See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/349807309

Security Information and Event Management (SIEM)

Chapter · March 2021

DOI: 10.1007/978-3-642-27739-9_1681-1

CITATIONS READS

4 5,377

1 author:

Manfred Vielberth
Universität Regensburg
21 PUBLICATIONS 207 CITATIONS

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

DINGfest View project

All content following this page was uploaded by Manfred Vielberth on 05 March 2021.

The user has requested enhancement of the downloaded file.

S
Security Information and Event
Management (SIEM)
Manfred Vielberth
Chair of Information Systems, University of
Regensburg, Regensburg, Germany
Synonyms
Security Analytics; SIEM system
Definition
Security Information and Event Management
is responsible for collecting security-relevant
data in a centralized manner to detect threats or
incidents. Thereby, it provided security analytics
capabilities in real time or historically on past
events by correlating multiple log events. Further
functionalities are enrichment with context data,
normalization of heterogeneous data sources,
reporting, alerting, and automatic incident
response capabilities. To enable the exchange
of threat information, it provides a connection
to cyber threat intelligence exchange platforms,
and human security analysts are involved by
offering visual security analytics capabilities.
Additionally, SIEM provides log management
capabilities by long-term storage of event data.
© Springer Science+Business Media LLC 2021
S. Jajodia et al. (eds.), Encyclopedia of Cryptography, Security and Privacy,
https://doi.org/10.1007/978-3-642-27739-9_1681-1
Background
To protect organizations against security threats,
a large inventory of security software is in
operation, which usually has been grown
historically. Furthermore, trends such as Industry
4.0 and the Internet of Things transform today’s
IT-landscapes into a complex and mazy structure
with a growing number of attack points. This
makes it hard to get a holistic picture of corporate
IT security. Additionally, complex attacks such
as advanced persistent threats (APT) are hard
to detect with isolated security software due to
their distributed nature with multiple points of
attack. For increasing the overall information
security awareness, SIEM systems provide a
centralized view on corporate IT security. SIEM
was first mentioned in a report of Gartner Inc.
(Williams and Nicolett 2005) and is composed of
the two terms Security Information Management
(SIM) and Security Event Management (SEM).
While SIM deals with collecting historic
security-relevant data and generating reports
for compliance purposes, SEM provides real-
time analyses of security incidents and incident
response capabilities. Thereby, SIEM combines
the capabilities of both, SIM and SEM in one
single centralized system. However, SIEM is not
an isolated piece of software but is usually closely
connected to the Security Operations Center. The
Security Operations Center is an organizational
unit that aims to enhance an organization’s
2 Security Information and Event Management (SIEM)
overall security posture by joining processes,
technologies, and people.
Theory and Applications
According to previous research (Vielberth and
Pernul 2018), SIEM provides the following capa-
bilities.
Collection: Various techniques for data collec-
tion exist. It can either be pulled from the
data source or pushed by the data-generating
system (Muniz et al. 2015). Furthermore, one
can distinguish between a centralized (Wang
and Zhu 2017) and a distributed collection
topology (Gad et al. 2015).
Normalization: Normalization facilitates or
enables the subsequent processing of the
data. Thereby, the heterogeneous raw data is
translated into a uniform format. Additionally,
time synchronization is of great importance
here (Muniz et al. 2015).
Enrichment: Context data plays a vital role in
the detection of attacks. Therefore, the previ-
ously collected log data is enriched with con-
text data from various sources. An enrichment
with Cyber Threat Intelligence is possible as
well.
Correlation and Analysis: According to Brače-
vac et al. (2018), correlation aims to deduce
the state of the environment (in the context
of SIEM about the state of the organizations’
security) with the help of observed events
from multiple sources. Thereby, attacks or in
general incidents can be detected either auto-
matically or by human experts.
Alerting and Response: In the event of a
detected incident, all relevant stakeholders
must be informed. Furthermore, appropriate
measures must be taken either automatically
or manually to protect the organization from
further damage.
Reporting and Threat Exchange: The purpose
of reporting is twofold. First, reporting secu-
rity incidents can be motivated by compliance
obligations. For example, the EU (European
Parliament 2016) and the USA (Congress of
the United States of America 2014) have laws
that require the reporting of occurred secu-
rity incidents in specific cases. Second, most
SIEMs on the market can be connected to
Threat Exchange platforms, where incidents
can be reported and shared with other organi-
zations for mutual benefits.
Additional supporting functions include log
data storage (historical data and data for real-time
analysis) and monitoring.
Open Problems and Future Directions
In the future, SIEM will provide additional
automatic reaction capabilities. Trends such as
Security Orchestration Automation and Response
(SOAR) will have a significant impact on
SIEM systems. Therefore, capabilities have
to be implemented, which enable the reaction
to security incidents or threats in real time
without the need for human interaction. This
poses a major challenge, as overly restrictive
reactions can have far-reaching consequences for
companies’ day-to-day business. In this regard,
the integration of cyber threat intelligence from
exchange platforms or other external sources is
essential. In this way, the exact course of attacks
can be known at the time of its occurrence or
even before.
Although most SIEM vendors promise exten-
sive machine learning and artificial intelligence
capabilities, the detection of attacks is still mainly
based on a static rule or pattern detection. How-
ever, the application of AI within SIEM provides
very promising approaches and might mitigate
the future need for security personnel.
This leads to another problem that must be
solved in the future: The excessive demand
for security experts since SIEM systems will
never reach a maturity level needed for replacing
experts (Bhatt et al. 2014). As mentioned, this
could be mitigated by the use of AI. Another
approach could be to improve the integration
of people, making their work more efficient
and reducing the amount of security domain
knowledge needed.
Security Information and Event Management (SIEM)
Cross-References
 Cyber Threat Intelligence
 Security Operations Center
References
Bračevac O, Amin N, Salvaneschi G, Erdweg S, Eugster P,
Mezini M (2018) Versatile event correlation with alge-
braic effects. Proc ACM Program Lang 2(ICFP):1–31
Bhatt S, Manadhata P, Zomlot L (2014) The operational
role of security information and event management
systems. IEEE Secur Priv 12(5):35–41
Congress of the United States of America (2014) National
Cybersecurity and Critical Infrastructure Protection
Act of 2014
European Parliament (2016) Directive (EU) 2016/1148 of
the European Parliament and of the Council
View publication stats
3
Gad R, Kappes M, Medina-Bulo I (2015) Monitoring
traffic in computer networks with dynamic distributed
remote packet capturing. In: 2015 IEEE international
conference on communications (ICC). IEEE, London,
pp 5759–5764
Muniz J, McIntyre G, AlFardan N (2015) Security opera-
tions center. Building, operating, and maintaining your
SOC. Cisco Press, Indianapolis
Vielberth M, Pernul G (2018) A security information and
event management pattern. In: 12th Latin American
Conference on Pattern Languages of Programs (Sug-
arLoafPLoP 2018), The Hillside Group, pp 1–12
Wang Z, Zhu Y (2017) A centralized HIDS framework for
private cloud. In: 2017 18th IEEE/ACIS international
conference on software engineering, artificial intelli-
gence, networking and parallel/distributed computing
(SNPD). IEEE, Kanazawa, pp 115–120
Williams A, Nicolett M (2005) Improve IT security with
vulnerability management. Gartner – technical report
(ID: G00127481)