SIEM benefits and features in the modern SOC

Security information and event management technologies have been in use for more than 20 years. SIEM's original purpose was fairly straightforward: moving event log files from disparate servers and other devices to a centralized server for review and analysis.

The SIEM crunched the log data and generated reports on system performance and behavioral benchmarks. Security operations center (SOC) analysts reviewed the reports and ran queries on the SIEM as they investigated suspicious activity.

Since those early years, SIEM functionality has greatly expanded to support the increasing needs and demands of SOCs. Today, SIEMs consolidate and standardize security data from many computing devices, virtual environments, applications, services and other sources. In many organizations, SIEMs also integrate with and complement other tools, such as security orchestration, automation and response (SOAR); extended detection and response (XDR); managed detection and response (MDR) and AI-driven hyperautomation platforms.

While technologies such as SOAR, XDR, MDR, machine learning (ML) and AI provide advanced orchestration, analysis and automated response, organizations still need SIEMs to aggregate and correlate information to feed those advanced tools. Think of the SIEM as a way to unify all of the disparate security data points in an enterprise, allowing a company to achieve a holistic, real-time view of its security environment. Below, let's explore key features and benefits of the modern SIEM.

Key SIEM features

Legacy SIEMs collected and correlated data for analysis by human analysts from relatively simple on-premises environments. In modern enterprises, however, with their complex hybrid environments, distributed networks and abundance of security tools and services, legacy SIEMs create an unmanageable deluge of data and security alerts that human teams can't keep up with on their own.

Modern SIEMs offer key features that help SOC teams more effectively manage security alerts and separate false positives from true threats. They include the following.

• Log management and reporting. A SIEM securely receives and stores copies of device log data from all available sources in a central location. This gives the SOC a single place to review and analyze log data, generate reports and archive that information for long-term reference and evidentiary purposes.
• Event data aggregation and correlation. A cornerstone SIEM feature is the ability to combine and link data from many highly varied sources. Some modern SIEMs also analyze context, such as user and device behavior, IP addresses, geolocations and more. Aggregation and correlation allow SOC analysts to recognize suspicious activity and study a single trail of malicious activity as it moves through the enterprise.
• Threat detection analytics. To detect threats and suspicious events among log event data, SIEMs typically rely on a combination of techniques that includes both signature-based and anomaly-based analysis. A SIEM that connects to external threat intelligence feeds can consider the latest threats and attack trends to further improve detection speed and accuracy. Some modern SIEMs also use behavioral baselines and ML to analyze log data and detect threats.
• Incident detection and automation. A final critical function of modern SIEMs is to identify potential security incidents and determine appropriate responses. A SIEM with weak confidence about a relatively minor incident might trigger an alert that calls for a SOC analyst to review the data. On the other hand, a modern SIEM platform with strong confidence that a major incident is underway might initiate automated containment actions to try to stop the attack in progress.

Key SIEM benefits

Modern SIEMs can provide the following benefits in today's enterprise SOCs.

• Centralized security log management. Automated aggregation and normalization of all security event log data for monitoring, analysis, querying and reporting.
• Real-time visibility. Immediate visibility into and correlation of security events happening throughout the enterprise, across technology types, platforms, geolocations and users.
• More efficient threat detection and incident response. Faster and more accurate detection and characterization of significant cybersecurity threats and incidents. Faster detection enables more efficient containment and eradication of threats and incidents, thus reducing their impact and expediting the return to regular operations. Modern SIEMs that initiate automated containment actions can also directly reduce response times.
• Compliance management support. By offering a centralized repository of security event log data and reporting, a SIEM supports efficient and accurate compliance reporting.

Karen Scarfone is a general cybersecurity expert who helps organizations communicate their technical information through written content. She co-authored the Cybersecurity Framework (CSF) 2.0 and was formerly a senior computer scientist for NIST.