Having been in the SIEM world for a month now, I am slowly gaining more understanding of some of the most complex technologies I have ever come across.
My background is not technical. The closest I have been to such terminology is my partner talking about his day at work. I know I’m short in height, but the dinner table topic almost always went over my head.
Since starting with Titan, I have embraced the technical jargon world I have entered and thought I would take this opportunity to explain SIEM in a way that even someone like me could understand.
In the technological world we live in it’s no surprise that security threats are rapidly on the rise, quicker than I could eat a bar of chocolate! What did surprise me was the fact it’s not always the bad guys on the outside trying to get in that are the problem. Internal employees in companies who either misconfigure or incorrectly set up security settings leave their data open to attack. With more people working from home during 2020/2021 due to the Covid-19 pandemic, this has only added to the ever-growing problem.
To understand SIEM and what it does, I found it helpful to understand the history of how it has evolved into what it is today. The first commercial ‘SIEM’ was introduced around 20 years ago when Gartner merged security event management (SEM) and security information management (SIM) into what we now know as SIEM.
Prior to 2005, SIEM took a very basic rule-based approach that relied on known attacks. However, as the threats became more complex and more false positives were being generated, this obviously wasn’t going to work, and SIEM had to evolve to cater for these new threats by introducing new tactics for detection, such as integrating threat intelligence feeds.
Security information and event management is a software solution that collects, normalises and analyses event logs from across an organisation’s environment and aims to detect threats in near real-time based on predefined rules.
What is normalisation? It’s a process of turning a disorganised set of information into something that can be easily and readily used by the solution. An example might be organising your paperwork from a pile of mixed-up documents into individual folders for finance, cars and personal.
When a certain set of actions defined in these rules is met, an alert (or correlation) will be raised and, in most cases, an analyst will pick this up and begin the process of investigating.
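To make the collect, normalise and detect steps described above concrete, here is a small added example of the pipeline in Python. It is not Titan’s code or any product’s code: the two log feeds (an sshd-style syslog line and a JSON line from a hypothetical VPN appliance), the common event schema, and the brute-force rule (four or more failed logins from one source address within five minutes) are all constructed for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds in two different formats (not real logs).
SYSLOG_LINES = [
    "2021-03-01T09:00:01Z sshd[101]: Failed password for admin from 203.0.113.7 port 50000 ssh2",
    "2021-03-01T09:00:03Z sshd[101]: Failed password for admin from 203.0.113.7 port 50001 ssh2",
    "2021-03-01T09:00:05Z sshd[101]: Failed password for root from 203.0.113.7 port 50002 ssh2",
    "2021-03-01T09:00:09Z sshd[101]: Accepted password for alice from 198.51.100.4 port 51000 ssh2",
]
JSON_LINES = [
    '{"ts": "2021-03-01T09:00:06Z", "event": "auth_fail", "user": "bob", "src_ip": "203.0.113.7"}',
    '{"ts": "2021-03-01T09:00:08Z", "event": "auth_fail", "user": "bob", "src_ip": "203.0.113.7"}',
    '{"ts": "2021-03-01T09:30:00Z", "event": "auth_fail", "user": "carol", "src_ip": "192.0.2.9"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src_ip>\S+) port \d+"
)


def _parse_ts(value):
    # Timestamps in both feeds are ISO 8601 with a trailing Z (UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalise_syslog(line):
    """Turn one sshd syslog line into the common event schema (None if unrecognised)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": _parse_ts(m["ts"]),
        "action": "login_failure" if m["outcome"] == "Failed" else "login_success",
        "user": m["user"],
        "src_ip": m["src_ip"],
        "source": "linux-sshd",
    }


def normalise_json(line):
    """Turn one JSON line from the hypothetical VPN appliance into the same schema."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    action = {"auth_fail": "login_failure", "auth_ok": "login_success"}.get(rec.get("event"))
    if action is None or "ts" not in rec:
        return None
    return {
        "timestamp": _parse_ts(rec["ts"]),
        "action": action,
        "user": rec.get("user", "unknown"),
        "src_ip": rec.get("src_ip", "unknown"),
        "source": "vpn-appliance",
    }


def collect(syslog_lines, json_lines):
    """Collect both feeds, normalise them and return one time-ordered event stream."""
    events = [normalise_syslog(l) for l in syslog_lines] + [normalise_json(l) for l in json_lines]
    events = [e for e in events if e is not None]
    events.sort(key=lambda e: e["timestamp"])
    return events


def detect_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """Rule: `threshold` or more login failures from one src_ip inside `window` raises an alert.

    One alert per source address, raised the first time the rule is satisfied.
    """
    recent = defaultdict(list)  # src_ip -> [(timestamp, user), ...] inside the window
    alerted = set()
    alerts = []
    for e in events:
        if e["action"] != "login_failure":
            continue
        ip = e["src_ip"]
        bucket = recent[ip]
        bucket.append((e["timestamp"], e["user"]))
        # Discard failures that have fallen outside the sliding window.
        while bucket and e["timestamp"] - bucket[0][0] > window:
            bucket.pop(0)
        if len(bucket) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "rule": "ssh/vpn brute force",
                "src_ip": ip,
                "failure_count": len(bucket),
                "users": sorted({u for _, u in bucket}),
                "first_seen": bucket[0][0],
                "last_seen": e["timestamp"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(collect(SYSLOG_LINES, JSON_LINES)):
        print(alert)
```

The point of the two `normalise_*` functions is the normalisation step from the paragraph above: once both feeds share one schema, a single rule can correlate the sshd failures with the VPN failures from the same address, which neither device would flag on its own.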
A handy image of how this works is below:
SIEM benefits customers by giving them a place to centralise and aggregate the event data from their individual solutions and then perform threat detection on it. This avoids the common issue of having to manage multiple different event feeds from different devices, each usually with its own portal to log in to.
At Titan Labs, we have worked with governments and global organisations to deploy, enhance and improve their SIEM solution to ensure that they are not only achieving maximum value from their investment, but also thwarting attackers in the process.