Friday, October 16, 2020


A critical component of securing an enterprise is a tool that aggregates and correlates event data across security logs and tools. This grew from what we used to call "Log Aggregation, Correlation, and Normalization". As the volume of data coming through these systems became unmanageable, the tools evolved to alert on event types.
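As an added illustration (not code from the original post), here is a small Python pipeline that performs the three steps named above on constructed sample lines: normalizing a firewall feed and an SSH auth log into one schema, aggregating them into one time-ordered stream, and correlating on an event type to raise an alert. The source names, line formats, window and threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (not from any real system): a firewall feed and an SSH auth log.
FIREWALL_LINES = [
    "2020-10-16T10:00:01Z fw1 action=allow src=203.0.113.5 dst=10.0.0.7 dport=22",
    "2020-10-16T10:00:05Z fw1 action=deny src=198.51.100.9 dst=10.0.0.7 dport=3389",
]
AUTH_LINES = [
    "2020-10-16T10:00:02Z host7 sshd[1234]: Failed password for root from 203.0.113.5 port 51000 ssh2",
    "2020-10-16T10:00:04Z host7 sshd[1234]: Failed password for admin from 203.0.113.5 port 51001 ssh2",
    "2020-10-16T10:00:06Z host7 sshd[1234]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "2020-10-16T10:09:00Z host7 sshd[1240]: Accepted password for alice from 192.0.2.20 port 4000 ssh2",
]
# One regex per source; group 1 = timestamp, 2 = action/outcome, 3 = source IP.
FW_RE = re.compile(r"^(\S+) \S+ action=(\w+) src=(\S+) ")
AUTH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for \S+ from (\S+) ")

def normalize(line, source):
    """Normalization: map a raw line into the common schema (ts, source, src_ip, event_type)."""
    m = (FW_RE if source == "firewall" else AUTH_RE).match(line)
    if not m:
        return None  # unparsed lines are dropped here; a real pipeline would count them
    ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
    if source == "firewall":
        kind = "fw_" + m[2]
    else:
        kind = "auth_failure" if m[2] == "Failed" else "auth_success"
    return {"ts": ts, "source": source, "src_ip": m[3], "event_type": kind}

def aggregate(fw_lines, auth_lines):
    """Aggregation: merge both feeds into one time-ordered event stream."""
    events = [normalize(l, "firewall") for l in fw_lines] + [normalize(l, "auth") for l in auth_lines]
    return sorted((e for e in events if e), key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Correlation: alert when one src_ip produces >= threshold auth_failure events inside window."""
    failures, seen_in = defaultdict(list), defaultdict(set)
    for e in events:
        seen_in[e["src_ip"]].add(e["source"])  # which tools saw this IP at all (cross-tool context)
        if e["event_type"] == "auth_failure":
            failures[e["src_ip"]].append(e["ts"])
    alerts = []
    for ip, stamps in failures.items():  # stamps are already time-ordered
        for start in stamps:  # sliding window anchored at each failure
            count = sum(1 for t in stamps if start <= t <= start + window)
            if count >= threshold:
                alerts.append({"rule": "repeated_auth_failure", "src_ip": ip, "count": count, "sources": sorted(seen_in[ip])})
                break
    return alerts
```

Running `correlate(aggregate(FIREWALL_LINES, AUTH_LINES))` yields one alert for 203.0.113.5 with three failures, seen by both the auth log and the firewall.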

The newer tools are classified as either a SEIM or a SIEM. While both acronyms identify a tool's basic functionality, I offer up an opinion that there are subtle nuances that place a tool in one category or the other. Although they are used almost interchangeably, when we look at the acronyms separately we see that each has a focus that fits a different objective:

• SEIM stands for Security Event and Incident Management, while 
• SIEM stands for Security Information and Event Management 

While both kinds of tool would do the basics of a SIEM and gather security information from the various tools and logs necessary to have a holistic look at events across the security landscape, I believe a tool that falls into the SEIM category would have greater functionality: not only identifying events, but also including a workflow engine and evidence-handling capacity to facilitate incident management across the enterprise.

One point that often gets overlooked by technologists is that responding to incidents across the enterprise includes many steps taken outside of IT that also need to be captured, recorded, and forensically held in a defensible chain of custody. This workflow may be managed by non-IT or IT Security personnel.

This cross-organizational workflow is a piece that is evolving at best and has brought the rise of Security Orchestration And Response (SOAR) platforms. Most SEIM vendors are focused on User and Entity Behavior Analytics (UEBA), which includes machine learning of baseline activities and alerting on anomalous behaviors. This automation, while useful and while it expands the potential to capture more activities that may be suspect, does not help the "defensibility" of responding to an incident beyond the technical realm (more on UEBA in another post). As a consumer, I would want my SEIM to include SOAR functionality or, at a minimum, an integration into my enterprise workflow management platform. There are so many disconnected choices out there (SOAR at the firewall, standalone products, or limited functionality in some SEIM solutions).

I have found there are two types of SEIM vendors - mature security tools that are trying to incorporate UEBA, and mature UEBA tools trying to snap on SEIM functionality. Both have their challenges. It really comes down to the applicability of the functionality in your particular use case. If your SOC team has the ability to "swivel chair" for event and incident management logging and tracking, then the more mature UEBA tool, which may have some limitations in SEIM and SOAR functionality, may be acceptable.
