Frequently Asked Questions

What is a SIEM?

To give you the simplest answer, SIEM or Security Information and Event Management is defined as a complex set of technologies brought together to provide a holistic view into a technical infrastructure. Depending on who you talk to, there are about five different popular opinions on what the letters stand for.
Looking at the 10 layered security stack by Michael Oberlaender, with the notion of managing all of it, is enough to make you lose your hair! However, it’s not a train – there is light at the end of the tunnel. That light has come to be known as the SIEM.
The SIEM gives you a holistic, unified view into not only your infrastructure but also workflow, compliance and log management. A SIEM can provide a multitude of capabilities and services efficiently.
At its core, a SIEM provides:

• Event and Log collection: This may come in many forms, especially with in-house applications.
• Layered Centric Views or Heterogeneous: This is usually in the form of dashboards or “views,” referred to as a bird’s-eye view.
• Normalization: a two-part function. This includes translating computerized jargon to readable data to be displayed, and mapping data to user- or vendor-defined classifications/characterizations. This is sometimes referred to as “field mapping.”
• Correlation: This essentially gives the data context and forms relationships based on rules, architecture, and alerts. This should be either historical or real-time.
• Adaptability (Scalable): This dumbs down to being able to speak the language regardless of source vendor, format, type, change or compliance requirement.
• Reporting and Alerting: This may be used to not only show value to executives but also provide automated verification of continuous monitoring, trends, and auditing. Some would argue that the auditing aspect is an essential function but the SIEM alone does nothing – like a retired general with no troops or a SQL instance with no tables or data.
• Log Management: Allowing the capability for storing event and logs into a central location, while also allowing the application of compliance storage or retention requirements. (Again, many would argue this is a separate function, and I would disagree.)

KEY TAKEAWAYS FOR A SIEM

• A “SIEM” is defined as a group of complex technologies that together provide a bird’s-eye view into an infrastructure.
• It provides centralized security event management.
• It provides correlation and normalization for context and alerting.
• It provides reporting on all ingested data.
• It can take in data from virtually any vendor or in-house applications.