2022/09/12 20:43:39

Security Information and Event Management (SIEM)

Security Information and Event Management (SIEM) is the general name for a class of software products that merges two categories previously used separately from each other: SIM (Security Information Management) and SEM (Security Event Management).


SIEM products analyze the security state of IT systems in real time, generate alerts and react to events produced by network equipment and applications.

The overall goal of this product category is to help companies respond quickly to attacks and security incidents, and to organize the information handled in the course of that work.

SIEM Market

2021: only 14% to 25% of companies were equipped with SIEM systems in Russia

On September 12, 2022, SearchInform announced a study of the practical use of security information and event management (SIEM) systems in Russian business. The survey covered 300 commercial, state and non-profit organizations from different sectors of the economy.

According to SearchInform, only 14% to 25% of companies were equipped with SIEM systems in 2021. The survey focused on the problems of implementing and operating such systems, including among critical information infrastructure (CII) subjects (58% of respondents), for whom the use of such software is effectively mandatory.

As the survey showed, two-thirds of these CII subjects have no SIEM system.

Representatives of some CII subjects say they do not need event monitoring systems at all. For example, the majority (56%) of healthcare respondents state that their organizations have no tasks for a SIEM and are unaware that, as CII subjects, they are obliged to implement such systems. Among all respondents, 19% of companies said they had no tasks for a SIEM.

Another 12% of survey participants are confident that the security tools they already have fully compensate for the absence of a SIEM. These are subjective assessments: in practice, organizations have almost no tools that could serve as an alternative to a SIEM and solve the same problems. For example, only 6% of respondents use a SOC or SOAR, and 3% use EDR/XDR. The situation with vulnerability scanners is better: they are installed in 47% of companies. But even this tool on its own does not cover the tasks of real-time threat monitoring.

(Chart omitted; respondents could select several answer options.)

The main reasons that hinder implementation are a lack of budget, the complexity of implementation and a lack of staff to operate the SIEM.

37% of respondents said they consider a SIEM too expensive: they could not find funds for the purchase and abandoned the idea. Even among companies where a SIEM is installed, 47% named getting the purchase budget approved as the biggest difficulty associated with the solution.

The situation is complicated by the fact that operating a SIEM can entail additional costs: a dedicated specialist to work with it, payment for technical support and customization, and additional licenses if licensing is calculated from peak traffic (the number of events from sources per unit of time) and the limits are exceeded.

Collectively, more than 70% of respondents consider working with a SIEM difficult: they fear excessive labor costs for implementation, configuration and customization. For 14% of the surveyed companies without a SIEM, the expected implementation effort was the main reason for not buying one.

Companies that already own the system complain about the difficulty of customization. Out-of-the-box functionality is insufficient: a third of respondents lack ready-made connectors for their sources, and 17% lack correlation rules, i.e. the logic that isolates an incident. Only 46% of companies manage to solve the problem on their own; the rest turn to vendors and integrators for help. This points to another problem: the lack of qualified staff to work with a SIEM.

For every fifth organization, the absence of specialized staff was the reason for not buying the solution. 58% of companies where a SIEM has already been implemented also complained about a staff shortage.

(Chart omitted; respondents could select several answer options; % of companies with a SIEM.)

The study showed that only 11% of companies were able to assign a dedicated specialist to the SIEM. In the overwhelming majority of cases, it is an additional burden on existing information security staff.

(Chart omitted; respondents could select several answer options; % of companies with a SIEM.)

Despite all the difficulties, none of the respondents doubts the effectiveness of a SIEM; even those who have not implemented one recognize its benefit. Companies understand that it is an important system for countering the growing number of threats: for 41% of solution owners this was the main motivation for implementation. Another popular reason for purchasing is the growth of the infrastructure and the appearance of specific sources in it, for example domestic software and equipment (40%). A further 36% are motivated by regulatory requirements.

"The widespread adoption of SIEM is hindered rather by the image of this class of products as 'expensive and complex' and intended exclusively for large companies. In reality, however, it all depends on the specific solution. Judging by our survey, the ideal SIEM should be inexpensive at the start and in operation, have good functionality and comply with regulatory requirements. SIEM is regularly used not only by IT specialists, but also by specialists of other profiles who may not have the special training of an administrator or developer. Therefore, the majority of respondents rely on extended support from the vendor: help with training, access to the knowledge base, help with customizing and configuring the system. In this sense, the market's turn toward domestic SIEM only plays into customers' hands: Russian developers are closer to the client and better understand their needs," said Pavel Pugach, a system analyst at SearchInform.

(Chart omitted; respondents could select several answer options.)

2020: Positive Technologies named the main technological trends in the development of SIEM systems

Positive Technologies experts named the most promising areas that will help SIEM systems better identify cyber incidents and prevent their consequences: the development of the expertise (expert content) built into the system, automated incident response, extending SIEM capabilities with traffic analysis technologies, analysis of what happens on endpoints, monitoring of user and entity behavior, the use of cloud services as a data source, and the delivery of SIEM under the as-a-service model.

Among the technologies affecting the development of SIEM systems, Positive Technologies specialists noted the development of the expertise built into the system. For the past 15 years, SIEM has commonly been talked about as a means of collecting logs from different systems and correlating them, and the analysis of the collected data has been limited to mapping correlation rules to the MITRE ATT&CK matrix. For quality security event monitoring this is not enough: what is needed are normalization rules, instructions for configuring and activating sources, packages of threat detection rules, descriptions of those rules, and recommendations on what to do when a rule fires. The coverage (penetration depth) of this technology is 50-60%, and the quality of implementation is average (3 points).

Another trend in the development of SIEM systems is the automation of incident response. According to a survey conducted by Positive Technologies, 25% of information security specialists spend two to four hours a day in the SIEM. Survey participants named work with false positives (tuning correlation rules) and incident analysis as the most labor-intensive tasks: 58% and 52% of respondents respectively. For 30% of specialists, configuring data sources and tracking their health takes a lot of time. This trend pushes SIEM systems toward another product class, SOAR. Technology coverage is 60-70%, and implementation quality is 3 points.

The third trend is the convergence of traffic analysis (NTA systems), log analysis (SIEM) and endpoint analysis (EDR). Without deep network analysis and EDR capabilities, monitoring is incomplete. In the next three years, traffic analysis will be seen as a prerequisite for a SIEM, and endpoint event analysis as a complement to its functionality. Technology coverage is 60-70%, implementation quality is 2 points.

The desire to see a single, unified picture of what is happening in the infrastructure on one screen will drive the addition of UEBA tools to SIEM: behavioral analysis of users and entities (processes, network nodes, network activity). The main difference between SIEM and UEBA is that a SIEM acts as a kind of constructor for collecting logs, whereas a UEBA solution builds behavioral models. Algorithms for finding and processing anomalies can use various methods (statistical analysis, machine learning, deep learning, etc.) that tell the operator which users and entities on the network have started to behave atypically and why that behavior is atypical for them. This is the fourth technology; its coverage is estimated at 70-80% and its implementation quality at 4 points.

The fifth direction of SIEM development is associated with clouds. According to a study by Enterprise Strategy Group commissioned by Dell Technologies and Intel, in 2019 approximately two-thirds (64%) of businesses planned to increase spending on public cloud platforms compared to the previous year. On the one hand, this forces vendors to add the most popular cloud services (AWS, Google Cloud Platform, Microsoft Azure) to the list of sources supported by the SIEM by building connectors to the clouds; on the other, to learn to deliver SIEM under the as-a-service model by adding cloud-specific ways of deploying, configuring and operating the SIEM (virtual and cloud appliances). According to Positive Technologies' expert estimates, the coverage of this technology is 60-70% and implementation quality is 3 points.

2017 Gartner Data

Gartner estimates worldwide spending on SIEM software in 2017 at about $2.4bn[1]. The research firm expects SIEM spending to grow to about $2.6bn in 2018 and $3.4bn in 2021.

2009-2015 (Frost & Sullivan forecast)

It is worth noting that year after year SIEM systems take significant steps forward, becoming a necessary IT tool for modern enterprises. This is primarily due to two vectors in the development of IT in general: centralization and virtualization. SIEM systems centralize the storage and management of information about events in the IT infrastructure, and many vendors offer versions that can be deployed in a virtual environment.

According to a 2011 report by the analyst firm Frost & Sullivan, the global market for SIEM solutions will almost double between 2009 and 2015.

Figure 3. SIEM Global Market

The state of affairs on the world market maps fairly directly onto the Russian market.

Figure 4. Russian SIEM market

2012

The main players in the market are shown in Figure 2. According to a study conducted with specialists working for SIEM vendors and distributors, market shares were distributed as follows (Figure 1).

Figure 1. Player shares in the Russian market

HP ArcSight was one of the first to enter the Russian market and, despite growing competition, continues to hold the leading position in its segment.

The following vendors offer a wide product line, are known on the Russian market, have representative offices and invest in the development of their products, all of which leads to growth in sales and market share.

"Others" includes vendors such as Splunk and Tibco LogLogic, which have high-quality products and specialize exclusively in SIEM. These vendors are taking their first steps in the Russian market, but their pricing policy, functionality and a product line designed for organizations of any size allow them to count on successful promotion.

Figure 2. Key players in the SIEM market

For a long time, only large companies with a sizeable annual IT budget could afford a SIEM. In recent years, however, all-in-one systems have appeared, in which the mechanisms for collecting, storing, searching, normalizing and correlating information are implemented in a single box. Products such as HP ArcSight Express, Tibco LogLogic MX, McAfee Nitro ESM and the QRadar 2100 All-in-One appliance provide SIEM functionality sized for the needs of small and medium-sized companies.

There were also many high-profile mergers this year. Originally the systems were divided into SEM and SIM products and therefore gravitated toward the corresponding functionality, implementing the other only partially. In 2011-2012, the large SIEM players tried to fill their systems with as much SIM and SEM functionality as possible.

McAfee absorbed NitroSecurity, strengthening its SIEM with SEM functionality. HP, a leader of the IT market, acquired ArcSight and invested new funds in the vendor's products in order to maintain market leadership. Q1 Labs' QRadar fit neatly into IBM's portfolio, replacing the outdated Tivoli line. Tibco acquired LogLogic, bringing new analytical capabilities into its SIEM functionality, visualizing everything happening on the network and making it possible to investigate security incidents in real time.

2007

In 2007, the research firm IDC predicted that the global SIEM market would grow from $380 million to $873 million by 2010. RSA Security at the same time estimated annual market growth at between 25% and 35%.

In 2007, analysts saw the prospects of SIEM in the fact that the technology is well suited to meeting compliance requirements and preparing reports. It helps to understand internal and external IT threats. Products of this category improve the efficiency of interaction between people and systems and help reduce administration costs. A SIEM can be managed flexibly and can become a monetizable service.

SIEM Tasks and Functions

Gartner analysts believe that companies today face two important problems when implementing SIEM solutions: a shortage of investment at the initial stage, and later the need to find budget for new system capabilities to solve pressing problems, or the purchase of unnecessary functions, which ultimately leads to overpaying the supplier for an unused solution and its maintenance.

Gartner analysts advise heads of information security and risk management to adhere to several important rules:

  • Use centralized log management (CLM) tools to monitor security events even when the budget for SIEM implementation is limited.
  • Make use of existing information systems and tools to collect and manage security events in SMBs.
  • Take a step-by-step, multi-tier approach, using CLM tools when planning a SIEM, to avoid unnecessary spending on unneeded functions and non-priority additional licenses at the start.
  • Use CLM tools to manage SIEM investments better if the existing tool cannot scale information collection and analysis because of budget constraints.


Tasks of a SIEM:

  • collecting, consolidating and storing event logs received from various sources: network devices, applications, OS logs, security tools and systems
  • tools for analyzing events and investigating security incidents
  • correlation and rule-based processing
  • automatic notification and incident management

Modern systems and products of this category can detect:

  • network attacks on the internal and external network perimeter
  • virus activity and individual infections that were not removed (viruses, backdoors and Trojans)
  • unauthorized access attempts
  • fraud
  • errors and failures in the operation of information systems
  • vulnerabilities
  • configuration errors in security and information systems

Stages of SIEM and SOC Use

Most often, Russian SIEM users apply ready-made (vendor-developed) rules and reports: correlation of events from the Windows platform, analysis of network traffic recorded via NetFlow, monitoring of compliance with the PCI DSS standard, and more recently also monitoring of compliance with NERC CIP, the standard for the security of power supply infrastructure.

After the implementation and operation of a SIEM, the logical next stage in raising a company's cyber security is building its own security incident monitoring and response center (SOC), or turning to external providers of SOC services. The SOC market is about two years younger than the SIEM market. Younger still is the market for commercial SOCs providing incident monitoring and response as a service[2].

Building an in-house SOC makes sense for a company only if its corporate information security is mature enough to define the SOC's purpose and operating mode, document its functioning, organize the interaction of the participants in SOC processes, manage those processes, assess their effectiveness and, finally, analyze the results and develop the SOC further. Often the better choice for a company turns out to be relying on the competencies of a SOC service provider.

SIEM Sources and Rules

The universal logic of SIEM products rests on sources and correlation rules: any event can be submitted to the SIEM for processing, so what the system can actually detect is determined by the sources connected to it and the correlation rules written for them.

The choice of sources is determined by the following factors:

  • criticality (significance) of the system and its information
  • reliability and informativeness of the source
  • coverage of information transmission channels
  • the range of IT and security tasks (continuity, incident investigation, policy compliance, prevention of information leaks, etc.)

Security experts see the following set of information sources for a SIEM:

  • access control and authentication systems: to monitor access to information systems and the use of privileges
  • server and workstation event logs: for access control, continuity and compliance with security policies
  • active network equipment: changes, access control, network traffic parameters
  • IDS/IPS (intrusion detection/prevention systems): network attack events, configuration changes and device access
  • antivirus protection: events about software health, signature databases, configuration and policy changes, malware
  • vulnerability scanners: inventory of assets, services, software and vulnerabilities; network topology
  • GRC systems: risk, threat criticality, incident prioritization
  • other security policy enforcement and control systems
  • software asset inventory and management systems: to monitor infrastructure assets and identify new ones
  • NetFlow and traffic accounting systems

Examples of events

  • Network attacks
  • Fraud
  • Where and when accounts were locked
  • Configuration changes made by non-administrators
  • Privilege escalation
  • Detection of unauthorized services
  • Login under the account of a dismissed employee
  • No antivirus protection on a newly installed computer
  • Critical configuration changes made over VPN connections
  • Control of commands executed on servers and network equipment
  • Audit of configuration changes (network devices, applications, operating systems)
  • Compliance with legislative and regulatory requirements (PCI DSS, STO BR IBBS, ISO 27xxx)
  • Abnormal user activity (bulk deletion/copying)
  • Virus outbreak detection
  • Detection of a vulnerability from a software installation event
  • Alert on an active vulnerability when a previously disabled service is started
  • Detection of time-distributed attacks
  • Impact of infrastructure failures on business processes
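The two lists above (the SIEM tasks of collecting, normalizing, correlating and alerting, and the example events such as a brute-force login, a login under a dismissed employee's account, a critical configuration change over VPN, and a previously disabled service starting) can be illustrated with a small correlation engine. The code below is an added example written for this page, not code from the original article or from any vendor. The log format, the host names, the `TERMINATED` list (standing in for an HR feed), the `DISABLED_SERVICES` set and the VPN address range are all constructed assumptions; the sample log lines are constructed too.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the original page).
# Format: ISO timestamp, source host, event type, then key=value fields.
SAMPLE_LOG = """\
2024-05-01T09:00:01 dc01 logon_failure user=jsmith src=10.0.5.23
2024-05-01T09:00:03 dc01 logon_failure user=jsmith src=10.0.5.23
2024-05-01T09:00:05 dc01 logon_failure user=jsmith src=10.0.5.23
2024-05-01T09:00:07 dc01 logon_failure user=jsmith src=10.0.5.23
2024-05-01T09:00:09 dc01 logon_failure user=jsmith src=10.0.5.23
2024-05-01T09:00:12 dc01 logon_success user=jsmith src=10.0.5.23
2024-05-01T09:15:00 vpn01 logon_success user=ipetrov src=203.0.113.9
2024-05-01T09:15:30 fw01 config_change user=ipetrov src=203.0.113.9 object=acl-dmz
2024-05-01T10:02:00 dc01 logon_success user=akuznetsov src=10.0.7.8
2024-05-01T11:00:00 srv07 service_start user=root service=telnet
"""

# Assumed context feeds that a real SIEM would pull from HR, CMDB and the VPN gateway.
TERMINATED = {"akuznetsov"}            # accounts of dismissed employees (assumed)
DISABLED_SERVICES = {"telnet", "ftp"}  # services disabled for known vulnerabilities (assumed)
VPN_RANGES = ("203.0.113.",)           # VPN client address prefix (assumed)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse(line):
    """Normalize one raw line into a flat event dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, etype, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": etype, **fields}


def normalize(raw):
    """Collection + normalization step: raw text -> list of event dicts."""
    return [ev for ev in (parse(line) for line in raw.splitlines()) if ev]


def correlate(events, fail_threshold=5, window=timedelta(minutes=1)):
    """Apply four correlation rules in time order; returns (rule, subject) alerts."""
    alerts = []
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent logon failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev.get("user"), ev.get("src"))
        q = failures[key]
        while q and ev["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if ev["type"] == "logon_failure":
            q.append(ev["ts"])
        elif ev["type"] == "logon_success":
            # Rule 1: N failures then a success from the same (user, src) inside the window.
            if len(q) >= fail_threshold:
                alerts.append(("brute_force_then_success", ev["user"]))
                q.clear()
            # Rule 2: successful logon under a dismissed employee's account.
            if ev["user"] in TERMINATED:
                alerts.append(("terminated_account_logon", ev["user"]))
        elif ev["type"] == "config_change" and ev.get("src", "").startswith(VPN_RANGES):
            # Rule 3: critical configuration change made from a VPN address.
            alerts.append(("critical_config_change_via_vpn", ev["user"]))
        elif ev["type"] == "service_start" and ev.get("service") in DISABLED_SERVICES:
            # Rule 4: a previously disabled (vulnerable) service was started.
            alerts.append(("disabled_service_started", f"{ev['host']}:{ev['service']}"))
    return alerts


def run(raw=SAMPLE_LOG):
    return correlate(normalize(raw))


if __name__ == "__main__":
    for rule, subject in run():
        print(f"ALERT {rule}: {subject}")
```

Each rule keys on the normalized fields rather than on raw text, which is what lets the same rule work across different sources once their connectors emit the same field names. The sliding window in rule 1 is what makes the rule cheap at scale: state is bounded by the window, not by the total event volume.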

SIEM Components

  • agents installed on the monitored information system (relevant for operating systems): an agent is a resident program (service, daemon) that collects event logs locally and, where possible, sends them to the server
  • collectors within agents, which are essentially modules (libraries) for understanding a specific event log or system
  • collector servers, designed to pre-accumulate events from multiple sources
  • a correlator server, responsible for gathering information from collectors and agents and processing it according to correlation rules and algorithms
  • a database and storage server, responsible for storing event logs


A SIEM can correlate:

  • a known threat described by a correlation rule
  • a threat matching a generic template
  • an anomaly, i.e. a deviation from the established baseline of the protected system
  • a deviation from a default-deny policy ("everything not explicitly allowed is forbidden"; not possible in all SIEMs)
  • causal relationships between events
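The third item above, an anomaly as a deviation from a baseline, is the statistical end of the UEBA approach described in the 2020 trends section, and it covers the "abnormal user activity (bulk deletion/copying)" event from the examples list. The block below is an added illustration written for this page, not code from the article or from any UEBA product: it builds a per-user baseline from historical daily counts and flags a day that sits far outside it. The `HISTORY` and `TODAY` figures are constructed; the threshold of three standard deviations, the minimum spread of 1.0 and the absolute floor of 20 events are assumed tuning values.

```python
import statistics

# Constructed 14-day history of file-delete events per user per day (not from the page).
HISTORY = {
    "jsmith":     [12, 9, 15, 11, 10, 14, 13, 8, 12, 11, 9, 10, 13, 12],
    "ipetrov":    [0, 1, 0, 0, 2, 0, 1, 0, 0, 0, 1, 0, 0, 1],
    "svc_backup": [500, 480, 510, 495, 505, 490, 520, 500, 498, 503, 497, 501, 499, 502],
}
# Constructed counts for the day under review.
TODAY = {"jsmith": 14, "ipetrov": 37, "svc_backup": 515}


def baseline(samples):
    """Mean and population standard deviation of a user's own history."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def score(user, today, k=3.0, min_sigma=1.0, floor=20):
    """Return (is_anomalous, threshold) for one user's count on one day.

    k        -- how many standard deviations above the mean count as abnormal (assumed)
    min_sigma-- guard for near-constant histories, where sigma ~ 0 would make
                any change an 'anomaly' (assumed)
    floor    -- absolute minimum count; a jump from 0 to 5 deletes is not worth
                an analyst's time even if it is statistically extreme (assumed)
    """
    mean, sigma = baseline(HISTORY[user])
    threshold = mean + k * max(sigma, min_sigma)
    return (today > threshold and today >= floor), round(threshold, 1)


def detect(today=TODAY):
    """Users whose activity today deviates from their own baseline."""
    return sorted(user for user, count in today.items() if score(user, count)[0])


if __name__ == "__main__":
    for user, count in TODAY.items():
        flagged, threshold = score(user, count)
        print(f"{user:12s} today={count:4d} threshold={threshold:7.1f} {'ANOMALY' if flagged else 'ok'}")
```

Note what a per-entity baseline buys over a fixed rule: `svc_backup` deleting 515 files is normal for that account, while `ipetrov` deleting 37 is not, even though 37 is far below 515. A single global threshold could not express both. The two guards matter in practice: without `min_sigma`, an account that never deletes anything would alert on its first legitimate deletion, and without `floor` the SIEM would page on statistically odd but operationally trivial counts.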

Ways to optimize the cost and performance of SIEM systems

Security information and event management (SIEM) systems often act as the nerve center of corporate systems and become a key part of a successful information security strategy. However, the sheer volume of data that companies collect, store and process is rapidly spiralling out of control. It is so large that you either have to keep increasing the SIEM budget or hope that serious attacks pass you by. It should also be remembered that a SIEM's analysis and reporting are only as good as the foundation of any SIEM: the logs[3][4][5].

Optimizing a SIEM (to reduce costs or increase efficiency) is most conveniently and productively done by improving the log management process. Following the advice below, you can improve the operation of your SIEM and simplify the work of your security team.

Tip 1. Avoid compatibility problems. The quality of security event analysis depends directly on the quality of the source data. Since most organizations run a very diverse fleet of equipment, among log collection and management tools it is best to choose those with the widest support for different log formats (plain text files, database sources such as SQL and Oracle, and SNMP traps, in addition to the usual syslog formats).

Tip 2. Send only valuable information to the SIEM. The tool that feeds the SIEM should be able to process and forward both structured and unstructured data. It should also provide general-purpose functions such as filtering, parsing, transforming and classifying logs. With these capabilities you will send only the most valuable security events to the SIEM. The cost of a SIEM license priced by event volume drops significantly (real deployments report savings of around 40% per year), and analysts receive a compact, restructured stream of log data that is easier to analyze.

Tip 3. Make sure that your log storage complies with the regulations that apply to you. Transformation features such as anonymization and pseudonymization are very important for complying with international data protection and privacy standards such as PCI DSS, HIPAA and the EU's new GDPR.
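Tips 2 and 3 describe one pre-processing stage between the sources and the SIEM: drop noise, parse and classify what remains, and pseudonymize personal identifiers before the events reach SIEM storage. The block below is an added example written for this page, not code from the article or from any log management product. The BSD-syslog sample lines, the noise patterns, the event classes and the `PSEUDONYM_KEY` are all constructed assumptions.

```python
import hashlib
import hmac
import re
from collections import Counter

# Assumed secret for keyed pseudonymization. It must live outside the SIEM:
# whoever holds it can re-identify users, so storing it next to the logs
# would defeat the purpose.
PSEUDONYM_KEY = b"rotate-me-in-production"

# Constructed BSD-syslog lines (not from the page): health checks and cron noise
# mixed with SSH authentication and a sudo-to-root event.
SAMPLE = """\
<134>May  1 09:00:01 web01 nginx: 10.0.5.23 - - "GET /healthz HTTP/1.1" 200
<134>May  1 09:00:01 web01 nginx: 10.0.5.23 - - "GET /healthz HTTP/1.1" 200
<131>May  1 09:00:02 web01 sshd[2211]: Failed password for jsmith from 198.51.100.7 port 51022 ssh2
<131>May  1 09:00:04 web01 sshd[2211]: Failed password for jsmith from 198.51.100.7 port 51024 ssh2
<134>May  1 09:00:05 web01 nginx: 10.0.5.23 - - "GET /healthz HTTP/1.1" 200
<134>May  1 09:00:06 web01 sshd[2211]: Accepted password for jsmith from 198.51.100.7 port 51030 ssh2
<135>May  1 09:00:07 web01 cron[300]: (root) CMD (run-parts /etc/cron.hourly)
<132>May  1 09:00:09 web01 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/bash
"""

# <PRI>timestamp host program[pid]: message
SYSLOG_RE = re.compile(r"^<(\d+)>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")

# Assumed noise: events with no security value that only burn EPS licence.
NOISE = (re.compile(r'"GET /healthz '), re.compile(r"^\(root\) CMD \(run-parts"))

# Assumed classification rules; group 1 is the user, group 2 (if any) the source address.
CLASSES = [
    ("auth_failure",    re.compile(r"Failed password for (\S+) from (\S+)")),
    ("auth_success",    re.compile(r"Accepted \w+ for (\S+) from (\S+)")),
    ("priv_escalation", re.compile(r"^(\S+) : .*USER=root")),
]


def pseudonymize(value):
    """Keyed, deterministic token: the same user always maps to the same token,
    so correlation still works downstream, but reversing it needs the key.
    A plain unkeyed hash of a username would fall to a dictionary attack."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def process(raw):
    """Filter -> parse -> classify -> pseudonymize. Returns (events, stats)."""
    kept, stats = [], Counter()
    for line in raw.splitlines():
        stats["in"] += 1
        m = SYSLOG_RE.match(line)
        if not m:
            stats["unparsed"] += 1   # count, do not silently drop: unparsed != worthless
            continue
        pri, ts, host, prog, msg = m.groups()
        if any(rx.search(msg) for rx in NOISE):
            stats["dropped"] += 1
            continue
        cls, user, src = "other", None, None
        for name, rx in CLASSES:
            cm = rx.search(msg)
            if cm:
                groups = cm.groups()
                cls, user = name, groups[0]
                src = groups[1] if len(groups) > 1 else None
                break
        for value in (user, src):
            if value:
                msg = msg.replace(value, pseudonymize(value))  # scrub the free text too
        kept.append({
            "ts": ts, "host": host, "prog": prog, "class": cls,
            "facility": int(pri) >> 3, "severity": int(pri) & 7,
            "user": pseudonymize(user) if user else None,
            "src": pseudonymize(src) if src else None,
            "msg": msg,
        })
    stats["out"] = len(kept)
    return kept, stats


if __name__ == "__main__":
    events, stats = process(SAMPLE)
    print(dict(stats))
    for ev in events:
        print(ev["class"], ev["severity"], ev["user"], ev["msg"])
```

In this constructed sample half the lines are dropped before they reach the SIEM, which is the licensing saving Tip 2 talks about. The events that remain still carry the fields correlation rules need (class, severity, a stable user token, a stable source token), which is what makes pseudonymization compatible with detection: the brute-force rule from the earlier example keys on the user and source tokens, not on their cleartext values. Unparsed lines are counted rather than silently discarded, because a sudden rise in that counter usually means a source changed its format, not that it stopped producing anything worth keeping.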

Tip 4. Compress your logs on low-bandwidth networks. Depending on the bandwidth of your Internet and intranet links, your log management tool should be able to work even with very limited connectivity and transfer rates. On-the-fly log compression can significantly reduce traffic and speed up the central log server, which improves response times to potential security or operational risks.

Tip 5. Make sure you lose zero logs. What happens if you lose one event? Most likely nothing, unless it is the only sign of a breach in progress. Message loss prevention features such as buffering, automatic failover for delivery, message rate control and application-level acknowledgement are essential. It is also important to notice in time that a missing message signals a temporary failure of the log collection infrastructure or its inability to cope with the load.

Tip 6. Rich functionality must be backed by highly scalable and reliable performance. Specialized tools with fault-tolerant architectures handle traffic from a few hundred messages to hundreds of thousands of events per second. There are a huge number of moving parts, dependencies and variables involved, but in the general case, unless you are a giant like Amazon or Facebook, the volume of data should not be a problem, even with active indexing enabled.

Tip 7. Integrate privileged user activity monitoring data and keep it up to date. Although most user actions leave a trace in logs, some of them (especially those performed by privileged users over remote-control protocols such as SSH or RDP) are not reflected in the logs or data the SIEM analyzes. By integrating the SIEM with a privileged activity monitoring solution, you can analyze the actions of the highest-risk employees in real time and thus prevent the cyber attacks with the worst consequences and the misuse of privileged accounts.

Tip 8. Prioritize SIEM alerts. Does your company receive too many logs? Does the SIEM generate many false positives? Is a small security team overloaded and unable to investigate every incident immediately? A security analyst has only about seven minutes per SIEM alert to find the source of a breach, whether it is an APT attack or a phishing email. Using the privilege level of the user who triggered the alert, and whether their behavior in that situation differs from their usual daily activity, you can identify the most serious security holes in the IT infrastructure. After all, your company implemented a SIEM to drastically reduce the time it takes to detect, respond to and investigate potential threats and return the enterprise to a fully protected state.

Example Hierarchy Based on SIEM

A domestic (Russian) company offers its own development of this kind.

Hierarchical Information Security Event Management System based on SIEM

See also: AMTSOC SIEM Service Model
