Using security information and event management solutions to manage cyber security risks - ITSM.80.024
Foreword
This is an UNCLASSIFIED publication that has been issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre).
For more information, email or phone our Contact Centre:
Email: contact@cyber.gc.ca | Mobile: 613-949-7048 or 1-833-CYBER-88
Effective date
This publication takes effect on March 31, 2025.
Revision history
- First release: March 31, 2025
Overview
This publication provides large organizations and enterprises with advice and guidance related to security information and event management (SIEM) solutions. SIEM solutions are sets of tools and services that collect, aggregate and analyze volumes of data from multiple sources in real time. SIEMs are an important enterprise security solution to incorporate in a defence-in-depth approach to cyber security and risk management. Defence-in-depth involves using multiple layers to protect information integrity. A SIEM solution gives your organization better insight into vulnerabilities, helps to quickly contain and eliminate cyber security threats, and ensures continuous compliance with regulatory requirements. A SIEM solution can help your organization manage cyber security risks and increase cyber resilience based on your organization’s resources and the sensitivity of your organization’s assets.
This publication will help your organization understand the:
- functionality of SIEM solutions
- importance of SIEM solutions in cyber security
- best practices for using SIEM solutions
Additionally, this publication provides information on cloud-based SIEM solutions and how they fit into a zero trust architecture (ZTA). Cloud-based SIEM technology and ZTA both offer enhanced protection for your infrastructure and data in an ever-changing cyber threat landscape.
1 Introduction
Your organization’s networks are the backbone infrastructure for your information technology (IT) systems, operational technology (OT) and industrial control systems (ICS). Therefore, it is important to secure your network infrastructure to protect your organization from breaches, intrusions and other cyber threats. Network logging and monitoring security events will help you to:
- secure your network infrastructure
- identify indicators of compromise (IoCs)
- take corrective actions in a timely manner
- minimize the impact when a security incident occurs
A SIEM solution consolidates monitoring and logging functions. The term SIEM was first coined by Gartner in 2005 to describe the combination of the following approaches:
- security information management (SIM), which refers to activities related to collecting data such as log files from multiple sources into a central repository
- security event management (SEM), which refers to activities related to the real-time monitoring and analysis of specific security events that may be red flags
Traditionally, SIEM solutions mostly offered protection for on-premises (on-prem) environments with limited data sources and capabilities. SIEM solutions have evolved, with next-generation (next-gen) SIEMs offering more capabilities to address advanced cyber threats and handle massive volumes of data. Many cloud-based SIEM solutions that can protect assets both on-prem and in the cloud are now available.
2 SIEM capabilities
A SIEM solution is a set of tools and services that collect, aggregate and analyze volumes of data from multiple sources in real time. Some basic SIEM capabilities include:
- aggregating data from many sources, such as users, network devices, applications, endpoints and cloud-deployed infrastructure
- monitoring and analyzing real-time and historical events
- normalizing or reformatting log data into a standard format to facilitate analysis
- correlating security events that have common attributes
- facilitating audit record correlation and analysis (e.g., by correlating events with vulnerability scan results)
- detecting IoCs collected dynamically from threat feeds
- issuing notifications and alerts when real or potential threats are identified
- managing the triaging of alerts
- archiving logs to facilitate the correlation of data over time for incident investigation and compliance requirements
- verifying cryptographic integrity and validating logs to determine whether they have been tampered with
2.1 Next-gen solutions
Next-gen SIEM solutions incorporate the following technologies to detect complex threats and lateral movement, and to automate incident responses:
2.1.1 User and entity behaviour analytics
User and entity behaviour analytics (UEBA) uses algorithms and machine learning to detect anomalous patterns of behaviour by users and devices (e.g., routers, servers and endpoints) on the network. UEBA allows your organization to identify a wider range of cyber threats, such as brute-force attacks, distributed denial-of-service (DDoS) attacks and insider threats.
2.1.2 Security orchestration, automation and response
Security orchestration, automation and response (SOAR) helps coordinate and automate the responses to identified threats using automated playbooks or workflows. It also uses artificial intelligence (AI) to learn behaviour patterns and predict similar threats before they occur.
3 Benefits of SIEM solutions
A SIEM solution can help manage your organization’s cyber security risks by supporting threat detection, compliance and security incident management activities. SIEM solutions allow your security team to:
- manage the continuous supply of log data from many disparate sources
- reduce the cost of individual tools used by different groups within your organization
- centralize log data into a single repository
- correlate and analyze large volumes of data to proactively identify potential threats as they leave traces across disparate log sources
- reduce security analysts’ workloads by automating repetitive security tasks
- receive automated alerts and response actions, triggered by specific use cases, to facilitate quick incident response
- obtain organization-wide real-time data to quickly identify and eliminate vulnerability blind spots across your network
- search historical log data across network nodes and time periods to support root-cause analyses and discover incidents after a breach has occurred
- generate reports for auditors to demonstrate compliance with regulatory requirements and to detect potential violations early so they can be addressed
- view management dashboards that display event data in informational charts to reveal patterns of unusual activity
- prioritize resources to address the most critical threats first
SIEM solutions allow your organization to automate the implementation, assessment and continuous monitoring of security controls. According to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137, SIEM technologies can help organizations automate many specific security controls. These technical, operational and management security controls are described in the Cyber Centre’s IT Security Risk Management: A Lifecycle Approach (ITSG-33):
- Technical security controls
- Operational security controls
- Management security controls
4 Cloud-based SIEM solutions
In the realm of cyber security, the shift to cloud-based SIEM solutions is reshaping how organizations manage and interact with their data. In a 2023 report from Gartner, it was estimated that 90% of SIEM solutions would offer capabilities delivered exclusively in the cloud by the end of the year. Unlike traditional on-prem SIEM solutions that require dedicated hardware and software within an organization’s own infrastructure, a cloud-based SIEM solution is hosted on servers maintained by a third-party cloud service provider (CSP).
Cloud-based SIEM solutions allow your organization to offload most of the infrastructure management to the CSP and focus on using your system to meet your security objectives. In practice, this means that the data logs from your organization’s network devices and systems are collected, transferred to the cloud, and securely stored on the CSP’s servers.
Your organization can then engage with your data through a web-based interface or an application programming interface (API) provided by the CSP. This API typically includes a suite of tools for data analysis, visualization and reporting. This allows your organization to perform sophisticated analytics to detect, investigate and respond to security incidents.
Cloud-based SIEM solutions often come equipped with machine learning and AI capabilities to better detect anomalies and potential threats. This happens in real time and at scale, providing organizations with a powerful, flexible and efficient tool for managing their cyber security posture.
4.1 Types of cloud offerings
There are two types of offerings for cloud-based SIEM solutions: managed and unmanaged.
4.1.1 Managed
This is closer to a “SIEM-as-a-service” model, where the SIEM solution vendor is accountable for the cloud infrastructure and its maintenance. The SIEM solution vendor also provides the customer with real-time incident monitoring and threat detection services. The customer usually has less control over the SIEM solution’s lifecycle management since this is the vendor’s responsibility. Although managed solutions can be more expensive, they relieve the customer of the burden of implementing and maintaining the SIEM solution.
4.1.2 Unmanaged
The customer is responsible for creating, maintaining, troubleshooting and managing the lifecycle of all the SIEM solution’s components. A third party may provide additional assistance, but the customer is generally responsible for the SIEM solution’s availability and stability. Unmanaged solutions may be suitable options for organizations with highly sensitive assets that need full control over their SIEM solution.
4.2 Benefits of cloud-based SIEM solutions
Cloud-based SIEM solutions can provide several benefits to your organization.
4.2.1 Scalability and flexibility
As your organization grows or experiences demand fluctuations, cloud-based solutions can adapt to meet your needs. This scalability also means that you only pay for what you use, which could be a cost-effective choice for many businesses.
4.2.2 Reduced operational overhead
With an on-prem SIEM solution, your organization is responsible for the upkeep of the hardware and software, which can be resource intensive. Cloud-based SIEM solutions shift much of this responsibility to the CSP. This allows your security team to focus on strategic tasks rather than maintenance.
4.2.3 Analytics
Cloud-based SIEM solutions often include commercial off-the-shelf (COTS) analytics specific to the CSP. These analytics are designed to work optimally within the provider’s infrastructure, potentially offering superior threat detection and data analysis capabilities. Having these analytics can enhance your organization’s cyber defence capabilities by harnessing the provider’s specialized knowledge and resources.
4.3 Drawbacks of cloud-based SIEM solutions
Although cloud-based SIEM solutions can offer many benefits to your organization, you should be aware of the potential drawbacks.
4.3.1 Data privacy concerns
When you use a cloud-based SIEM solution, your data resides on the CSP’s servers. Before moving to a cloud-based solution, ensure you fully understand and are comfortable with your provider’s data handling and storage practices.
4.3.2 Vendor lock-in
Moving to a cloud-based SIEM can lead to vendor lock-in, which is when it is difficult or expensive to switch to another provider or to revert to an on-prem solution. Many cloud services are the CSP’s property, which can make migrating data challenging. Before choosing a cloud-based SIEM solution, ensure you understand the terms of service, including what switching providers would entail.
4.3.3 Cost
Cloud-based SIEM solutions can provide cost savings, especially in terms of maintenance and infrastructure, but they can also increase costs. This is particularly true if your organization’s data usage is high since many CSPs charge based on the amount of data processed.
5 Best practices for implementing a SIEM solution
Secure deployment and operation of SIEM solutions is vital. A SIEM solution should be treated as a system of higher value, like administrative control or access control systems. Because of its role in monitoring and detecting security incidents, take extra care to establish the assurance of both the product and the vendor. Given the sensitivity of the data a SIEM solution handles and its level of access, and to limit exposure in the event of a zero-day vulnerability, the Cyber Centre recommends designing your SIEM architecture around multiple vendor solutions rather than being locked into a single vendor. This approach enhances your overall security posture by mitigating the risks associated with vendor-specific vulnerabilities.
An improperly implemented SIEM solution can produce a higher number of false positives, detect more “abnormal” events and generate additional, unhelpful alerts. This can put a strain on your cyber security team’s resources. By implementing the following best practices, your organization can best benefit from your SIEM solution.
5.1 General best practices
- Define use cases for monitoring, alerting and auditing
- From those use cases, identify log sources to be ingested and analyzed
- Consider conducting a proof of concept (POC) to assess if the SIEM solution is suitable for your environment
  - Set up the POC in a test environment that is based on well-defined user scenarios and is a representative subset of your infrastructure and data
- Identify your most critical resources, such as data and devices, and set up the SIEM solution to monitor them
- Configure appropriate log source monitoring and alerts to ensure you are notified of log collection problems
- Assess how much data you want to collect to get a comprehensive view of your network
- At a minimum, you should collect log data on:
  - authorization transactions (successful and failed attempts)
  - modifications to user privileges, including changes to user accounts (including creation and deletion), modifications to group memberships and authentication mechanisms (passwords and multi-factor configuration), and the addition or removal of privileged access
  - application errors
  - opt-in processes, such as terms and conditions
  - actions performed by all users with administrative privileges
  - registration of new devices to infrastructure, including any “bring your own device” (BYOD) mobile phones and personal devices
- Prevent your SIEM solution from collecting sensitive data such as:
  - financial information (e.g., bank records or credit card data)
  - personally identifiable information (e.g., government-issued identification numbers)
  - passwords and encryption keys
- Understand your business compliance requirements and configure the SIEM solution accordingly
- Conduct regular reviews and test your SIEM solution to ensure that it has been properly configured based on the security controls and policies implemented
- Establish an incident response plan so that your organization is prepared to properly handle the event when a security incident occurs
  - Consult our publication Developing your incident response plan (ITSAP.40.003) for more information
- Synchronize all network devices to a central time server to ensure that recorded audit logs use the same time source
  - Set up a minimum of 3 time servers to facilitate maintenance and troubleshooting
- Subscribe to external threat feeds, create alerts based on the data shared, and regularly update detection logic to identify new threats
  - The Cyber Centre provides IoCs to organizations, including partners in Canadian critical infrastructure, through an automated system called AVENTAIL, which can be integrated directly into your SIEM
5.2 Quality log data
To ensure that your organization gets the most useful insights into the activities within your network, make sure that high-quality log data is fed into your SIEM tool.
5.2.1 Choose appropriate log collection methods
SIEM solutions can collect and store security logs from multiple sources. Determine which log collection method is appropriate for your organization’s needs.
- Log stream: Devices generate logs and send them via a continuous stream to the SIEM solution’s log collector. This provides the SIEM solution with live information.
- Log push: A device gathers logs autonomously and pushes (uploads) them, either continuously or at regular intervals, to the SIEM solution’s log collector. The log collector is configured to accept the logs in a specified format and protocol (syslog, FTP, etc.).
- Log pull: In contrast to a log push, the SIEM solution’s log collector initiates the connection and requests the logs. This method is often used to gather operating system–level logs through a software agent.
5.2.2 Review and update log dissectors
Different systems generate logs in different formats. Some log formats have a well-defined structure and are easy for a SIEM solution to ingest, while other log formats are less consistent and more challenging for a SIEM solution to dissect and ingest. Ensure the SIEM solution you select can understand the logs it will receive.
Log formats can also change over time (e.g., after software updates), which can result in the SIEM being unable to dissect and index logs from a particular source. Review the log dissectors regularly and update them as needed.
5.2.3 Manage log storage appropriately
Log data received by the SIEM solution is stored according to the configured retention policies. Logs can be sent to storage for archiving or can be sent to the SIEM solution’s correlation engine, where they will be analyzed and correlated against other logs. This correlation can provide meaningful information for your IT team.
Depending on which SIEM solution you choose, logs can be stored either as they were received or in a compressed format. Since searching compressed logs takes more time, some SIEM solutions retain recent logs in an uncompressed format. After a predefined amount of time, the logs are compressed to reduce storage usage.
SIEM solutions can receive thousands of logs every second, so keeping uncompressed logs for an extended period can result in high storage costs. If the SIEM solution stores logs in the cloud, storage costs could also increase significantly.
Removing logs after they are no longer of value will help with both storage costs and performance. Logs that exceed the retention policy can be discarded or stored in lower-cost solutions.
5.2.3.1 Log data retention
Log retention policies can help keep storage needs under control. When developing your organization’s log retention policy, carefully consider how long to retain security logs. As a general guideline, we recommend retaining your organization’s important logs for at least 6 months. For more critical logs, consider a retention period of 13 months.
Your retention period will depend on your:
- organization’s industry standards
- regulations and laws
- specific cyber security concerns unique to your business environment
- storage costs and availability
Many compromises are discovered long after the breach occurred. According to IBM’s publication Cost of a Data Breach Report 2023, the mean time to identify a breach was 204 days. If your organization experiences a breach, your logs are crucial evidence that will help you identify and investigate the incident. Take care in developing your log retention policy and periodically review it to see if adjustments are necessary and whether your logs are being retained for the appropriate amount of time.
5.2.4 Activate indexing of most-searched fields
Logs from different source types contain different information and use different formats. SIEM solutions use log dissectors to understand log formats and the information that logs contain. This can include the log itself, date and time information, and the location of the username or machine name in the log stream. These fields can be indexed, which will result in faster search results.
Indexing logs makes searching faster, but requires additional storage and central processing unit (CPU) resources, which can affect the performance of the SIEM solution. We recommend only indexing fields that are searched often.
The SIEM solution should be able to provide information on searches, including which fields are searched and if those fields are indexed. Using this information, the SIEM administrator can activate or deactivate indexing based on how often the fields are searched.
5.2.5 Normalize log data
Normalizing logs is important for correlating events and investigating incidents. A SIEM solution may ingest logs in different formats. For example, your network might have devices in different time zones, some logs may use the 12-hour format while others use the 24-hour format, or your Active Directory (AD) logs may contain usernames while cloud logs show a person’s email address as their username.
The SIEM solution should be able to normalize as many fields as possible to limit the number of search strings that point to the same user or resource. During an incident investigation, a search for events that occurred within a particular period should return matching logs from all devices, regardless of the time zone for which the SIEM solution has been configured.
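As an added illustration of the normalization described above (example code written for this page, not from the Cyber Centre or any SIEM product), the following Python brings two constructed log lines into one canonical layout: an AD-style line with a 12-hour local timestamp and a short account name, and a cloud line with a 24-hour ISO 8601 timestamp and an email identity. The AD source time zone and the account-to-email mapping are assumptions.

```python
# Added example (not from ITSM.80.024): normalize timestamps and user identities
# from two constructed log sources into one canonical record layout.
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines. The AD-style line uses a 12-hour local clock and a
# short account name; the cloud line uses 24-hour ISO 8601 with an explicit UTC
# offset and an email address as the username.
AD_LOG = "03/31/2025 09:05:12 AM Event=Logon Account=JDOE Workstation=WS-17"
CLOUD_LOG = "2025-03-31T15:05:40+01:00 login user=jane.doe@example.ca result=success"

# Assumed: the AD domain controllers log in Eastern Standard Time (UTC-5).
AD_SOURCE_TZ = timezone(timedelta(hours=-5))

# Assumed identity mapping (a real SIEM would pull this from the directory).
IDENTITY_MAP = {"jdoe": "jane.doe@example.ca"}

AD_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) Event=(\S+) Account=(\S+) Workstation=(\S+)$"
)
CLOUD_RE = re.compile(r"^(\S+) login user=(\S+) result=(\S+)$")


def to_utc_iso(dt):
    """Render an aware datetime as a UTC string, so plain string comparison orders events."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def canonical_user(name):
    """Map a directory account name to the email identity used by cloud logs;
    email addresses pass through. Lower-cased so one search string matches all."""
    name = name.lower()
    return IDENTITY_MAP.get(name, name)


def parse_ad(line, source_tz=AD_SOURCE_TZ):
    m = AD_RE.match(line)
    if not m:
        return None
    # Attach the source time zone to the naive local timestamp before converting.
    local = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=source_tz)
    return {"ts": to_utc_iso(local), "source": "ad", "event": m.group(2).lower(),
            "user": canonical_user(m.group(3)), "host": m.group(4)}


def parse_cloud(line):
    m = CLOUD_RE.match(line)
    if not m:
        return None
    dt = datetime.fromisoformat(m.group(1))  # keeps the +01:00 offset
    return {"ts": to_utc_iso(dt), "source": "cloud", "event": "login",
            "user": canonical_user(m.group(2)), "result": m.group(3)}


def normalize(lines):
    """Dispatch each raw line to a parser. Unparseable lines are dropped here; a
    real SIEM should count them, because silent drops hide log-source problems."""
    events = []
    for line in lines:
        rec = parse_ad(line) or parse_cloud(line)
        if rec:
            events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def events_in_window(events, start_utc, end_utc):
    """Investigation query: everything between two UTC instants, from any source."""
    return [e for e in events if start_utc <= e["ts"] <= end_utc]


if __name__ == "__main__":
    for e in normalize([AD_LOG, CLOUD_LOG]):
        print(e)
```

The two raw lines read 09:05 AM and 15:05, yet after normalization both fall within the same ten-minute UTC window and carry the same user identity, which is exactly what an investigator's time-bounded search needs.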
5.2.6 Adjust correlation rules and thresholds
Event correlation refers to analyzing events against business contexts and drawing connections between them based on a set of predefined rules. These rules allow your SIEM solution to determine which suspicious activities should be treated as potential security threats. To accurately detect incidents, the SIEM solution’s correlation engine must be configured properly. Adjust the correlation rules and set thresholds based on your organization’s specific use cases or business needs. You can start with the SIEM solution’s default configuration rules and deactivate and activate parameters according to what you want correlated.
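To show what a threshold-based correlation rule looks like once its parameters are tuned, here is an added Python example (written for this page, not the Cyber Centre's or any vendor's code) that replays a failed-logon rule over constructed, already-normalized authentication events. The threshold, the time window and the escalate-on-success option are the adjustable parameters this section refers to; the event tuples and IP addresses are constructed sample data.

```python
# Added example (not from ITSM.80.024): a threshold-based correlation rule run
# over constructed, already-normalized authentication events.
from collections import defaultdict, deque

# Constructed sample events: (UTC epoch seconds, user, source IP, result).
# Source IPs are documentation-range addresses (RFC 5737).
EVENTS = [
    (1000, "jdoe", "198.51.100.7", "failure"),
    (1010, "jdoe", "198.51.100.7", "failure"),
    (1025, "jdoe", "198.51.100.7", "failure"),
    (1030, "jdoe", "198.51.100.7", "failure"),
    (1041, "jdoe", "198.51.100.7", "failure"),
    (1050, "jdoe", "198.51.100.7", "success"),
    (1100, "asmith", "203.0.113.9", "failure"),
    (2000, "asmith", "203.0.113.9", "failure"),  # failures spread over
    (2600, "asmith", "203.0.113.9", "failure"),  # 25 minutes: stays below threshold
]


class FailedLogonRule:
    """Alert when `threshold` failed logons for one (user, source) pair land
    inside a sliding `window_seconds`; optionally escalate when a success
    follows the burst, the pattern a successful brute-force attempt leaves."""

    def __init__(self, threshold=5, window_seconds=60, escalate_on_success=True):
        self.threshold = threshold
        self.window = window_seconds
        self.escalate = escalate_on_success
        self.failures = defaultdict(deque)  # (user, src) -> failure timestamps
        self.alerted = set()                # pairs already alerted, to avoid repeats

    def _prune(self, q, now):
        # Drop failures that have aged out of the window.
        while q and now - q[0] > self.window:
            q.popleft()

    def process(self, ts, user, src, result):
        """Feed one event (in time order); return an alert dict or None."""
        key = (user, src)
        q = self.failures[key]
        self._prune(q, ts)
        if result == "failure":
            q.append(ts)
            if len(q) >= self.threshold and key not in self.alerted:
                self.alerted.add(key)
                return {"severity": "medium", "rule": "failed_logon_threshold",
                        "user": user, "src": src, "count": len(q), "ts": ts}
            return None
        if result == "success" and self.escalate and len(q) >= self.threshold:
            alert = {"severity": "high", "rule": "failed_logons_then_success",
                     "user": user, "src": src, "count": len(q), "ts": ts}
            q.clear()                  # burst resolved; start fresh for this pair
            self.alerted.discard(key)
            return alert
        return None


def run_rule(events, **params):
    """Replay events through one rule instance and collect its alerts."""
    rule = FailedLogonRule(**params)
    return [a for a in (rule.process(*ev) for ev in events) if a]


if __name__ == "__main__":
    for a in run_rule(EVENTS):
        print(a)
```

Re-running with a lower threshold fires earlier, a higher one stays silent on the same data, and disabling escalation drops the high-severity alert, which is the kind of tuning pass the section describes.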
6 Zero trust architecture
The term “zero trust” (ZT) represents a security framework for protecting infrastructure and data. ZT’s central tenet is that no subject (application, user or device) in an information system is trusted by default. Trust must be assessed and verified every time a subject requests access to a new resource. The degree of access provided is dynamically adjusted based on the level of trust established with the subject. ZT involves adopting a new security mindset by always assuming a breach and focusing on protecting resources (e.g., services and data). A zero trust architecture (ZTA) is an enterprise approach to designing systems in which security is based on ZT principles. To learn more about ZTA, refer to our publication A zero trust approach to security architecture (ITSM.10.088).
NIST SP 1800-35B Implementing a Zero Trust Architecture describes example solutions for implementing ZTA. The solutions assume that SIEM technology is one of an organization’s baseline cyber security functions to gradually add capabilities as it evolves toward a ZTA. SIEM solutions support ZTA implementation since the data they collect could feed into the ZTA policy engine to help with dynamic access decisions.
7 Summary
Large organizations and enterprises are facing an ever-evolving cyber threat landscape. To mitigate attacks by advanced threat actors, your organization should invest in security tools that provide real-time insights about activities in your network. Cyber security tools like SIEM solutions can provide you with a single interface to get these insights. A SIEM solution can help your organization to detect, analyze and respond to cyber security threats before they disrupt your business operations. As with any significant IT decision, you should weigh all the information presented in this publication against your organization’s specific needs and circumstances to determine if a SIEM solution is the best fit for you.