Security operations teams regularly use security information and event management (SIEM) platforms to monitor for and identify potential security threats. SIEM combines a set of tools and technologies to give organizations a comprehensive view of their IT security posture, helping them recognize potential threats and vulnerabilities before they disrupt business operations. While SIEM excels at compliance reporting and at monitoring events such as access activity, user and entity behavior analytics (UEBA) is better at spotting insider threats and protecting an organization’s digital assets.
Because SIEM automates data collection and analysis, it is a valuable tool for gathering and verifying compliance data across the entire business infrastructure. SIEM works by combining two technologies:
a) Security information management (SIM), which collects data from log files for analysis and reporting, and
b) Security event management (SEM), which monitors systems in real time and establishes correlations between security events.
SIEM consolidates and analyzes this data, checking it for deviations from the behavioral rules an organization has defined, in order to identify potential threats.
Data sources include:
Attributes that may be analyzed include users, event types, IP addresses, memory, processes and more. When a deviation is found, the system alerts security analysts and/or takes action to suspend the unusual activity, depending on the parameters set by the administrator.
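As an added example (not code from the original page or from any SIEM vendor), the following Python script shows the SIM/SEM split described above in miniature: a collection step that normalizes raw log lines into events with the attributes named in the text (user, event type, IP address, timestamp), followed by two correlation rules that flag deviations from organization-defined behavior. The log lines, the working-hours window and the rule thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system); IPs are documentation ranges.
AUTH_LOG = """\
2024-05-01T09:00:01Z sshd: Failed password for alice from 203.0.113.7
2024-05-01T09:00:03Z sshd: Failed password for alice from 203.0.113.7
2024-05-01T09:00:05Z sshd: Failed password for alice from 203.0.113.7
2024-05-01T09:00:06Z sshd: Failed password for alice from 203.0.113.7
2024-05-01T09:00:08Z sshd: Accepted password for alice from 203.0.113.7
2024-05-01T09:05:00Z sshd: Accepted password for bob from 198.51.100.4
2024-05-01T23:30:00Z sshd: Accepted password for bob from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(text):
    """SIM-style collection: turn raw log lines into normalized event records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not match the expected format are skipped
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "ip": m["ip"],
            "event_type": "auth_failure" if m["outcome"] == "Failed" else "auth_success",
        })
    return events


def rule_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=2)):
    """SEM-style correlation: at least `threshold` failures from one IP followed by a
    success within `window` is flagged as a likely credential-guessing success."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["event_type"] == "auth_failure":
            failures[ip].append(ev["ts"])
        elif ev["event_type"] == "auth_success":
            recent = [t for t in failures[ip] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "ip": ip, "user": ev["user"],
                    "failures": len(recent), "ts": ev["ts"],
                })
            failures[ip].clear()  # a success resets the counter for that source
    return alerts


def rule_off_hours_login(events, start_hour=8, end_hour=18):
    """Behavioral rule: a successful login outside the (assumed) working hours."""
    return [
        {"rule": "off_hours_login", "user": ev["user"], "ip": ev["ip"], "ts": ev["ts"]}
        for ev in events
        if ev["event_type"] == "auth_success"
        and not (start_hour <= ev["ts"].hour < end_hour)
    ]


def run_siem(text):
    """Collect, normalize and correlate; returns the list of alerts to raise."""
    events = parse_events(text)
    return rule_bruteforce_then_success(events) + rule_off_hours_login(events)


if __name__ == "__main__":
    for alert in run_siem(AUTH_LOG):
        print(alert)
```

On the constructed input this raises two alerts: the four failed logins from 203.0.113.7 followed by a success within two minutes, and bob's successful login at 23:30. Whether an alert only notifies an analyst or also triggers an automated response (such as suspending the session) is the administrator's choice; the rule code itself stays the same.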