What is SIEM Software? How It Works and How to Choose the Right Tool
By Mary K. Pratt, Contributing Writer, CSO
Evolving beyond its log-management roots, today’s Security Information and Event Management (SIEM) software vendors are introducing machine learning, advanced statistical analysis and other analytic methods to their products.
What is SIEM Software?
Security Information and Event Management (SIEM) software gives enterprise security professionals both insight into and a track record of the activities within their IT environment.
SIEM technology has been in existence for more than a decade, initially evolving from the log management discipline. It combined security event management (SEM) – which analyzes log and event data in real time to provide threat monitoring, event correlation and incident response – with security information management (SIM) which collects, analyzes and reports on log data.
How SIEM Software Works
SIEM software collects and aggregates log data generated throughout the organization’s technology infrastructure, from host systems and applications to network and security devices such as firewalls and antivirus filters.
The software then identifies, categorizes and analyzes incidents and events. It delivers on two main objectives:
- Provide reports on security-related incidents and events, such as successful and failed logins, malware activity and other possible malicious activities.
- Send alerts if analysis shows that an activity runs against predetermined rulesets and thus indicates a potential security issue.
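The two objectives above map onto a short pipeline: normalize logs from different sources into one event schema, summarize the security-relevant categories for reporting, and run a predetermined rule over the stream to raise alerts. The following is an added illustration written for this article, not code from any SIEM product; the log lines, field names, the rule threshold and the five-minute window are all constructed assumptions chosen to show the brute-force-then-success pattern that the login events in the list above hint at.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) from two sources a SIEM
# would ingest: a host SSH auth log and a firewall log, in different formats.
SAMPLE_LOGS = [
    ("auth", "2024-03-01T10:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 5012 ssh2"),
    ("auth", "2024-03-01T10:00:03 sshd[1202]: Failed password for root from 203.0.113.7 port 5013 ssh2"),
    ("auth", "2024-03-01T10:00:05 sshd[1203]: Failed password for root from 203.0.113.7 port 5014 ssh2"),
    ("auth", "2024-03-01T10:00:09 sshd[1204]: Accepted password for root from 203.0.113.7 port 5015 ssh2"),
    ("auth", "2024-03-01T10:05:00 sshd[1300]: Accepted publickey for alice from 192.0.2.10 port 40010 ssh2"),
    ("fw",   "2024-03-01T10:05:30 action=deny src=198.51.100.9 dst=10.0.0.5 dport=445"),
    ("fw",   "2024-03-01T10:06:00 action=allow src=192.0.2.10 dst=10.0.0.5 dport=22"),
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def normalize(source, line):
    """Collection and categorization: map a raw line onto a common event schema.
    Returns None for lines no parser understands (a real SIEM keeps those as
    unparsed raw events; they are simply skipped here)."""
    if source == "auth":
        m = AUTH_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "source": source,
                "category": "login_success" if m["result"] == "Accepted" else "login_failure",
                "user": m["user"], "src": m["src"]}
    if source == "fw":
        m = FW_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "source": source,
                "category": "fw_deny" if m["action"] == "deny" else "fw_allow",
                "user": None, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    return None


def report(events):
    """Reporting objective: counts per security-relevant event category."""
    counts = defaultdict(int)
    for e in events:
        counts[e["category"]] += 1
    return dict(counts)


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alerting objective: one predetermined rule (threshold and window are
    assumed values). Alert when a single source address produces at least
    `threshold` login failures inside `window` and then a successful login."""
    alerts = []
    failures = defaultdict(deque)  # src address -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["category"] not in ("login_failure", "login_success"):
            continue
        q = failures[e["src"]]
        # Drop failures that fell out of the sliding window.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["category"] == "login_failure":
            q.append(e["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src": e["src"],
                           "user": e["user"], "failures": len(q), "ts": e["ts"]})
            q.clear()  # avoid re-alerting on the same burst
    return alerts


def run_pipeline(raw_logs=SAMPLE_LOGS):
    """Full pass: normalize, then produce the report and the alert list."""
    events = []
    for source, line in raw_logs:
        ev = normalize(source, line)
        if ev is not None:
            events.append(ev)
    return report(events), correlate(events)


if __name__ == "__main__":
    summary, alerts = run_pipeline()
    print("report:", summary)
    for alert in alerts:
        print("ALERT:", alert)
```

On the constructed input the report counts three failed and two successful logins plus one firewall deny and one allow, and the rule fires once for 203.0.113.7 (three failures followed by a successful login for root within the window); alice's single successful login raises nothing. The same structure, with more parsers and more rules, is what the reporting and alerting objectives above amount to in practice.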
Enterprise need for better compliance management drove much of the early adoption of this technology, says Paula Musich, research director at Enterprise Management Associates (EMA), a market research and consulting firm based in Boulder, Colo.
“Auditors needed a way to look at whether compliance was being met or not, and SIEM provided the monitoring and reporting necessary to meet mandates like HIPAA, SOX and PCI DSS,” she says, referring to the Health Insurance Portability and Accountability Act, the Sarbanes–Oxley Act and the Payment Card Industry Data Security Standard.
However, experts say enterprise demand for greater security measures has driven more of the SIEM market in recent years.
“Now large organizations typically look to SIEM as a foundation for standing up the security operations center,” Musich says.
Analytics and Intelligence
One of the main drivers behind the use of SIEM software for security operations rests with the newer capabilities contained within many of the products on the market.
“Now a lot of SIEM technologies bring in threat intelligence feeds in addition to traditional log data, and there are multiple SIEM products that have security analytics capabilities that look at network behavior as well as user behavior to give more intelligence around whether an activity indicates malicious activity,” Musich explains.
Indeed, technology research firm Gartner in its May 2017 report on the worldwide SIEM market calls out the intelligence in SIEM tools, saying “innovation in the SIEM market is moving at an exciting pace to create a better threat detection tool.”
The Gartner report further notes that vendors are introducing machine learning, advanced statistical analysis and other analytic methods to their products, while some also are experimenting with artificial intelligence and deep learning capabilities.
According to Gartner, vendors market such advances as capabilities that can provide more accurate detection rates at a faster pace. However, Gartner points out that enterprises aren’t yet clear on whether, or by how much, these capabilities yield new returns to the organization.
Rob Stroud, a principal analyst with Forrester Research and past board chairman with ISACA, an international professional association focused on IT governance, says he sees promise in such technologies.
“With AI and machine learning we can do inference and pattern-based monitoring and alerting, but the real opportunity is the predictive restoration. This is the transition in the market now. It’s going from a monitoring tool to [the software providing] remediation suggestions,” Stroud says, adding that he expects SIEM software to even be able to automate remediation in the future.
SIEM in the Enterprise
SIEM software captures only a small portion of the total dollars spent on enterprise security worldwide, according to Gartner. Gartner estimates global spending on enterprise security at nearly $98.4 billion for 2017, with SIEM software garnering about $2.4 billion. Gartner predicts spending on SIEM technology will rise modestly, to nearly $2.6 billion in 2018 and $3.4 billion in 2021.
SIEM software is mostly used by large organizations and public companies, where compliance to regulations remains a strong factor in the use of this technology, according to analysts.
While some mid-size companies also use SIEM software, small companies tend to neither need nor want to invest in it. Analysts say they are often priced out of buying their own solution, as its annual cost can run from tens of thousands of dollars to more than $100,000. Additionally, small companies lack the ability to hire the talent needed to maintain SIEM software on an ongoing basis.
That said, analysts do also note that some small and mid-size businesses have SIEM delivered as a software-as-a-service offering through outsourcing providers who are large enough to sell their SMB clients that service.
Currently, large enterprise users tend to always run SIEM software on-premises, due to the sensitivity of some of the data going through the system. “You’re logging sensitive things, and that’s not something that people have a lot of appetite for sending over the internet,” says John Hubbard, lead analyst for GlaxoSmithKline’s U.S. Security Operations Center and an instructor with the SANS Institute, an organization for security professionals.
However, as the machine learning and artificial intelligence capabilities within SIEM products increase, some analysts expect SIEM vendors to offer a hybrid option, with some of the analytics running in the cloud.
“We’re seeing collecting and curating and intelligence via cloud; we’re seeing that emerge because the vendor can [gather and] cull through more data than an organization can,” Stroud says.