
SIEM

A system for centrally collecting, correlating and analysing security logs from multiple sources to detect threats and support incident response.

What is SIEM?

SIEM (Security Information and Event Management) is a technology platform that combines two functions: security information management (SIM) and security event management (SEM). A SIEM system collects logs and events from multiple sources across the organisation - firewalls, servers, operating systems, applications, domain controllers - and correlates them to detect patterns indicative of a threat.

The strength of SIEM lies in correlation. A single event - a failed login, a connection to an unusual IP address, the launch of an unknown process - may not raise suspicion on its own. But a combination of such events within a short timeframe, linked to a single user account, may indicate account compromise and lateral movement by an attacker.
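As an added illustration (not taken from the page or from any vendor product), the following Python sketch shows the kind of correlation rule the paragraph describes: events from several sources are grouped per user account and an alert is raised only when several distinct event categories occur within a short sliding window. The log events, window size and threshold are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user account, category, detail.
# Individually each line is unremarkable; only their combination for one user is suspicious.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", "alice", "auth_failure", "ssh"),
    ("2024-05-01T10:00:09", "alice", "auth_failure", "ssh"),
    ("2024-05-01T10:00:40", "alice", "auth_success", "ssh"),
    ("2024-05-01T10:02:10", "alice", "unusual_ip_connection", "203.0.113.7"),
    ("2024-05-01T10:04:30", "alice", "unknown_process", "svchost2.exe"),
    ("2024-05-01T11:30:00", "bob", "auth_failure", "vpn"),
    ("2024-05-01T15:10:00", "bob", "unknown_process", "notepad.exe"),
]

WINDOW = timedelta(minutes=10)       # "short timeframe" chosen for the example
MIN_DISTINCT_CATEGORIES = 3          # how many different signals must coincide


def correlate(events, window=WINDOW, min_categories=MIN_DISTINCT_CATEGORIES):
    """Return one alert per user whose events cover at least `min_categories`
    distinct categories inside a sliding time window of length `window`."""
    by_user = defaultdict(list)
    for ts, user, category, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), category, detail))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order so the window can slide forward
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            categories = {cat for _, cat, _ in in_window}
            if len(categories) >= min_categories:
                alerts.append({
                    "user": user,
                    "start": start,
                    "end": in_window[-1][0],
                    "categories": sorted(categories),
                })
                break  # first matching window is enough; avoid duplicate alerts
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['user']}: {alert['categories']} between {alert['start']} and {alert['end']}")
```

With the defaults only alice triggers an alert; bob's two events are hours apart and of only two kinds, so a rule that required either a shorter window or more distinct signals would stay silent on them.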

Modern SIEM platforms use machine learning for behavioural anomaly detection (UEBA) and automate part of the response process through integration with SOAR (Security Orchestration, Automation and Response) systems. Popular solutions include Microsoft Sentinel, Splunk, IBM QRadar and Elastic Security.

Why does it matter?

SIEM is the foundation of security operations in any medium to large organisation. Without a central system for collecting and correlating logs, security analysts cannot effectively detect threats in a complex IT environment.

SIEM also provides the evidence needed for incident analysis (forensics), for meeting regulatory requirements on log retention, and for reporting to supervisory authorities. In the context of NIS2 and DORA, the ability to quickly detect and document an incident is mandatory.
