Why SIEM?
Forty-four percent of respondents say real-time threat detection is a top reason they use SIEM, turning to it to identify potential attacks and policy violations as they happen. Faster detection lets security teams respond sooner, which helps stop attacks at the outset and, when an attack does succeed, limits the damage and speeds recovery.
A quarter of respondents say "meeting compliance requirements" is the top reason they use SIEM. The Payment Card Industry Data Security Standard, which sets security requirements for handling credit card data, requires companies to review logs daily, including logs from security products such as intrusion-detection systems. SIEM products with strong log management and review capabilities can help companies meet this requirement. Many SIEM products also provide out-of-the-box compliance reporting for regulations and mandates such as HIPAA.
SIEM products must integrate with other security devices, reporting systems, and enterprise management products. Open APIs and SDKs facilitate interoperability. When asked about the tools they integrate with SIEM products, respondents' top responses were network/application configuration management, help/service desk, and performance management.
It's not surprising that configuration management is at the top, given the need for visibility into patch, policy, and compliance information, particularly with regard to vulnerability analysis. Help desk and service desk integration is also sensible, because events and investigations that SIEM products trigger are likely to be logged as tickets within these systems.
Data Deluge
Events and log data from a variety of sources feed SIEM products. Firewalls, application servers, and database servers are the top three sources of event data, respondents say. We were surprised to see intrusion-detection and intrusion-prevention systems listed sixth, as these products provide a stream of alarms, notifications, and other data. In fact, SIEM emerged partly as a response to the difficulties that IT and security teams were having in extracting actionable data from reams of IDS and IPS events. One explanation may be that respondents selected "firewalls" as a stand-in for security devices such as unified threat management systems that combine multiple capabilities, including intrusion detection, into a single appliance.
Log management is also now part of many SIEM products. It's not intended for real-time analysis. Instead, it provides a method for forensic analysis of incidents by normalizing different data sources into a common form. Log management also provides a central repository for logs to be stored and archived. While SIEM products may offer some log management capabilities, there is also a variety of products dedicated specifically to log management. In our survey, log management fell somewhere in the middle of the pack in regard to important features. This may indicate that many companies handle log management separately from a SIEM product.
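To make the normalization and real-time detection described above concrete, here is an added example that is not from the article or any SIEM vendor: it maps constructed firewall, application server, and database server lines (the three top sources named in the survey; the line formats are invented for illustration, not any product's real syntax) onto one common schema, then runs a simple cross-source correlation rule over the normalized events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines for the three top sources named in the survey
# (firewall, application server, database server); formats are illustrative.
SAMPLE_LOGS = [
    "fw 2024-03-01T10:00:01Z DROP src=203.0.113.7 dst=10.0.0.5 dport=22",
    "app 2024-03-01T10:00:03Z login FAILED user=alice src=203.0.113.7",
    "app 2024-03-01T10:00:09Z login FAILED user=alice src=203.0.113.7",
    "db 2024-03-01T10:00:12Z AUTH_FAIL user=alice client=203.0.113.7",
    "app 2024-03-01T10:00:40Z login OK user=bob src=198.51.100.2",
]
# One pattern per source; named groups map each format onto a common schema.
PARSERS = {
    "firewall": re.compile(r"fw (?P<ts>\S+) (?P<res>\w+) src=(?P<src_ip>\S+)"),
    "app":      re.compile(r"app (?P<ts>\S+) login (?P<res>\w+) user=(?P<user>\S+) src=(?P<src_ip>\S+)"),
    "db":       re.compile(r"db (?P<ts>\S+) (?P<res>\w+) user=(?P<user>\S+) client=(?P<src_ip>\S+)"),
}
FAILURE_TOKENS = {"DROP", "FAILED", "AUTH_FAIL"}

def normalize(line):
    """Return a common-schema event dict, or None if no parser matches (archive it anyway)."""
    for source, pattern in PARSERS.items():
        m = pattern.match(line)
        if m:
            f = m.groupdict()
            return {"ts": datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                    "source": source, "user": f.get("user"), "src_ip": f["src_ip"],
                    "outcome": "fail" if f["res"] in FAILURE_TOKENS else "success"}
    return None

def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Flag a source IP that produces `threshold` failures across any sources inside `window`."""
    alerts, recent = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "fail":
            continue
        bucket = recent[ev["src_ip"]]
        bucket.append(ev)
        bucket[:] = [e for e in bucket if ev["ts"] - e["ts"] <= window]  # slide the window
        if len(bucket) >= threshold:
            alerts.append({"src_ip": ev["src_ip"], "count": len(bucket),
                           "sources": sorted({e["source"] for e in bucket})})
            bucket.clear()  # avoid re-alerting on the same failures
    return alerts

def run(lines=SAMPLE_LOGS):
    events = [e for e in map(normalize, lines) if e is not None]
    return events, correlate(events)
```

The firewall drop alone, or the two application failures alone, would not trip the rule; only the normalized view across sources reaches the threshold, which is the value the correlation layer adds over per-device logs.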
Event and log data that SIEM gathers and searches is likely being stored in a database. Some products use mainstream relational databases, while others have created customized versions of commercial databases. Proprietary databases are another option, often optimized for speed, but possibly with a database schema that isn't open or published. Additionally, vendors may choose nondatabase methods (such as Splunk) that are optimized to speed analysis and correlation. With many customers keeping security data for years, SIEM installations and integrations can even cross over into data warehousing. IT and security pros evaluating these products should examine the underlying database technologies being used to ensure that they're the right fit.