SIEM – Security Information & event Management platforms are mature cyber security solutions, often having come from a legacy of application log gathering with the data being used for availability and performance as well as access management, it has been a simple and logical transition into security log gathering and analysis of that data for Indicators of Compromise (IoC) and other suspicious actions that might relate to an attack in progress.
What is SIEM?
A SIEM solutions gathers data from numerous sources, normalises this data by altering its format so that it can be ingested along with other disparate data sources and stores this data, often compressing and preferably deduplicating this information during the process.
A SIEM solution typically is optimised for long term storage, though this storage is normally the method by which the SIEM provider licenses and prices their offerings and can get very expensive for longer term options.
Once the data is stored in a common format, a SIEM will have search tools and methods to import Threat Intelligence (TI) feeds to help Security Operations analysts to perform Threat hunting activities across the collected data.
Summary of SIEM
Security information event management (SIEM) solutions are not designed to provide protection or incident resolution either and will most often need to be used in addition to an Endpoint solution like Endpoint protection and response.
Security Orchestration Automation and Response is typically added to SIEM to provide an automated response capability, SIEM and SOAR are more often being sold together to provide a complete solution. Microsoft Sentinel (formally known as Azure Sentinel) for example is an example of SIEM and SOAR combined to provide the discovery and then response to cyber incidents.
The Australian Cyber Security Centre Essential 8 does not refer to SIEM as a critical control for securing organisations.
SIEM solutions are not suitable for small organisations who do not have a specific SIEM use case and/or specialised Security operations personnel and also not suitable when a business is not looking for historical searching of data etc.
Instead of SIEM look to Endpoint solutions for securing your business.
If you would like to know more about security and Kicksec.io recommendations, please contact us here.