While security information and event management (SIEM) solutions have been around for over a decade, and have evolved significantly over that time, the core functionality still acts as the most effective foundation for any organization’s technology stack.
The core set of capabilities for a SIEM solution includes data collection, parsing (or normalizing) data, and correlating that data to identify suspicious or problematic activity. This processing and enrichment of data enables all forms of data analysis and can have a direct impact on how effectively an organization can search and access its data. SIEM tools are an important part of the data security ecosystem they aggregate data from multiple systems and analyze that data to catch abnormal behavior or potential cyberattacks. SIEM tools provide a central place to collect events and alerts – but can be expensive, resource intensive, and customers report that it is often difficult to resolve problems with SIEM data.
Data collection
All sources of network security information, e.g., servers, operating systems, firewalls, antivirus software and intrusion prevention systems are configured to feed event data into a SIEM tool.
Policies
A profile is created by the SIEM administrator, which defines the behavior of enterprise systems, both under normal conditions and during pre-defined security incidents.
Data consolidation and correlation
Events are then categorized based on the raw data and apply correlation rules that combine individual data events into meaningful security issues.
Notifications
If an event or set of events triggers a SIEM rule, the system notifies security personnel.