing SIEM systems
SIEM implementation costs vary widely depending on two main factors: the robustness of the SIEM's capabilities and the selected deployment architecture.
In terms of robustness, some SIEMs offer a light solution that provides basic log management and reporting capabilities without the advanced analysis techniques and other features that other SIEMs support. These light options are considerably less expensive to acquire.
The deployment architecture also has obvious cost implications for SIEM adoption. Most SIEMs require the purchase of hardware or software, while usage fees determine the costs of cloud-based SIEM services.
In addition to acquiring a SIEM product, organizations may have other upfront costs. For example, SIEM systems increasingly support the use of threat intelligence feeds, which contain up-to-date information on threat indicators organizations observe around the world. Threat intelligence feeds can significantly improve the accuracy of a SIEM's incident detection capabilities, but using such a feed generally necessitates paying a substantial subscription fee.
SIEM implementation and deployment costs are generally similar to other major security tool deployments, with one notable exception: integration. A SIEM service is of no value unless it can readily receive and parse log data from a wide variety of security log sources. Enabling this can necessitate extensive SIEM customization or development of custom code to translate a source's log data into a format that the SIEM can understand and process.
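The integration work described above, and the agentless syslog transfer described in the architecture section, both come down to parsing each source's native format into one schema the SIEM can correlate on. The following is an added example written for this article, not code from any SIEM vendor: it normalizes three constructed log formats (RFC 5424 syslog carrying sshd messages, a JSON line from a hypothetical web portal, and a key=value line from a hypothetical firewall) into a common event record with a UTC timestamp, and it keeps a list of lines it could not parse so that ingestion gaps are visible rather than silent. The field names in the JSON and key=value lines, and the mapping of `deny`/`allow` onto the shared outcome vocabulary, are assumptions for the example.

```python
"""Normalize heterogeneous log lines into one event schema (added example, not vendor code)."""
import json
import re
from datetime import datetime, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$"
)
# OpenSSH authentication messages: "Failed password for bob from 203.0.113.7 port 4242 ssh2"
SSHD_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)
# key=value pairs, with optional double-quoted values
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def to_utc(ts):
    """Parse an ISO 8601 timestamp and return it as an aware UTC datetime."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"          # older Pythons' fromisoformat() rejects a trailing Z
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: sources without a zone log in UTC
    return dt.astimezone(timezone.utc)


def event(ts, host, source, action, outcome, user=None, src_ip=None, raw=""):
    """Build the shared event record every parser emits."""
    return {"ts": to_utc(ts).isoformat(), "host": host, "source": source, "action": action,
            "outcome": outcome, "user": user, "src_ip": src_ip, "raw": raw}


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    s = SSHD_RE.search(m.group("msg"))
    if m.group("app") == "sshd" and s:
        outcome = "success" if s.group("outcome") == "Accepted" else "failure"
        return event(m.group("ts"), m.group("host"), "sshd", "login", outcome,
                     user=s.group("user"), src_ip=s.group("ip"), raw=line)
    # Any other syslog message is kept as a generic event so nothing is dropped on the floor
    return event(m.group("ts"), m.group("host"), m.group("app"), "message", "unknown", raw=line)


def parse_json(line):
    """Assumed portal schema: time, host, app, event, user, client_ip, result."""
    try:
        d = json.loads(line)
        return event(d["time"], d["host"], d.get("app", "app"), d["event"], d["result"],
                     user=d.get("user"), src_ip=d.get("client_ip"), raw=line)
    except (json.JSONDecodeError, KeyError, TypeError):
        return None


def parse_kv(line):
    """Assumed firewall schema: ts, host, action (allow/deny), src, dst, dport."""
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if not {"ts", "host", "action"} <= kv.keys():
        return None
    outcome = {"deny": "failure", "allow": "success"}.get(kv["action"], "unknown")
    return event(kv["ts"], kv["host"], kv.get("app", "firewall"), "connection", outcome,
                 user=kv.get("user"), src_ip=kv.get("src"), raw=line)


def normalize(line):
    """Dispatch on the leading character; return an event dict or None if unparseable."""
    line = line.strip()
    if line.startswith("<"):
        return parse_syslog(line)
    if line.startswith("{"):
        return parse_json(line)
    if "=" in line:
        return parse_kv(line)
    return None


def normalize_all(lines):
    """Return (events, unparsed_lines); the second list is the integration gap to work on."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


# Constructed sample input; the hosts and addresses are documentation ranges, not real systems.
SAMPLE_LINES = [
    "<38>1 2024-05-01T10:00:01Z bastion01 sshd 2210 - - Failed password for bob from 203.0.113.7 port 4242 ssh2",
    "<38>1 2024-05-01T10:00:09Z bastion01 sshd 2210 - - Accepted publickey for bob from 203.0.113.7 port 4243 ssh2",
    '{"time": "2024-05-01T12:00:05+02:00", "host": "web01", "app": "portal", "event": "login", '
    '"user": "alice", "client_ip": "198.51.100.9", "result": "failure"}',
    "ts=2024-05-01T10:00:07Z host=fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "this line is in no format the collector knows",
]

if __name__ == "__main__":
    evs, bad = normalize_all(SAMPLE_LINES)
    for e in evs:
        print(e["ts"], e["host"], e["source"], e["action"], e["outcome"], e["user"], e["src_ip"])
    print(f"{len(bad)} line(s) not parsed:", bad)
```

Note that the JSON line's `+02:00` timestamp comes out as `10:00:05+00:00`, so events from the three sources sort and correlate on one clock; a SIEM that keeps each source's local time is one of the most common causes of correlation rules that never fire.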
Another SIEM cost consideration is management. Most organizations seriously underestimate the management costs associated with a successful SIEM implementation, particularly if it's intended for incident detection and handling purposes. In this case, the SIEM will need frequent tuning and customization, not to mention constant monitoring so companies can validate and respond to incidents quickly to limit the damage.
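The tuning described above, the cross-source correlation mentioned in the section on typical environments, and the threat intelligence enrichment discussed under costs are all visible in a single detection rule. The following is an added example written for this article, not a rule from any SIEM product: it runs over already-normalized login events (constructed inline, in the same schema as a collector would produce) and raises an alert when a source address accumulates at least a threshold of failed logins within a time window and then succeeds. The threshold, window and suppression list are the knobs an analyst tunes after reviewing false positives; the threat intelligence feed is a constructed, hypothetical snapshot used only to raise severity on a match.

```python
"""Brute-force-then-success correlation with tunable thresholds (added example, not vendor code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel snapshot: indicator -> (feed name, confidence 0-100).
# A real feed is far larger and refreshed continuously; this one is illustrative only.
THREAT_INTEL = {
    "203.0.113.7": ("example-feed", 85),
}

# Tuning knobs. Raising the threshold or shrinking the window reduces noise; the
# suppression list removes sources that legitimately fail often, e.g. an authorized scanner.
RULE = {
    "failure_threshold": 3,
    "window": timedelta(minutes=5),
    "suppress_src": {"10.0.0.250"},
}


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_bruteforce_success(events, rule=RULE, intel=THREAT_INTEL):
    """Return one alert per source that reached the failure threshold and then logged in."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["action"] == "login" and ev.get("src_ip"):
            by_src[ev["src_ip"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        if src in rule["suppress_src"]:
            continue
        failures = []                              # timestamps of failures still inside the window
        for ev in evs:
            t = parse_ts(ev["ts"])
            failures = [f for f in failures if t - f <= rule["window"]]  # age out old failures
            if ev["outcome"] == "failure":
                failures.append(t)
            elif ev["outcome"] == "success" and len(failures) >= rule["failure_threshold"]:
                hit = intel.get(src)
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "src_ip": src, "user": ev["user"], "host": ev["host"],
                    "failures": len(failures), "at": ev["ts"],
                    "severity": "high" if hit else "medium",  # intel match raises priority
                    "intel": hit,
                })
                failures = []                      # one alert per burst, not one per later success
    return alerts


def ev(ts, src, user, outcome, host="bastion01"):
    """Build a normalized login event (constructed sample data)."""
    return {"ts": ts, "host": host, "source": "sshd", "action": "login",
            "outcome": outcome, "user": user, "src_ip": src}


SAMPLE_EVENTS = [
    # three failures then a success within the window, from an address on the intel feed
    ev("2024-05-01T10:00:01+00:00", "203.0.113.7", "bob", "failure"),
    ev("2024-05-01T10:00:02+00:00", "203.0.113.7", "bob", "failure"),
    ev("2024-05-01T10:00:03+00:00", "203.0.113.7", "bob", "failure"),
    ev("2024-05-01T10:00:09+00:00", "203.0.113.7", "bob", "success"),
    # a single typo followed by success: below threshold, no alert
    ev("2024-05-01T10:00:05+00:00", "198.51.100.9", "alice", "failure", host="web01"),
    ev("2024-05-01T10:00:06+00:00", "198.51.100.9", "alice", "success", host="web01"),
    # authorized scanner: would match, but is on the suppression list
    *[ev(f"2024-05-01T10:01:0{i}+00:00", "10.0.0.250", "svc", "failure") for i in range(4)],
    ev("2024-05-01T10:01:05+00:00", "10.0.0.250", "svc", "success"),
    # three failures, then a success ten minutes later: outside the window, no alert
    ev("2024-05-01T10:00:00+00:00", "192.0.2.44", "carol", "failure"),
    ev("2024-05-01T10:00:01+00:00", "192.0.2.44", "carol", "failure"),
    ev("2024-05-01T10:00:02+00:00", "192.0.2.44", "carol", "failure"),
    ev("2024-05-01T10:10:00+00:00", "192.0.2.44", "carol", "success"),
]

if __name__ == "__main__":
    for a in detect_bruteforce_success(SAMPLE_EVENTS):
        print(a)
```

Only the first source produces an alert. The same data with the threshold raised to four produces none, and with an empty intel set the alert drops to medium severity; checking a rule change against a replayed sample like this before deploying it is the cheapest part of the ongoing tuning cost the article warns about.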
Why SIEM?
SIEM products and services serve two purposes: providing centralized security logging and reporting for an organization and aiding in the detection, analysis and mitigation of security events. SIEM technology is available in several architectures.
Today's SIEM offerings are invaluable to organizations of nearly every size, if for no other reason than because they centralize and automate aspects of security compliance reporting.
Organizations considering acquiring a SIEM product should carefully consider the deployment and management costs. Because the SIEM ingests security log data from a wide variety of sources, there may be considerable integration costs to facilitate that transfer and the translation of the log data. Companies usually underestimate SIEM management costs, and, like many technologies, an organization gets value out of a SIEM comparable to the effort that it puts into its configuration, monitoring and other management aspects.