Monitoring and SIEM

SIEM (Security Information and Event Management) aggregates and analyses security data from the entire IT environment in real time. It gives organisations a central overview of security events and makes it possible to detect threats before they cause damage.

    What is monitoring and SIEM?

    Security monitoring is about keeping watch over what is happening in the organisation's IT environment. Without monitoring, attackers can operate undetected for weeks or months. SIEM is the technology platform that makes systematic monitoring possible.

    A SIEM system collects log data from all IT systems: firewalls, endpoints, servers, identity systems, cloud services and applications. It normalises data into a common format, correlates events across sources and analyses them to identify threats.

    SIEM is central to incident response. When a threat is detected, SIEM provides the context the security team needs to understand the scope and respond quickly. It is also critical for documenting compliance with regulatory requirements.

    SIEM capabilities

    A modern SIEM system offers:

    • Log collection: Centralised collection of logs from all data sources. Normalisation ensures that data from different vendors can be compared.
    • Correlation: Links events from multiple sources to detect patterns. A single failed login is innocuous; hundreds from different IPs against the same account indicate a brute-force attack.
    • Real-time alerting: Triggers alerts based on predefined rules and threat intelligence. Prioritisation ensures the security team focuses on the most critical events.
    • Behavioural analysis (UEBA): User and Entity Behaviour Analytics identifies abnormal behaviour that deviates from baseline. It catches insider threats and compromised accounts.
    • Forensic analysis: The ability to search historical data to investigate incidents and understand attack chains.
    • Dashboards and reporting: Overview of security status, trends and compliance metrics.
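    As an added illustration of collection, normalisation, correlation and alerting (example code written for this page, not code from the page's author or from any SIEM product), the Python below maps constructed Windows and VPN log lines onto one schema and raises a prioritised brute-force alert tagged with the MITRE ATT&CK technique T1110. The log formats, field names, thresholds and window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from two sources with different formats (not real log data).
RAW_EVENTS = [
    ("windows", "2024-05-01T08:00:01Z EventID=4625 TargetUserName=jdoe IpAddress=203.0.113.5"),
    ("windows", "2024-05-01T08:00:03Z EventID=4624 TargetUserName=asmith IpAddress=10.0.0.8"),
    ("windows", "2024-05-01T08:00:04Z EventID=4625 TargetUserName=JDOE IpAddress=203.0.113.6"),
    ("vpn", "2024-05-01 08:00:09 AUTH_FAIL user=jdoe src=198.51.100.7"),
    ("windows", "2024-05-01T08:00:20Z EventID=4625 TargetUserName=jdoe IpAddress=203.0.113.7"),
    ("vpn", "2024-05-01 08:00:31 AUTH_FAIL user=jdoe src=198.51.100.8"),
    ("windows", "2024-05-01T08:00:40Z EventID=4625 TargetUserName=asmith IpAddress=10.0.0.8"),
]

PARSERS = {  # per source (assumed formats): regex, timestamp format, "is this a failed logon?"
    "windows": (re.compile(r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"),
                "%Y-%m-%dT%H:%M:%SZ", lambda m: m["id"] == "4625"),   # 4625 = Windows failed logon
    "vpn": (re.compile(r"^(?P<ts>\S+ \S+) (?P<result>AUTH_\w+) user=(?P<user>\S+) src=(?P<ip>\S+)$"),
            "%Y-%m-%d %H:%M:%S", lambda m: m["result"] == "AUTH_FAIL"),
}

def normalise(source, line):
    """Map one raw line onto the common schema; None for successes and unparsable lines."""
    regex, fmt, is_failure = PARSERS[source]
    m = regex.match(line)
    if not m or not is_failure(m):
        return None
    return {"ts": datetime.strptime(m["ts"], fmt), "user": m["user"].lower(),
            "src_ip": m["ip"], "source": source}

def correlate(raw_events, threshold=5, min_ips=3, window=timedelta(minutes=5)):
    """Alert when one account has >= threshold failures from >= min_ips addresses inside window."""
    failures = defaultdict(list)
    for source, line in raw_events:
        ev = normalise(source, line)
        if ev:
            failures[ev["user"]].append(ev)
    alerts = []
    for user, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):            # sliding window anchored at each failure
            hits = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            ips = sorted({e["src_ip"] for e in hits})
            if len(hits) >= threshold and len(ips) >= min_ips:
                alerts.append({"user": user, "failures": len(hits), "src_ips": ips,
                               "sources": sorted({e["source"] for e in hits}), "technique": "T1110",
                               "severity": "high" if len(ips) >= 2 * min_ips else "medium"})
                break                                # one alert per account per run
    return alerts
```

    Running `correlate(RAW_EVENTS)` yields one medium-severity alert for jdoe (five failures from five addresses across both sources, with the mixed-case username folded together by normalisation) and nothing for asmith, whose single failure is innocuous.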

    SOAR (Security Orchestration, Automation and Response) can be integrated with SIEM to automate responses to known threat types, for example automatically blocking suspicious IP addresses.

    Implementation

    A SIEM implementation requires planning:

    Define scope: Start with the most important data sources. Firewalls, endpoint security, Active Directory and email security are typical starting points. Expand gradually to include DNS logs, DLP events and application logs.

    Create detection rules: Define what should trigger alerts. Use threat intelligence and frameworks such as MITRE ATT&CK to structure detection. Start with known attack patterns and expand with behaviour-based detection.

    Reduce noise: Too many alerts are just as problematic as too few. Fine-tune rules to reduce false positives, and prioritise alerts based on criticality.

    Staffing: SIEM requires skilled analysts who can assess alerts and investigate incidents. A Security Operations Centre (SOC) can be run internally or outsourced to a Managed Security Service Provider (MSSP).

    Combine SIEM with penetration tests and vulnerability scanning to validate that detection rules catch real attacks.

    Regulations and standards

    NIS2 imposes direct requirements on monitoring and incident detection. Organisations must be able to detect, analyse and report security incidents within tight timeframes.

    ISO 27001 Annex A includes controls for logging (A.8.15) and monitoring activities (A.8.16). An ISMS should define monitoring requirements as part of its technical and organisational measures.

    DORA requires financial institutions to have continuous monitoring of ICT systems. CIS 18 dedicates Control 8 to audit log management. Under GDPR, monitoring helps detect data breaches early and meet the 72-hour notification obligation.

    Frequently Asked Questions about Monitoring and SIEM

    What is the difference between logging and SIEM?

    Logging is the collection and storage of event data from systems. SIEM collects logs from many sources, correlates them, analyses them using rules and machine learning, and generates alerts on suspicious activity. SIEM provides the overview and context that raw logs do not.

    What is SOAR?

    SOAR (Security Orchestration, Automation and Response) automates the response to security incidents. When SIEM detects a threat, SOAR can automatically isolate a device, block an IP address or create an incident ticket. It reduces response time significantly.

    Do small organisations need SIEM?

    Yes, but the solution can be scaled. Cloud-based SIEM services and Managed Security Service Providers (MSSPs) make SIEM accessible to smaller organisations without the need for their own infrastructure and specialists.

    Which data sources should be connected to SIEM?

    Start with the most important: firewalls, endpoint security, identity management (Active Directory), email security and critical servers. Expand gradually with application logs, cloud services and network equipment.
