Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. [1] [2] SIEM systems are central to security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. [3] SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.
SIEM tools can be implemented as software, hardware, or managed services. [4] SIEM systems log security events and generate reports to meet regulatory frameworks such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). The integration of SIM and SEM within SIEM provides organizations with a centralized approach for monitoring security events and responding to threats in real time.
First introduced by Gartner analysts Mark Nicolett and Amrit Williams in 2005, the term SIEM has evolved to incorporate advanced features such as threat intelligence and behavioral analytics, which allow SIEM solutions to manage complex cybersecurity threats, including zero-day vulnerabilities and polymorphic malware.
In recent years, SIEM has become increasingly incorporated into national cybersecurity initiatives. For instance, Executive Order 14028 signed in 2021 by U.S. President Joseph Biden mandates the use of SIEM technologies to improve incident detection and reporting in federal systems. Compliance with these mandates is further reinforced by frameworks such as NIST SP 800-92, which outlines best practices for managing computer security logs. [2]
Initially, system logging was primarily used for troubleshooting and debugging. However, as operating systems and networks have grown more complex, so has the generation of system logs. The monitoring of system logs has also become increasingly common due to the rise of sophisticated cyberattacks and the need for compliance with regulatory frameworks, which mandate logging security controls within risk management frameworks (RMF).
Starting in the late 1970s, working groups began establishing criteria for managing auditing and monitoring programs, laying the groundwork for modern cybersecurity practices, such as insider threat detection and incident response. A key publication during this period was NIST’s Special Publication 500-19. [5]
In 2005, the term "SIEM" (Security Information and Event Management) was introduced by Gartner analysts Mark Nicolett and Amrit Williams. SIEM systems provide a single interface for gathering security data from information systems and presenting it as actionable intelligence. [6] The National Institute of Standards and Technology provides the following definition of SIEM: "Application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface." [2] In addition, NIST has designed and implemented a federally mandated RMF.
With the implementation of RMFs globally, auditing and monitoring have become central to information assurance and security. Cybersecurity professionals now rely on logging data to perform real-time security functions, driven by governance models that incorporate these processes into analytical tasks. As information assurance matured in the late 1990s and into the 2000s, the need to centralize system logs became apparent. Centralized log management allows for easier oversight and coordination across networked systems.
On May 17, 2021, U.S. President Joseph Biden signed Executive Order 14028, "Improving the Nation's Cybersecurity," which established further logging requirements, including audit logging and endpoint protection, to enhance incident response capabilities. [7] This order was a response to an increase in ransomware attacks targeting critical infrastructure. By reinforcing information assurance controls within RMFs, the order aimed to drive compliance and secure funding for cybersecurity initiatives.
Published in September 2006, the NIST SP 800-92 Guide to Computer Security Log Management serves as a key document within the NIST Risk Management Framework to guide what should be auditable. As indicated by the absence of the term "SIEM", the document was released before the widespread adoption of SIEM technologies. [8] [9] Although the guide is not exhaustive due to rapid changes in technology since its publication, it remains relevant by anticipating industry growth. NIST is not the only source of guidance on regulatory mechanisms for auditing and monitoring, and many organizations are encouraged to adopt SIEM solutions rather than relying solely on host-based checks.
Several regulations and standards reference NIST’s logging guidance, including the Federal Information Security Management Act (FISMA), [10] Gramm-Leach-Bliley Act (GLBA), [11] Health Insurance Portability and Accountability Act (HIPAA), [12] Sarbanes-Oxley Act (SOX) of 2002, [13] Payment Card Industry Data Security Standard (PCI DSS), [14] and ISO 27001. [15] Public and private organizations frequently reference NIST documents in their security policies.
NIST SP 800-53 AU-2 Event Monitoring is a key security control that supports system auditing and ensures continuous monitoring for information assurance and cybersecurity operations. SIEM solutions are typically employed as central tools for these efforts. Federal systems categorized based on their impact on confidentiality, integrity, and availability (CIA) have five specific logging requirements (AU-2 a-e) that must be met. [16] While logging every action is possible, it is generally not recommended due to the volume of logs and the need for actionable security data. AU-2 provides a foundation for organizations to build a logging strategy that aligns with other controls.
NIST SP 800-53 SI-4 System Monitoring outlines the requirements for monitoring systems, including detecting unauthorized access and tracking anomalies, malware, and potential attacks. This security control specifies both the hardware and software requirements for detecting suspicious activities. [17] Similarly, NIST SP 800-53 RA-10 Threat Hunting, added in Revision 5, emphasizes proactive network defense by identifying threats that evade traditional controls. SIEM solutions play a critical role in aggregating security information for threat hunting teams. [18]
Together, AU-2, SI-4, and RA-10 demonstrate how NIST controls integrate into a comprehensive security strategy. These controls, supported by SIEM solutions, help ensure continuous monitoring, risk assessments, and in-depth defense mechanisms across federal and private networks. [18]
The acronyms SEM, SIM and SIEM have sometimes been used interchangeably, [19] but generally refer to the different primary focus of products:
In practice many products in this area will have a mix of these functions, so there will often be some overlap, and many commercial vendors also promote their own terminology. [21] Commercial vendors often offer different combinations of these functionalities, which tend to improve SIEM overall. Log management alone does not provide real-time insight into network security, and SEM on its own does not provide complete data for deep threat analysis. When SEM and log management are combined, more information is available for the SIEM to monitor.
A key focus is to monitor and help manage user and service privileges, directory services and other system-configuration changes, as well as to provide log auditing and review and incident response. [20]
SIEM architectures vary by vendor, but the essential components that make up the SIEM engine are generally the same. The essential components of a SIEM are as follows: [25]
A basic SIEM infrastructure is depicted in the image to the right.
Computer security researcher Chris Kubecka identified the following SIEM use cases, presented at the hacking conference 28C3 (Chaos Communication Congress). [30]
SIEM systems can have hundreds or thousands of correlation rules. Some are simple and some are more complex. Once a correlation rule is triggered, the system can take appropriate steps to mitigate a cyber attack. Usually this includes sending a notification to a user and then possibly limiting or even shutting down the affected system.
Brute force detection is relatively straightforward. Brute forcing refers to continually trying to guess a value. It most commonly means someone repeatedly guessing a password, either manually or with a tool, but it can also mean guessing URLs or important file locations on a system.
An automated brute force attempt is easy to detect: no human enters their password 60 times in a minute.
When a user logs in to a system, the system generally records a timestamp of the event. Alongside the time, it may also record other useful information such as the device used, physical location, IP address, number of incorrect login attempts, and so on. The more data is collected, the more use can be made of it. For impossible travel, the system looks at the current and previous login date/time and the distance between the two recorded locations. If it deems that travel not possible, for example hundreds of miles within a minute, it raises a warning.
Many employees and users are now using VPN services which may obscure physical location. This should be taken into consideration when setting up such a rule.
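The impossible-travel rule described above, as an added example that is not part of the original article: consecutive logins per user are compared by great-circle distance and elapsed time, and an implied speed above a threshold raises an alert. The login records, coordinates and the VPN egress address are all constructed; the VPN allowlist shows one way to apply the caveat about VPN services obscuring location.

```python
import math
from datetime import datetime

# Constructed login records (user, ISO timestamp, source IP, latitude, longitude); not real data.
LOGINS = [
    ("alice", "2024-01-15T09:00:00", "192.0.2.10", 40.7128, -74.0060),     # New York
    ("alice", "2024-01-15T09:20:00", "192.0.2.77", 51.5074, -0.1278),      # London, 20 min later
    ("bob",   "2024-01-15T09:00:00", "198.51.100.3", 37.7749, -122.4194),  # San Francisco
    ("bob",   "2024-01-15T15:00:00", "198.51.100.9", 34.0522, -118.2437),  # Los Angeles, 6 h later
]

# Constructed egress address of a corporate VPN. Logins from such addresses carry the
# VPN's location rather than the user's, so the rule does not evaluate them.
VPN_EGRESS = {"192.0.2.77"}

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, max_speed_kmh=900.0, vpn_egress=frozenset()):
    """Return one alert per consecutive login pair whose implied speed exceeds max_speed_kmh.

    max_speed_kmh defaults to roughly airliner speed (an assumption, tune per environment).
    """
    last = {}      # user -> (timestamp, lat, lon) of the last non-VPN login
    alerts = []
    # ISO-8601 timestamps sort correctly as strings, so (user, ts) ordering is chronological per user
    for user, ts, ip, lat, lon in sorted(logins, key=lambda r: (r[0], r[1])):
        if ip in vpn_egress:
            continue  # location unreliable: neither evaluate nor update the last known position
        t = datetime.fromisoformat(ts)
        if user in last:
            pt, plat, plon = last[user]
            dist = haversine_km(plat, plon, lat, lon)
            hours = (t - pt).total_seconds() / 3600
            if hours > 0:
                speed = dist / hours
            else:
                speed = float("inf") if dist > 0 else 0.0  # same instant, different place
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user, "from_ip": ip, "distance_km": round(dist, 1),
                    "elapsed_h": round(hours, 3), "speed_kmh": round(speed, 1), "at": ts,
                })
        last[user] = (t, lat, lon)
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(LOGINS):
        print("ALERT impossible travel:", a)
    print("with VPN allowlist:", impossible_travel(LOGINS, vpn_egress=VPN_EGRESS))
```

Run without the allowlist, Alice's New York to London pair (about 5,570 km in 20 minutes) alerts while Bob's San Francisco to Los Angeles pair (about 560 km in 6 hours) does not; with the allowlist, the London login is recognised as VPN egress and the alert is suppressed.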
The average user does not typically copy or move files on the system repeatedly, so excessive file copying could indicate an attacker intent on harming the organization. Unfortunately, it is not as simple as concluding that someone has gained illegitimate access to the network and wants to steal confidential information: it could also be an employee looking to sell company information, or one who simply wants to take some files home for the weekend.
A DDoS (Distributed Denial of Service) attack can cause significant damage to a company or organization. It can not only take a website offline but also weaken a system. With suitable correlation rules in place, a SIEM should trigger an alert at the start of the attack so that the company can take the necessary precautionary measures to protect vital systems.
File Integrity and Change Monitoring (FIM) is the process of monitoring the files on a system. An unexpected change to a system file triggers an alert, as it is a likely indication of a cyber attack.
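The FIM process just described, as an added example that is not part of the original article: a SHA-256 baseline is taken of every file under a directory, a later snapshot is compared against it, and added, removed and modified paths are reported. The directory contents and the changes made to them are constructed inside a temporary directory so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def compare_baselines(old, new):
    """Classify drift between two snapshots into added, removed and modified paths."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: snapshot a small tree, alter it, and report what FIM would flag."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc" / "cron.d").mkdir(parents=True)
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        before = build_baseline(root)

        # Constructed changes: one file modified, one removed, one added.
        with open(root / "etc" / "passwd", "a") as f:
            f.write("svc:x:1001:1001::/home/svc:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "cron.d" / "task").write_text("0 * * * * root /usr/bin/true\n")
        after = build_baseline(root)

        return compare_baselines(before, after)


if __name__ == "__main__":
    drift = demo()
    for kind, paths in drift.items():
        for p in paths:
            print(f"ALERT file {kind}: {p}")
```

In a real deployment the baseline would be stored outside the monitored host (or signed) so that an attacker who alters files cannot also alter the record they are compared against, and the comparison would run on a schedule or from an inotify-style trigger rather than once.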
Examples of customized rules that alert on event conditions include user authentication rules, detected attacks, and detected infections. [31]
Rule | Goal | Trigger | Event Sources |
---|---|---|---|
Repeat Attack-Login Source | Early warning for brute force attacks, password guessing, and misconfigured applications. | Alert on 3 or more failed logins in 1 minute from a single host. | Active Directory, Syslog (Unix Hosts, Switches, Routers, VPN), RADIUS, TACACS, Monitored Applications. |
Repeat Attack-Firewall | Early warning for scans, worm propagation, etc. | Alert on 15 or more Firewall Drop/Reject/Deny Events from a single IP Address in one minute. | Firewalls, Routers and Switches. |
Repeat Attack-Network Intrusion Prevention System | Early warning for scans, worm propagation, etc. | Alert on 7 or more IDS Alerts from a single IP Address in one minute | Network Intrusion Detection and Prevention Devices |
Repeat Attack-Host Intrusion Prevention System | Find hosts that may be infected or compromised (exhibiting infection behaviors) | Alert on 3 or more events from a single IP Address in 10 minutes | Host Intrusion Prevention System Alerts |
Virus Detection/Removal | Alert when a virus, spyware or other malware is detected on a host | Alert when a single host sees an identifiable piece of malware | Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors |
Virus or Spyware Detected but Failed to Clean | Alert when >1 Hour has passed since malware was detected, on a source, with no corresponding virus successfully removed | Alert when a single host fails to auto-clean malware within 1 hour of detection | Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events |
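A sliding-window correlation rule of the kind the table above lists, and that the brute-force section earlier describes, as an added example that is not part of the original article. The rule engine is generic (any matching predicate, any grouping key, a count threshold and a time window); it is instantiated here as the "Repeat Attack-Login Source" rule (3 or more failed logins in 1 minute from a single host) and run over constructed syslog-style lines whose format is an assumption of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified syslog-like format; not real log output.
SAMPLE_LOG = """\
2024-01-15T10:00:01 sshd auth_failure src=203.0.113.5 user=root
2024-01-15T10:00:12 sshd auth_failure src=203.0.113.5 user=admin
2024-01-15T10:00:20 sshd auth_failure src=198.51.100.7 user=alice
2024-01-15T10:00:31 sshd auth_failure src=203.0.113.5 user=oracle
2024-01-15T10:00:45 sshd auth_success src=198.51.100.7 user=alice
2024-01-15T10:02:10 sshd auth_failure src=198.51.100.7 user=alice
2024-01-15T10:05:00 sshd auth_failure src=198.51.100.7 user=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<prog>\S+) (?P<event>\S+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_events(text):
    """Parse the constructed format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "prog": m["prog"], "event": m["event"],
            "src": m["src"], "user": m["user"],
        })
    return events


class ThresholdRule:
    """Alert when `threshold` matching events share the same key within `window`."""

    def __init__(self, name, match, key, threshold, window):
        self.name = name
        self.match = match          # predicate: does this event count toward the rule?
        self.key = key              # grouping function, e.g. source IP or user
        self.threshold = threshold
        self.window = window
        self._seen = defaultdict(deque)  # key -> timestamps of matching events still in window
        self._fired = set()              # keys already alerted on, to avoid repeat alerts

    def feed(self, ev):
        if not self.match(ev):
            return None
        k = self.key(ev)
        q = self._seen[k]
        q.append(ev["ts"])
        # drop timestamps that have fallen out of the sliding window
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and k not in self._fired:
            self._fired.add(k)
            return {"rule": self.name, "key": k, "count": len(q), "at": ev["ts"]}
        return None


def run_rules(events, rules):
    """Feed events in time order through every rule and collect the alerts raised."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


def login_rules():
    """The 'Repeat Attack-Login Source' rule from the table: 3+ failed logins in 1 minute per host."""
    return [ThresholdRule(
        name="Repeat Attack-Login Source",
        match=lambda e: e["event"] == "auth_failure",
        key=lambda e: e["src"],
        threshold=3,
        window=timedelta(minutes=1),
    )]


if __name__ == "__main__":
    for a in run_rules(parse_events(SAMPLE_LOG), login_rules()):
        print(f"ALERT {a['rule']}: {a['key']} ({a['count']} events) at {a['at']}")
```

The host 203.0.113.5 reaches three failures within 30 seconds and alerts; 198.51.100.7 also fails three times but spread over five minutes, so its window never holds more than one failure and no alert is raised. The other table rows (firewall drops, IDS alerts, HIPS events) differ only in the predicate, key, threshold and window passed to `ThresholdRule`.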
An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically either reported to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.
The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Security event management (SEM), and the related SIM and SIEM, are computer security disciplines that use data inspection tools to centralize the storage and interpretation of logs or events generated by other software running on a network.
Information security standards are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.
Security controls or security measures are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.
Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. Log data is composed of entries (records), and each entry contains information related to a specific event that occurs within an organization's computing assets, including physical and virtual platforms, networks, services, and cloud environments.
Prelude SIEM is a security information and event management (SIEM) system.
The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including, for example, FISMA compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP. An example of an implementation of SCAP is OpenSCAP. SCAP is a suite of specifications that have been compiled to be compatible with various protocols for things like configuration management, compliance requirements, software flaws, or vulnerability patching. Accumulation of these standards provides a means for data to be communicated between humans and machines efficiently. The objective of the framework is to promote a communal approach to the implementation of automated security mechanisms that are not monopolized.
Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.
TriGeo Network Security is a United States–based provider of security information and event management (SIEM) technology. The company helps mid-market organizations proactively protect networks and data from internal and external threats, with a SIEM appliance that provides real-time log management and automated network defense, from the perimeter to the endpoint.
The Log Management Knowledge Base is a free database of detailed descriptions on over 20,000 event logs generated by Windows systems, syslog devices and applications. Provided as a free service to the IT community by Prism Microsystems, the aim of the Knowledge Base is to help IT personnel make sense of the large amounts of cryptic and arcane log data generated by network systems and IT infrastructures.
NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems. Originally intended for U.S. federal agencies except those related to national security, since the 5th revision it is a standard for general usage. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost effective programs to protect their information and information systems.
Database activity monitoring is a database security technology for monitoring and analyzing database activity. DAM may combine data from network-based monitoring and native audit information to provide a comprehensive picture of database activity. The data gathered by DAM is used to analyze and report on database activity, support breach investigations, and alert on anomalies. DAM is typically performed continuously and in real-time.
The Risk Management Framework (RMF) is a United States federal government guideline, standard, and process for managing risk to help secure information systems. The RMF was developed by the National Institute of Standards and Technology (NIST), and provides a structured process that integrates information security, privacy, and risk management activities into the system development life cycle. The RMF is an important aspect of a system's attainment of its Authority to Operate (ATO).
An information security operations center is a facility where enterprise information systems are monitored, assessed, and defended.
IT risk management is the application of risk management methods to information technology in order to manage IT risk. Various methodologies exist to manage IT risks, each involving specific processes and steps.
NIST Special Publication 800-92, "Guide to Computer Security Log Management", establishes guidelines and recommendations for securing and managing sensitive log data. The publication was prepared by Karen Kent and Murugiah Souppaya of the National Institute of Standards and Technology and published under the SP 800 series, a repository of best practices for the InfoSec community. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time.
The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines designed to help organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks. Developed by the U.S. National Institute of Standards and Technology (NIST), the framework was initially published in 2014 for critical infrastructure sectors but has since been widely adopted across various industries, including government and private enterprises globally. The framework integrates existing standards, guidelines, and best practices to provide a structured approach to cybersecurity risk management.
This is a list of cybersecurity information technology. Cybersecurity is security as it is applied to information technology. This includes all technology that stores, manipulates, or moves data, such as computers, data networks, and all devices connected to or included in networks, such as routers and switches. All information technology devices and facilities need to be secured against intrusion, unauthorized use, and vandalism. Additionally, the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals. The public should be protected against acts of cyberterrorism, such as the compromise or loss of the electric power grid.
Cybersecurity engineering is a technical discipline focused on the protection of systems, networks, and data from unauthorized access, cyberattacks, and other malicious activities. It applies engineering principles to the design, implementation, maintenance, and evaluation of secure systems, ensuring the integrity, confidentiality, and availability of information.