Traditional SIEM versus Next-Gen SIEM

In this article, we will discuss:
- What is a SIEM?
- SIEM process
- Traditional SIEM vs Next-Gen SIEM
- SOAR
- UEBA
A SIEM (Security Information and Event Management system) is a security solution comprising multiple technologies that work together to collect, store, analyze, and report on data generated by a wide array of log sources in a network. These log sources include network devices (such as firewalls or routers), servers, applications, security appliances (like antivirus software and intrusion detection/prevention systems), and even cloud-based services.
It detects and alerts on security-relevant activity such as user logons, file access, changes to critical system files and security events reported by the log sources themselves, and it provides centralized visibility into security events across the organization.
A typical SIEM process consists of the following stages:
Log collection > Parsing & normalization > Correlation > Alerting > Storage & archiving
Log collection
Logs are aggregated from multiple log sources, including workstations, network devices, servers, applications, security appliances, access control systems and cloud-based services.
Parsing and normalization
These logs arrive in different formats, such as syslog, CEF or LEEF. Parsing is the task of transforming these differing formats into a single unified format. Normalization takes this one step further by mapping specific log fields to standardized data fields within the SIEM, enabling effective correlation and analysis.
For example, a firewall sends a log in syslog format to an ArcSight SIEM. The parser converts the log from syslog to CEF, while the normalizer ensures that the log's remote IP field is mapped to ArcSight's destination IP address field, its host IP field to the source IP address field, and so on.
Correlation
Once the logs all share the same data format, an event that meets specific conditions triggers a correlation rule. Correlation rules are written to match specific events or sequences of events using field references, comparison and match operators on field contents, and operations on sets of events.
For instance, a rule might trigger when Windows Event ID 4624 (successful logon) occurs for the account “Guest”, indicating a potential unauthorized access attempt.
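The parsing, normalization and correlation stages above, worked through end to end as an added example (this is illustrative code written for this article, not ArcSight's or any vendor's implementation). The three input lines are constructed, the standard field names (`src_ip`, `dst_ip`, `user`, `event_id`) are an assumed schema rather than ArcSight's real field names, and the CEF extension parser assumes values contain no spaces, which real CEF does not guarantee.

```python
import re
from typing import Callable, Optional

# Constructed sample log lines (not captured from a real device).
# Line 1 is a firewall event in syslog form with a key=value message body;
# lines 2 and 3 are Windows logon events already expressed in CEF.
RAW_LOGS = [
    "<134>Jan 12 10:22:01 fw01 fwd: action=allow host_ip=10.0.0.5 remote_ip=10.0.0.20 proto=tcp dport=445",
    "CEF:0|Microsoft|Windows|10|4624|An account was successfully logged on|3|suser=Guest src=10.0.0.5 dst=10.0.0.20",
    "CEF:0|Microsoft|Windows|10|4624|An account was successfully logged on|3|suser=alice src=10.0.0.7 dst=10.0.0.20",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$"
)


def _kv(text: str) -> dict:
    """Split 'k=v k=v ...' text into a dict (assumes no spaces inside values)."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def parse(line: str) -> Optional[dict]:
    """Parsing stage: recognise the wire format and pull out its raw fields."""
    if line.startswith("CEF:"):
        parts = line.split("|", 7)  # 7 pipe-separated header fields, then the extension
        if len(parts) != 8:
            return None
        _, vendor, product, _version, sig_id, name, severity, ext = parts
        raw = {"sig_id": sig_id, "name": name, "severity": severity, **_kv(ext)}
        return {"format": "cef", "device": f"{vendor} {product}", "raw": raw}
    m = SYSLOG_RE.match(line)
    if m:
        return {"format": "syslog", "device": m["host"], "raw": _kv(m["msg"])}
    return None  # unknown format: a real SIEM would route this to an "unparsed" bucket


# Normalization stage: per-format map from each device's own field names to the
# SIEM's standard schema. The target names are assumed for this example.
FIELD_MAP = {
    "syslog": {"host_ip": "src_ip", "remote_ip": "dst_ip", "action": "action"},
    "cef": {"src": "src_ip", "dst": "dst_ip", "suser": "user", "sig_id": "event_id", "severity": "severity"},
}


def normalize(parsed: dict) -> dict:
    """Rename raw fields to standard ones; unmapped fields are kept under an 'extra.' prefix."""
    event = {"device": parsed["device"], "format": parsed["format"]}
    mapping = FIELD_MAP[parsed["format"]]
    for key, value in parsed["raw"].items():
        event[mapping.get(key, f"extra.{key}")] = value
    return event


class Rule:
    """A correlation rule: a name plus a predicate over one normalized event."""

    def __init__(self, name: str, condition: Callable[[dict], bool]):
        self.name, self.condition = name, condition


RULES = [
    Rule(
        "Logon with Guest account",
        lambda e: e.get("event_id") == "4624" and e.get("user", "").lower() == "guest",
    ),
]


def correlate(events: list, rules=RULES) -> list:
    """Correlation stage: evaluate every rule against every normalized event."""
    return [{"rule": r.name, "event": e} for e in events for r in rules if r.condition(e)]


def run_pipeline(raw_lines) -> tuple:
    """Collect -> parse -> normalize -> correlate; returns (events, alerts)."""
    events = []
    for line in raw_lines:
        parsed = parse(line)
        if parsed is not None:
            events.append(normalize(parsed))
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_pipeline(RAW_LOGS)
    for e in events:
        print(e)
    for a in alerts:
        print("ALERT:", a["rule"], a["event"]["src_ip"], "->", a["event"]["dst_ip"])
```

Because the rule is written against the normalized `event_id` and `user` fields, it fires on the Guest logon regardless of whether the originating device sent syslog or CEF; that decoupling of rules from wire formats is the reason the normalization stage exists.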
Alerting
When a rule is triggered on the SIEM, an alert is generated. This alert is typically routed to one or more communication channels such as email, Slack, a case manager or a ticketing system, where security analysts can triage it. Verified threats, or true positives, are escalated to the incident response team for further investigation and remediation.
Storage and archiving
Most SIEM solutions incorporate a log retention component, typically storing log data actively for 30 to 90 days before archiving it for long-term preservation.
Traditional SIEM vs Next-Gen SIEM
Traditional SIEM solutions primarily focus on log collection, aggregation, correlation and analysis. They excel at identifying known threats based on predefined rules and signatures.
Next-Gen SIEMs address the limitations of traditional SIEMs by incorporating advanced analytics, machine learning, and threat intelligence capabilities.
The table below shows the differences between a traditional SIEM and a Next-Gen SIEM.
| Traditional SIEM (limitations) | Next-Gen SIEM (capabilities) |
|---|---|
| Alert Fatigue: High volumes of alerts, many of which are false positives. | User and Entity Behavior Analytics (UEBA): Detecting anomalous user behavior that could indicate insider threats. |
| Limited Threat Detection: Difficulty in identifying zero-day attacks and advanced threats. | Enhanced Threat Detection: Leveraging behavioral analytics, anomaly detection, and machine learning to identify sophisticated threats. |
| Manual Investigation: Significant analyst time spent investigating alerts. | Automated Response: Automating incident response actions based on predefined playbooks. |
| Data Overload: Struggling to handle the increasing volume and complexity of data. | Improved Incident Investigation: Providing rich context and visualizations to accelerate incident response. |
Capabilities of Next-Gen SIEM - SOAR, UEBA
SOAR (Security orchestration, automation, and response)
SOAR automates and coordinates security incident response, reducing the workload on security teams. It is beneficial for handling repetitive tasks, allowing analysts to focus on complex threats.
Using prebuilt playbooks, SOAR can automatically respond to low-level threats and cut response time down to seconds, so attackers have less time with access to the system.
An example of SOAR: processing a suspicious email
- A SOAR tool can investigate whether the sender has a bad reputation, via threat intelligence, and use DNS tools to confirm the origin.
- The tool can automatically extract hyperlinks and validate them via URL reputation, detonate the links in a secure environment, or run attachments in a sandbox.
- Then, if an incident is confirmed, a playbook is run. The playbook looks in the email system to find all messages from the same sender or with the same links or attachments and quarantines them.
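The three playbook steps above, as an added example (illustrative code for this article, not any SOAR product's playbook). The threat-intelligence feed, URL-reputation service and sandbox are replaced by in-memory stand-ins (a set of bad sender domains, a set of bad URL hosts and a known-bad attachment hash), the DNS origin check is omitted because it needs network access, and the mailbox contents and `.invalid` domains are constructed.

```python
import hashlib
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


@dataclass
class Email:
    msg_id: str
    sender: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> bytes
    quarantined: bool = False


# Constructed stand-ins for the external services a real SOAR tool would call:
# threat-intelligence feed, URL-reputation service and sandbox verdicts.
# The domains use the reserved .invalid TLD, so they can never resolve.
BAD_SENDER_DOMAINS = {"payroll-notice.invalid"}
BAD_URL_HOSTS = {"login.payroll-notice.invalid"}
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}


def _indicators(email: Email):
    """Observable indicators of one message: URLs in the body and SHA-256 of each attachment."""
    urls = set(URL_RE.findall(email.body))
    hashes = {hashlib.sha256(data).hexdigest() for data in email.attachments.values()}
    return urls, hashes


def enrich(email: Email) -> dict:
    """Investigation stage: sender reputation, link reputation, attachment verdict."""
    urls, _ = _indicators(email)
    sender_domain = email.sender.rsplit("@", 1)[-1].lower()
    return {
        "bad_sender": sender_domain in BAD_SENDER_DOMAINS,
        "bad_urls": sorted(u for u in urls if (urlparse(u).hostname or "").lower() in BAD_URL_HOSTS),
        "bad_attachments": sorted(
            name for name, data in email.attachments.items()
            if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256
        ),
    }


def is_incident(findings: dict) -> bool:
    """Any confirmed indicator turns the reported message into an incident."""
    return bool(findings["bad_sender"] or findings["bad_urls"] or findings["bad_attachments"])


def quarantine_related(mailbox: list, confirmed: Email) -> list:
    """Response stage: quarantine every message sharing the sender, a link or an attachment hash."""
    urls, hashes = _indicators(confirmed)
    hit = []
    for msg in mailbox:
        m_urls, m_hashes = _indicators(msg)
        if msg.sender.lower() == confirmed.sender.lower() or (urls & m_urls) or (hashes & m_hashes):
            msg.quarantined = True
            hit.append(msg.msg_id)
    return hit


def run_playbook(reported: Email, mailbox: list) -> dict:
    """Full playbook: enrich the reported message, and only on a confirmed incident sweep the mailbox."""
    findings = enrich(reported)
    if not is_incident(findings):
        return {"incident": False, "findings": findings, "quarantined": []}
    return {"incident": True, "findings": findings, "quarantined": quarantine_related(mailbox, reported)}


def build_sample_mailbox() -> list:
    """Constructed mailbox: one reported phish plus related and unrelated messages."""
    phish_url = "https://login.payroll-notice.invalid/verify"
    bad_blob = b"constructed-malicious-sample"
    return [
        Email("m1", "hr@payroll-notice.invalid", f"Your payslip is ready: {phish_url}"),
        Email("m2", "colleague@corp.example", f"FYI, is this legit? {phish_url}"),
        Email("m3", "hr@payroll-notice.invalid", "Reminder about your benefits enrolment."),
        Email("m4", "alice@corp.example", "Minutes are at https://wiki.corp.example/minutes"),
        Email("m5", "vendor@corp.example", "Invoice attached", {"invoice.exe": bad_blob}),
    ]


if __name__ == "__main__":
    mailbox = build_sample_mailbox()
    print(run_playbook(mailbox[0], mailbox))  # reported phish: incident, m1-m3 quarantined
    print(run_playbook(mailbox[3], mailbox))  # benign message: no incident, nothing touched
```

The mailbox sweep runs only after `is_incident` confirms the reported message, which mirrors the ordering in the bullets above: investigation and enrichment first, response second, so a user forwarding a benign newsletter does not trigger quarantine of every message from that sender.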
User and Entity Behavior Analytics (UEBA)
UEBA solutions build profiles that model standard behavior for users and entities in an IT environment, such as servers, routers and data repositories. This is known as baselining. Using a variety of analytics techniques, UEBA can identify activity that is abnormal compared to the established baselines, discover threats and detect security incidents.
UEBA can detect security incidents that traditional tools miss, because those incidents do not conform to predefined correlation rules or attack patterns and span multiple organizational systems and data sources.
For example, a UEBA solution might identify an unusual logon via Active Directory and cross-reference it with the criticality of the device being logged on to, the sensitivity of the files accessed, and any recent unusual network or malware activity that may have enabled a compromise.
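The baselining and cross-referencing just described, as an added example (illustrative code for this article, not any UEBA product's algorithm). The 20-day logon history, the asset-criticality tags, the recent-alert feed, the point values and the investigate threshold are all constructed for this example; real products use far richer features and learned thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def constructed_history() -> list:
    """Constructed 20-day history of successful AD logons as (user, host, timestamp).
    alice always logs on to her workstation around 08:30; bob uses his workstation and a file server."""
    history, start = [], datetime(2024, 1, 1)
    for day in range(20):
        d = start + timedelta(days=day)
        history.append(("alice", "WS-ALICE", d.replace(hour=8, minute=30 + day % 10)))
        history.append(("bob", "WS-BOB", d.replace(hour=7, minute=45)))
        history.append(("bob", "FILESRV01", d.replace(hour=9, minute=5 + day % 3)))
    return history


# Assumed asset-inventory criticality tags (higher is more critical; unlisted hosts are 1).
HOST_CRITICALITY = {"DC01": 3, "FILESRV01": 2}
# Constructed recent alert feed from other tools: (host, time, kind).
RECENT_ALERTS = [("WS-ALICE", datetime(2024, 1, 21, 2, 0), "malware")]


def build_baselines(history: list) -> dict:
    """Baselining: per user, mean and std of logon hour plus the set of hosts normally used."""
    per_user = defaultdict(lambda: {"hours": [], "hosts": set()})
    for user, host, ts in history:
        per_user[user]["hours"].append(ts.hour + ts.minute / 60)
        per_user[user]["hosts"].add(host)
    return {
        u: {"hour_mean": mean(p["hours"]), "hour_std": pstdev(p["hours"]), "hosts": p["hosts"]}
        for u, p in per_user.items()
    }


def score_logon(baselines: dict, user: str, host: str, ts: datetime,
                sensitive_files: bool = False, recent_alerts=RECENT_ALERTS) -> dict:
    """Score one new logon: behavioural anomalies first, then the contextual cross-references."""
    b = baselines.get(user)
    anomaly, reasons = 0, []
    if b is None:
        anomaly += 20
        reasons.append("no baseline for user")
    else:
        hour = ts.hour + ts.minute / 60
        std = max(b["hour_std"], 0.5)  # floor so a very regular user still tolerates minor drift
        z = abs(hour - b["hour_mean"]) / std
        if z > 3:
            anomaly += 20
            reasons.append(f"logon at {ts:%H:%M} is {z:.1f} sd from usual time")
        if host not in b["hosts"]:
            anomaly += 20
            reasons.append(f"first logon to {host}")
    crit = HOST_CRITICALITY.get(host, 1)
    score = anomaly * crit  # the same anomaly on a critical asset weighs more
    if anomaly and crit > 1:
        reasons.append(f"weighted by host criticality {crit}")
    if sensitive_files:
        score += 20
        reasons.append("sensitive files accessed")
    usual_hosts = b["hosts"] if b else set()
    for alert_host, alert_ts, kind in recent_alerts:
        if alert_host in usual_hosts and timedelta(0) <= ts - alert_ts <= timedelta(hours=24):
            score += 20
            reasons.append(f"{kind} alert on {alert_host} in the previous 24h")
    return {"score": score, "reasons": reasons, "verdict": "investigate" if score >= 50 else "normal"}


def demo() -> dict:
    """Score four constructed logons against the baselines built from the history."""
    baselines = build_baselines(constructed_history())
    return {
        "alice_routine": score_logon(baselines, "alice", "WS-ALICE", datetime(2024, 1, 22, 8, 40)),
        "alice_offhours_dc": score_logon(baselines, "alice", "DC01", datetime(2024, 1, 21, 3, 10),
                                         sensitive_files=True),
        "bob_fileserver": score_logon(baselines, "bob", "FILESRV01", datetime(2024, 1, 22, 9, 6)),
        "unknown_user_dc": score_logon(baselines, "mallory", "DC01", datetime(2024, 1, 22, 12, 0)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["verdict"], result["score"], result["reasons"])
```

Note that bob's routine morning logon to the critical file server scores zero: criticality multiplies anomaly points rather than adding its own, so a critical asset alone never generates an alert, only unusual behaviour against it does. Alice's 03:10 logon to the domain controller, on the other hand, accumulates points from the unusual hour, the never-seen host, the host's criticality, the sensitive file access and the malware alert on her workstation an hour earlier, which is exactly the chain of cross-references the paragraph above describes.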
Justifying the cost of a Next-Gen SIEM for small and medium-sized businesses can be challenging due to their typically lower traffic volume and less complex IT environments compared to larger enterprises. However, organizations with 1500 or more employees should strongly consider adopting a Next-Gen SIEM to enhance visibility and security within their complex environments.