What Is SIEM Used For?

SIEM is one of the fastest trending topics on IT Central Station. Why do companies need to purchase SIEM?

Is it due to compliance reporting, system monitoring, intrusion detection, or something else? Why is it so important?

    Miriam Tover - PeerSpot reviewer
    Service Delivery Manager at PeerSpot
    17 Answers
    Head System /Solution Architect at sorfert
    Real User
    Jul 14, 2019

    SIEM provides real-time analysis of security alerts generated by applications and network hardware.
    It’s important as it’ll be the centralized point where you get security event reports for all of the infrastructure, and the place where you take the first action.

    You can buy it as software (there are a lot of solutions), but you need a security analyst to follow it; or you can buy it as a service.

    it_user970365 - PeerSpot reviewer
    Cybersecurity Practice Lead at a tech services company with 201-500 employees
    Real User
    Jul 9, 2019

    The answer is: all of the above.

    From a technical point of view, if you have a lot of sources that generate security alerts/events, you will need a SIEM to help you manage these alerts (collect, analyze, correlate, etc.) and determine how you can respond to them appropriately. Having this system will make it a lot easier for your team to identify and respond to incidents.

    From the business view, it helps with preventing downtime due to incidents, identifying problem areas in the network, and even understanding how the network and people operate normally on a daily basis. And depending on your company's industry (e.g. finance, telco), SIEMs are required by regulatory or industry standards. In some countries, banks are required to have a SIEM for the security of their network systems.

    Though SIEMs seem to be a necessity given what they can do, they may not be for everyone. Small companies/networks may not generate many alerts/events, so a SIEM will not be helpful. Also, consider the cost and operation of a SIEM. If you have a small network yet require a SIEM for compliance, you may be better off with SIEM as a service.

    CIO at Robusta Technology & Training
    Real User
    Jul 9, 2019

    A SIEM system provides real-time analysis of security alerts generated by applications, tools, platforms, network hardware, virtual networks, physical servers or workstations, and virtualization VMs.
    This term is somewhat of an umbrella for security software packages ranging from log management systems to security log/event management, security information management, and security event correlation.

    We often divide them into three groups of tools:
    Group 1: collecting information, even in real time, and analyzing basic data in place (usually configuration information, software information, licensing) as a basis for fixed-asset control information.
    Group 2: in addition to the information collection feature, it also analyzes quickly, assesses error status and incident information, records events, and also monitors consoles remotely, or has integrated tickets for a KB, troubleshooting, chat conferencing, or an ITIL / IT helpdesk platform.
    Group 3: integrating IPS, IDS, firewall, NetFlow and Squid proxy logs to help with system log analysis, SSO authentication logs, transaction logs for email servers, web logs, DC logs, etc.
    Therefore, depending on the needs of the enterprise, we choose the tools to suit each group, for example: Spiceworks, ManageEngine, SolarWinds Security Event Manager, Micro Focus ArcSight ESM, Splunk Enterprise Security, LogRhythm Security Intelligence Platform, AlienVault Unified Security Management, RSA NetWitness or IBM QRadar, VM Turbonomic, Veeam ONE, etc.

    Systems Analyst at bercell integrated technologies
    Real User
    Jul 8, 2019

    A SIEM is an application that allows an organization to monitor network transactions from within their own network and also external sources.

    SIEMs may provide many features, from basic logging of network transactions to alarms and automatic responses/actions to specific events, without the involvement of a human user.
    Also, SIEMs may be acquired through ownership of the application or as a service. Supporting your own SIEM requires extensive security knowledge and 24-hour availability. As a service, the SIEM requires help with the configuration and periodic input with changes and adjustments, but not specific security knowledge or people available 24 hours a day. The cost varies based on features, service, support, and technologies.

    While SIEMs are available on local servers within the organization, they are also available from the cloud. The cloud environment may be a more flexible and cost-effective option.

    The SIEMs have at least two (2) main purposes: security and compliance reporting. Examples for security: external security breach attempts, internal data breaches, malware prevention, etc. Examples of compliance reporting: an organization may not be able to report anything regarding compliance if the organization is not aware of the transactions that occur on their network(s). There are other reasons why an organization may employ a SIEM, and these are addressed by additional features provided by the application.

    The SIEM application is only one component that should be considered when addressing security and compliance requirements. Employing a SIEM by itself will not be a complete solution for the present security and privacy requirements. The SIEM should be considered as part of the solution, together with the following products or services:
    - Policy and Governance (GRC applications/solutions)
    - Vulnerability Risk Assessment
    - Log retention (certain privacy and security legislation/policies ask for log history for compliance)
    - Remediation services (once a security event happens, for example a data breach, the network environment has to be restored to a safe original state); a SIEM provides the proper knowledge of what happened, using forensic analysis of the logs generated, and therefore helps in restoring the network environment to a safe state faster.
    - Reporting and notifications in cases when a security breach happens.
    - User training within consistent intervals (for example, once a month) – through automated training and at least twice a year, teacher assisted.

    All the above are components of a complete solution. Considering, employing and preparing for each of these components assures an organization of the value of its investment.

    President, Managing Member with 51-200 employees
    Jul 8, 2019

    I try to relate SIEM to a person’s life to help to understand. Here’s how I explain:

    What is SIEM:
    * Security is mostly focused on “building a fence” around our IT environment with a combination of hardware and software solutions.
    * That “fence” is being hit constantly by both legitimate users entering our IT environment and those trying to penetrate that have bad intent.
    * SIEM deployed at the monitor/triage level is how we watch the “fence” to ensure that there are no holes that have opened, and no one has gone through a hole or around our “fence” that shouldn’t be allowed into our environment.
    * Alerts from SIEM applications need to be triaged by individuals who understand what they are seeing in the alerts.
    * Most alerts represent a legitimate business or non-threatening activity.
    * Alerts that are not legitimate, or are dangerous, are then handled appropriately. I recommend an escalation matrix that directs the type of response based on the type of threat, the impact of the machine(s)/device(s) affected, the risk of propagation in the environment and the impact to operations.
    * SIEM, for the most part, is a reactive process, but it also identifies risk areas that should be acknowledged in a risk log and/or addressed with a proper solution.

    Compliance:
    * Compliance requirements are typically dictated by the type of business being conducted and require careful analysis of any Federal, State, Local, International or other agency/association requirements.
    * Utilizing SIEM to keep your “fence” in good health helps show that you are exercising sufficient “duty of care” in case you do have a breach and are sued.
    Cost Decision:
    * Any spending beyond a regulator requirement for security spending should have a risk/cost analysis.
    * Spend too much and hurt your ability to be financially viable. Spend too little and risk losing your business.
    * The decision is similar to how one might handle personal healthcare, nutrition, and physical training. I find that businesses tend to invest in security much like people invest in their health:
        * Regulated Business/High Performance/High Risk:
            * Pro Athlete: 100% medical coverage, nutritionist-prepared training diet, private personal trainer.
        * Strong/Successful/Growing Business/Medium Risk:
            * Moderately Fit Lifestyle: Medical with a deductible, usually eats healthy, works out regularly on their own or in group classes at the gym.
        * Newer/Smaller Business/Low Risk:
            * Casual Lifestyle: Medical with deductible, diet varies (sometimes focused, sometimes not), casual activity, occasional gym.
        * Low Margin/Income Business/Bankruptcy is the alternate plan for any major business challenges:
            * Sedentary Lifestyle: No medical insurance, diet varies, casual activity.

    My website is being rebuilt and doesn’t reflect anything about our security services (or much else). I get all of my business from referrals and haven’t touched it in about 7 years. It’s getting a complete rebuild now because we are adding a client portal and bolting on a new front end at the same time that actually looks professional.

    Senior Network Engineer at a government with 5,001-10,000 employees
    Real User
    Jul 8, 2019

    Security Incident and Event Management (SIEM) is an automated way to detect patterns that might indicate a security incident. Usually, the SIEM product will collect logs from all the networking devices and resources in an environment, and use AI or other logic to correlate them and identify potential attacks. For example, a former employee might log in to the network, plus there is a failed access to a database using the same credentials. A SIEM can identify that as a suspected attack. The virtue of a SIEM is in its ability to spot these correlations. That is why it is good.

    If your organization has a robust security department, SIEM could be a good tool to have. It also may be required by audit. It would also be useful in the clearance space, where defense and spy agencies may be subject to a hostile cyber attack. Engineering companies like Boeing or Rolls Royce would certainly need such a tool to identify attacks from rogue states such as China and Russia, who are known to sponsor the theft of intellectual property from other nations. It requires someone at the organization to be trained on the SIEM and dedicated to monitoring it. Otherwise, it is of limited value except for audit requirements.
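As an added illustration of the correlation described in this answer (example code, not from the original post or from any SIEM vendor): a small Python rule that flags a former employee's successful login followed, within 15 minutes, by a failed database access using the same account. The log format, field names, HR feed and sample events are all constructed for the example.

```python
"""Toy SIEM-style correlation rule over constructed log lines.

Assumptions (all for illustration): a whitespace-separated log format
"<timestamp> <host> <kind> key=value ...", an HR feed of accounts that
should already be disabled, and a 15-minute correlation window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, in the order a collector might receive them.
SAMPLE_LOGS = """\
2019-07-08T09:00:12 vpn01 auth user=jdoe result=success src=203.0.113.7
2019-07-08T09:03:40 db01 dbauth user=jdoe result=failure db=payroll
2019-07-08T09:05:02 vpn01 auth user=asmith result=success src=198.51.100.9
2019-07-08T09:40:00 db01 dbauth user=jdoe result=failure db=payroll
"""

# Constructed HR feed: accounts belonging to former employees.
FORMER_EMPLOYEES = {"jdoe"}

WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Turn one log line into a dict of fields (timestamp parsed)."""
    ts, host, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields}


def correlate(lines, former=FORMER_EMPLOYEES, window=WINDOW):
    """Return one offense per failed DB access by a former employee that
    follows a successful login of the same account within `window`.

    A lone login or a lone failure is not enough; both halves must match.
    """
    recent_logins = defaultdict(list)  # user -> timestamps of successful logins
    offenses = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        if ev["kind"] == "auth" and ev["result"] == "success":
            recent_logins[user].append(ev["ts"])
        elif ev["kind"] == "dbauth" and ev["result"] == "failure" and user in former:
            # Keep only logins that are still inside the correlation window.
            recent_logins[user] = [t for t in recent_logins[user] if ev["ts"] - t <= window]
            if recent_logins[user]:
                offenses.append({
                    "user": user,
                    "login_at": recent_logins[user][-1].isoformat(),
                    "db_fail_at": ev["ts"].isoformat(),
                    "db": ev["db"],
                    "rule": "former-employee login followed by DB access failure",
                })
    return offenses


if __name__ == "__main__":
    for offense in correlate(SAMPLE_LOGS):
        print(offense)
```

The 09:40 failure is not reported because no login for that account falls inside the 15-minute window, which is the kind of time-bounding a real correlation rule needs to keep false positives down.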

    ISO (Information Security Officer) with 10,001+ employees
    Real User
    Jul 8, 2019

    It is so important because it will enable you to have a single-pane-of-glass view onto all the security-related information from your infrastructure and even beyond. Getting an idea about the big picture is really essential for everything in security, so a SIEM is the right tool to achieve this. Furthermore, it is hard to find (the right) patterns in millions upon millions of lines of information without the help of a SIEM, because a SIEM usually provides the necessary algorithms and correlation rules to bring the patterns in question to your attention. This is also often referred to as "finding the needle in the haystack".

    Security Engineer at Managed Technology Services, LLC fka LexisNexis
    Real User
    Jul 8, 2019

    A SIEM is a tool which sorts logs and alerts on security-related events, customizable for a business’s needs and regulatory compliance requirements. Many certifications like ISO 27001 and SOC 2 require that there be active monitoring of networks and computer systems to ensure data confidentiality, integrity, and availability.

    A good SIEM will update itself with new signatures and behavioral patterns to be able to identify malicious activities and behaviors or threat actors by collating logs from various devices and endpoints on your network. A SIEM can augment and enhance the work done by security analysts in identifying problems and preventing costly, damaging attacks like ransomware outbreaks, theft of intellectual property or financial fraud. They also have the benefit of being online 24/7, where a staff of at least three analysts would be needed to provide the same coverage.

    Though a SIEM is primarily designed to catch security-related events, they can also be customized to monitor applications such as SQL or financial software and alert on specific events such as disks being full, RAM usage or network outages.

    Information Security Manager at a comms service provider with 1,001-5,000 employees
    Real User
    Jul 8, 2019

    SIEM is needed for compliance reporting, system monitoring, intrusion detection, and something else. Based on my knowledge and experience in this area I will list the drivers for purchasing a SIEM based on priority as follows:

    1. Monitoring different types of cybersecurity hacking attempts from outsiders and insiders.

    2. Early detection of security hacking attempts and as a result, a prompt response is initiated.

    3. Testing the effectiveness of all types of security controls in place, such as network firewalls, IPSs, WAF, AV, DLP, etc.

    4. Visibility of all layers of traffic on different network segments.

    5. Reporting non-compliance issues.

    6. Early detection of existing vulnerabilities in systems.

    7. Security intelligence from SIEM vendor and other vendors in the network because logs are correlated into the SIEM.

    8. Helping business people and improving quality assurance effectiveness by building customized rules on the received logs.

    9. Others such as log retention, log management, and forensics.

    Principal - Emerging Technologies / Industrial IoT Solutions at AT&T
    Real User
    Jul 8, 2019

    Primarily, SIEM has been implemented in response to governmental compliance requirements. Similarly, many companies decide to implement SIEM to not only protect sensitive data but also to demonstrate proof that they’re doing so while meeting their compliance requirements.

    A failed audit could have catastrophic results, such as the loss of business and employees, in addition to hefty fines. For these reasons, many companies regularly complete their own internal audit to validate and verify that they are meeting these requirements. With SIEM, this is totally avoidable.

    Security Solutions Consultant at Cognizant
    Real User
    Jul 8, 2019

    SIEM is the intelligence to identify 'security incidents' from everyday events. These events might be logged in infinite locations and systems. SIEM is a detective control mechanism that attempts to correlate data logs available in all sorts of places to be able to spot transgressions.

    Business Developer Manager CyberSecurity Solutions at IBM
    Real User
    Jul 8, 2019

    A new-generation SIEM such as IBM QRadar helps the company get a single dashboard where they can see whatever is happening in their IT environment. This is really useful to let the security team avoid jumping from one console to another across several security pain-point products.
    In the case of an advanced SIEM like IBM QRadar, we can state that, using its embedded correlation rules, QRadar can literally call the attention of the security analysts only to verified offenses, saving their time.
    This is crucial especially for complex attacks or APTs, where it is very difficult to see the attack while it is being established. The option to have AI help the analyst is another crucial aid for a very fast interpretation of what is happening, letting them block the attack and avoid its repetition.
    Obviously, the compliance report will be a gift after the adoption of the system; the only point of attention will be to let the SIEM ingest all the sources of logs and flows you want to control.

    Information Technology Security Analyst with 11-50 employees
    Jan 21, 2020

    SIEM shows real-time analysis of security alerts generated by applications, the Internet, user actions and network activity.
    It is a central location to observe events on your network and to mitigate them. You should tailor your needs when choosing. For example, if you are an SMB, you should choose a smaller model; if a huge corp., then a larger one. An analyst can manage a smaller solution, but a larger company might consider a SaaS. Professional services and training with great support is my recommendation.

    Consultant at Splunxter, Inc.
    Real User
    Jul 9, 2019

    SIEM = Security Information and Event Management. It is any tool that monitors a computer system or network for intruders and generates notable events that security analysts sort through and respond to. The king of these is Splunk, and my company, Splunxter.com, is expert at Splunk Professional Services of all kinds.

    CTO at a tech company with 11-50 employees
    Real User
    Aug 20, 2019

    We use a SIEM for event correlation for logs and feeds from a variety of our tools. It helps us quickly pinpoint activity from multiple sources to provide actionable intelligence. We are able to fund part of the cost through the use of compliance reporting replacing the use of other tools that provided compliance reports.

    Sales Specialist with 11-50 employees
    Real User
    Jul 10, 2019

    The main use is for system monitoring and intrusion detection for IT Systems Security.

    reviewer1112577 - PeerSpot reviewer
    Director Civilian Agencies at Securonix Solutions
    Real User
    Jul 8, 2019

    Taking any data and correlating interesting events and automating remediation actions with continuous learning. The old SEM or SIEMS are claiming this but there is only one true Gartner Visionary Cloud SIEM with “one platform” that scales at near real speeds via big data and open AI.
