Prior to 2005, there used to be quite a debate over Security Information Management (SIM) and Security Event Management (SEM). This debate was ended once and for all by Amrit Williams and Mark Nicolett of Gartner when they defined SIEM – Security Information and Event Management – in 2005.
As defined by Williams and Nicolett, an SIEM solution shall be capable of gathering, analysing, and presenting information collected from –
- The network and connected security devices,
- Identity and access-management applications,
- Vulnerability management and policy compliance tools,
- Operating system, application, and database logs, and
- External threat data.
Breaking the above definition down between SIM and SEM: SIM specifically deals with the storage, analysis, and reporting of log data collected from various security devices and the network. SEM, on the other hand, processes data in real time to monitor and correlate security events as they are generated and to notify analysts about them.
Brief History and Traditional Systems
SIEM solutions were introduced somewhere around 2000 in the form of either an SIM solution or an SEM solution. The systems of this initial phase, from 2000 to 2005, provided basic log aggregation across different system types along with basic event correlation techniques. These systems relied only on signatures of known attacks to detect an attack. Hence, they were completely unable to deal with zero-day attacks on an organization’s systems. Other limitations of systems during this period included –
- The initial systems correlated events by IP address instead of by user. With dynamic allotment of IP addresses and the rapid increase in the number of mobile devices, correlating activity to a device by its IP address is effectively useless for a business, as a single IP address gets allotted to multiple devices in a day.
- Traditional systems used rule-based methods to establish a correlation between various security events. Updating hundreds of rules in real time not only consumes time but also results in improper utilisation of resources.
- Because event correlation is rule-based, these systems tend to generate a large number of false-positive events.
- Overwhelmed by the number of false positives thus generated, analysts might ignore true-positive events. Moreover, a rule-based approach is a backwards-looking approach, i.e. a situation occurs first and only then are rules created to prevent the same situation from happening again.
In addition, other factors that played a pertinent role in the inefficiency of these systems included underestimation of costs, unfamiliarity with infrastructure requirements, and the limitations of relational databases.
Evolution of SIEM & Present-day Systems
SIEMs were initially developed because the IT department of an organization was unable to deal with the large number of alerts generated by IDS and IPS. As we saw in the last section, they went on to include log management capabilities by aggregating information from firewalls and other devices, and assumed the role of an information platform over the course of the next ten years.
Along with the addition of traditional information security techniques, SIEMs have gone on to include advanced techniques such as User Behaviour Analytics and Deep Packet Inspection. User Behaviour Analytics, or UBA, focuses on analysing user activity data and user credentials. The algorithms used in UBA are based on machine learning and hence work on a predictive model. Machine learning algorithms have increased the efficiency of SIEMs by replacing rule-based algorithms. Many vendors have developed UBA tools to complement traditional SIEM systems, while vendors developing new SIEM tools are including UBA as a built-in feature.
Deep Packet Inspection complements UBA by analysing traffic at the packet level to build a picture of user behaviour. This picture is not limited to a single computer but includes mobile phones and tablets as well.
Clearly, SIEM solutions have moved on from using a rule-based approach and are now using artificial intelligence to reach the highest level of security. As a business owner or someone looking after an organization’s security, you must note that an SIEM system is only as good as the people managing it. Even though present-day SIEMs are AI-based, they still need human interaction for implementation, monitoring, and taking proper action on the generated alerts.
In addition, feel free to request a demo of LogSign to see how a present-day SIEM tool works.