What Is SIEM and How Does it Work?

A hidden, lingering threat is a cybersecurity team’s worst nightmare. With security information and event management (SIEM), your team has fewer blind spots when it comes to detecting threats. If you asked a handful of experts for their SIEM definition, you’d get several different unique takes on the market definition. Here’s ours, along with how SIEM benefits organizations like yours.

SIEM solutions provide centralized insight into the IT environment and, sometimes, operational technology (OT). At a high level, a SIEM system turns data into insights your team can act on by:

  • Ingesting a vast amount of event data from across the enterprise, including on-premises and cloud-based data;
  • Applying real-time analytics to sort related events into prioritized alerts; and
  • Handing alerts up to a SOAR solution to trigger incident response playbooks.

What Value Does a SIEM System Bring?

When it comes to cutting down on the impact of an attack, time is of the essence. It can take an average of 207 days to find and 73 days to contain a breach, according to the Cost of a Data Breach Report 2020. The research shows respondents that contained a breach in less than 200 days saved $1 million on average compared to those that took more than 200 days.

The faster a threat is detected, the better. That is where a SIEM system comes into play. A SIEM can reduce the time to find, research and respond to incidents and mitigate the business impact of a data breach. It helps get the best out of the people in the security operations center (SOC) and amplify their reach. It can also cut down on risk by aligning with regulatory compliance mandates.

Learn more on SIEM

How Has SIEM Evolved Over Time?

The rise of SIEM technology is quite a story. Let’s take a look at the highlights before jumping to the present and future of SIEM. At the very beginning, security teams read log data and then collected logs. When that type of log management was no longer sufficient, security information management (SIM), which allowed for basic searching, was born. Security event management (SEM) was the second iteration of the product, which aggregated and correlated events from multiple systems. A third evolution was catalyzed by the need for organizations to comply with regulations and detect more advanced threats.

Since the inception of SIEM in 2005, the adoption of cloud, an ever-evolving threat landscape and other factors have triggered invention and growth in the SIEM market. A solution that once was meant to defend against solo attackers and basic malware via log collection has evolved to detect advanced persistent threats (APTs) from nation-state attackers and other bad actors.

A few of the biggest changes have included adding SIEM in with threat intelligence feeds, user behavior analytics and the addition of artificial intelligence (AI) and machine learning. As SIEMs evolved, they became more important to efficient incident response plans. SIEMs now provide SOAR platforms with the data to both launch investigations and assist with them.

The Right Systems for Today’s SOC

Here’s a closer look at the SIEM functionality that helps SOCs achieve their four goals: visibility, detection, investigation and escalation to response platforms.


SIEMs can correlate data from across an entire attack surface — from user, endpoint and network data to firewall logs and antivirus events. Whether on-premises or in the cloud, SIEM products provide a view into this data in a single pane of glass. For context, on average, SOCs deploy more than 45 solutions and use 19 different tools when responding to an incident. The streamlined view provided by a SIEM can help reduce the glut of tools these are up against.

Hybrid Multicloud Visibility

As more organizations transition to the cloud and leverage more and more cloud-native services, attackers are shifting their focus and investment there as well. Those that have hybrid multicloud environments (and many do) have a much stronger defensive posture when they are able to connect data from all platforms in their SIEM system.

Network Visibility

SIEMs can play a key role in detecting when something on a network behaves strangely. As Jon Oltsik of ESG explains in SIEM and NDR: Better Together, the mix of SIEM and network detection and response (NDR) helps security teams improve threat detection and response by gathering suspicious network and system-level data into alerts.

Threat Detection

Once teams have their data in one place, it becomes easier for them to detect threatening behavior and abnormal patterns.

SIEMs can be used to detect zero days and other high-profile exploits such as those targeting SolarWinds Orion or Microsoft Exchange. A SIEM can let SOC teams detect slight changes in how a network, user or system behaves. Such changes may be signs of malicious insiders, compromised IDs or APTs.


Once a threat is detected, SIEMs can leverage automated investigations and data enrichment for further research. These functions help reduce manual tasks, freeing people up to spend their valuable time on threat hunting and incident response. In one example, a SOC cut investigation from three hours to three minutes with the help of an AI SIEM to weed out false positives. Especially with the skills shortage predicted to reach 3.5 million open cybersecurity positions in 2021, efficiently digging into threats is critical.


When a SIEM detects a potential threat, it delivers that event data in real-time to the SOC team for a further look. Alerts, suspicious events or incidents discovered by the SIEM can trigger this manually or via automation. Oftentimes, response teams leverage data from SIEMs to look into incidents as part of processes defined within a SOAR tool’s playbooks.

This way, teams can shift from reactive to proactive. Running standard detection and response execution with playbooks and guided workflows also helps teams build a proven incident response program.

What Kinds of Threats Can a SIEM Detect?

The list is endless. Organizations can monitor for threats that span the entire MITRE ATT&CK chain. There are many more, but let’s discuss ransomware, nation-state APTs, insider threats and phishing.


Ransomware surged to be the top threat type in 2020, comprising 23% of the incidents studied in the latest X-Force Threat Intelligence Index. Bad actors like Sodinokibi are profiting in the millions of dollars by combining ransomware with extortion. High-profile targets for ransomware include industries with low tolerance for downtime, like the manufacturing, energy and health care sectors.

A SIEM uses analytics to identify potential ransomware incidents. This can include connection to malicious internet addresses, monitoring for anomalies in file access and unusual lateral communications.

Nation-state attacks and APTs

Nation-state APTs are attacks often carried out by highly capable, well-equipped threat actors, often with specific targeted actions. These attackers tend to operate ‘low and slow,’ causing the threats to be less obvious and harder to detect.

SIEMs can integrate with real-time threat intelligence feeds to ensure that SOC teams focus on critical events and have knowledge of the most up-to-date indicators of compromise (IoCs) before an advanced attack spreads.

Insider threats

Insider threats occur when users use real access to company assets to cause harm to the business, either with malicious intent or by accident.

Knowing your users, what they’re doing and their patterns is key. Any strange shifts in these areas can indicate a security incident. SIEMs can aggregate data from each user from many sources and use that data to create a baseline profile of a certain user. A user behaving differently from their previous behavior or from their peer group can cause a SIEM to assign a risk to that user and flag the suspicious behavior for a further look. Oftentimes, machine learning is used for this type of user analytics.


In 2020, phishing was the second most prevalent initial access vector found by IBM Security X-Force.

While many organizations encourage their users to stay vigilant, a typical attack might deliver an email to a victim that looks authentic, enticing them to click on a malicious attachment or link. A SIEM can help teams detect important indicators of phishing, such as suspicious email subject lines, potential data leakages, abnormal behavior from inbound and outbound emails and communication with known hostile hosts.

How to Choose a SIEM Product

What factors can buyers consider when looking for SIEM products? Beyond the core functions of a SIEM, you should keep in mind how the solution will scale with your business, its ease of integration and how quickly the time-to-value measures up.

Buyers can ask themselves:

  • Does the solution provide out-of-the-box security content and use cases? SIEMs that offer out-of-the-box use cases and detections in addition to the ability to customize enable organizations to realize value from their investment right away. Finding a solution that doesn’t require knowledge of multiple query languages can help with staffing.
  • Does the solution support compliance regulations worldwide? This support can help you meet breach disclosure requirements within the timeframes required by law. Some SIEMs offer pre-built reports and rule templates.
  • Does the solution offer flexible deployment options? Is the solution delivered on cloud? On-prem? Both? The Forrester Wave: Security Analytics Platforms, Q4 2020, states, “As enterprises have moved their own workloads to the cloud to take advantage of its scale, flexibility, and availability, security vendors have finally started to follow suit with cloud-based delivery of their security analytics solutions.” However, every use case has unique needs, and it’s important to choose an option that can meet them.
  • Does the solution align to industry frameworks? If your team uses industry frameworks like MITRE ATT&CK, make sure they are part of the tool.

What’s Next?

The core intelligence provided to users by their SIEMs is here to stay. SIEMs will face the challenges of needing to be simple to use while being flexible enough to adapt to the latest threats and evolving needs. As other tech and tooling changes, the way SIEM works with them and handles content will also need to evolve. In order to stay relevant, SIEMs will have to easily integrate with other tools.

While SIEMs have in the past mostly focused on detection, moving forward, the SIEM workflow will need to expand to more tightly align incident detection with response.

While SIEMs bring a lot of value to SOC teams, they also rely on other tools such as endpoint detection and response (EDR) and NDR. In a continued effort to make the job more streamlined, the industry is now shifting toward uniting these tools into extended detection and response (XDR).

XDR extends visibility across networks, endpoints and security events. This is very similar to SIEM. For that reason, we’ll likely see SIEM and XDR tools working more and closely together within some SOCs and even combined by some vendors.

SIEM has a long and rich history of providing value and driving business outcomes. With new and exciting XDR capabilities on board, the two together will have an exciting impact on the way we combat threats in the future.

The post What Is SIEM and How Does it Work? appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Wendy Willner