Monday, December 5, 2022

Security Information and Event Management (SIEM) Overview


Starting from the top, a Security Operations Center (SOC) is in charge of proactively keeping company assets safe, such as data stored on the company's network. One of the tools the SOC uses to do that job is a Security Information and Event Management (SIEM) platform. A SIEM collects data from 1) a wide variety of sources in 2) a wide variety of formats, to enable both a real-time view and broad analysis of historical data. SIEM is more about collecting, indexing, tagging and contextual mining than it is about security per se. That is why Splunk (a log collection and analytics platform) is a leader in the Gartner SIEM Magic Quadrant (MQ).

Sources of data to SIEM: 

  • Endpoint (EP)
  • Firewall (FW)
  • Intrusion Detection System (IDS)

Types of data sent or accessible to SIEM:

  • events
  • messages
  • logs

Types of actions from SIEM:

  • alert
  • analysis
  • reporting


At the bottom, I have listed Security Orchestration, Automation and Response (SOAR) as a receiver of SIEM alerts; SOAR can provide automated responses to those alerts. SIEM data and alerts can also be fed to User and Entity Behavior Analytics (UEBA), which leverages AI/ML to spot anomalous behaviour and find threats.
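To make the collect / normalize / tag / correlate / alert / respond chain above concrete, here is a toy SIEM pipeline written as an added example for this post (it is not code from the post, from Splunk, or from any SOAR product). It ingests constructed log lines from the three source types listed (firewall in key=value syslog style, IDS as JSON, endpoint as CSV; these formats are simplified assumptions), normalizes them into one schema, tags them, runs a single correlation rule over a time window, emits an alert, and hands it to a stand-in SOAR responder. The rule, field names and severities are illustrative choices, not a vendor's.

```python
"""Toy SIEM pipeline: ingest heterogeneous logs, normalize, tag, correlate,
alert, report, and hand alerts to a SOAR-style responder (added example)."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one raw format per source. Not real logs.
RAW_EVENTS = [
    # Firewall (FW): syslog-style key=value
    "2022-12-05T10:00:01Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2022-12-05T10:00:03Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    # IDS: JSON (field names are an assumed, simplified shape)
    '{"timestamp":"2022-12-05T10:00:05Z","src_ip":"203.0.113.7",'
    '"dest_ip":"10.0.0.5","alert":{"signature":"SSH brute force"}}',
    # Endpoint (EP): CSV  ts,host,event,user,remote_ip
    "2022-12-05T10:00:09Z,ws-17,login_success,alice,203.0.113.7",
    # Unrelated traffic that must not trigger the rule
    "2022-12-05T10:00:10Z fw01 action=allow src=198.51.100.4 dst=10.0.0.8 dport=443",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_firewall(line):
    ts, host, rest = line.split(" ", 2)
    kv = dict(KV_RE.findall(rest))
    return {"ts": ts, "source": "fw", "host": host, "src_ip": kv.get("src"),
            "dst_ip": kv.get("dst"), "action": kv.get("action"), "tags": set()}


def parse_ids(line):
    d = json.loads(line)
    return {"ts": d["timestamp"], "source": "ids", "host": None,
            "src_ip": d["src_ip"], "dst_ip": d["dest_ip"],
            "action": d["alert"]["signature"], "tags": set()}


def parse_endpoint(line):
    ts, host, action, user, src_ip = line.split(",")
    return {"ts": ts, "source": "ep", "host": host, "src_ip": src_ip,
            "dst_ip": None, "action": action, "user": user, "tags": set()}


def normalize(line):
    """Route a raw line to a parser by its shape; keep unknown shapes as raw events."""
    if line.startswith("{"):
        return parse_ids(line)
    if "action=" in line:
        return parse_firewall(line)
    if line.count(",") == 4:
        return parse_endpoint(line)
    return {"ts": None, "source": "unknown", "raw": line, "tags": set()}


def tag(event):
    """Attach context tags the correlation rule can reason about."""
    if event.get("action") == "deny":
        event["tags"].add("blocked")
    if event["source"] == "ids":
        event["tags"].add("ids_alert")
    if event.get("action") == "login_success":
        event["tags"].add("auth_success")
    return event


def within_window(events, seconds=300):
    """True if all timestamped events fall inside a window of `seconds`."""
    times = [datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
             for e in events if e.get("ts")]
    return bool(times) and (max(times) - min(times)).total_seconds() <= seconds


def correlate(events):
    """Rule: same source IP, >=2 blocked connections plus an IDS alert within the
    window -> medium; if that IP then also logged in successfully -> high."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("src_ip"):
            by_src[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_src.items():
        tags = [t for e in evs for t in e["tags"]]
        if tags.count("blocked") >= 2 and "ids_alert" in tags and within_window(evs):
            alerts.append({"src_ip": ip,
                           "severity": "high" if "auth_success" in tags else "medium",
                           "sources": sorted({e["source"] for e in evs}),
                           "count": len(evs)})
    return alerts


def report(events):
    """Per-source event counts, the kind of summary a SIEM report shows."""
    counts = defaultdict(int)
    for e in events:
        counts[e["source"]] += 1
    return dict(counts)


def soar_respond(alert):
    """Stand-in for a SOAR playbook: map severity to an automated action."""
    if alert["severity"] == "high":
        return {"action": "block_ip_and_open_ticket", "target": alert["src_ip"]}
    return {"action": "open_ticket", "target": alert["src_ip"]}


def run_pipeline(raw_lines):
    events = [tag(normalize(line)) for line in raw_lines]
    alerts = correlate(events)
    return {"events": events, "alerts": alerts, "report": report(events),
            "responses": [soar_respond(a) for a in alerts]}


if __name__ == "__main__":
    print(json.dumps({k: v for k, v in run_pipeline(RAW_EVENTS).items()
                      if k != "events"}, indent=2))
```

The point to notice is that the security-relevant decision lives entirely in `correlate`, and it is only possible because `normalize` and `tag` first turned three unrelated formats into one schema keyed on `src_ip`; that indexing and tagging work is the bulk of what a SIEM does, which is the post's argument about why a log analytics platform leads the category.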
