Security Information and Event Management (SIEM)

What is SIEM

Security Information and Event Management (SIEM) is a set of tools and services offering a holistic view of an organization's information security.

SIEM tools provide:

  • Real-time visibility across an organization's information security systems.
  • Event log management that consolidates data from numerous sources.
  • A correlation of events gathered from different logs or security sources, using if-then rules that add intelligence to raw data.
  • Automatic security event notifications. Most SIEM systems provide dashboards for security issues and other methods of direct notification.

SIEM works by combining two technologies: a) Security information management (SIM), which collects data from log files for analysis and reports on security threats and events, and b) security event management (SEM), which conducts real-time system monitoring, notifies network admins about important issues and establishes correlations between security events.

The security information and event management process can be broken down as follows:

  1. Data collection - All sources of network security information, e.g., servers, operating systems, firewalls, antivirus software and intrusion prevention systems are configured to feed event data into a SIEM tool.

    Most modern SIEM tools use agents to collect event logs from enterprise systems, which are then processed, filtered and sent them to the SIEM. Some SIEMs allow agentless data collection. For example, Splunk offers agentless data collection in Windows using WMI.

  2. Policies - A profile is created by the SIEM administrator, which defines the behavior of enterprise systems, both under normal conditions and during pre-defined security incidents. SIEMs provide default rules, alerts, reports, and dashboards that can be tuned and customized to fit specific security needs.
  3. Data consolidation and correlation - SIEM solutions consolidate, parse and analyze log files. Events are then categorized based on the raw data and apply correlation rules that combine individual data events into meaningful security issues.
  4. Notifications - If an event or set of events triggers a SIEM rule, the system notifies security personnel.

Security Information and Event Management Tools

There are a number of security information and event management solutions on the market. Arcsight ESM, IBM QRadar and Splunk are among the most popular.

ArcSight

ArcSight collects and analyzes log data from an enterprise's security technologies, operating systems and applications. Once a malicious threat is detected, the system alerts security personnel.

ArcSight can also start an automatic reaction to stop the malicious activity. Another feature is the ability to integrate third-party threat intelligence feeds for more accurate threat detection.

IBM QRadar

IBM QRadar collects log data from sources in an enterprise's information system, including network devices, operating systems, applications and user activities.

The QRadar SIEM analyzes log data in real-time, enabling users to quickly identify and stop attacks. QRadar can also collect log events and network flow data from cloud-based applications. This SIEM also supports threat intelligence feeds.

Splunk

Splunk Enterprise Security provides real-time threat monitoring, rapid investigations using visual correlations and investigative analysis to trace the dynamic activities associated with advanced security threats.

The Splunk SIEM is available as locally installed software or as a cloud service. It supports threat intelligence feed integration from third-party apps.

SIEM and PCI DSS Compliance

SIEM tools can help an organization become PCI DSS compliant. This security standard reassures a company's customers that their credit card and payment data will remain safe from theft or misuse.

A SIEM can meet the following PCI DSS requirements:

  • Unauthorized network connection detection - PCI DSS compliant organizations need a system that detects all unauthorized network connections to/from an organization's IT assets. A SIEM solution can be used as such a system.
  • Searching for insecure protocols - A SIEM is able to document and justify the use of an organization's permitted services, protocols and ports, as well as document security features implemented for insecure protocols.
  • Inspect traffic flows across DMZ - PCI compliant organizations need to implement a DMZ that manages connections between untrusted networks (e.g., the internet) and a web server. Additionally, inbound internet traffic to IPs within the DMZ need to be limited while outgoing traffic dealing with cardholder details must be evaluated.
  • SIEM solutions can meet these requirements by inspecting traffic that flows across the DMZ to and from internal systems, and by reporting on security issues.

SIEM Integration with Imperva Security Solutions

Imperva provides turnkey integration with leading SIEM solutions, including ArcSight and Splunk.

This allows our customers to easily integrate the security data provided by our products into their SIEM platform of choice, where it can be readily accessed and viewed in a broader context.

Incapsula data that has been integrated with a SIEM tool.Incapsula integrated with Splunk.

Imperva SIEM integration is tailor-made to meet your application's security needs, allowing you to cut through the noise and prioritize high-risk threats. At the same time, you'll be provided with actionable insights.

Specific features in our integration packages include customizable rules for security event correlation, options for site-specific threat analysis, a predefined optimized dashboard and more.

Additional information on Incapsula SIEM integration can be found here.

Imperva SIEM integration information can be found here.