SIEM (Security Information and Event Management) are solutions that monitor information systems and analyze real-time security events from network devices, information security tools, IT services, system infrastructure, applications and other sources. SIEMs are provided by providers as hardware devices, software or SaaS and are used to collect and process events, send alerts, generate reports and visualize information security violations, helping to detect incidents.

SIEM systems support monitoring security events, detecting threats (including through historical analysis), investigating and responding to incidents, and meeting compliance requirements.

The main functions of SIEM are to collect information about events from a wide variety of sources into a central repository, where it can be processed and stored in various forms (for example, raw, enriched, normalized), analyze this information, warn of potential threats, display reports and provide search in historical data for forensics and threat detection.

SIEM systems are commonly used to: monitor, correlate, and analyze activity across multiple systems and applications; detection of external and internal threats; tracking the actions of users or certain types of users, such as those with privileged access (both internal and third parties), with access to critical data such as intellectual property, or managers; monitoring access to server and database resources; confirmation of compliance with the requirements and the provision of reports on this; provide analytics for incident response, threat detection, and automation of actions and workflows.

SIEM collects and analyzes data about events generated by networks, devices, systems and applications. The primary source of this data is time-series logs, but for incident investigation, other forms of information are also being implemented to provide context on users, IT assets, applications, threats, and vulnerabilities, such as Active Directory, Configuration Management Databases (CMDB), summaries Vulnerability Management, Human Resources Information and Threat Intelligence.

Alternative to SIEM systems

The complexity and cost of buying and operating SIEM, as well as the emergence of new security analytics technologies, are driving user interest in alternative ways to detect and respond to attacks: Event collection and analysis platforms. These products may cover some SIEM functionality and possibly implement other non-security use cases. Platforms for Advanced Threat Detection and Remediation (XDR). They are integrated suites of endpoint, network, and cloud products. Vendors configure them to provide automatic threat detection and response. XDR platforms can provide carefully selected, mostly "automated" detection and response capabilities to those organizations that follow a mono-vendor approach. It is also believed that as XDR technology matures, some vendors such as FireEye, Gurucul, McAfee and Securonix are starting to consider their SIEM solution as part of the XDR offering. Managed detection and response services. The focus here is on investigating, reviewing, and providing recommendations for containment and remediation of incidents, rather than sending orderly alerts to the client. Increasingly, vendors are willing to offer (and customers take) action to contain or interrupt security events. This is usually achieved through endpoints or network management tools. These vendors vary in their ability to monitor the client's security management suite and collect logs for compliance reporting.

Market overview of SIEM systems

Perhaps, at the moment, the development of IBM is the largest representative of foreign SIEM in the Russian market. QRadar SIEM is at the heart of the IBM QRadar Security Intelligence Platform, providing actionable threat intelligence to enable efficient and timely triage and response decisions. IBM QRadar SIEM is designed to automatically analyze and correlate events from disparate data sources, including logs, network traffic, user activity, vulnerability information, and threat intelligence, to identify known and unknown security issues. The product is available for both on-premise and cloud environments.

Benefits of IBM QRadar SIEM:

• provides a visual analysis of local and cloud resources, taking into account the context on the principle of "zero trust"; performs a comprehensive analysis of data about the network, endpoints, resources, users, risks and threats to accurately identify known and unknown threats;
• identifies and tracks related operations throughout the attack chain;
• supports connecting additional threat data sources using STIX / TAXII, integrates with more than 450 solutions, APIs and SDKs; comes in the form of a device, suite, or virtual machine for on-premises or IaaS environments.

by Fortinet is positioned as the next generation SIEM system. FortiSIEM receives and analyzes data from various sources of information, including logs, performance metrics, security alerts, and configuration changes. FortiSIEM supports User and Entity Behavior Analysis (UEBA), which uses machine learning and statistical probability techniques to form a baseline of habitual behavior. The search for anomalous behavior is carried out in real time. Additionally, telemetry data (server and application logs, cloud API logs, endpoint logs, device traffic) is used to create complex profiles of users, terminals, applications and peer groups. FortiSIEM comes in a variety of form factors: hardware platforms, virtual machines, and cloud solutions.

• fast scaling, including by adding new virtual machines;
• support for multi-tenancy, which is very important for security management service providers (MSSPs);
• integration with products of Fortinet and other vendors;
• providing a single dashboard and administration;
• "out of the box" ready-made designed analyzers, dashboards, reporting system are available.

McAfee Enterprise Security Manager

McAfee Enterprise Security Manager (ESM), a SIEM solution from vendor McAfee Enterprise, which recently announced a rebranding under the new Trellix name, provides a high level of responsiveness and speed in decision making and specific responses. The solution gives you the ability to quickly prioritize, analyze, and mitigate identified threats, and simplifies compliance. The system monitors and validates data from a heterogeneous security infrastructure and provides two-way integration with security systems through open protocols. In addition, it allows you to automate a large number of response actions.

McAfee Enterprise Security Manager comes in physical or virtual appliance format. The three main components (ESM, Event Receiver, and Enterprise Log Manager) can be deployed together as a single combined appliance or separately for distributed or large scale environments where both hardware and virtual components can be combined. A number of additional components allow you to significantly expand the functionality of the system - to work with "raw" logs, to use advanced correlation modes (including risks or in retrospective mode), or to work with industrial control systems (ICS) and supervisory control and data collection devices (SCADA).

• preconfigured and easily editable dashboards, audit logs and reports for global regulations and security frameworks;
• a marketplace of additional content built into the system (control panels, notifications, variables, reports, correlation rules and watchlists) designed to implement a wide variety of scenarios and tasks;
• the ability to enrich events with contextual information (information from the directory service, data streams (feeds) of reputation or indicators of compromise / information about threats, as well as information from identity and access management systems);
• collection and comparison of information about suspicious or confirmed threats with event data in near real time or retrospectively.

The comprehensive ArcSight 2021.1 information security management platform includes the SIEM of the same name from Micro Focus. The developer deliberately moved away from the development of individual products, including them in a common platform and promoting it on the market. In this regard, ArcSight 2021.1 has wider functionality than classic SIEM systems. Some modules are supplied free of charge, others require licensing.

• containerized architecture; the incident management module (SOAR) is integrated into the platform, providing two-way communication with other modules;
• the Recon module allows you to build historical selections and reports on logs, showing a noticeable speed advantage over using the classic logger (Logger);
• the platform can be delivered as a cloud service; connectors are provided for communication with cloud resources of Microsoft Azure, Amazon, Google Cloud.