SIEM is a Buzzword, and It's Not
Security Information and Event Management (SIEM)-though often expressed as a software solution-is the process of aggregating auditing data, storing that data, and using the information to provide analysis for information systems. A SIEM tool would "include gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data" (Amir Jamil, 2010). Though it would be a bit preposterous, a team of security experts could well perform SIEM tasks manually.
Of course, we never have the funding or personnel to accomplish even our normal tasks, and no organization is going to hire a wing of employees just to sort through log data. Instead, we need a well-designed SIEM system that can perform those log aggregation and analysis functions. Now, most well-developed software packages already include at least one of these three capabilities. Most operating systems store log data about errors, critical tasks, or faults within the system. However, those logs probably won't be stored for more than a few days before being overwritten. So, we set up a log server and send all of our audit data there. Then, we aggregate multiple system logs by sending a whole company's logs to one server. Still, that's just half of our requirement. We still need a way to analyze those logs. There has to be some way of sifting through thousands of logs per second to find meaningful data. Again, analysis could be performed manually, but that would be at least one person's full-time job.
No "matter how good a security engineer is, about 1,000 events per day is a practical maximum to deal with" (Swift, 2006). We humans just can't sift through the amount of data provided by more than a few interconnected systems. On average, some of my own work environment's systems create more than a million events per day. Then, many organizations have to comply with storage requirements of twelve months, two years, or even five. There's no way for a person-or even a team of experts-to be effective at sorting through months of audit data. Instead, we need something that combines heuristics and programmable logic to automate that process. We need a way to put together pattern-recognition that highlights the possible errors, faults, or security breaches.
So, to be effective at SIEM? We need a program that pulls in massive amounts of log data. Then, it needs to aggregate that information into a single pool of information. Finally, that information must be automatically analyzed to point out the most useful data.
Then, with a fully-enabled SIEM system? An organization would easily meet their incident response and compliance requirements. If a person unplugs their computer when they shouldn't? With the right monitoring equipment, log it and tag it as critical for human review based on x and y factors. What if four servers get thousands of brute force attempts on the same day? The SIEM could cross-reference that multi-system attack and tag the severity, number of affected systems, and send out warning emails. It would certainly meet NIST's RMF requirements for continuous monitoring and critical log alerts.
Of course, all this means that someone has to actively watch SIEM output. Someone has to tune that system for proper actions and reports. A badly-tuned SIEM might easily miss one hacking attempt and send out garbage reports about a port that keeps disconnecting due to faulty cable. An organization that gets annoyed by its SIEM might turn the warnings and alerts to silent. So, even the best tool--no matter how well-tuned and well-intentioned--could be useless without humans that care enough to pay attention to its management and monitoring.
Amir Jamil, Sectier (2010). The difference between SEM, SIM, and SIEM. Retrieved from: https://www.gmdit.com/NewsView.aspx?ID=9IfB2Axzeew=
Swift, David (2006). A Practical Application of SIM/SEM/SIEM Automating Threat Identification. Retrieved from: https://www.sans.org/reading-room/whitepapers/logging/practical-application-sim-sem-siem-automating-threat-identification-1781