We just raised $142 million in our Series D Round! Read About Our Plans for the Future

How to Use SIEM Tools in the Modern World

  • Coralogix
  • May 24, 2022
Siem tools

In our highly connected world, organizations of all sizes need to be alert to the risk of cyberattacks. The genuine threats to today’s enterprises include data leaks, ransomware, and theft of commercial secrets or funds, with the potential for severe financial and reputational damage. 

Investing in tools to monitor your systems and alert you to suspicious activity as early as possible is vital for strengthening your security posture.

Until fairly recently, Security Information and Event Management (SIEM) tools have been the preserve of large corporations, requiring a high degree of technical and security expertise to operate and derive value from them. 

The good news is that with modern-day SIEM systems, much of the labor involved is in determining baselines and thresholds and correlating events across distributed systems. 

What’s more, triaging alerts can now be automated, with some also providing the ability to contain and mitigate threats as they emerge. This article will discuss how SIEM is evolving and how it can help you defend against cyber threats.

What is SIEM?

The first generation SIEM tools focused primarily on recording and reporting log data for regulatory compliance. Then came Security Event Management (SEM) tools, which analyzed log and event data in real-time to monitor threats and support incident response.

By combining these two functions, SIEM tools evolved to handle proactive attack monitoring, threat analysis, incident response, security forensics and reporting, and data retention for compliance purposes. 

With the data and functionality provided by a SIEM, security operations teams could analyze historical data to determine expected operating parameters and set conditions to trigger alerts when a threat is detected.

As we’ll discuss in more detail, SIEM vendors have continued to improve their offerings by leveraging innovations in machine learning, automation, and big data analysis. 

Modern SIEM solutions handle much larger volumes of data, using it to derive insights and identify anomalies that merit further investigation. They also apply automated workflows to contain and mitigate threats.

How do SIEM tools work?

A SIEM tool collects log data from the systems and applications running on multiple disparate hosts within your IT estate, including servers, routers, firewalls, and employee workstations. There are several ways SIEM tools collect data, and the most reliable methods include:

  • Using an agent installed on the device to collect from
  • Connecting to a device directly using a network protocol or API call
  • Accessing log files directly from storage, typically in Syslog format or CEF (Common Event Format)
  • Using an event streaming protocol like Netflow or SNMP

After collecting the log data in a central location, the SIEM tool normalizes and aggregates that data for analysis. SOC team members can query the log and event data to generate reports and investigate incidents. Dashboards provide the SOC team with visualizations of the data in real time, with alerts triggered when a possible threat or incident is detected.

‘Next Gen’ SIEMs build on this functionality using insights from historical data combined with external threat libraries and blocklists. Using statistics, descriptive, and predictive data mining, machine learning, simulation, and optimization, SIEM tools maintain a constantly evolving picture of normal operations and deliver critical insights to identify hidden threats.

Correlating event data

To protect your organization from cyber threats, it’s not enough to analyze logs from individual devices in isolation. With distributed systems, it’s common for attackers to move horizontally through the network, looking for weaknesses that will give access to your data or resources.

To identify signs of an attack, sometimes you need to correlate events occurring in different parts of the system to form a bigger picture. For example, whereas thousands of failed login attempts occurring in quick succession would be flagged as a potential brute force attack, but an employee logging into the VPN from a different location is not necessarily suspicious. 

However, if that user then accesses a different server to normal – perhaps one containing sensitive data – or attempts to change their security settings or account permissions, things start to look more suspicious. These two events, taken together suggest the beginnings of an attack, and the chain of events would be flagged as a potential threat to be investigated.

Event correlation relies on large numbers of data points, making it extremely difficult to perform manually. SIEM tools use statistical modeling and machine-learning to analyze the available data, automatically marking events as potentially suspicious and drawing correlations between data points to raise alerts when a sequence of events displays the hallmarks of malicious activity.

Powering intelligent alerts with Machine-Learning

One of the limitations of SIEM for securing your enterprise is the impact of false positives in triggering alert fatigue among security operators. When events that appear similar, at least on the surface, happen very frequently, it’s a natural human response to pay them less attention. 

Modern SIEM providers apply machine learning (ML) techniques to automatically refine alerts generated and adjust alert thresholds, reducing the likelihood of false positives and allowing security experts to use their time more productively.

Machine learning enables several other techniques for automating threat detection and minimizing the extent of an attack with UEBA and SOAR.

Identifying anomalies with UEBA

With User Event Behavior Analysis (UEBA), SIEM tools use machine learning and statistical analyses to identify common patterns of user behavior, which serve as a baseline for detecting anomalous activity.

For example, if an individual logs typically in for eight hours a day during local office hours, but one day stays logged in for over 24 hours or starts logging in during the middle of the night, it could indicate that their account has been compromised and an attacker is gaining access to your systems. 

In a similar vein, if you have a user who prints typically in the region of a hundred pages a week or writes a few gigabytes to removable storage each month, but one day starts exporting terabytes of data, you might be dealing with a malicious insider.

Modern SIEM tools combine insights from UEBA with the real-time analysis of system and network data to build a comprehensive picture of the activity within your IT estate. Using targeted algorithms and statistical modeling, they can adapt alert rules to filter out noise and zero in on the anomalies that merit further investigation.

Automating responses to threats

Security Orchestration, Automation and Response (SOAR) refers to the capability of modern SIEMs to automate the response to threats they have detected. Once suspicious activity is identified, a SIEM tool can assist with the orchestration of the various activities required to further investigate the threat by correlating events (as described above). 

Furthermore, they can automate certain runbook activities, such as opening tickets in tracking systems like Jira. This saves time for security experts, who can focus on the most impactful tasks.

For certain types of attacks, the SIEM tool can automatically apply steps to contain or mitigate the threat, such as notifying employees of a confirmed phishing attempt or quarantining users that have fallen victim to the phishing attack before detection.

SOAR can also be used to apply basic hygiene measures automatically. For example, by automating the steps to de-provision user accounts when employees leave your organization, you ensure these essential tasks are performed promptly while freeing up IT staff to focus on more valuable work.

Built for the cloud

As we’ve seen, modern SIEM tools can identify emerging threats in distributed systems by analyzing huge volumes of data in real-time. This data storage and analysis level require significant storage and computing power, which is why modern SIEM tools are often built for the cloud. 

The horizontal scalability of cloud-hosted storage combined with cloud-native big data analytics tools means you can feed in a wide range of data sources, maximizing data correlation and anomaly detection opportunities.

However, a possible downside of cloud-based tools is the potential for spiraling costs for data storage. SIEM providers that offer solutions for managing data and optimizing storage will help you manage costs over the long term.

Summary

SIEM tools are proving to be more critical than ever in modern times of cyberattacks. They are undeniably valuable for collating data and threats across your IT environment into a single, easy-to-use dashboard. 

Many of the ‘Next Gen SIEM’ tools are configured to flag suspect patterns independently and sometimes even resolve the underlying issue automatically. The best SIEM tools are adept at using past trends to differentiate between actual threats and legitimate use, minimizing false alarms while ensuring optimal protection. 

By helping your security team work effectively and efficiently, a modern SIEM tool streamlines your operations while strengthening your organization’s security posture.

Related Articles