Go to any legitimate online news site and you’ll find stories about cybersecurity threats, from ransomware to Facebook hacks. Go to any major industry conference and you’ll find sessions on cybersecurity headlining the agenda. This isn’t hype.
The threats are real. The risk is real. And the likelihood of a data breach increases every day. That’s why smart organizations are searching for ways to proactively prevent security threats instead of reacting to them after serious damage has been done.
The shift from a reactive to proactive security posture has led to an increase in spending on security information and event management (SIEM) solutions. In fact, Gartner expects the SIEM market to more than double from $2.167 billion in 2016 to nearly $6 billion in 2021.
SIEM brings together security information management, security event management, security event correlation, and log management into a single solution. The job of SIEM is to correlate security-related data from a variety of sources, such as end-user devices and servers, as well as firewalls, intrusion prevention systems, antivirus software and other security tools. Analysis of this data makes it possible to automatically identify abnormal activity, issue an alert, and remediate the threat. Security analysts can then view all log data from a single management interface to investigate and prioritize security incidents and weed out false positives.
SIEM succeeds by looking at the bigger security picture and showing you what’s happening in your IT environment in a way that single-purpose security solutions cannot. For example, an endpoint security solution can see files, usernames and hosts, but it can’t see applications and business processes the way an asset management system can. Similarly, an intrusion detection system understands packets and protocols, while a file integrity monitoring system can only detect changes to files and registry settings. Each tool sees one slice of the environment; none sees all of it.
SIEM collects data from disparate security systems and information sources so the data can be analyzed from a single interface. SIEM isn’t necessarily a security tool on its own, but rather a management platform that makes the rest of your security tools more effective. This allows security analysts to make better, faster decisions about suspicious activity and take appropriate action based on the level of risk.
Of course, implementing and managing SIEM is no small task. Security managers and system administrators have to program the routing of data from a wide range of sources so that it can be properly aggregated, normalized and correlated. Outside consultants might be needed to assist. As a result, SIEM deployment can be a lengthy, complex proposition. If the SIEM system is not set up properly, organizations can be overwhelmed with alerts that aren’t serious, and most organizations don’t have the in-house expertise to separate serious threats from noise and fine-tune the system.
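The collect, normalize and correlate pipeline described above, as an added example written for this page (not code from any SIEM product): two constructed log formats, a firewall's key=value lines and an endpoint agent's JSON lines, are mapped onto one schema, a correlation rule joins them per source IP, and the rule's thresholds show why an untuned rule floods analysts with alerts. All hosts, addresses and timestamps are made up.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): firewall key=value lines and endpoint JSON lines.
FIREWALL_LOGS = [
    "2024-05-01T10:00:05Z fw01 DENY src=10.0.0.5 dst=198.51.100.7 dport=445",
    "2024-05-01T10:00:09Z fw01 DENY src=10.0.0.5 dst=198.51.100.7 dport=445",
    "2024-05-01T10:00:40Z fw01 DENY src=10.0.0.9 dst=198.51.100.7 dport=445",
    "garbage line the firewall parser must tolerate",
]
ENDPOINT_LOGS = [
    '{"ts":"2024-05-01T10:00:01Z","ip":"10.0.0.5","event":"login_failed"}',
    '{"ts":"2024-05-01T10:00:02Z","ip":"10.0.0.5","event":"login_failed"}',
    '{"ts":"2024-05-01T10:00:03Z","ip":"10.0.0.5","event":"login_failed"}',
    '{"ts":"2024-05-01T10:00:30Z","ip":"10.0.0.9","event":"login_failed"}',
]
FW_RE = re.compile(r"^(\S+) \S+ (ALLOW|DENY) src=(\S+) dst=\S+ dport=\d+$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def normalize(fw_lines, ep_lines):
    """Map both source formats onto one schema: (ts, src_ip, source, action)."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:  # skip lines the parser does not understand instead of guessing
            events.append((datetime.strptime(m[1], TS_FMT), m[3], "firewall", m[2]))
    for line in ep_lines:
        rec = json.loads(line)
        events.append((datetime.strptime(rec["ts"], TS_FMT), rec["ip"], "endpoint", rec["event"]))
    return sorted(events)

def correlate(events, window=timedelta(minutes=1), min_failures=3, min_denies=2):
    """One alert per source IP with >= min_failures failed logins AND >= min_denies
    firewall denies inside the window; the thresholds are the tuning knobs."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start <= window]
            fails = sum(e[2] == "endpoint" and e[3] == "login_failed" for e in span)
            denies = sum(e[2] == "firewall" and e[3] == "DENY" for e in span)
            if fails >= min_failures and denies >= min_denies:
                alerts.append({"src_ip": ip, "first_seen": start.isoformat(),
                               "login_failed": fails, "fw_deny": denies})
                break  # one alert per IP, not one per matching event
    return alerts
```

With the default thresholds only 10.0.0.5 produces an alert; lowering both thresholds to 1 makes the quieter host 10.0.0.9 alert as well, which is the kind of noise an untuned deployment generates.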