2019-07-07T09:13:00Z
Miriam Tover - PeerSpot reviewer
Service Delivery Manager at PeerSpot (formerly IT Central Station)

What Is SIEM Used For?

SIEM is one of the fastest trending topics on IT Central Station. Why do companies need to purchase SIEM?

Is it due to compliance reporting, system monitoring, intrusion detection, or something else? Why is it so important?


    17 Answers
    Sofiane Medhkour - PeerSpot reviewer
    Head System /Solution Architect at sorfert
    Real User
    2019-07-14T09:07:41Z
    Jul 14, 2019

    SIEM provides real-time analysis of security alerts generated by applications and network hardware.
    It’s important as it will be the centralized point where you get security event reports for the whole infrastructure and the place where the first action is taken.

    You can buy it as software (there are a lot of solutions), but you need a security analyst to follow it, or you can buy it as a service.

    it_user970365 - PeerSpot reviewer
    Cybersecurity Practice Lead at a tech services company with 201-500 employees
    Real User
    2019-07-09T07:09:27Z
    Jul 9, 2019

    The answer is: all of the above.

    From a technical point of view, if you have a lot of sources that generate security alerts/events, you will need a SIEM to help you manage these alerts (collect, analyze, correlate, etc.) and determine how you can respond to them appropriately. Having this system will make it a lot easier for your team to identify and respond to incidents.

    From the business view, it helps with preventing downtime due to incidents, identifying problem areas in the network, and even understanding how the network and people operate normally on a daily basis. And depending on your company's industry (i.e. Finance, Telco), SIEMs are required by regulatory or industry standards. In some countries, banks are required to have a SIEM for the security of their network systems.

    Though SIEMs seem to be a necessity given what they can do, they may not be for everyone. Small companies/networks may not generate many alerts/events, so a SIEM will not be helpful. Also, consider the cost and operation of a SIEM. If you have a small network yet require a SIEM for compliance, you may be better off with SIEM as a service.

    Thang Le Toan (Victory Lee) - PeerSpot reviewer
    CIO at Robusta Technology & Training
    Real User
    Top 10
    2019-07-09T02:28:35Z
    Jul 9, 2019

    A SIEM system provides real-time analysis of security alerts generated by application tools, platforms, network hardware, virtual networks, physical servers or workstations, and virtualization VMs.
    This term is somewhat of an umbrella for security software packages ranging from Log Management Systems to Security Log / Event Management, Security Information Management, and Security Event correlation.

    We often divide them into three groups of tools:
    Group 1: collecting information, even in real time, and analyzing basic data in place (usually configuration information, software information, copyright) as a basis for fixed-asset control information.
    Group 2: in addition to the information collection feature, it also analyzes quickly, assesses error status and incident information, records events, and also monitors consoles remotely, or has integrated tickets for KB, troubleshooting, chat conference, and ITIL / IT Helpdesk platforms.
    Group 3: integrating IPS, IDS, firewall, NetFlow and Squid proxy to help with system log analysis, SSO authentication logs, transaction logs for email servers, web logs, DC logs, etc.
    Therefore, depending on the needs of the enterprise, we choose the tools to suit each group, for example: Spiceworks, ManageEngine, SolarWinds Security Event Manager, Micro Focus ArcSight ESM, Splunk Enterprise Security, LogRhythm Security Intelligence Platform, AlienVault Unified Security Management, RSA NetWitness or IBM QRadar, VM Turbonomic, VeeamOne, etc.

    SL
    Systems Analyst at bercell integrated technologies
    Real User
    2019-07-08T20:49:07Z
    Jul 8, 2019

    A SIEM is an application that allows an organization to monitor network transactions from within their own network and also external sources.

    SIEMs may provide many features, from basic logging of network transactions to alarms, automatic responses/actions to specific events – without the involvement of a human user.
    Also, SIEMs may be acquired through ownership of the application or as a service. Supporting your own SIEM requires extensive security knowledge and 24-hour availability. As a service, the SIEM requires help with the configuration and periodic input with changes and adjustments, but not specific security knowledge or people available 24 hours a day. The cost varies based on features, service, support, and technologies.

    While SIEMs are available on local servers within the organization, they are also available from the cloud. The cloud environment may be a more flexible and cost-effective option.

    The SIEMs have at least two (2) main purposes: security and compliance reporting. Examples for security: external security breach attempts, internal data breaches, malware prevention, etc. Examples of compliance reporting: an organization may not be able to report anything regarding compliance if the organization is not aware of the transactions that occur on their network(s). There are other reasons why an organization may employ a SIEM, and these are addressed by additional features provided by the application.

    The SIEM application is only one component that should be considered when addressing security and compliance requirements. Employing a SIEM by itself will not be a complete solution for the present security and privacy requirements. The SIEM should be considered as part of the solution, together with the following products or services:
    - Policy and Governance (GRC applications/solutions)
    - Vulnerability Risk Assessment
    - Log retention (certain privacy and security legislation/policies ask for log history for compliance)
    - Remediation services (once a security event happens – example a data breach, the network environment has to be restored to a safe original state); a SIEM provides the proper knowledge of what happened using forensic analysis on the logs generated and therefore helps in restoring the network environment to a safe state faster.
    - Reporting and notifications in cases when a security breach happens.
    - User training at consistent intervals (for example, once a month) – through automated training and, at least twice a year, teacher-assisted.

    All the above are components of a complete solution. Considering, employing and preparing for each of these components assures an organization of the value of its investment.

    CP
    President, Managing Member with 51-200 employees
    User
    2019-07-08T18:22:31Z
    Jul 8, 2019

    I try to relate SIEM to a person’s life to help to understand. Here’s how I explain:

    What is SIEM:
    * Security is mostly focused on “building a fence” around our IT environment with a combination of hardware and software solutions.
    * That “fence” is being hit constantly by both legitimate users entering our IT environment and those trying to penetrate that have bad intent.
    * SIEM deployed at the monitor/triage level is how we watch the “fence” to ensure that there are no holes that have opened, and no one has gone through a hole or around our “fence” that shouldn’t be allowed into our environment.
    * Alerts from SIEM applications need to be triaged by individuals who understand what they are seeing in the alerts.
    * Most alerts represent a legitimate business or non-threatening activity.
    * Alerts that are not legitimate or dangerous are then handled appropriately. I recommend an escalation matrix that directs the type of response based on the type of threat, the impact of the machine(s)/device(s) affected, the risk of propagation in the environment and the impact to operations.
    * SIEM, for the most part, is a reactive process but, it also identifies risk areas that should be acknowledged in a risk log and/or addressed with a proper solution.

    Compliance/Legal:
    * Compliance requirements are typically dictated by the type of business being conducted and require careful analysis of any Federal, State, Local, International or other agency/association requirements.
    * Utilizing SIEM to keep your “fence” in good health helps show that you are exercising sufficient “duty of care” in case you do have a breach and are sued.
    Cost Decision:
    * Any spending beyond a regulatory requirement for security spending should have a risk/cost analysis.
    * Spend too much and hurt your ability to be financially viable. Spend too little and risk losing your business.
    * The decision is similar to how one might handle personal healthcare, nutrition, and physical training. I find that businesses tend to invest in security much like people invest in their health:
    * Regulated Business/High Performance/High Risk:
    * Pro Athlete: 100% medical coverage, nutritionist prepared training diet, private personal trainer.
    * Strong/Successful/Growing Business/Medium Risk:
    * Moderately Fit Lifestyle: Medical with a deductible, usually eats healthy, works out regularly on their own or in group classes at the gym.
    * Newer/Smaller Business/Low Risk:
    * Casual Lifestyle: Medical with deductible, diet varies (sometimes focused sometimes not), casual activity, occasional gym.
    * Low Margin/Income Business/Bankruptcy is the alternate plan for any major business challenges:
    * Sedate Lifestyle: No medical insurance, diet varies, casual activity.

    My website is being rebuilt and doesn’t reflect anything about our security services (or much else). I get all of my business from referrals and haven’t touched it in about 7 years. It’s getting a complete rebuild now because we are adding a client portal and bolting on a new front end at the same time that actually looks professional.

    Avraham Sonenthal - PeerSpot reviewer
    Senior Network Engineer at a government with 5,001-10,000 employees
    Real User
    Top 5Leaderboard
    2019-07-08T18:17:45Z
    Jul 8, 2019

    Security Incident and Event Management (SIEM) is an automated way to detect patterns that might indicate a security incident. Usually, the SIEM product will collect logs from all the networking devices and resources in an environment, and use AI or other logic to correlate them and identify potential attacks. For example, a former employee might log in to the network, plus there is a failed access to a database using the same credentials. A SIEM can identify that as a suspected attack. The virtue of a SIEM is in its ability to spot these correlations. That is why it is good.

    If your organization has a robust security department SIEM could be a good tool to have. It also may be required by audit. It would also be useful in the clearance space where defense and spy agencies may be subject to a hostile cyber attack. Engineering companies like Boeing or Rolls Royce would certainly need such a tool to identify attacks from rogue states such as China and Russia who are known to sponsor the theft of intellectual property from other nations. It requires someone at the organization to be trained on the SIEM and dedicated to monitoring it. Otherwise, it is of limited value except for audit requirements.
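    The "former employee logs in, then a database access with the same credentials fails" scenario above is a classic correlation rule. The block below is an added example, not code from the thread or from any SIEM vendor: it normalizes two constructed log sources (an invented VPN gateway format and PostgreSQL-style authentication failures) into one event schema, joins them on the account name inside a time window, and grades each hit against a terminated-accounts feed so that the common, benign hits (someone mistyping a database password) are separated from the one that warrants escalation. All hostnames, accounts, IP addresses and the terminated-accounts list are constructed for the example.

```python
"""Added example (not from the thread): a minimal SIEM-style correlation rule.

Scenario being detected: an account that HR has marked as terminated logs in
through the VPN and, shortly afterwards, fails to authenticate to a database.
Everything below (hosts, users, IPs, log formats, the HR feed) is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed VPN gateway log (invented format).
VPN_LOG = """\
2019-07-08T17:01:12Z vpn-gw1 sslvpn: user=jdoe src=198.51.100.7 action=login result=success
2019-07-08T17:02:40Z vpn-gw1 sslvpn: user=asmith src=203.0.113.9 action=login result=success
2019-07-08T17:05:03Z vpn-gw1 sslvpn: user=jdoe src=198.51.100.7 action=logout result=success
"""

# Constructed database server log (PostgreSQL-like wording, invented content).
DB_LOG = """\
2019-07-08T17:03:15Z db-prod1 postgres[4412]: FATAL: password authentication failed for user "jdoe"
2019-07-08T17:03:30Z db-prod1 postgres[4413]: LOG: connection authorized: user=asmith database=crm
2019-07-08T17:04:00Z db-prod1 postgres[4414]: FATAL: password authentication failed for user "asmith"
2019-07-08T18:30:00Z db-prod1 postgres[4520]: FATAL: password authentication failed for user "jdoe"
"""

# Constructed enrichment feed: accounts HR has marked as terminated.
TERMINATED_ACCOUNTS = frozenset({"jdoe"})

VPN_LOGIN_RE = re.compile(
    r"^(\S+) (\S+) sslvpn: user=(\S+) .*action=login result=success$"
)
DB_FAIL_RE = re.compile(
    r'^(\S+) (\S+) postgres\[\d+\]: FATAL: password authentication failed for user "([^"]+)"$'
)


@dataclass(frozen=True)
class Event:
    """One normalized event: the common schema a SIEM maps heterogeneous logs onto."""
    ts: datetime
    host: str
    user: str
    kind: str  # "vpn_login" or "db_auth_fail"


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(vpn_log: str, db_log: str) -> list[Event]:
    """Parse both raw sources into Events, dropping lines this rule does not need."""
    events: list[Event] = []
    for line in vpn_log.splitlines():
        m = VPN_LOGIN_RE.match(line)
        if m:
            events.append(Event(parse_ts(m[1]), m[2], m[3], "vpn_login"))
    for line in db_log.splitlines():
        m = DB_FAIL_RE.match(line)
        if m:
            events.append(Event(parse_ts(m[1]), m[2], m[3], "db_auth_fail"))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: list[Event], terminated: frozenset[str],
              window: timedelta = timedelta(minutes=15)) -> list[dict]:
    """Rule: a VPN login followed, within `window`, by a DB auth failure for the same account.

    Each hit is graded: a terminated account is "high" (the scenario in the post);
    anyone else is "low" (usually a mistyped password, routed to the triage queue
    rather than escalated).
    """
    logins = [e for e in events if e.kind == "vpn_login"]
    alerts: list[dict] = []
    for fail in (e for e in events if e.kind == "db_auth_fail"):
        for login in logins:
            gap = fail.ts - login.ts
            if login.user == fail.user and timedelta(0) <= gap <= window:
                alerts.append({
                    "user": fail.user,
                    "login_host": login.host,
                    "fail_host": fail.host,
                    "seconds_between": int(gap.total_seconds()),
                    "severity": "high" if fail.user in terminated else "low",
                })
    return alerts


def run_rule() -> list[dict]:
    """Run the rule over the constructed logs and return the alert list."""
    return correlate(normalize(VPN_LOG, DB_LOG), TERMINATED_ACCOUNTS)


if __name__ == "__main__":
    for alert in run_rule():
        print(alert)
```

    Run as a script, it produces two alerts: a high-severity one for jdoe (terminated account, VPN login followed 123 seconds later by a database authentication failure) and a low-severity one for asmith (same pattern, active account). The 18:30 failure for jdoe falls outside the 15-minute window and is not raised; in a production SIEM that window, the enrichment feed and the severity mapping are exactly the knobs an analyst tunes to keep the alert volume triageable.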

    Christian Caldarone - PeerSpot reviewer
    ISO (Information Security Officer) with 10,001+ employees
    Real User
    2019-07-08T14:37:51Z
    Jul 8, 2019

    It is so important because it will enable you to have this single-pane-of-glass view onto all the security-related information from your infrastructure and even beyond. Getting an idea about the big picture is really essential for everything in security, so a SIEM is the right tool to achieve this. Furthermore, it is hard to find (the right) patterns in millions upon millions of lines of information without the help of a SIEM, because a SIEM usually provides the necessary algorithms and correlation rules to bring the patterns in question to your attention. This is also often referred to as "finding the needle in the haystack".

    JH
    Security Engineer at Managed Technology Services LLC
    Real User
    2019-07-08T13:29:27Z
    Jul 8, 2019

    A SIEM is a tool which sorts logs and alerts on security-related events, customizable for a business’s needs and regulatory compliance requirements. Many certifications like ISO 27001 and SOC 2 require that there be active monitoring of networks and computer systems to ensure data confidentiality, integrity, and availability.

    A good SIEM will update itself with new signatures and behavioral patterns to be able to identify malicious activities and behaviors or threat actors by collating logs from various devices and endpoints on your network. A SIEM can augment and enhance the work done by security analysts in identifying problems and prevent costly, damaging attacks like ransomware outbreaks, theft of intellectual property or financial fraud. They also have the benefit of being online 24/7, whereas a staff of at least three analysts would be needed to provide the same coverage.

    Though a SIEM is primarily designed to catch security-related events, they can also be customized to monitor applications such as SQL or Financial software and alert on specific events such as disks being full, RAM usage or network outages.

    MA
    Information Security Manager at a comms service provider with 1,001-5,000 employees
    Real User
    2019-07-08T12:39:52Z
    Jul 8, 2019

    SIEM is needed for compliance reporting, system monitoring, intrusion detection, and something else. Based on my knowledge and experience in this area I will list the drivers for purchasing a SIEM based on priority as follows:

    1. Monitoring different types of cybersecurity hacking attempts from outsiders and insiders.

    2. Early detection of security hacking attempts and as a result, a prompt response is initiated.

    3. Testing the effectiveness of all types of security controls in place such as network firewalls, IPSs, WAF, AV, DLP, etc.

    4. Visibility of all layers of traffic on different network segments.

    5. Reporting non-compliance issues.

    6. Early detection of existing vulnerabilities in systems.

    7. Security intelligence from SIEM vendor and other vendors in the network because logs are correlated into the SIEM.

    8. Helping business people and improving quality assurance effectiveness by building customized rules on the received logs.

    9. Others such as log retention, log management, and forensics.

    SS
    Principal - Emerging Technologies / Industrial IoT Solutions at AT&T
    Vendor
    2019-07-08T17:48:20Z
    Jul 8, 2019

    Primarily, SIEM has been implemented in response to governmental compliance requirements. Similarly, many companies decide to implement SIEM to not only protect sensitive data but also to demonstrate proof that they’re doing so while meeting their compliance requirements.

    A failed audit could have catastrophic results such as the loss of business and employees, in addition to hefty fines. For these reasons, many companies regularly complete their own internal audit to validate and verify that they are meeting these requirements. With SIEM, this is totally avoidable.

    PM
    Security Solutions Consultant at Cognizant
    Real User
    2019-07-08T17:20:55Z
    Jul 8, 2019

    SIEM is the intelligence to identify 'security incidents' among everyday events. These events might be logged in infinite locations and systems. SIEM is a detective control mechanism that attempts to correlate data logs available in all sorts of places to be able to spot transgressions.

    NG
    Business Developer Manager CyberSecurity Solutions at a tech services company with 501-1,000 employees
    Real User
    2019-07-08T14:17:08Z
    Jul 8, 2019

    New generation SIEMs such as IBM QRadar help the company to get a single dashboard where they can see whatever is succeeding in their IT environment. This is really useful to let the security team avoid jumping from one console to another across several security point products.
    In the case of an advanced SIEM like IBM QRadar, we can state that, using its embedded correlation rules, QRadar can literally call the attention of the security analysts only to verified offenses, saving their time.
    This is crucial especially for complex attacks or APTs, where it will be very difficult to see the attack while it is establishing itself. The option to have AI help the analyst is another crucial help for a very fast interpretation of what is happening, to let them block the attack and avoid its repetition.
    Obviously, the compliance report will be a gift after the adoption of the systems, the only point of attention will be to let the SIEM ingest all the sources of logs and flows you want to control.

    DK
    Information Technology Security Analyst with 11-50 employees
    User
    2020-01-21T13:24:08Z
    Jan 21, 2020

    SIEM shows real-time analysis of security alerts generated by applications, Internet, user actions and network activity.
    It is a central location to observe events on your network and to mitigate. You should tailor it to your needs when choosing. For example, if you are an SMB, you should choose a smaller model; if a huge corporation, then a larger one. An analyst can manage a smaller solution, but a larger company might consider a SaaS. Professional services and training with great support is my recommendation.

    Gregg Woodcock - PeerSpot reviewer
    Consultant at Splunxter, Inc.
    Real User
    Top 10
    2019-07-09T01:32:44Z
    Jul 9, 2019

    SIEM = Security Information and Event Management. It is any tool that monitors a computer system or network for intruders and generates notable events that security analysts sort through and respond to. The king of these is Splunk, and my company, Splunxter.com, are experts at Splunk Professional Services of all kinds.

    Stuart Berman - PeerSpot reviewer
    CTO at a tech company with 11-50 employees
    Real User
    Top 10
    2019-08-20T22:25:00Z
    Aug 20, 2019

    We use a SIEM for event correlation for logs and feeds from a variety of our tools. It helps us quickly pinpoint activity from multiple sources to provide actionable intelligence. We are able to fund part of the cost through the use of compliance reporting replacing the use of other tools that provided compliance reports.

    AK
    Sales Specialist with 11-50 employees
    Real User
    2019-07-10T08:04:44Z
    Jul 10, 2019

    The main use is for system monitoring and intrusion detection for IT Systems Security.

    reviewer1112577 - PeerSpot reviewer
    Director Civilian Agencies at Securonix Solutions
    Real User
    2019-07-08T14:37:48Z
    Jul 8, 2019

    Taking any data and correlating interesting events and automating remediation actions with continuous learning. The old SEMs or SIEMs are claiming this, but there is only one true Gartner Visionary Cloud SIEM with “one platform” that scales at near real-time speeds via big data and open AI.
