What is SIEM? How does it work? What are the types?

SIEM (Security Information and Event Management) is a software tool that collects and analyzes activity from many different sources across the entire IT infrastructure.


A SIEM tool collects security data from the information systems it is connected to (servers, network devices, domain controllers and other infrastructure components), then stores, consolidates and analyzes that data to discover trends, detect emerging threats to the infrastructure and let the company investigate any resulting alerts. A well-structured SIEM gives the cybersecurity team an active view of potential threats.


Another important reason to run a SIEM agent in the company infrastructure is to facilitate legal compliance. Every institution is subject to the laws of the country in which it operates and must comply with them. In our country, institutions must comply with the Law on the Protection of Personal Data (KVKK): they are responsible for protecting individuals' information in accordance with this Law, keeping the data safe and ensuring it does not fall into the hands of third parties, and to do so they have to take certain measures. SIEM lets you implement the measures the Law requires as preventive scenarios: rules written in the SIEM express the articles of the KVKK, and the system infrastructure is brought into compliance with the Law. In this way the Law's purpose, the prevention of data loss, is served.


How does SIEM work?

SIEM provides two basic facilities to the incident response team. These are:


Reporting on security threats

Analytics-based alerts that indicate a security issue, produced once the collected events have been identified and given meaning

At its core, a SIEM is a data collection, search and reporting system. It collects and consolidates large amounts of data from the entire network environment, combines it into a meaningful whole with analytics, and makes that data accessible to people. With the data categorized and organized at your fingertips, you can investigate data security breaches in as much detail as necessary.


SIEM products have visual panels called dashboards that make it easier to monitor logs in real time. Analysts work more easily through panels built from log data, because reading and making sense of large volumes of time-ordered logs is difficult; the dashboards are the SIEM tool's answer to this difficulty. The purpose of the dashboard screens built on the SIEM tool is to become aware of a possible cyber attack early, or to make an abnormal situation easier to spot visually.
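As an added illustration of the collect, normalize, correlate and alert pipeline described above (example code written for this page, not taken from the article or from any SIEM product): two constructed log sources are mapped onto one common event schema, and a simple correlation rule raises an alert when a source produces repeated failed logins followed by a successful one. The log lines, the regular expressions, the assumed year and the threshold of three failures within 60 seconds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events from two different log sources (not real data).
SSH_LOG = [
    "Mar 10 09:00:01 host1 sshd[812]: Failed password for root from 203.0.113.7 port 5022 ssh2",
    "Mar 10 09:00:04 host1 sshd[812]: Failed password for root from 203.0.113.7 port 5023 ssh2",
    "Mar 10 09:00:07 host1 sshd[812]: Failed password for root from 203.0.113.7 port 5024 ssh2",
    "Mar 10 09:00:12 host1 sshd[812]: Accepted password for root from 203.0.113.7 port 5025 ssh2",
]
WEB_LOG = [
    '203.0.113.7 - - [10/Mar/2024:09:01:00 +0000] "POST /login HTTP/1.1" 401 12',
    '198.51.100.9 - - [10/Mar/2024:09:01:05 +0000] "GET / HTTP/1.1" 200 512',
]

SSH_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)")
WEB_RE = re.compile(r'^(?P<src>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def normalize(line):
    """Map one raw line onto a common schema: timestamp, source IP, user, outcome, origin."""
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")  # syslog has no year; 2024 assumed
        outcome = "success" if m["result"] == "Accepted" else "failure"
        return {"ts": ts, "src": m["src"], "user": m["user"], "outcome": outcome, "origin": "sshd"}
    m = WEB_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
        outcome = "failure" if m["path"] == "/login" and m["status"] == "401" else "info"
        return {"ts": ts, "src": m["src"], "user": None, "outcome": outcome, "origin": "web"}
    return None  # unparsed lines are dropped; a real SIEM would count them as parse errors

def correlate(events, threshold=3, window_s=60):
    """Rule: at least `threshold` failures from one source within `window_s`, then a success."""
    alerts, by_src = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # order events from all sources by time
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        failures = []
        for e in evs:
            if e["outcome"] == "failure":
                failures.append(e["ts"])
            elif e["outcome"] == "success":
                recent = [t for t in failures if (e["ts"] - t).total_seconds() <= window_s]
                if len(recent) >= threshold:
                    alerts.append({"src": src, "user": e["user"], "failures": len(recent), "at": e["ts"]})
    return alerts

def run():
    """Full pipeline over the constructed logs: collect, normalize, correlate, alert."""
    return correlate([ev for ev in map(normalize, SSH_LOG + WEB_LOG) if ev])
```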


What are the SIEM types?

Implementing SIEM as part of an organization's cybersecurity is possible in three ways:


In-house (on-premises)

Cloud-based

Supervised (managed)

On-premises SIEM: In this setup the company has full control over the SIEM solution. It purchases the necessary hardware and software and runs the SIEM in its own physical facilities. As a common practice, the SIEM becomes part of the organization's Security Operations Center (SOC). Organizations can customize an on-premises SIEM to their own security needs and perform updates at will.


There is no third-party involvement in this form of SIEM, and all security-related information remains within the company. The organization alone is responsible for integrating the in-house installation with existing systems, configuring log sources, customizing alerts and training employees. On-premises installations require high investment and maintenance costs; in addition, patches and updates must be budgeted for after the system goes into use.


Cloud-based SIEM: Cloud-based SIEM setups have gained significant popularity with the global adoption of cloud computing. Cloud-based SIEM solutions are used by purchasing a subscription, and the institution's responsibility for maintaining the hardware is minimal. Instead of the large initial investment of an in-house SIEM, a monthly or annual subscription is paid. It is thought that organizations cannot use the full potential of SIEM solutions in this model: with an in-house SIEM tool the entire system is tailored to the organization's infrastructure, whereas here, because cloud technology is used, the information resides in places the organization does not fully own or control. Even so, this model makes it easier to keep track of the whole process and can be more effective than using an in-house SIEM.
