Journey of Security Incident & Event Management (SIEM)

Most organizations encounter information security challenges such as targeted external attacks and internal leaks, despite using a range of information security approaches and tools. IT is evolving rapidly in step with the threat landscape, but new approaches and tools bring new vulnerabilities, and attackers are becoming smarter and faster. Preserving the confidentiality, integrity and availability (CIA) triad is not enough to address these challenges, especially once an information security incident has occurred (i.e., the CIA triad has been violated fully or partially). The situation is complicated further because security professionals do not review logs in time and because no common format or standard is followed when reviewing them; some data sources also log far more extensively than others.
Nowadays organizations are adopting a cyber security framework of identify, protect, detect, respond and recover. Security Incident & Event Management (SIEM) supports SOC operations by identifying security incidents in real time, managing logs, and tracking suspicious user behaviour in both internal-to-external and external-to-internal traffic.

Going Beyond the SIEM

Security incidents have happened, are happening and will keep happening. How do we control them? By having strong protective and detective controls. If a SIEM is implemented, is your organization more secure? A SIEM is a technology solution focused on real-time or near-real-time monitoring, correlation and processing of security events; it combines two earlier technologies, security information management and security event management. The events are typically alerts generated by network devices such as switches, routers, firewalls, IDS and IPS, and the solution also supports historical analysis of log file information to support forensic investigation.
A SIEM system combines the capabilities of both technologies in a single solution. Extending the SIEM's scope to more devices and more user-misbehaviour use cases brings greater visibility into the enterprise log management system.

Data collection

Raw log data is received from different devices such as firewalls, routers, switches, proxy servers, intrusion detection and prevention systems, etc. While some of these devices may share similar logging and alert functions, there is significant variation in the format and information provided.

Extracting the required information from the raw logs is called parsing. The component or function that does this is called a parser.

Data Normalization

A SIEM classifies or categorizes events into related types and sub-types; this is called event normalization. For example, when the SIEM receives a Windows logon event and a Linux SSH login event, it normalizes both as an authentication type of event.
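The parsing step above and the Windows/Linux normalization example, worked through as an added Python example (not code from the article or from any SIEM product). The raw log lines, host names and addresses are constructed; the Windows logon event IDs 4624 (success) and 4625 (failure) are the standard Windows Security audit IDs, and the syslog year is an assumption because auth.log lines carry none.

```python
import re
from datetime import datetime

# Constructed sample raw lines (not from the article): one Windows Security logon
# event flattened to a single line, and two Linux sshd lines as found in auth.log.
RAW_LOGS = [
    "2024-03-01T09:15:02Z WIN-DC01 Security EventID=4625 TargetUserName=jdoe IpAddress=10.0.0.45",
    "Mar  1 09:15:05 web01 sshd[2231]: Failed password for jdoe from 10.0.0.45 port 51022 ssh2",
    "Mar  1 09:16:10 web01 sshd[2240]: Accepted publickey for deploy from 10.0.0.7 port 51100 ssh2",
]

# One parser per source: each understands only its own format (the 'Parser' role).
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) Security EventID=(?P<eid>\d+) "
                    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)")
SSH_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
                    r"(?P<res>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
WIN_LOGON_IDS = {"4624": "success", "4625": "failure"}  # Windows logon audit event IDs

def parse_windows(line):
    m = WIN_RE.match(line)
    if not m or m["eid"] not in WIN_LOGON_IDS:
        return None
    return {"timestamp": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "host": m["host"],
            "user": m["user"], "src_ip": m["src"], "outcome": WIN_LOGON_IDS[m["eid"]],
            "source": "windows-security"}

def parse_linux_ssh(line, year=2024):  # syslog lines carry no year, so one is assumed
    m = SSH_RE.match(line)
    if not m:
        return None
    return {"timestamp": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "host": m["host"], "user": m["user"], "src_ip": m["src"],
            "outcome": "success" if m["res"] == "Accepted" else "failure", "source": "linux-sshd"}

def normalize(line):
    """Run the parsers in turn; a match becomes a common 'authentication' event."""
    for parser in (parse_windows, parse_linux_ssh):
        event = parser(line)
        if event:
            event.update(category="authentication", raw=line)
            return event
    return None  # unparsed lines should be counted and retained, never silently dropped

def normalize_all(lines):
    return [e for e in map(normalize, lines) if e]

if __name__ == "__main__":
    for e in normalize_all(RAW_LOGS):
        print(e["timestamp"], e["category"], e["outcome"], e["user"], e["src_ip"], e["source"])
```

Once both sources share the same field names, a single correlation rule can count failed logons regardless of which operating system produced them.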

Data aggregation

Aggregation is the process of bundling identical events into a single summary record. This consolidated event should still provide a security analyst with the information needed to investigate the activity effectively.

Event correlation

Event correlation is the process by which a SIEM relates a series of events based on a logical relationship to generate an incident or a more meaningful event. It links multiple security events or alerts, typically within a given time window and across multiple systems, to identify anomalous activity that would not be evident from any single event.
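Aggregation and correlation, as described in the two sections above, shown together in an added Python example (not the article's or any vendor's code). The events are constructed, already-normalized authentication records with assumed UTC timestamps; the correlation rule, thresholds and window are illustrative choices, not values from the article.

```python
from datetime import datetime, timedelta

def ev(ts, host, user, src, outcome):  # helper to build a normalized auth event
    return {"timestamp": datetime.fromisoformat(ts), "host": host, "user": user,
            "src_ip": src, "outcome": outcome, "category": "authentication"}

# Constructed, already-normalized events (not from the article); times assumed UTC.
EVENTS = [
    ev("2024-03-01T09:15:02", "WIN-DC01", "jdoe", "10.0.0.45", "failure"),
    ev("2024-03-01T09:15:03", "WIN-DC01", "jdoe", "10.0.0.45", "failure"),
    ev("2024-03-01T09:15:04", "WIN-DC01", "jdoe", "10.0.0.45", "failure"),
    ev("2024-03-01T09:15:05", "web01", "jdoe", "10.0.0.45", "failure"),
    ev("2024-03-01T09:15:06", "web01", "jdoe", "10.0.0.45", "failure"),
    ev("2024-03-01T09:15:40", "web02", "jdoe", "10.0.0.45", "success"),
    ev("2024-03-01T09:16:10", "web01", "deploy", "10.0.0.7", "success"),
]

def aggregate(events):
    """Bundle identical events (same host, user, source IP and outcome) into one
    summary record each; count and first/last seen keep the analyst's context."""
    summary = {}
    for e in sorted(events, key=lambda e: e["timestamp"]):
        key = (e["host"], e["user"], e["src_ip"], e["outcome"])
        rec = summary.setdefault(key, {**e, "count": 0, "first_seen": e["timestamp"]})
        rec["count"] += 1
        rec["last_seen"] = e["timestamp"]
    return list(summary.values())

def correlate(events, min_failures=5, min_hosts=2, window=timedelta(minutes=5)):
    """Rule across systems and time: at least min_failures failed logons from one
    source IP against at least min_hosts hosts inside the window, followed by a
    successful logon from that IP, is raised as one incident."""
    incidents = []
    ordered = sorted(events, key=lambda e: e["timestamp"])
    for i, succ in enumerate(ordered):
        if succ["outcome"] != "success":
            continue
        earliest = succ["timestamp"] - window
        prior = [e for e in ordered[:i] if e["src_ip"] == succ["src_ip"]
                 and e["outcome"] == "failure" and e["timestamp"] >= earliest]
        hosts = {e["host"] for e in prior}
        if len(prior) >= min_failures and len(hosts) >= min_hosts:
            incidents.append({"rule": "failures-across-hosts-then-success",
                              "src_ip": succ["src_ip"], "user": succ["user"],
                              "failures": len(prior), "failed_hosts": sorted(hosts),
                              "success_on": succ["host"], "time": succ["timestamp"]})
    return incidents

if __name__ == "__main__":
    print(aggregate(EVENTS))
    print(correlate(EVENTS))
```

No single one of the seven events is alarming on its own; only the relationship between them, across two hosts and inside one window, produces the incident.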

Alerting

Alerting is the functionality that enables a SIEM to raise alerts based on both pre-established and custom alert triggers. All solutions will at least alert to the SIEM console, but some may offer extended alerting capabilities.

Log Management

A SIEM organizes, archives and purges log data based on a retention period. Logs older than 18 months are usually moved to tape backup.

Reporting

The reporting function is often the central focus of the compliance use case. It is critical for the SIEM solution to make defining, generating and exporting reports as versatile and user-friendly as possible.

Forensics

Forensics is supported by the event correlation and normalization processes. The ability to search logs for indicators of malicious or otherwise anomalous activity is the forensic function of the SIEM.

SIEM Basic Architecture (McAfee ESM)


SIEM Policy Establishment

The SIEM policy has to be aligned with the three categories below. The purpose of this categorization is to help mature SIEM monitoring and operational progress.

People

People are the most valuable asset in the organization. They should have the appropriate functional skills for the SIEM implementation and know how it works. The SOC Manager and CISO need assurance that employees have good knowledge of SIEM monitoring and investigation, and that they understand the roles, responsibilities and escalation matrix throughout the SIEM (SOC) operations life cycle.
The SOC Manager is responsible for defining effective security procedures, including staffing and the training and awareness program conducted for the Security Operations Center team members, and ensures that regular periodic training on policy, risk and the SIEM technology is provided to the team.

Process

The process matures like human evolution, as in the diagram. Defining the process regulates the scope and policies and establishes the value of SOC operations. The SIEM process is defined from the customer's day-to-day operations and expressed as simple guidelines, directions and steps for managing and implementing the SIEM infrastructure.
The following business process documents should be in place, and each should be aligned with the organization's enterprise policies and standards.
  • SIEM SOP (covering the scope, tool architecture, known error database, rule creation and deletion, password reset/unlock, and roles and responsibilities for Tier 1, Tier 2, Tier 3 and the SOC Manager)
  • Security incident response and reporting procedure
  • Escalation matrix and shift roster
  • ITIL process documents (incident, change and configuration management)
  • Process for data collection, logging, correlation and reporting
  • Weekly, monthly and quarterly dashboard reports based on the customer's requirements
  • Rule investigation documents, etc.

Technology

Management's investment in SIEM is meant to reach their business objectives and goals; at the same time they expect the best possible return on that investment.
The following checklist helps ensure the right technology is in place for effective SIEM monitoring.
  • Security incident and event trends related to access, vulnerabilities, malware and device integration status
  • Backup and recovery plan
  • An established malware analysis process that prioritizes analysis based on asset criticality, vulnerabilities and attacker campaigns
  • Location of sensitive data is readily available
  • Integrated platforms for detection, investigation, management and response
  • SIEM network and architecture diagram
  • Vulnerability, patching and hardening procedures in place for the SIEM environment
  • Knowledge base of threat tools, techniques and tactics
  • Centralized management dashboard used to coordinate incident investigation and highlight big risk items, current open issues and overall health check
  • Service management reporting, including volumes and SLA performance
  • Business continuity and disaster recovery plan


A SIEM solution provides comprehensive security monitoring against malicious and other security threats. It is integrated into an organization's processes and matures day by day. A SIEM can provide significant value to the SOC as long as proper planning, process and technology exist.
Authored By Raja Kannan
Enterprise Security & Risk Management