SIEM vs. Log Management

There is no shortage of statistics out there regarding the state of today’s cybersecurity landscape. According to Cybersecurity Ventures, the varied expenses associated with cybercrime cost companies around the world a staggering $6 trillion per year. Ransomware attacks increased by 350% in 2018, and 90% of all ransomware attacks stem from email phishing scams. What’s the most important takeaway from alarming statistics like these? Bad actors are rapidly increasing their numbers and they’re getting smarter. Luckily, managed services providers (MSPs) are getting smarter too.

Protective measures like Kerberos authentication, comprehensive endpoint management, and encryption only scratch the surface of what MSPs do to protect their customers’ networks from cybersecurity threats. There are an infinite number of ways MSPs can continue to use data analysis to better protect their customers.

For instance, all MSPs should have a SIEM or log management system in place for their customers. What’s the difference between the two? How do you decide which approach to log analysis is best for the organization you’re managing? This article breaks down everything you need to know about the difference between SIEM and log management, and explains how each approach can have a positive impact on your customers’ security.

The Importance of Security Log Analysis

To truly understand the difference between SIEM and log management, you have to understand the one major thing they have in common—logs. Logs, also known as “event logs,” “audit records,” or “audit travels,” are detailed, text-based records about everything that goes on in an operating system—past and present.

Logs are an invaluable source of intel about network, application, and server performance. MSPs can also use log data to establish baselines for user activity, which is crucial considering a lot of user activity can be misconstrued as a hacking attempt. If the log data shows there’s an employee on the network who routinely forgets their password on the first login attempt, the IT security team can access that historical data and find that there might not be cause for alarm when they see that happening.

A network constantly gathers logs from all kinds of data sources, so it is up to MSPs and IT teams to sift through all of the noise. What logs you gather will largely depend on the organization’s individual needs, but you should always gather logs pertaining to:

• Validation failures
• Access control failures
• Authentication successes and failures
• User and customer opt-ins like terms and conditions
• Changes in user privileges
• All log-in processes

The challenge of log gathering is that even if you only collect log data for the most important metrics, you’re still looking at an inordinate amount of event logs. On any given day, a large enterprise can produce hundreds of gigabytes of loggable data. When dealing with that much data, it’s likely that you’ll run into a few common problems.

The first is volume and velocity—there are simply too many event logs coming in too quickly for MSPs to handle effectively. The second is normalization. Since log data comes from a wide variety of data sources—networks, applications, servers, vulnerability reports—the log data you gather will likely be in many different formats. It would take a very long time to manually convert all of that log data into a uniform format for easy comparison and readability. Finally, MSPs must verify each log to make sure the output is accurate, which is an incredibly time-consuming undertaking.

How can MSPs take control of log data and navigate these obstacles? That’s where log management comes in.

What Is log management?

Log management refers to the process of collecting and storing log data generated by an organization’s operating system. A log management tool collects log data coming in from multiple endpoints and provides a centralized location in which to store it. This centralized location makes it easy for security analysts to access and analyze logs as necessary. The log management tool will also tell you how long logs will be stored and which specific logs need to be pulled, depending on what events or variables you want to investigate.

Log management systems are characterized by their log data collection, data retention, log indexing, reporting, and searching capabilities. Not only does a log management system house large amounts of log data for you, it also allows you to search through the database so you can quickly find the information you need. When it comes time to demonstrate compliance with Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI-DSS) regulations, many log management tools have embedded reports you can use to make the auditing process a little smoother.

However, log management does come with its fair share of pain points. For example, since there is so much data coming in at all times, bottlenecking and raw data storage issues can be a problem. What’s more, log management systems often do not have tools in place to help MSPs convert log data into a unified format, so data variability is still a factor. The biggest drawback to log management systems is that they are not automated, meaning a technician will still be responsible for keeping up with your customer’s millions of logs to minimize security risks. Needless to say, log management still necessitates a lot of time and effort.

What Is SIEM?

Security Information Event Management (SIEM) is a system comprised of log analysis products and software, designed to give MSPs a complete overview of network activity. SIEM systems have all of the features of log management systems, plus security capabilities in three key areas—security event management (SEM), security information management (SIM), and security event correlation (SEC). As the name suggests, SIEM approaches log analysis specifically with security in mind.

SIEM collects, analyzes, and reports on log data from various networks, applications, servers, and endpoints on an operating system. Intuitive dashboards offer a bird’s-eye view of the entire organization, and advanced threat detection capabilities alert MSPs to potential security threats in real time. What’s more, SIEM systems also use machine learning to draw connections between seemingly unrelated events that might indicate a security breach.

It’s important to note that SIEM in itself isn’t a security protocol. Rather, it makes your existing security protocols better by facilitating high-quality log analysis, which in turn facilitates more nuanced insights regarding threats and an organization’s vulnerabilities.

SIEM systems are best defined by the following characteristics:

1. Visibility: Built-in dashboards grant MSPs an overview of their customer’s network and provide access to historical log data.
2. Consolidation: Logs from across the organization and contextual information relevant to the logs are collected and stored in one location.
3. Organization: Collected logs are converted into a uniform format and organized into categories for easy reference and recall.
4. Correlation: Event logs are compared using machine learning, algorithms, rules, statistics, and real-time data.
5. Alerts: MSPs receive email, SMS, and SNMP messages whenever a potential threat is detected.
6. Prioritization: Potential security threats are triaged according to importance.
7. Reporting: Reports based on SIEM logging are auto-generated for compliance purposes.

SIEM systems are excellent at detecting security breaches because their complex algorithms can identify even the smallest indicator of a threat. That attention to detail prevents small breaches from snowballing into full-blown cyberattacks. Also, since these tools send out targeted alerts in response to detected threats, MSPs can respond much faster and even effectively stop attacks that are in progress.

Unfortunately, although SIEM is largely automated, it still requires personnel to manage it and configure the system to meet your organization’s needs.

SIEM vs. log management

What’s the difference between SIEM and log management? In the simplest terms, SIEM systems are security applications first and foremost, while log management systems are primarily designed for collecting log data. A log management system can be used for security purposes, but it’s more complicated than what it’s worth. If you want a tool that will help you gather all of your logs in one place, choose a log management system. If you need to use logs to manage security for a large or diverse IT infrastructure, choose a SIEM system.

Another key differentiation is that SIEM is a fully automated system, while log management is not. SIEM features real-time threat analysis, while log management does not. For MSPs, the solution you choose will largely depend on what you have the means, personnel, and time to accomplish. What’s more important is that you have a system in place to analyze your customers’ logs and are able to craft a cybersecurity plan based on that information.