What does Log Management & SIEM do?
And what is the difference between these two technologies?
Before we go into the benefits of log management and SIEM, we must first clarify how these two technologies work and how they differ from each other. So what exactly do log management and SIEM do?
What is Log Management (LM) and how does it work?
A log management solution collects log data coming from multiple endpoints and provides a central location for it. This central location makes it easier for security analysts to access and analyse logs on demand. A log management system not only stores large amounts of log data, but also allows the internal database to be searched so that the information needed can be found quickly.
Log management systems can be used for a variety of functions, including collecting, centrally aggregating, storing, preserving and analysing logs. However, log management also has its pitfalls: since a large volume of data is generated continuously, storage of the raw data can become a bottleneck.
Log management systems are best defined by the following characteristics:
- Audit procedures that are compliant with current regulations.
- The possibility to create different types of reports, depending on the situation and needs.
- Graphical representations in the form of charts and tables. These are practical for getting a clear visual indication of issues and for presenting results to senior management in a suitable format for assessment.
- An application to keep track of all the different system and event logs.
- Archiving of logs for longer or specified periods of time (retention time).
- The ability to specify when these logs should be deleted from the system or servers to save storage space.
And what are logs?
Logs (also called event logs) are detailed, text-based records of everything that happens in a company. They record both current and past activity. Logs can come from all types of software and hardware, including the following:
- Clients: Desktop, Notebook
- Infrastructure devices: routers, switches, access points
- Security devices: Firewall, Gateway
- Server: Linux, Windows
- Authentication server: Active Directory, LDAP
- Applications: all types of applications
Logs are thus a source of information about a company’s network, application and server systems.
What is a SIEM and how does it work?
The basic idea of a SIEM (Security Information and Event Management) is to collect all data relevant for IT security in a central place and to recognise patterns and trends through analyses that indicate dangerous activities.
Like log management, a SIEM is fed with log data, which is why log management is also included as a component in every SIEM. Some SIEM solutions also use flow data, including network information, to “keep an eye” on the communication between systems.
Data is collected and interpreted in real time. The SIEM normalises and structures all collected data. By correlating the data sets it is possible, for example, to detect attempted attacks through failed logon attempts and/or unauthorised access to the firewall.
Based on the insights gained, companies can react quickly and precisely to threats. A SIEM uses machine learning and artificial intelligence (AI) methods to establish connections between seemingly unrelated events that could indicate a security breach.
SIEM systems are best defined by the following characteristics:
- Visibility: Built-in dashboards provide an overview of the network and allow access to historical log data.
- Consolidation: Logs from across the enterprise and contextual information relevant to the logs are collected and stored in one place. Optionally, flow data from network traffic is included as well.
- Organisation: Collected logs are converted to a uniform format and organised into categories for easy reference and retrieval.
- Correlation: Event logs are compared using machine learning, algorithms, rules, statistics and real-time data.
- Alerts: Operators receive email, SMS and SNMP messages when a potential threat is detected.
- Prioritisation: Potential security threats are ranked according to their importance.
- Reporting: Reports based on SIEM logging are automatically generated for compliance purposes.
What is correlation?
When we talk about correlation in the context of SIEM, we are referring to the process of matching events (logs and events or flows) from different systems/networks.
The events & flows are combined and compared to identify patterns of behaviour that are invisible to individual systems. Correlation allows you to automate the detection of activities that are undesirable on your network.
Log correlation is the difference between a raw event such as:
“14:10 6/5/2021 User PWhite Successful Auth to 10.100.52.105 from 10.10.8.22”
and the statement it supports once context is added:
A user belonging to the sales department logged into an IT system from an office desktop on a weekend.
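To make the step from the raw line to the enriched statement concrete, here is an added Python example (not code from the article or from any SIEM product). It parses the page's log line, enriches it from a constructed user directory and asset inventory, and fires a simple correlation rule; the US-style date format and the second, benign event are assumptions.

```python
import re
from datetime import datetime

# Constructed sample events in the page's own format; the second line is a
# normal weekday login by an IT user and should not trigger the rule.
RAW_EVENTS = [
    "14:10 6/5/2021 User PWhite Successful Auth to 10.100.52.105 from 10.10.8.22",
    "09:15 6/7/2021 User JAdmin Successful Auth to 10.100.52.105 from 10.10.8.40",
]

# Constructed context a SIEM would pull from a directory and an asset inventory.
USER_DEPT = {"PWhite": "sales", "JAdmin": "it"}
ASSETS = {                                   # IP -> (asset type, owning department)
    "10.100.52.105": ("it-system", "it"),
    "10.10.8.22": ("office-desktop", "sales"),
    "10.10.8.40": ("office-desktop", "it"),
}

LINE_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}) (?P<date>\d{1,2}/\d{1,2}/\d{4}) User (?P<user>\S+) "
    r"Successful Auth to (?P<dst>[\d.]+) from (?P<src>[\d.]+)$"
)

def normalise(line):
    """Parse one raw line into a uniform event dict (the 'organisation' step)."""
    m = LINE_RE.match(line)
    if not m:
        return None                          # unknown format: leave for another parser
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M")  # assumed US date order
    return {"ts": ts, "user": m["user"], "src": m["src"], "dst": m["dst"]}

def enrich(event):
    """Attach what the raw line lacks: department, asset types, weekend flag."""
    dst_type, dst_owner = ASSETS.get(event["dst"], ("unknown", "unknown"))
    src_type, _ = ASSETS.get(event["src"], ("unknown", "unknown"))
    return {**event,
            "dept": USER_DEPT.get(event["user"], "unknown"),
            "src_type": src_type, "dst_type": dst_type, "dst_owner": dst_owner,
            "weekend": event["ts"].weekday() >= 5}

def correlate(lines):
    """Rule: a user reaching another department's system at the weekend."""
    alerts = []
    for line in lines:
        ev = normalise(line)
        if ev is None:
            continue
        ev = enrich(ev)
        if ev["weekend"] and ev["dept"] != ev["dst_owner"]:
            alerts.append(f"{ev['user']} ({ev['dept']}) logged into {ev['dst_type']} "
                          f"{ev['dst']} from {ev['src_type']} {ev['src']} on a weekend")
    return alerts
```

Running `correlate(RAW_EVENTS)` yields exactly one alert, for the PWhite event; the same raw line stored in a plain log management system would have to be matched against the directory and inventory by hand.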
What are the differences between LM and SIEM?
SIEM systems are primarily security applications, while log management systems are primarily intended for collecting log data (for example, for audits).
A log management system can be used for security purposes, but the high (manual) effort, for example for correlating events, usually does not justify the benefit.
Another important difference is that a SIEM, unlike log management, is a fully automated system. A SIEM also offers real-time threat analysis, which log management does not include.
Advantages of a SIEM
As with log management, the goal of SIEM is security – and it is only as good as the data it accesses. However, the advantages of a SIEM approach are real-time analysis and the connection of different systems to bring the information together in one console.
There are numerous benefits to be gained by using Security Information and Event Management. These benefits include:
- Fast and reliable detection of threats
- Fast and appropriate reaction to security-relevant events
- Adherence to legal requirements and compliance regulations
- Retrospective verification of security events
- Tamper- and audit-proof storage of all security-relevant events
If you want a tool that helps you collect all your logs in one place, choose Log Management. This may be the case if you need to collect your logs for compliance purposes.
If you want to use logs for security management, choose a SIEM system.