Now that you have a better understanding of what SIEM is because you read part one of our blog series, we can dive into the nitty gritty of how SIEM works.

Every organization needs timely, accurate security events that notify the right people as soon as possible. That’s the purpose of security information and event management, or SIEM. What’s needed is actionable, timely notification of critical alerts, but with millions of events coming in every day, that can be challenging and complex. To simplify this, we use a system called ERIN.

Think of ERIN: Events, Rules, Incidents, Notifications

The E in ERIN stands for events. You need to collect all the raw event logs from all the important devices on your network. This includes the edge-based devices such as your Firewall, IDS or UTM But it also includes routers, wireless access points, and servers, especially Active Directory servers. In other words, meaningful Events! But that is just the beginning. The SIEM will then apply rules to the events that come in and cross-correlate those with threat intelligence feeds, blacklists, configuration information, change tracking, and geolocation data.

The R stands for Rules. There are hundreds and hundreds of rules in the system. Rules count events over time, monitor thresholds, and apply specific criteria to event data to find actionable threats. We customize the ruleset to your network’s specific device types and against an established traffic baseline. We tune these rules continually based on changes to the threat landscape and changes to the environment, as well as apply new rules based on new threats. When rules fire, they create Incidents.

Incidents are rated based on a criticality setting that is also custom tuned for your environment. Based on the criticality, an incident may be simply logged, it may be written to a report to be viewed later, or it may require immediate attention. As you can imagine, some incidents are interesting, which belong on a report. Other incidents require action, which means they should generate an immediate notification. A custom notification policy is then followed to ensure the right person or teams get the information immediately.

Notifications can be made 24x7x365 allowing individuals to remediate issues before they escalate out of control. These notifications can be sent via email or direct API into an organization’s ticketing system. We even include special text called remediation guidance that tells the support team what they can do to fix the issue. The support team gets instant notification of a problem and the information they need to quickly respond and fix it.

It can be difficult to grasp how SIEM works, but it’s a critical technology for organizations looking to maintain a strong security posture. The ERIN process simplifies the complexity of the technology by taking in millions of events, cross-correlating and analyzing the data with a ton of other data, creating prioritized incidents, and generating notifications on actionable incidents that get sent to the proper team immediately.

If you’re looking for assistance SIEM-plifying your cybersecurity stack, BIG’s team of security experts is here to help. You can also learn more about SIEM by visiting our SIEM Managed Services page. Next, we’ll be looking at how SIEM benefits business in part three of our blog series.


Related Resources

Read Part I: What exactly is a SIEM? and Part III: How your business benefits from SIEM of the three part SIEM blog series.