What is SIEM? How Does it Work?

what is siem

SIEM is now a $2 Billion industry, but only 21.9% of those companies are getting value from their SIEM, according to a recent survey.

SIEM tools are an important part of the data security ecosystem: they aggregate data from multiple systems and analyze that data to catch abnormal behavior or potential cyberattacks. SIEM tools provide a central place to collect events and alerts – but can be expensive and resource intensive.

What is a SIEM?

Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your IT infrastructure.

SIEM collects security data from network devices, servers, domain controllers, and more. SIEM stores, normalizes, aggregates, and applies analytics to that data to discover trends, detect threats, and enable organizations to investigate alerts.

how does siem work step-by-step

How Does SIEM Work?

SIEM provides two primary capabilities to an Incident Response team:

  • Reporting and forensics about security incidents
  • Alerts based on analytics that match a certain rule set, indicating a security issue

At its core, SIEM is a data aggregator, search, and reporting system. SIEM gathers immense amounts of data from your entire networked environment, consolidates and makes that data human accessible. With the data at your fingertips, you can research data security breaches with as much detail as needed.

Top SIEM Tools

Gartner judges SIEM tools on 3 capabilities: basic security monitoring, advanced threat detection, and forensics & incident response. Vendors address these 3 capabilities differently: Splunk, for example, covers the core security monitoring out of the box, while advanced threat detection is an additional module. Splunk is 100% on-prem, whereas IBM Qradar has a co-managed offering available to outsource some of the resources required to manage a full blown SIEM. Other popular SIEM tools include LogRhythm and Micro Focus ArcSight.

SIEM in the Enterprise

Some customers have found that they need to maintain two separate SIEM solutions to get the most value for each purpose: one for data security and one for compliance – since the SIEM can be incredibly noisy and resource intensive.

Beyond SIEM’s primary use case of logging and log management, enterprises use their SIEM data in several ways. One use case is to help demonstrate compliance for regulations like HIPAA, PCI, SOX, and GDPR.

SIEM tools also aggregate data you can use for capacity management projects. You can track bandwidth and data growth over time to plan for growth and budgeting purposes. In the capacity-planning world, data is key and understanding your current usage and trends over time allows you to manage growth and avoid large capital expenditures as a reactionary measure.

Limitations of SIEM Applications as a Full Data Security Ecosystem

SIEM applications provide limited contextual information about their native events, and SIEMs are known for their blind spot on unstructured data and emails. For example, you might see a rise in network activity from an IP address, but not the user that created that traffic or which files were accessed.

In this case, context can be everything.

What looks like a significant transfer of data could be completely benign and warranted behavior, or it could be a theft of petabytes of sensitive and critical data. A lack of context in security alerts leads to a ‘boy that cried wolf’ paradigm: eventually, your security will be desensitized to the alarm bells going off every time an event is triggered.

SIEM applications are unable to classify data as sensitive or non-sensitive and therefore are unable to distinguish between sanctioned file activity from suspicious activity that can be damaging to customer data, intellectual property, or company security.

Ultimately, SIEM applications are only as capable as the data they receive. Without additional context on that data, IT is often left chasing down false alarms or otherwise insignificant issues. Context is key in the data security world to know which battles to fight.

The biggest issue we hear from customers when they use SIEM is that it’s extremely difficult to diagnose and research security events. The volume of low-level data and the high number of alerts cause a ‘needle in a haystack’ effect: users get an alert but often lack the clarity and context to act on that alert immediately.

How Varonis Complements SIEM

The context that Varonis brings to SIEM can be the difference between a snipe hunt or preventing a major data security breach.

And that’s where Varonis comes in. Varonis provides additional context to the data that a SIEM collects: making it easier to get more value out of a SIEM by building in-depth context, insight, and threat intelligence into security investigations and defenses.

varonis edge monitoring collects with icons

Varonis captures file event data from various data stores – on-premise and in the cloud – to give the who, what, when, and where of each file accessed on the network. With Varonis Edge monitoring, Varonis will also collect DNS, VPN, and web proxy activity. You’ll be able to correlate the network activity with the data store activity in order to paint a complete picture of an attack from infiltration through file access to exfiltration.

Varonis classifies unstructured files based on hundreds of possible pattern matches, including PII, government ID numbers, credit card numbers, addresses, and more. That classification can be extended to search for company-specific intellectual property, discover vulnerable, sensitive information, and help meet compliance for regulated data – and Varonis reads files in place without any impact to end users.

Varonis also performs user behavior analytics to provide meaningful alerts based upon learned behavior patterns of users, along with advanced data analysis against threat models that inspect patterns for insider threats (exfiltration, lateral movement, account elevation) and outsider threats (ransomware).

How Varonis Works with SIEM

Varonis integrates with SIEM applications to give security analytics with deep data context so that organizations can be confident in their data security strategy.

Integration highlights:

  • Out of the box analytics
  • Integrated Varonis dashboards and alerts for streamlined investigation
  • Alert specific investigation pages
  • Critical information highlighted at a glance, with actionable insights and context
  • Integration into your SIEM workflow

Investigating an Attack with Varonis and SIEM

This contextual data that Varonis brings gives security teams meaningful analysis and alerts about the infrastructure, without the additional overhead or signal noise to the SIEM. SOC teams can investigate more quickly by leveraging SIEM with Varonis, and get insight into the most critical assets they need to protect: unstructured data and email.

Investigating a ransomware incident using Varonis DatAlert, for instance, is much faster than looking through the SIEM logs to piece together what happened.

With the added visibility provided by DatAlert, you get an at-a-glance overview on what’s happening on your core data stores – both on-premise and in the cloud. You can easily investigate users, threats, and devices – and even automate responses.

Varonis alerts dashboard

Here, it looks like Hijacked Helen has 21 alerts – something suspicious is going on. You can easily click through to Helen’s alerts to find out what it might be: including a potential malware attack.

varonis alerts dashboard

You can dive into those individual alerts to understand and investigate the situation. In the alert details, it looks like the alerted events have originated from outside our company.

varonis risk assessment insights

Scrolling down the Alert page, you can see that there is one computer involved, and 24 sensitive files have been accessed. Additionally, 10% of all events for this computer occurred outside of Helen’s normal work hours. It sure does look like Helen’s PC is being used by some outsider to access files in the network.

On that same alert page, you can see that the files accessed from Helen’s PC are owned by Payroll Pete – it looks like a hacker is trying to access payroll data.

That’s just the beginning of investigating suspicious behavior and activity with Varonis and your SIEM. DatAlert can kick off a script to disable the user account and shut down the attack as soon as it is first detected – in which case, that hacker might not have been able to get to the payroll files at all!

With the context you have at your disposal, you can quickly and easily respond to – and manage – the alerts that you receive in your SIEM. Security analysts spend countless hours to get meaningful alerts from SIEM: fine-tuning use cases, building rules, and adding in data sources – Varonis gives a head start with 120 out-of-the-box analytics models, intuitive dashboards, and intelligent alerting.

OK, I’m Ready to Get Started!

If you’re already using a SIEM, it’s simple to add Varonis and get more out of your SIEM investment. If you’re looking to start your data security plan, start with Varonis and then add your SIEM.

Once you have Varonis in place, you can then add your SIEM for data aggregation and additional monitoring and alerting. Varonis gives you more initial data security coverage, and adding a SIEM will make Varonis and your SIEM better able to correlate and store data for analysis and auditing.

Want to see more? Click here for a personalized demo to see how Varonis and SIEM work together.

Get the latest security news in your inbox.