Security Information and Event Management (SIEM) is a set of tools and services offering a holistic view of an organization’s information security.
SIEM tools provide:
- Real-time visibility across an organization’s information security systems.
- Event log management that consolidates data from numerous sources.
- Correlation of events gathered from different logs or security sources, using if-then rules that turn raw records into meaningful findings.
- Automatic security event notifications. Most SIEM systems provide dashboards for security issues and other methods of direct notification.
SIEM works by combining two technologies: a) Security information management (SIM), which collects data from log files for analysis and reports on security threats and events, and b) security event management (SEM), which conducts real-time system monitoring, notifies network admins about important issues and establishes correlations between security events.
The security information and event management process can be broken down as follows:
- Data collection – All sources of security-relevant events (servers, operating systems, firewalls, antivirus software, intrusion prevention systems and so on) are configured to feed event data into the SIEM. Most modern SIEM tools use agents that collect logs on enterprise systems, then process and filter them before forwarding them to the SIEM. Some SIEMs also support agentless collection; for example, Splunk can collect Windows event data remotely over WMI.
- Policies – A profile is created by the SIEM administrator, which defines the behavior of enterprise systems, both under normal conditions and during pre-defined security incidents. SIEMs provide default rules, alerts, reports, and dashboards that can be tuned and customized to fit specific security needs.
- Data consolidation and correlation – SIEM solutions consolidate, parse and analyze log files. Parsed events are categorized, and correlation rules then combine individual events into meaningful security issues.
- Notifications – If an event or set of events triggers a SIEM rule, the system notifies security personnel.
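The four steps above, collection, policy, correlation and notification, as one runnable pipeline. This is an added illustration, not code from any SIEM product: the log lines are constructed for the example, and the rule thresholds (four failures inside a 60-second window) are assumptions a real deployment would tune. It shows the part the list only names: two different log formats normalized into one schema, a threshold rule, a sequence rule (failure burst followed by success), and a cross-source rule that joins the firewall log to the auth log on source IP.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines from two sources (an SSH daemon and a firewall),
# in the shape a SIEM collector would receive them. Not real data.
SAMPLE_LINES = [
    "2024-01-10T09:00:01 web1 sshd: Failed password for admin from 203.0.113.5",
    "2024-01-10T09:00:04 web1 sshd: Failed password for admin from 203.0.113.5",
    "2024-01-10T09:00:09 web1 sshd: Failed password for root from 203.0.113.5",
    "2024-01-10T09:00:15 web1 sshd: Failed password for admin from 203.0.113.5",
    "2024-01-10T09:00:22 web1 sshd: Accepted password for admin from 203.0.113.5",
    "2024-01-10T09:00:30 fw1 DENY tcp 203.0.113.5:51300 -> 10.0.0.5:445",
    "2024-01-10T09:01:10 web1 sshd: Failed password for alice from 198.51.100.7",
    "2024-01-10T09:01:40 web1 sshd: Accepted password for alice from 198.51.100.7",
    "2024-01-10T09:02:00 fw1 ALLOW tcp 198.51.100.7:40000 -> 10.0.0.8:443",
    "2024-01-10T09:02:05 web1 kernel: unrelated message the parsers do not know",
]

# --- Data collection / parsing: each source format gets its own parser that
# emits a common event schema (timestamp, host, category, src_ip, ...).
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>[\d.]+)$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def normalize(line):
    """Parse one raw line into the common schema; None if no parser matches."""
    m = AUTH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "category": "auth_fail" if m["outcome"] == "Failed" else "auth_ok",
                "user": m["user"], "src_ip": m["src"]}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "category": "fw_deny" if m["action"] == "DENY" else "fw_allow",
                "src_ip": m["src"], "dst_ip": m["dst"], "dport": int(m["dport"]),
                "proto": m["proto"]}
    return None

# --- Policy: thresholds for the correlation rules (assumed values, tune per site).
FAIL_THRESHOLD = 4               # failures from one source IP ...
WINDOW = timedelta(seconds=60)   # ... within this sliding window

def correlate(events):
    """Apply if-then rules across the normalized event stream and return alerts."""
    alerts = []
    recent_fails = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged_ips = set()                 # sources that already tripped rule A
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip = e["src_ip"]
        fails = recent_fails[ip]
        while fails and e["ts"] - fails[0] > WINDOW:   # expire old failures
            fails.popleft()
        if e["category"] == "auth_fail":
            fails.append(e["ts"])
            # Rule A (threshold): N failures from one IP inside the window.
            # Fires once per burst (exactly at the threshold), not on every failure.
            if len(fails) == FAIL_THRESHOLD:
                flagged_ips.add(ip)
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium",
                               "src_ip": ip, "ts": e["ts"], "host": e["host"]})
        elif e["category"] == "auth_ok" and len(fails) >= FAIL_THRESHOLD:
            # Rule B (sequence): a burst alone is noise; a burst followed by a
            # success from the same IP is a likely compromised account.
            alerts.append({"rule": "bruteforce_then_success", "severity": "high",
                           "src_ip": ip, "ts": e["ts"], "user": e["user"]})
        elif e["category"] == "fw_deny" and ip in flagged_ips:
            # Rule C (cross-source): firewall and auth logs joined on src_ip;
            # denied traffic from an IP that already brute-forced SSH.
            alerts.append({"rule": "denied_traffic_from_attacker", "severity": "high",
                           "src_ip": ip, "ts": e["ts"],
                           "dst": f"{e['dst_ip']}:{e['dport']}"})
    return alerts

def run_siem(lines):
    """Collect -> normalize -> correlate; returns (alerts, unparsed_count)."""
    events, unparsed = [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1   # track this: a rising unparsed rate is a blind spot
        else:
            events.append(ev)
    return correlate(events), unparsed

def notify(alert):
    """Notification step: stand-in for an e-mail, ticket or dashboard entry."""
    print(f"[{alert['severity'].upper()}] {alert['ts'].isoformat()} "
          f"{alert['rule']} src={alert['src_ip']}")

if __name__ == "__main__":
    found, skipped = run_siem(SAMPLE_LINES)
    for a in found:
        notify(a)
    print(f"{len(found)} alerts, {skipped} unparsed lines")
```

On the sample data the pipeline raises three alerts, all for 203.0.113.5, and none for alice, whose single failure followed by a success stays below the threshold. The unparsed count matters in practice: a parser that silently drops lines it does not recognize leaves the correlation rules blind to exactly the sources that changed format.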
SIEM and PCI DSS compliance
SIEM tools can help an organization become PCI DSS compliant. PCI DSS (the Payment Card Industry Data Security Standard) sets requirements for protecting customers' credit card and payment data from theft or misuse.
A SIEM can help satisfy the following PCI DSS requirements:
- Unauthorized network connection detection – PCI DSS compliant organizations need a system that detects all unauthorized network connections to/from an organization’s IT assets. A SIEM solution can be used as such a system.
- Searching for insecure protocols – A SIEM can show which services, protocols and ports are actually in use, which supports the requirement to document and justify each permitted one and to document the security features implemented wherever an insecure protocol is still in use.
- Inspecting traffic flows across the DMZ – PCI DSS compliant organizations need to implement a DMZ that mediates connections between untrusted networks (e.g., the internet) and a web server. Additionally, inbound internet traffic to IP addresses within the DMZ needs to be limited, while outgoing traffic that carries cardholder data must be evaluated.
SIEM solutions support these requirements by inspecting traffic that flows across the DMZ to and from internal systems, and by reporting on security issues.
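A concrete version of the three checks above (unauthorized connections, insecure protocols without a documented control, and DMZ/outbound flow review), written as an added example rather than taken from any SIEM or from PCI DSS itself. The flow records, the zone address ranges (RFC 5737 and private ranges) and the permitted-services table are all constructed for the illustration; in a real environment the table is the organization's own documented list of justified services, and the flow records come from the firewall's log of what it allowed.

```python
import csv
import io
import ipaddress

# Constructed network zones for the example (RFC 5737 test ranges stand in for
# the public side; 10.10.0.0/16 stands in for the cardholder data environment).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "cde": ipaddress.ip_network("10.10.0.0/16"),
}

def zone_of(ip):
    """Map an address to 'dmz', 'cde' or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

# Assumed documented list of permitted services per destination zone, each with
# its business justification. 'control' records the security feature implemented
# where the protocol is insecure on its own; 'from' restricts the source zone.
PERMITTED = {
    ("dmz", "tcp", 443): {"why": "public checkout site"},
    ("dmz", "tcp", 80): {"why": "HTTP entry point",
                         "control": "301 redirect to HTTPS, no content served"},
    ("cde", "tcp", 5432): {"why": "payment database", "from": "dmz"},
}
# Protocols treated as insecure unless a compensating control is documented.
INSECURE = {("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("tcp", 80): "HTTP"}

# Constructed allowed-flow records as the firewall might export them.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport
2024-01-10T10:00:00,198.51.100.20,192.0.2.10,tcp,443
2024-01-10T10:00:05,198.51.100.20,192.0.2.10,tcp,80
2024-01-10T10:00:10,198.51.100.21,192.0.2.10,tcp,22
2024-01-10T10:00:15,198.51.100.22,10.10.1.5,tcp,5432
2024-01-10T10:00:20,192.0.2.10,10.10.1.5,tcp,5432
2024-01-10T10:00:25,10.10.1.7,198.51.100.50,tcp,23
2024-01-10T10:00:30,10.10.1.5,10.10.1.9,tcp,21
"""

def audit_flow(row):
    """Return the list of rule names a single flow record violates."""
    findings = []
    src_zone, dst_zone = zone_of(row["src"]), zone_of(row["dst"])
    proto, port = row["proto"], int(row["dport"])
    permit = PERMITTED.get((dst_zone, proto, port))
    # 1. The internet must never reach the CDE directly; the DMZ mediates.
    if src_zone == "external" and dst_zone == "cde":
        findings.append("internet_to_cde")
    # 2. Anything reaching a monitored zone must be a documented service ...
    elif dst_zone != "external" and permit is None:
        findings.append("unauthorized_service")
    # ... from the source zone the documentation names.
    elif permit and permit.get("from") and permit["from"] != src_zone:
        findings.append("permitted_service_wrong_source")
    # 3. Insecure protocols need a documented compensating control.
    if (proto, port) in INSECURE and not (permit and "control" in permit):
        findings.append("insecure_protocol_undocumented")
    # 4. Outbound traffic from the CDE is always reported for evaluation.
    if src_zone == "cde" and dst_zone == "external":
        findings.append("outbound_from_cde")
    return findings

def audit_flows(csv_text):
    """Run audit_flow over a CSV export; one report entry per finding."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for rule in audit_flow(row):
            report.append({"ts": row["ts"], "rule": rule, "src": row["src"],
                           "dst": f"{row['dst']}:{row['dport']}/{row['proto']}"})
    return report

if __name__ == "__main__":
    for entry in audit_flows(SAMPLE_FLOWS):
        print(f"{entry['ts']} {entry['rule']:32} {entry['src']} -> {entry['dst']}")
```

The second sample row shows the point of the 'control' field: HTTP on port 80 is an insecure protocol, but because the permitted-services entry documents that it only redirects to HTTPS, the audit does not flag it, whereas the Telnet and FTP flows from inside the CDE are flagged because nothing documents them. The last two rows also show why outbound flows from the CDE get their own finding regardless of port: the requirement is that they be evaluated, not that they be blocked.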