SIEM is a combination of a security information management (SIM) solution, specialized for long-term log storage and management, and a security event management (SEM) solution, centered on real-time correlation analysis and detection. SIEM provides the security operations team or CERT with prior analysis using correlation analysis rules, reporting on security incidents, and post-incident analysis through forensics. More information about managed SIEM can be found at clearnetwork.com.
According to Gartner, SIEM has the following capabilities:
- Log Management: Ability to collect, store, investigate and report log data for incident response, forensics, and regulatory compliance.
- Security Monitoring: Ability to analyze event data in real time for early detection of targeted attacks and data breaches.
- Event Management: Ability to aggregate event data generated by security devices, network infrastructure, systems, and applications.
As a recent security trend, CERT teams conduct not only incident analysis and response but also threat hunting, which detects and analyzes new threats or attacks, and this raises the requirements for a next-generation SIEM.
Improved detection accuracy through correlation analysis
Accurate threat detection is the most important factor to consider when selecting a next-generation SIEM and building an intelligent threat response system. Although many SIEM vendors emphasize the expansion and integration of various functions such as fast search and analysis performance, NTA/UEBA, and SOAR as essential elements of a next-generation SIEM, the fundamental and most important function of a SIEM is accurate threat detection.
When operating a SIEM, it is difficult to set the correlation analysis policy, and the accuracy of the events detected through that policy becomes a problem. Interviews with various security monitoring personnel and companies indicate that the average number of monitoring responses one analyst can handle per day is about 5 to 10 cases.
Looking at the many institutions and companies operating a SIEM, thousands to hundreds of thousands of events are generated every day by correlation analysis policies. Analysts cannot handle most of these events, and they act as noise that interferes with the identification, detection, and analysis of real threats.
To reduce false positives, a SIEM should provide a correlation analysis function that follows the flow of events over time. If a SIEM provides only simple condition mapping, or a correlation analysis that detects threats solely by setting a threshold on a condition, countless noise events (false positives) will inevitably occur.
To prevent this, correlation analysis on the results of a correlation analysis (rather than a single correlation analysis), or linkage analysis or additional correlation analysis on the results of separate correlation analyses, is essential. In addition, it should be possible to increase threat detection accuracy by managing or reprocessing detection events through scoring for malicious IP tracking and labelling by element technology.
To build a more precise and accurate threat response system, it must be possible to detect malicious IPs that carry out attacks step by step.
For this, a single rule should be able to detect the attack flow in the form of a mind map, following the sequence of events by time period, rather than relying on correlation analysis of the condition + threshold type.
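The following Python example is added here to illustrate the difference described above; it is not code from this page or from any SIEM product. It runs a plain condition + threshold rule ("three failed logins in ten minutes") beside a time-ordered, multi-stage rule that tracks each source IP through a hypothetical attack flow (recon, brute force, access, exfiltration) and accumulates a score per stage. The log lines, event names, stage definitions, time gaps and scores are all constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical, not from any real system).
# Format: "<ISO timestamp> <source_ip> <event_name>"
SAMPLE_LOGS = """\
2024-03-01T10:00:00 203.0.113.5 portscan
2024-03-01T10:02:00 203.0.113.5 login_failed
2024-03-01T10:02:05 203.0.113.5 login_failed
2024-03-01T10:02:10 203.0.113.5 login_failed
2024-03-01T10:03:00 203.0.113.5 login_success
2024-03-01T10:05:00 203.0.113.5 outbound_large_transfer
2024-03-01T11:00:00 198.51.100.9 login_failed
2024-03-01T11:00:07 198.51.100.9 login_failed
2024-03-01T11:00:15 198.51.100.9 login_failed
2024-03-02T09:00:00 192.0.2.77 portscan
"""

# Hypothetical staged attack flow, one stage per tuple:
# (stage name, event that advances it, occurrences needed,
#  maximum gap since the previous matching event, score awarded on completion)
STAGES = [
    ("recon",       "portscan",                1, None,                  10),
    ("brute_force", "login_failed",            3, timedelta(minutes=10), 20),
    ("access",      "login_success",           1, timedelta(minutes=10), 30),
    ("exfil",       "outbound_large_transfer", 1, timedelta(minutes=30), 40),
]


def parse_logs(text):
    """Parse the constructed log format into time-sorted (timestamp, ip, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, name = line.split()
        events.append((datetime.fromisoformat(ts), ip, name))
    events.sort(key=lambda e: e[0])
    return events


def threshold_rule(events, name="login_failed", count=3, window=timedelta(minutes=10)):
    """Condition + threshold rule: fires for every IP with >= count events in a window.

    It has no notion of what happened before or after, so a user mistyping a
    password three times looks exactly like the brute-force stage of an attack.
    """
    recent = defaultdict(list)
    fired = set()
    for ts, ip, ev in events:
        if ev != name:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= count:
            fired.add(ip)
    return fired


def staged_rule(events, stages=STAGES, alert_score=60):
    """Time-ordered multi-stage rule: each IP must pass the stages in sequence.

    Returns (scores, alerts): the accumulated score per IP and the set of IPs
    whose score reached alert_score. An IP only gains score for a stage when it
    has completed every earlier stage within the allowed time gaps.
    """
    def fresh():
        return {"idx": 0, "count": 0, "last": None, "score": 0}

    state = {}
    for ts, ip, ev in events:
        st = state.setdefault(ip, fresh())
        if st["idx"] >= len(stages):
            continue  # every stage already completed for this IP
        _, want, need, gap, score = stages[st["idx"]]
        if gap is not None and st["last"] is not None and ts - st["last"] > gap:
            # The expected follow-up did not arrive in time: the chain is broken,
            # so start over from the first stage for this IP.
            st = state[ip] = fresh()
            _, want, need, gap, score = stages[0]
        if ev != want:
            continue
        st["count"] += 1
        st["last"] = ts
        if st["count"] >= need:
            st["score"] += score
            st["idx"] += 1
            st["count"] = 0
    scores = {ip: st["score"] for ip, st in state.items()}
    alerts = {ip for ip, s in scores.items() if s >= alert_score}
    return scores, alerts


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("threshold rule fired on:", sorted(threshold_rule(evs)))
    scores, alerts = staged_rule(evs)
    print("staged scores:", scores)
    print("staged rule alerts:", sorted(alerts))
```

On the constructed input the threshold rule fires on both 203.0.113.5 and 198.51.100.9, even though the second address only shows three failed logins with nothing before or after them. The staged rule scores 203.0.113.5 at 100 (all four stages in order, each within its time gap) and raises the only alert, leaves 198.51.100.9 at 0, and gives 192.0.2.77 a low score of 10 for recon alone, so it stays below the alert threshold but keeps its state for later correlation. In a real deployment the stage list, gaps and scores would be tuned per environment, and an IP that breaks the chain could be kept at a reduced score rather than reset.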
Currently, the SIEM products mainly in use include products that store and manage logs in an RDBMS and perform correlation analysis there, and products that perform correlation analysis by attaching an app or dashboard to a product that originated as a search engine.
Both approaches have their own advantages and disadvantages. Although an RDBMS-based product has a relatively strong correlation analysis function, it is not suited to managing a large volume of logs: search is slow, and unrestricted performance scaling across a cluster is difficult. A search-engine-based SIEM is excellent at log management and search, but relatively weak in correlation analysis.