What is SIEM? Improving security posture through event log data


Introduction to SIEM

Security information and event management (SIEM) software products have been an enduring part of enterprise software ever since the category was created back in 2005 by a couple of Gartner analysts. SIEM is an umbrella term for a way to manage the deluge of event log data, helping to monitor an enterprise’s security posture and provide early warning of compromised or misbehaving applications.

SIEM grew out of a culture of log management tools that have been around for decades, reworked to focus on security situations. Modern SIEM products combine on-premises and cloud log and access data, and use various API queries, to help investigate security events and drive automated mitigation and incident response. “Cloud and on-premises are complementary directions here, because the cloud provides for effective scaling as data needs increase, and having an on-premises offering is useful, particularly for those enterprises who want to save money by managing the operational aspects of their deployments,” Allie Mellen, an analyst with Forrester, tells CSO.

The focus of SIEM products is to distill this vast quantity of telemetry to provide actionable and hopefully timely security insights. As the number of alerts increases, these products need to weed out the more important events for SOC analysts to focus on. This means careful and meaningful use of automation, orchestration, and various security response techniques. This latter point is why you now find SIEM features being integrated into other security tools. “Given more interdependencies, IT buyers must be aware of how deploying a SIEM solution will impact their existing ecosystem of security products, the costs involved, and the analysts’ experience,” writes Gigaom’s Andrew Green in a 2024 report.
