
Why SIEM is Irreplaceable in a Secure IT Environment?

Oskars Podzins, Andrejs Romanovs
Dept. of Modelling and Simulation, Riga Technical University, Riga, Latvia
[email protected], [email protected]

Abstract—The aim of this publication is to explain the importance of a SIEM (Security Information and Event Management) solution: its benefits, but also its drawbacks. It is intended for those who are looking for a cybersecurity solution that learns from the entire IT infrastructure and is able to identify anomalies such as cyberattacks. Enterprise priorities differ by region and market, but all of them take into account TCO (Total Cost of Ownership), which in the case of a SIEM is the key metric. If a company or organization is serious about deploying a SIEM, then the other key security capability it should think about is a SOC (Security Operations Centre). Deployed correctly, a SOC is a full framework of technologies, people and processes that acts like a well-oiled machine to identify, protect, detect, respond and recover from security-related incidents.

Keywords—cyber security, network security, security management, computer security, SIEM, log analysis, SOC, incident management

978-1-7281-2499-5/19/$31.00 ©2019 IEEE

I. INTRODUCTION

Over the past several years data has become the most valuable resource in the world. This has fuelled growing interest from individual cybercriminals, APTs, hacktivists and nation-state actors in stealing, modifying or destroying information, or even causing physical damage, as in the cases of Stuxnet [1] and BlackEnergy [2].

The Verizon 2018 Data Breach Investigations Report [3] shows that 68% of identified breaches were discovered a month or more after the initial compromise. If we also take into account the high share of successful attacks that go undetected altogether, the real figure is much higher. This quantifies well how secure our data really is, and it follows that we should strive to improve cyberattack detection capabilities.

One of the main difficulties in identifying cyberattacks is that IT infrastructure tends to be extremely vast. A typical company has hundreds or thousands of interconnected devices and hundreds of software components built on countless technologies (most running different versions), all of it configured and supported by frequently rotating IT staff with different experience and different approaches to fixing problems. Combined in one IT environment, this results in an almost endless set of possible vulnerabilities.

New attack vectors and vulnerabilities are discovered on an hourly basis. Firewalls, intrusion detection systems, intrusion prevention systems, Distributed Denial of Service protection and other security solutions look for malicious activity at various points within the IT infrastructure, from the perimeter to the endpoints. However, many of these solutions are not effective at, or even capable of, detecting zero-day attacks, because for that kind of detection understanding "context" is the key. All of the security solutions mentioned above are good at monitoring the activity that passes through them, but to make an educated decision about what is really happening, a system usually needs information about activity outside that one particular system. This is where a SIEM comes to the rescue.

A SIEM is a solution that analyzes the events and logs of each of these security solutions. For example, a traffic flow from a specific IP address might not mean much to the firewall (if the IP is not listed in global threat exchange databases), but a SIEM can combine that flow with the fact that the Active Directory domain controller security logs show the same IP being used to brute-force the passwords of several accounts. Using this information the SIEM can launch an automated remediation action, sending an instruction to the firewall through its API to block connections from that IP address. Best of all, this and other defensive actions can be automated, which gives the company a 24/7 reactive security solution that learns from the entire IT environment and uses context to perform high-probability remediation actions. Because the SIEM correlates behaviour across systems rather than matching a signature for a particular exploit, this method is also the best way to detect zero-day attacks.

In most cases attackers must find a way to avoid detection by security controls while performing the «Intrusion» phase of a cyberattack. But if a company has no SIEM in place, it most likely will not be able to detect and stop the attacker during «Lateral movement» or «Privilege escalation» at all, which leads to very long detection times or no detection at all. Monitoring only entry points or only central servers is not enough anymore. Even Starwood Hotels and later Marriott (the second largest hotel chain) was unable to detect a breach for four years [4], which shows how difficult it sometimes is to detect and react to cyberattacks.

This confirms that companies urgently need to deploy and optimize SIEM solutions, and to do so the right way, because most SIEM deployments are poorly optimized and see limited improvement over time.

If a company already has a working SIEM with security analysts investigating its alerts, then it organically already has some form of SOC. If that is the case, the second question is how effective it is at investigating incidents. How often does the SIEM raise false positives? How many incidents can one analyst investigate per day: 5? 15? Chances are the number is between 5 and 15. Only highly efficient SOCs with a high level of automation will be able to go beyond 25 incidents a day. Companies should aim for a SIEM that, analyzing a hundred million log records, identifies 2-3 actionable alerts with context; a SIEM without any optimization will identify north of 1000 alerts [5].

Considering the number of investigations an average SOC analyst can perform, it is clear that a company with 100 million log records per day would require roughly 100 analysts.


However, if the SIEM is deployed correctly and operated by experienced SOC personnel and analysts, the same log volume can be investigated adequately by less than one analyst. This shows how critical it is that the log sources to be analyzed are chosen carefully, that the rules are tuned to the specific IT environment, that a proper incident response workflow has been developed and that the SOC personnel are experienced.

Therefore, simply buying an "antivirus" or another piece of software is not enough anymore. To stay ahead of the attackers, an organization's IT, security and architecture specialists should think like attackers when creating a comprehensive, layered cybersecurity solution.

In the authors' opinion the best single technology or security solution is a SIEM. There are multiple pitfalls, but if configured correctly and backed by management, it will provide the greatest added benefit to the company's cybersecurity.

When considering how large an annual security budget is enough, companies should take into account the risks they face. Current research by Accenture's security division puts the global value at risk from cyberattacks for all companies in 2019-2023 at 5.2 trillion USD, with the average G2000 company spending 2.8% of its annual revenue [6]. This number is just a statistic, but it at least provides a guideline for companies to aim for. Of course, the total investment in the cybersecurity budget will depend greatly on business risks, company revenue and management's outlook on business challenges.

This paper consists of 5 pages, 7 sections (Introduction, Related Work, What is SIEM, What is SOC, Advantages of SIEM, Disadvantages of SIEM, Conclusions), 2 figures and 11 references.

II. RELATED WORK

The author's professional experience involves performing IT audits of some of the largest Latvian private and state-owned companies and providing consultations to several of them. Currently the author is developing cybersecurity services for Latvian and export clients at a large telecom company; one of the services in development is a SIEM/SOC service. He is seeing a trend of companies being more willing to stay protected, which leads to increases in dedicated security budgets, which in turn dictate the company's readiness against cyberattacks. One of the author's tasks is to analyze cyberattack vectors and current trends, as well as the solutions that will protect customers most effectively, where TCO is always the key metric.

III. WHAT IS SIEM?

A SIEM, or Security Information and Event Management solution, is unique in its approach in that it analyzes logs coming from all components of the IT environment: firewalls, IPS/IDS, servers such as MS AD, DB, ERP, web, FTP, proxy, etc. The products of all major hardware and software vendors create log files.

Current software applications often produce (or can be configured to produce) auxiliary text files known as log files. Such files are used during various stages of software development, mainly for debugging and profiling purposes. Log files are often the only way to identify and locate an error in software, because log file analysis is not affected by the time-based issue known as the probe effect. This is the opposite of analysing a running program, where the analytical process can interfere with time-critical or resource-critical conditions within the analyzed program [7].

There are no log files that could not be analyzed by a SIEM; the question is rather how effective it is to analyze a particular log source, because not all log sources are relevant to security incident identification, and others may be redundant. Since SIEM licensing is based on the volume of logs analyzed, and considering the high licensing cost of a SIEM, it pays to minimize the total volume of logs analyzed. One of the first pitfalls companies fall into is adding as many logs as possible to "maximize" the chance of great and efficient results. By doing this they bog the system down running millions of rule evaluations in the background, which makes it process unwanted "noise". This results in a high number of false positives, which in turn wastes employee time and makes the whole SIEM and SOC inefficient. As mentioned previously, an inefficient SIEM may not even be viable, since it may not be possible to investigate all the alerts it identifies.

Best practice is to start SIEM development by adding only a few log sources, such as the central firewalls, the intrusion detection and intrusion prevention systems and the Active Directory domain controller security event logs. It is not even recommended to analyze all the logs these systems generate. There are more than 370 security events that a Windows Server OS can audit, and not all of them are critical; Microsoft itself classifies only 11 security event types with criticality "High" [8]:

• A monitored security event pattern has occurred.
• A replay attack was detected. May be a harmless false positive due to a misconfiguration error.
• System audit policy was changed.
• SID History was added to an account.
• An attempt to add SID History to an account failed.
• An attempt was made to set the Directory Services Restore Mode administrator password.
• Role separation enabled.
• Special groups have been assigned to a new logon.
• A security setting was updated on the OCSP Responder Service.
• Possible denial-of-service (DoS) attack.
• The audit log was cleared.

A few critical security events are sufficient at the beginning. After the SIEM has been optimized for the specific company, the next set of important logs can be added. This incremental approach increases the chance that most sources of false positives are fixed and that the system will be able to come to better conclusions on its own.
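The onboarding approach above (a handful of log sources, and within them only the high-criticality events) can be expressed as an ingest allowlist. The following Python snippet is an added example, not code from the paper or from Microsoft: it maps the eleven "High" criticality event types to the event IDs published in the Appendix L document the paper cites as [8] (the "possible DoS attack" entry has no single event ID there and so cannot be allowlisted by ID), builds the equivalent Windows Event Log XPath filter, which is the syntax used in Windows Event Forwarding subscriptions and by Get-WinEvent -FilterXPath, and applies the allowlist to a constructed batch of domain-controller events to show how much of the volume, and therefore of the licensed ingest, the first stage actually keeps. The sample events are constructed for the example.

```python
"""Allowlist filter for the first stage of domain-controller log onboarding.

Added example; event IDs are those published in Microsoft's "Appendix L:
Events to Monitor" (cited as [8] in the paper). Sample events below are
constructed for illustration, not real logs.
"""
from collections import Counter

# Microsoft "High" criticality security events (Appendix L). The entry
# "Possible denial-of-service (DoS) attack" has no single event ID there,
# so it cannot be expressed as an ID allowlist and is omitted here.
HIGH_CRITICALITY_EVENTS = {
    1102: "The audit log was cleared",
    4618: "A monitored security event pattern has occurred",
    4649: "A replay attack was detected",
    4719: "System audit policy was changed",
    4765: "SID History was added to an account",
    4766: "An attempt to add SID History to an account failed",
    4794: "An attempt was made to set the DSRM administrator password",
    4897: "Role separation enabled",
    4964: "Special groups have been assigned to a new logon",
    5124: "A security setting was updated on the OCSP Responder Service",
}


def xpath_filter(event_ids=HIGH_CRITICALITY_EVENTS):
    """Windows Event Log XPath selecting only the allowlisted IDs.

    Usable as the <Select> body of a WEF subscription or with
    `Get-WinEvent -LogName Security -FilterXPath "<result>"`.
    """
    clauses = " or ".join(f"EventID={eid}" for eid in sorted(event_ids))
    return f"*[System[({clauses})]]"


def filter_events(events, event_ids=HIGH_CRITICALITY_EVENTS):
    """Keep only events whose EventID is in the allowlist.

    `events` is an iterable of dicts with at least an "EventID" key, the
    shape a collector produces after normalising EVTX records.
    """
    return [e for e in events if e.get("EventID") in event_ids]


def ingest_stats(events, event_ids=HIGH_CRITICALITY_EVENTS):
    """Return (kept, total, per-ID counts of kept events)."""
    kept = filter_events(events, event_ids)
    return len(kept), len(events), Counter(e["EventID"] for e in kept)


# Constructed sample: a noisy second on a DC, dominated by routine logons and
# Kerberos traffic, with three high-criticality events hidden inside.
SAMPLE_EVENTS = (
    [{"EventID": 4624, "Computer": "DC01", "User": "alice"}] * 40    # logon
    + [{"EventID": 4768, "Computer": "DC01", "User": "bob"}] * 30    # TGT request
    + [{"EventID": 4634, "Computer": "DC01", "User": "carol"}] * 25  # logoff
    + [{"EventID": 1102, "Computer": "DC01", "User": "mallory"}]     # log cleared
    + [{"EventID": 4719, "Computer": "DC01", "User": "mallory"}]     # audit policy changed
    + [{"EventID": 4765, "Computer": "DC01", "User": "mallory"}]     # SID History added
)

if __name__ == "__main__":
    kept, total, by_id = ingest_stats(SAMPLE_EVENTS)
    print(xpath_filter())
    print(f"kept {kept} of {total} events ({100 * kept / total:.1f}% of volume)")
    for eid, n in sorted(by_id.items()):
        print(f"  {eid} x{n}: {HIGH_CRITICALITY_EVENTS[eid]}")
```

Filtering at the source is what keeps licensed volume down, but the dropped events are also the ones a forensic investigation will later want, so keep the full Security log retained locally (or in cheap cold storage) even when only the allowlisted events are forwarded. The next increment would typically add the authentication events a brute-force or lateral-movement rule needs, such as failed logons, which the "High" list alone does not cover.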
A typical high-level SIEM architecture is shown in Figure 1 below.

Most SIEM solutions have agent software for Windows machines that handles event log delivery to the SIEM collector over a VPN tunnel or another encrypted transport. For Linux and most other systems it is different: syslog (or another log format) has to be configured to be forwarded to the SIEM collector, which is easily achieved because most software and hardware has this functionality.
Fig. 1. Authors' view of typical SIEM components.

Once raw log files have been received by the SIEM collector component, the next step is to normalize them and translate them into a single form readable by the system, against which the SIEM will test its rules and queries.

Each SIEM solution has its own approach to analyzing large amounts of logs, but the main method is to test incoming logs against a set of rules and to cross-check them against historical data from other sources. There are situations where a single event will not create an alert but a repeated trend will. This is done by the system's internal rules engine. Since one of the biggest problems is the system's need for continuous optimization, most major SIEM developers (Splunk, IBM, LogRhythm, etc.) offer artificial intelligence modules intended to make the analysis more "intelligent", with the ability to react to some changes in the environment. In the authors' view this component is still quite far from being a "set-up-and-forget" solution, but the results are getting better, and if optimized correctly it will improve overall anomaly identification efficiency.

All identified anomalies/alerts are then ranked and displayed in the SIEM dashboard. This is where SIEM product developers like to differentiate themselves from each other. From this view the system launches automated notifications to the appropriate persons, runs automated remediation actions and is periodically used to generate reports for management and KPI review.

A side benefit of a SIEM is a redundant location for security logs. Before SIEM systems, companies relied on earlier log analysis technologies or on separate log storage just to back up log files. Since a SIEM collects log files into its own database, that database serves as a redundant copy of the logs, which may be helpful after a large-scale hardware failure or physical disaster.

All identified anomalies are later reviewed individually by analysts. If an anomaly turns out to be a false positive, then the SIEM architect, content author or whoever else is responsible for rule tuning will optimize the specific rule that was triggered. If the anomaly was a legitimate security incident, the appropriate incident response workflow is launched within the SOC or by the responsible individuals; this part of the cycle falls on the SOC's shoulders. When the incident has been remediated, the cycle starts again from the beginning.
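The firewall-plus-domain-controller scenario from the Introduction and the normalize, correlate, remediate cycle described in this section, as an added Python example that is not the paper's own code and not any vendor's rules engine. Two constructed inputs, a firewall syslog line in an assumed format and a collector record for Windows Security event 4625 (a failed logon), are normalized into one schema; a windowed rule fires only when one source IP fails logons against several distinct accounts inside the window and the same IP has also been seen by the firewall; the resulting alert carries a block action that is pushed to a hypothetical FirewallClient stub standing in for the vendor API.

```python
"""Normalize two log formats into one schema, correlate by source IP, act.

Added example (not the paper's or any vendor's code). Log lines are
constructed; FirewallClient is a hypothetical stub for a vendor firewall API.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall syslog format assumed for this example.
FW_RE = re.compile(r"^(?P<ts>\S+) fw01 flow: src=(?P<src>[\d.]+) "
                   r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<act>\w+)$")


def normalize_firewall(line):
    """Firewall syslog line -> common schema (or None if unparseable)."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
            "src_ip": m["src"], "event": "flow", "account": None}


def normalize_windows(ev):
    """Collector dict for a Security record -> common schema.

    Only 4625 ("An account failed to log on") is of interest here."""
    if ev.get("EventID") != 4625:
        return None
    return {"ts": datetime.fromisoformat(ev["TimeCreated"]), "source": "dc",
            "src_ip": ev["IpAddress"], "event": "failed_logon",
            "account": ev["TargetUserName"]}


def correlate(events, window=timedelta(minutes=5), min_accounts=3):
    """Rules engine: one src_ip failing logons against >= min_accounts
    distinct accounts inside `window`, AND seen by the firewall, alerts.

    A single failed logon never fires (typos); the repeated trend does.
    Returns alerts carrying a block action for the firewall."""
    failures = defaultdict(list)          # src_ip -> [(ts, account)]
    seen_by_fw, alerted, alerts = set(), set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["source"] == "firewall":
            seen_by_fw.add(e["src_ip"])
            continue
        ip = e["src_ip"]
        # Slide the window: keep only failures within `window` of this one.
        failures[ip] = [(t, a) for t, a in failures[ip] if e["ts"] - t <= window]
        failures[ip].append((e["ts"], e["account"]))
        accounts = sorted({a for _, a in failures[ip]})
        if len(accounts) >= min_accounts and ip in seen_by_fw and ip not in alerted:
            alerted.add(ip)
            alerts.append({"rule": "brute_force_with_perimeter_context",
                           "src_ip": ip, "accounts": accounts,
                           "first_seen": failures[ip][0][0], "last_seen": e["ts"],
                           "action": {"type": "block_src_ip", "ip": ip}})
    return alerts


class FirewallClient:
    """Hypothetical stand-in for a vendor firewall API; records block calls."""
    def __init__(self):
        self.blocked = []

    def block_source(self, ip, reason):
        self.blocked.append((ip, reason))
        return True


def remediate(alerts, fw):
    """Automated response: push each alert's block action to the firewall."""
    for a in alerts:
        if a["action"]["type"] == "block_src_ip":
            fw.block_source(a["action"]["ip"], a["rule"])
    return fw.blocked


# Constructed sample input: one external IP sprays three accounts, one
# internal host mistypes a password once, one event is a successful logon.
FW_LINES = [
    "2019-05-01T10:00:01 fw01 flow: src=203.0.113.7 dst=10.0.0.5 dport=445 action=allow",
    "2019-05-01T10:00:05 fw01 flow: src=198.51.100.9 dst=10.0.0.5 dport=443 action=allow",
]
DC_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2019-05-01T10:00:10", "IpAddress": "203.0.113.7", "TargetUserName": "alice"},
    {"EventID": 4625, "TimeCreated": "2019-05-01T10:00:20", "IpAddress": "203.0.113.7", "TargetUserName": "bob"},
    {"EventID": 4625, "TimeCreated": "2019-05-01T10:00:30", "IpAddress": "203.0.113.7", "TargetUserName": "carol"},
    {"EventID": 4625, "TimeCreated": "2019-05-01T10:01:00", "IpAddress": "10.0.0.42", "TargetUserName": "dave"},
    {"EventID": 4624, "TimeCreated": "2019-05-01T10:01:05", "IpAddress": "10.0.0.42", "TargetUserName": "dave"},
]


def run_pipeline(fw_lines=FW_LINES, dc_events=DC_EVENTS):
    """Collect -> normalize -> correlate -> remediate; returns (alerts, blocked)."""
    stream = [n for n in map(normalize_firewall, fw_lines) if n]
    stream += [n for n in map(normalize_windows, dc_events) if n]
    alerts = correlate(stream)
    return alerts, remediate(alerts, FirewallClient())


if __name__ == "__main__":
    alerts, blocked = run_pipeline()
    for a in alerts:
        print(a["rule"], a["src_ip"], a["accounts"])
    print("blocked:", blocked)
```

Two practitioner caveats. First, the rule deliberately requires the perimeter context: the same failed logons without a matching firewall flow produce no alert, which is the "context" point the paper makes, and the threshold and window are the knobs that the tuning cycle above adjusts when false positives appear. Second, blocking a source address automatically can cut off everyone behind a shared NAT or VPN egress, so most SOCs run such a rule in alert-only mode first and gate the block action on a list of addresses that must never be blocked.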
IV. WHAT IS SOC?

An enterprise SOC functions as a team of skilled people operating under defined processes and supported by integrated security intelligence technologies that are typically housed within one or several on-premise facilities. Operating under the umbrella of your overall security operations environment, the enterprise SOC specifically focuses on cyber threat monitoring, forensic investigation, incident management and reporting [9].

The SOC is a function within the organization's security portfolio. Its task is to maintain the SIEM and a suite of other security products and reporting tools that generate security alerts. These alerts are then analyzed by data analysts, engineers, security experts, penetration testers and other specialists within the SOC. A typical SOC operates 24/7/365 (in some cases 8/5) as a cybersecurity incident response team. They are the police, the fire and rescue team and the other emergency services of the company's IT environment, and the work these people do is critical for the company. As with real emergency services, minutes and even seconds can be critical, so correct and efficient incident response workflows and processes are key to a SOC's success.

Common sense dictates that a SOC, as the name suggests, should handle security incidents; in the real world, however, it is a challenge to tell a security alert apart from a network alert or a simple server availability alert. There are multiple models and suggestions for consolidating the SOC with the NOC (Network Operations Centre). By doing this the company mandates that the NOC and SOC share information, which helps to distribute some of the load and shortens response and remediation times, improving overall efficiency.

The proposed model includes Level 1 analysts who are responsible for resolving trivial incidents and alerts. If an alert is beyond a Level 1 analyst's experience, they will have enough information to forward it either to the NOC, if it is a networking or equipment availability issue, or to the SOC, in the case of a security incident. Either way, a comparatively low-cost resource filters out most of the low-level noise and leaves the Level 2 and Level 3 analysts on the NOC and SOC side to investigate the more complex incidents and alerts. The NOC and SOC share information between their personnel at all times, but the overall incident analysis and the final decision are made collaboratively, and SLA and KPI metrics are presented to the board as a single incident response effort. The model proposed by IBM and Tivoli is shown in Figure 2 [10].

Because each SOC is as unique as the organization it belongs to, it is critical to understand the factors that influence its results. A SOC can include all internal operations, processes, technologies and staff, rely heavily on external provider managed services, or be a hybrid of out-tasked and internal capabilities. To determine the right balance for an organization, one must consider cost, skills availability, a single location versus multiple global locations, and the importance of around-the-clock coverage and support [9].
Security event visualization is still rare in most organizations today. Many security professionals conduct manual log reviews or perform "spreadsheet" analyses, and for some, implementation of basic SIEM technology is as far as they go [11].

Fig. 2. Converged SOC and NOC operations model [10].

V. ADVANTAGES OF SIEM

Properly deployed and optimized centralized log processing and analysis by a SIEM gives companies the following benefits (among others):

• Centralized log storage: if the primary log source becomes unavailable, there is always a second log store with high availability, integrity and confidentiality.
• Analysis of large volumes of logs, which allows the detection of:
  o Anomalous activity across all systems.
  o Reconnaissance activity.
  o All kinds of cloud platform anomalies.
  o DDoS attacks.
  o Botnet activity.
  o Intrusion attempts.
  o Post-intrusion activity.
  o Ransomware.
  o Data theft (data exfiltration), from both internal and external threats.
  o Attempts to modify or access logs in any way.
  o Internal policy misuse.
  o System misconfiguration.
  o System vulnerabilities and exploits as they are being used.
  o System bottlenecks.
• Streamlined compliance reporting for GDPR, PCI DSS, ISO 27001, HIPAA and others.
• Increased incident response efficiency.
• A «big picture» of what is happening in the IT environment at any given moment.
• Information on historical events for forensic purposes, while at the same time preserving audit log integrity.

There are even more advantages to a SIEM, but none of these are guaranteed results. All of these benefits are the product of the SOC personnel who maintain the SIEM and optimize its rules. A SIEM is a perfect case where the following statement is spot on: "a SIEM is only as good as the individuals configuring it".

To sum up, a SIEM gives the ability to identify almost all activity within the IT environment from a "single pane of glass", provided the system is configured to look for all of these activities and understands the "context" of the logs.

VI. DISADVANTAGES OF SIEM

Although the principle of a SIEM is very simple and straightforward, the sheer number of logs and the analysis of those logs make the solution complicated and therefore expensive. The main problems in deploying a SIEM are:

• The SIEM system is expensive: the initial purchase price, including licensing cost, which depends on the number of logs processed/indexed, will be very high if log sources are not prioritized.
• Employees to configure and use the system are expensive, hard to hire (because of the security skills shortage in the market) and even harder to retain.
• A 24/7 SOC will be required, which greatly adds to the expenses (mostly salaries).
• A high amount of maintenance is required to investigate alerts and optimize the SIEM (fixing "false positives"); this quickly becomes overwhelming if one is not careful.
• A SIEM will not give comprehensive intelligence without other security solutions such as firewalls, IPS/IDS, EDR and other security and supporting tools.

VII. CONCLUSIONS

A SIEM solution has great advantages and disadvantages, but for the authors the fact remains that a SIEM is irreplaceable for companies that hold personal or internal data that needs to be secured from inside and outside threats. The total cost of a SIEM plus a 24/7 SOC will be substantial, but for companies looking for total visibility, compliance with industry standards and best practices, and the next level of cyberattack defense capability, a SIEM is one of the best investments a company can make in cybersecurity. However, if the company has limited resources and limited staff who are talented and experienced in cybersecurity, including SIEM systems, then it should reconsider an in-house SOC and instead look for an MSSP, which will provide a better service with a much lower TCO, especially considering the risks and challenges of creating an effective SIEM with a SOC.

At the end of the day the company's security budget will determine whether this solution is attainable or not.

The research was carried out to raise awareness of rising cybersecurity risks and to present the authors' view on which solution is the best fit to cover cybersecurity needs for identification; combined with a SOC, this allows incidents to be investigated and gives the knowledge necessary to remediate vulnerabilities and overall risks.

REFERENCES

[1] P. Mueller and B. Yadegari, "The Stuxnet Worm", The University of Arizona, United States, 2012. https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/topic9-final/report.pdf
[2] R. M. Lee, M. J. Assante and T. Conway, "Analysis of the Cyber Attack on the Ukrainian Power Grid", Defense Use Case, United States, March 2016. https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
[3] Verizon, "2018 Data Breach Investigations Report", United States, March 2018. https://enterprise.verizon.com/resources/reports/DBIR_2018_Report_execsummary.pdf
[4] Reuters, "Marriott 383 Million records data breach", United States, March 2019. https://www.reuters.com/article/us-usa-cyber-congress/marriott-ceo-apologizes-for-data-breach-unsure-if-china-responsible-idUSKCN1QO217
[5] M. Ostrowski, "From SIEM to SOC: Crossing the Cybersecurity Chasm", RSA Conference 2018, United States, May 2018.
[6] Accenture, "Ninth Annual Cost of Cybercrime Study", United States, March 2019. https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50
[7] J. Valdman, "Log File Analysis", Technical Report No. DCSE/TR-2001-04, Czech Republic, July 2001.
[8] Microsoft, "Appendix L: Events to Monitor", Microsoft official documentation, United States, July 2018. https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
[9] IBM, "Strategy considerations for building a security operations center", 2013.
[10] D. Jenkins, "Secure Your Operations through NOC/SOC Integration", IBM Software Group, IBM Corporation, Germany, 2006. https://docplayer.net/2408670-Secure-your-operations-through-noc-soc-integration.html
[11] Trustwave, "2013 Global Security Report", 2013. https://www.infosecurityeurope.com/__novadocuments/49846?v=635315245230570000
