How SIEM works

A SIEM system collects all data relevant to IT security at a central location and examines it for irregularities. The centralised view makes it easier to notice trends and patterns that deviate from the usual pattern and indicate dangerous activities.

The data is usually collected by so-called software agents. They monitor important points of IT security such as firewalls, servers, routers, intrusion detection systems (IDS), intrusion prevention systems (IPS) and various applications. The SIEM structures the collected data and compares it with the normal state. In this way, it can determine whether someone is trying to gain unauthorised access to a firewall or to crack a password – e.g. in the case of an accumulation of incorrect login attempts. If a potential problem is detected, the system sends an alarm, logs the event and can automatically limit or even stop ongoing attacks via connected tools.

What are the goals of SIEM?

A SIEM solution greatly facilitates security management by automatically monitoring and assessing large amounts of security-related data in real time. In this way, incidents are detected that might otherwise not have been discovered. From the logged data, the system creates a timeline of the attack and even compliance and audit reports. From this information, conclusions can be drawn about its nature and impact on the company. This allows security personnel to respond properly to threats and to identify the origin of the attack and compromised systems. The fact that possible scenarios have already been thought through in detail in advance enables confident action in the event of an emergency.

Conclusion

The main advantages of a SIEM system are thus:

– Threats are detected quickly and reliably.

– The right countermeasures are initiated immediately.

– This means that the damage caused can be limited.

– Security-relevant events are stored in an audit-proof manner.

SIEM and essendi xc

Our certificate manager essendi xc can also be integrated into a SIEM solution and forward its messages to a SIEM system. xc itself is protected against cyber-attacks by various precautions. The audit log documents all actions that users initiate via the tool, starting with the system logon. With the help of templates and policies, certificates can be applied for in a compliant manner. Role-based access and authorisations ensure that users only see and edit certificates for which they are authorised. In addition, xc checks the certificate inventory at set intervals, notices unauthorised deviations and sends a corresponding warning message.