← Back to Glossary

What is Security Information Event Management (SIEM)?

by Iwan Price-Evans on Security • April 29, 2022

Security Information Event Management (SIEM) is the term used to describe the processes of security threat detection, analysis, intelligence collection, and security incident management. SIEM can include a wide range of other threat sources or events.

SIEM combines security information management (SIM) and security event management (SEM). SIEM systems support a security team's work in threat detection, compliance, and incident management. 

While SIEM is primarily associated with identifying and managing cybersecurity events in technology systems, it is also applicable to real-world security. SIEM also applies to security information and events relating to physical sites or public infrastructure.

An SIEM system's capabilities are wide-ranging including: 

  • Log event collection and management
  • analysis of this and other data from multiple sources
  • incident management
  • alerting
  • reporting dashboards and many other functions.

How does SIEM work?

An SIEM system centralizes activity and event data from systems, applications, and devices providing visibility and automated mitigation of security events.

Activity is analyzed and categorized by the SIEM such as legitimate or malicious user actions like logins or identification of malware and its activity. In the case of a failed login, the SIEM is able to identify the difference between normal user forgotten password login attempts and a brute-force attack of automated login attempts designed for account takeover.

A comprehensive SIEM system will integrate with other systems, able to receive and analyze its logs and events, and importantly, is able to issue instructions to respond to those events.

The SIEM system will also consume disparate threat data feeds for analysis and response. Artificial Intelligence (AI) is often used by an SIEM system to assist in the analysis of vast amounts of activity data. Using these tools it's able to learn what is legitimate or malicious activity.

Organizations have internal and legal compliance requirements and a SIEM system can provide comprehensive reporting for compliance teams. Custom reporting dashboards can be created for different teams within the organization.

What are the benefits of SIEM?

SIEM systems enable organizations to monitor security events in real-time. This helps the organization to identify threats and vulnerabilities allowing them to protect their systems before an incident occurs.

Artificial intelligence can highlight unusual user or system behavior referred to as User and Entity Behaviour Analytics (UEBA). This enables the automation of complex monitoring tasks. The SIEM system can also respond to this behavior using security orchestration, automation, and response (SOAR).

An important function of an SIEM system is the capability to forensically analyze security events. If a security event occurs such as a data breach, the SIEM system is able to analyze how it occurred and what was compromised. This is vital for a Security Operation Center's (SOC) incident response because of the legal requirements to report data breaches to individuals and data governance bodies.

SIEM systems have developed into highly efficient holistic information and security management tools able to monitor and respond to the ever-changing cybersecurity landscape.