
SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) IMPLEMENTATION

RECOMMENDATIONS TO ENHANCE NETWORK SECURITY

By

Hugo Caldeira

A Capstone Project Submitted to the Faculty of

Utica College

May 2021

In Partial Fulfillment of the Requirements for the Degree of

Master of Science in Cybersecurity

© Copyright 2021 by Hugo Caldeira

All Rights Reserved
Abstract

Cybersecurity and data security have become an essential part of organizational strategic planning in the 21st century, especially as more firms employ technology to run their operations. As a result, attacks on businesses by malicious individuals have increased, whether for monetary gain, to access sensitive information, or to conduct espionage for the benefit of their competitors. Government agencies, social media sites, networks, databases, and cloud storage facilities are all experiencing increased attacks. This means businesses must employ stronger security protocols to address the gaps that make them vulnerable to the cyberattacks occurring daily. Security Information and Event Management (SIEM) is one of the tools employed by businesses and institutions to centralize the logging of all data and information across their network into one solution, which can then be used to monitor the collected data with advanced capabilities that detect, respond to, and protect their networks from threats and security breaches. Understanding the usefulness of SIEM can help define its viability in improving network security and in helping organizations avoid losses from cyberattacks. This research project examined SIEM tools to provide recommendations for their implementation to bolster network security. This project intended to answer the following questions: how SIEM tools influence network security, how cloud-based SIEM tools compare to on-premises SIEM tools, and what factors affect the selection of open-source versus license-based SIEM tools.

Keywords: Criminal Justice Administration, Cyber Security Operations, Paul Pantani, Cloud, SIEM, Open-Source, Network Security
Table of Contents
Statement of the Problem ................................................................................................................ 1
Purpose Statement ....................................................................................................................... 1
Use of SIEM Tools ...................................................................................................................... 2
Why Organizations Use SIEM .................................................................................................... 3
Literature Review............................................................................................................................ 5
Security Information and Event Management (SIEM) Systems ................................................. 5
Requirements for the Selection of SIEM .................................................................................... 7
A Comparison of Cloud-Based SIEM Tools and On-Premises SIEM tools ............................. 11
Factors that Determine the Selection of Open-Source Versus License-Based SIEM Tools ..... 15
Discussion of the Findings ............................................................................................................ 19
SIEM Tools Influence on Network Security ............................................................................. 19
They Aid Organizations in Security Analysis ........................................................................... 22
Incident Detection ..................................................................................................................... 23
Data Storage .............................................................................................................................. 23
Data Normalization ................................................................................................................... 24
SIEM Tools Aid Compliance .................................................................................................... 24
Cloud-Based SIEM Tools Compared to On-Premises SIEM Tools ......................................... 25
Cost............................................................................................................................................ 25
Data Security ............................................................................................................................. 26
Time .......................................................................................................................................... 26
On-Premises SIEM Tools May Lead to Underutilization of Resources and Storage ............... 27
Usability .................................................................................................................................... 27
Factors that affect the selection of open-source versus license-based SIEM tools ................... 28
Cost Involved ............................................................................................................................ 28
The Management ....................................................................................................................... 29
Flexibility .................................................................................................................................. 29
Design and Capabilities ............................................................................................................. 29
Data and Security Analytics ...................................................................................................... 31
Reliability .................................................................................................................................. 31
Limitations of the Study ............................................................................................................ 32
Future Research ......................................................................................................................... 32
Recommendations ..................................................................................................................... 33
Conclusion .................................................................................................................................... 33
References ..................................................................................................................................... 36
Statement of the Problem

According to the Federal Bureau of Investigation (FBI), there are approximately 30,000 cyberattacks against devices in the U.S. each day, yet only 4,000 of these incidents are reported (Monster Cloud, 2020). Enhancing network security is a crucial activity every organization needs to deliberate during these times of elevated cyberattacks and data breaches. SIEM is one of the tools that can be employed to enhance network security and address these challenges. The purpose of this research project was to examine Security Information and Event Management (SIEM) tools to provide recommendations for their utilization to bolster network security. This project intended to answer the following questions: How do SIEM tools influence network security? How do cloud-based SIEM tools compare to on-premises SIEM tools? What factors affect the selection of open-source versus license-based SIEM tools?

Purpose Statement

Since 2016, data breaches and unauthorized access to organizational data have become more common occurrences. Out of the 15 biggest cases of compromise, 2 of the more significant cases generated more than 3.5 million compromised accounts. This means that the other cases generated greater numbers of compromised accounts (Swinhoe, 2021). Since the onset of the COVID-19 pandemic, social engineering attacks and phishing have increased significantly, with ransomware attacks rising by 800% (Monster Cloud, 2020). Most of these cyberattacks are directed at corporations, government agencies, and business entities to steal money, conduct industrial espionage, and mine data that can be used by competitors to gain a competitive advantage. As many organizations allow their staff to work remotely during the pandemic, the level of attack is elevated, as most employees were not knowledgeable enough about the proper security practices to undertake. Businesses are turning to tools such as SIEM to bolster their networks against such attacks, identify breaches in time, and make amends to safeguard customers’ sensitive data (Monster Cloud, 2020).

Use of SIEM Tools

SIEM refers to a set of tools and network services that provides a holistic view of the state of an organization’s information security. SIEM provides enterprise security professionals with logs of the activities that occur within their networks and of incidents of security importance that require an urgent response. SIEM is a combination of Security Information Management (SIM) and Security Event Management (SEM), with the intention of aggregating data from various sources, evaluating the data to identify deviations from the norm, and responding appropriately to these findings. A SIEM system can identify an abnormality, create an alert regarding the incident, and provide instructions to stop the activity from proceeding. The SIM component of SIEM helps in collecting, analyzing, and reporting log data, while SEM assists in the real-time evaluation of event and log data, incident correlation, and event response (Nabil et al., 2017). SIEM technology reduces the time needed for information security personnel to identify the source of data breaches and the suitable way of solving the issue.

SIEM software usually monitors every aspect of the organization’s technological infrastructure: computer networks, host systems, different devices and workstations, security apparatus such as firewalls and antivirus, and data input and output events such as password entry, data copying and movement, and file erasure procedures. As a result, SIEMs can provide vital information such as failed and successful logins, malware activities, phishing attacks, and data copying through remote access. These tasks are difficult for IT specialists to decipher in real time due to the sophisticated nature of the tools employed by hackers to access organizations’ systems, and therefore SIEMs become invaluable in addressing security breaches before they occur (Nabil et al., 2017).

SIEM tools are expensive, which explains why global spending on SIEM is only $2.4 billion when $98.4 billion is spent on enterprise security. As a result, large organizations are frequent users of SIEM software, mainly attributed to the need to comply with government regulations. Small to medium companies find it difficult to implement SIEM technology due to the cost and the expense of maintaining a specialized staff well trained in how to use the SIEM software (Pratt, 2017). However, some cloud-based vendors offer SIEM services through software-as-a-service (SaaS) modalities for their small-scale clientele. Organizations may choose to build upon open-source SIEM tools such as OSSIM, Apache Metron, and OSSEC without incurring any expenses and enjoy the possibility of tweaking the settings according to company needs. Conversely, the maintenance costs may end up being more than the license fee for commercial SIEM tools, and the software may not be suitable for large deployments. Additionally, open-source SIEM tools lack many important features found in licensed software, and the lack of next-generation SIEM features may increase the risk of cyber threats (Stuart, 2019). Organizations that opt for licensed products benefit from continuous support, software updates, and next-generation tools.

Why Organizations Use SIEM

The principal factor in the deployment of a SIEM system is compliance with government regulations and institutional policies. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the Sarbanes-Oxley Act (SOX) require organizations to implement strong data protection protocols to safeguard their customers’ data and ensure proper security procedures are in place to avoid data breaches. Oftentimes, organizations are required to provide reports on the cause of data breaches whenever they occur, while auditors will always want to see whether there is adherence to the laid-down regulations. The regulations help to ensure corporate accountability, governance, and disclosure to prevent fraudulent activities by entities using their customers’ information. Companies try to avoid significant losses through litigation costs, fines, and settlements whenever their customers’ data are compromised, which makes the application of SIEM tools popular (Jain et al., 2016).

The second reason for the wide application of SIEM tools is that increased technological advancements drive the need for more sophisticated and powerful SIEM products. The current generation of SIEM tools contains intelligent security assessment capabilities on top of the usual log data, monitoring both user and network behaviors to identify malicious activities. Some SIEM tools contain deep learning, artificial intelligence (AI), cutting-edge statistical analysis, and machine learning (ML) capabilities that provide faster and more accurate detection of security threats (Pratt, 2017). Conducting pattern-based observation and alerting, making inferences, and predictive restoration become possible with these tools.

The use of AI in monitoring user behavior with SIEM is important for various reasons. The primary source of cybersecurity threats to an organization’s data is insiders: employees or anyone else granted access to the network. The main reason is that employees have the privilege of accessing the organization’s data and can be a gateway through which malicious individuals access the data, can commit errors that lead to data theft, or can be at the forefront of orchestrating the attacks. Hackers can capitalize on employees’ ignorance to commit social engineering and email phishing attacks to easily access company information. Mistakes such as losing a device unprotected by a password, sharing passwords with outsiders, not securing IT devices properly, and other forms of negligence can end up costing an organization dearly. Apart from creating proper IT policies and training employees on better ways of ensuring data security, organizations can use SIEM tools to monitor the activities of these employees, which allows for prompt intervention whenever an activity is seen as malicious. SIEM tools also help to identify network weaknesses that may be difficult for the staff to discern and that can be addressed to reduce security risks (Al-Mohannadi et al., 2018). Therefore, SIEM tools with AI capabilities can help to significantly reduce the cybersecurity threats emanating from insiders and employees’ negligence.

Literature Review

Security Information and Event Management (SIEM) is a system designed to analyze the logs or events from users’ devices, servers, and intrusion detection and prevention systems (IDPS) (Sekharan & Kandasamy, 2017). The information obtained with the aid of SIEM systems is used to initiate automated responses that can block connections from a specific IP address. This remediation action provides uninterrupted protection of servers and network systems from cyber-attacks. Although the application of SIEM tools enables cybersecurity companies to detect different forms of cyber-attacks, poor optimization of SIEM tools may increase the likelihood of a breach in the security system (Podzins & Romanovs, 2019). Therefore, this project examined the SIEM tools developed to enhance the cybersecurity of different network systems. Furthermore, this review provides recommendations for the implementation of these SIEM tools to bolster network security.
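The SIM/SEM pipeline described under Use of SIEM Tools (aggregate logs from several sources, normalize them, correlate, alert) together with the automated IP-blocking response mentioned in the literature review, as an added Python example that is not part of this capstone project: the sshd and firewall log lines are constructed samples, and the common event schema, the brute-force correlation rule, and its threshold of three failures are this example’s own assumptions.

```python
import re
from collections import defaultdict
# Constructed sample logs (not from the paper): sshd auth lines and one
# key=value firewall line, each in its native format before normalization.
AUTH_LINES = [
    "Apr 12 10:01:02 web1 sshd[1123]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "Apr 12 10:01:05 web1 sshd[1123]: Failed password for admin from 203.0.113.7 port 51023 ssh2",
    "Apr 12 10:01:09 web1 sshd[1123]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "Apr 12 10:01:15 web1 sshd[1130]: Accepted password for admin from 203.0.113.7 port 51030 ssh2",
    "Apr 12 10:02:00 web1 sshd[1140]: Accepted password for alice from 198.51.100.4 port 40000 ssh2",
]
FW_LINES = ["2021-04-12T10:00:58Z action=deny src=203.0.113.7 dst=10.0.0.5 dpt=22"]
SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def normalize_auth(line):
    """SIM step: map a raw sshd line onto the common event schema (None if unparsable)."""
    m = SSH_RE.search(line)
    if not m:
        return None
    outcome, user, src = m.groups()
    return {"source": "auth", "src_ip": src, "user": user,
            "outcome": "failure" if outcome == "Failed" else "success"}

def normalize_firewall(line):
    """SIM step: map a key=value firewall line onto the same schema."""
    kv = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
    return {"source": "firewall", "src_ip": kv.get("src"), "user": None,
            "outcome": "failure" if kv.get("action") == "deny" else "success"}

def correlate(events, threshold=3):
    """SEM step: >= threshold auth failures then a success from one IP raises an alert."""
    failures, alerts = defaultdict(int), []
    for ev in events:
        if ev["source"] != "auth":
            continue
        if ev["outcome"] == "failure":
            failures[ev["src_ip"]] += 1
        elif failures[ev["src_ip"]] >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src_ip": ev["src_ip"],
                           "user": ev["user"], "failures": failures[ev["src_ip"]]})
    return alerts

def run_pipeline(auth_lines, fw_lines):
    """Aggregate both sources, normalize, correlate, and derive the response."""
    events = [e for e in map(normalize_auth, auth_lines) if e]
    events += [normalize_firewall(l) for l in fw_lines]
    alerts = correlate(events)
    # Response step (literature review): IPs a SIEM would push to the firewall as a
    # block rule; returned here as a list instead of a call to a real device.
    return events, alerts, sorted({a["src_ip"] for a in alerts})
```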

Security Information and Event Management (SIEM) Systems

SIEM tools retrieve, sort, and normalize log or event data generated by various applications, network infrastructure, and cybersecurity devices (Podzins & Romanovs, 2019). This
