
SIEM

Security Information and Event Management

Also known as: security information and event management, security monitoring platform, log management and analysis

Security Information and Event Management -- a platform that collects, analyses, and correlates security data from across an organisation to detect threats and support incident investigation.

In-Depth Explanation

SIEM (Security Information and Event Management) aggregates and analyses security data from across an organisation's technology environment. It combines Security Information Management (SIM) and Security Event Management (SEM) to provide real-time threat detection, investigation, and compliance reporting.

How SIEM works:

  1. Collection: Ingests logs from firewalls, servers, applications, endpoints, cloud services
  2. Normalisation: Standardises data from different sources into a common format
  3. Correlation: Analyses events across sources to identify patterns and threats
  4. Alerting: Generates alerts when suspicious activity is detected
  5. Investigation: Provides tools to investigate and understand threats
  6. Reporting: Generates compliance and security reports
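A toy version of steps 1 to 4, added here as an illustration and not code from any SIEM product or from Clever Ops: two constructed log formats (an Azure AD-style JSON sign-in and an RFC 5424-style firewall line) are normalised into one schema, then a correlation rule alerts on the overseas-login pattern described in the use case further down. The record formats, field names and the rule itself are assumptions for this example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in two source formats (not real logs): an
# Azure AD-style JSON sign-in event and an RFC 5424-style firewall VPN line.
RAW_EVENTS = [
    '{"time":"2024-03-02T15:02:11Z","user":"j.smith","ip":"203.0.113.9","country":"AU","result":"Success"}',
    '2024-03-02T15:10:30Z fw01 vpn-login user=a.jones src=203.0.113.20 geo=AU status=ok',
    '2024-03-02T15:14:40Z fw01 vpn-login user=j.smith src=198.51.100.7 geo=RO status=ok',
    'this line is not in any known format',
]

SYSLOG_RE = re.compile(
    r'(?P<ts>\S+) \S+ vpn-login user=(?P<user>\S+) src=(?P<ip>\S+) geo=(?P<geo>\S+) status=(?P<st>\S+)')

def normalise(raw):
    """Step 2: map each source's own format onto one common schema (assumed fields)."""
    if raw.startswith('{'):
        r = json.loads(raw)
        return {"ts": datetime.fromisoformat(r["time"].replace("Z", "+00:00")),
                "user": r["user"], "ip": r["ip"], "country": r["country"],
                "success": r["result"] == "Success", "source": "azuread"}
    m = SYSLOG_RE.match(raw)
    if not m:
        return None  # unparsed lines are dropped (and would be counted), never guessed at
    return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "user": m["user"], "ip": m["ip"], "country": m["geo"],
            "success": m["st"] == "ok", "source": "firewall"}

def correlate(events, window=timedelta(hours=1)):
    """Steps 3 and 4: alert when one user has successful logins from two countries
    inside the window, whichever sources the logins came from."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["success"]:
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        for earlier, later in zip(logins, logins[1:]):
            if earlier["country"] != later["country"] and later["ts"] - earlier["ts"] <= window:
                alerts.append({"rule": "login_from_two_countries", "user": user,
                               "countries": [earlier["country"], later["country"]],
                               "sources": sorted({earlier["source"], later["source"]})})
    return alerts

def run_pipeline(raw_lines):
    """Steps 1 to 4 end to end: collect, normalise, correlate, alert."""
    events = [e for e in map(normalise, raw_lines) if e is not None]
    return correlate(events)
```

Running `run_pipeline(RAW_EVENTS)` yields a single alert for j.smith (AU then RO within 12 minutes) built from both the Azure AD and firewall sources; a.jones, with one login, produces nothing.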

SIEM data sources:

  • Firewall and network device logs
  • Server and operating system logs
  • Application logs (web servers, databases)
  • Cloud service logs (AWS CloudTrail, Azure logs)
  • Endpoint protection alerts
  • Email security logs
  • Identity and access management logs
  • DNS and web proxy logs

SIEM platforms:

  • Microsoft Sentinel: Cloud-native SIEM integrated with Azure and Microsoft 365
  • Splunk: Powerful data analytics and SIEM
  • IBM QRadar: Traditional SIEM with strong correlation
  • Elastic Security: Open-source based SIEM
  • Sumo Logic: Cloud-native analytics and SIEM
  • CrowdStrike LogScale: Fast log management with SIEM capabilities

Modern SIEM capabilities:

  • Machine learning-based anomaly detection
  • User and Entity Behaviour Analytics (UEBA)
  • Security Orchestration, Automation, and Response (SOAR)
  • Threat intelligence integration
  • Automated incident response playbooks
  • Cloud-native deployment and scaling

SIEM for mid-market businesses:

  • Microsoft Sentinel is cost-effective for Microsoft-centric environments
  • Managed SIEM services provide capability without building a SOC team
  • Cloud-native SIEMs eliminate infrastructure management
  • Start with critical data sources and expand coverage over time

Business Context

SIEM reduces the average time to detect a security breach from 287 days to 56 days, and faster detection directly correlates with lower breach costs. Organisations that detect breaches within 200 days save an average of $1.2 million.

How Clever Ops Uses This

Clever Ops implements SIEM solutions for Australian businesses, typically using Microsoft Sentinel for its cost-effectiveness and integration with common business tools. We configure log collection, build detection rules, and create alert workflows that give businesses visibility into security threats without requiring a dedicated security operations team.

Example Use Case

"An Australian business deploys Microsoft Sentinel, collecting logs from Azure AD, Microsoft 365, firewall, and endpoint protection. Within the first month, Sentinel detects and alerts on a compromised employee account being used from an unusual overseas location at 2am, enabling rapid response."


Category

cybersecurity
