What Separates a SIEM Platform from a Logging Tool?
Today, the lines are blurring between logging tools and Security Information and Event Management (SIEM) tools. Many logging tools have added a product page to their respective websites claiming they also do SIEM. This can be confusing if you’re in the market for a security solution. It does sound attractive to have a two-in-one tool that does both logging and SIEM. It is convenient, and may even be cost-effective. However, no organization wants to take a chance with security. It is important to know the difference between the two before making a buy decision.
There are quite a few similarities between the two, especially at the top-level and in their shared goals. Here are a few of the similarities:
- Monitoring of event data: The goal of both logging and SIEM is to monitor the system and take action to improve the system. Both collect event data from different parts of the system and present this data to administrators in an actionable way.
- Scaling of event data: Large organizations can collect hundreds of Gigabytes of data per day and need to consider scaling challenges. They need to plan for data storage, the right data resolution, and enabling quick analysis of the event data.
- Compliance: Both logging and SIEM play a role in enforcing compliance. Whether it’s PCI DSS, HIPAA or FISMA, organizations needing to comply with these regulations leverage logging and SIEM tools to do so.
It may seem like logging and SIEM are two sides of a coin. However, digging deeper reveals key differences between the two.
Differences Between Logging and SIEM
The fundamental difference between the two is that logging tools are meant to improve system performance and system health, whereas SIEM tools are purpose-built for security. The former is used by system administrators and site reliability engineers (SREs), while the latter is used by dedicated security operations (SecOps) teams.
Logging tools collect log files from different parts of the system and analyze the logs in these files. SIEM tools gather event data from users, devices, and services for the purpose of security analysis, adding contextual enrichment to correlate event data and glean security insights.
Other differences include:
- Parsing: Logging uses on-the-fly parsing of data where you identify a pattern, apply a value and search through logs. SIEM, on the other hand, parses every event and after parsing annotates, tags, and labels events. Thus, SIEM tools have more robust parsing capabilities.
- Threat and malware detection: While logging tools can indicate threats, this is the domain of SIEM tools. SIEM tools are externally-aware of the prevalent malware and use this information to identify threats and protect the system.
- Rules-based alerts: Logging tools have alerts and notifications, but for more advanced notifications they typically integrate with an incident management tool like PagerDuty or VictorOps. SIEM tools require mature rules-based alerting built into the system. SIEMs go so far as to suppress and reduce unimportant and false alerts. They do this by using context to prioritize alerts.
- Profiling: To achieve awareness of events SIEM tools need to be aware of the assets of an organization such as offices, employees, teams, hierarchy, and individual user behavior. Modern SIEM tools use this information to create a baseline profile for each user, role, team, and location. If a deviation from this baseline occurs the SIEM notices and alerts the administrator of the anomaly. This type of user behavior tracking is commonly known as UEBA (User and Entity Behavior Analytics).
Top Logging Solutions Available Today
There are numerous SIEM tooling options on the market today that fit the bill as legitimate SIEM solutions, and not logging tools with some SIEM features added on. Here is a list of the top SIEM tools available today:
- Splunk: One of the leaders in the enterprise SIEM space, Splunk is a widely used SIEM solution with cutting-edge SIEM capabilities based on machine learning. Splunk has a wide range of products including logging. However, SIEM is what Splunk specializes in.
- IBM QRadar: As one of the early SIEM solutions, IBM‘s QRadar has helped shape the SIEM industry from the start, and is still used by many large enterprises. QRadar has aged and lacks capabilities like machine learning that modern SIEMs include.
- Arcsight: CyberRes’ Arcsight is one of the older tools that has existed since the year 2,000. It has struggled to keep up with the times and its UI and search speed show room for improvement.
- DNIF: A comparatively younger SIEM solution, DNIF has a unique uncapped licensing model that allows unlimited data capture from devices. DNIF has recently released a community edition of its solution that is free to use without limits or restrictions.
- LogRhythm: This is another robust SIEM tool that enables extensive customization, and powerful search capabilities. Its UI could do with a refresh, but it excels in what really matters — analyzing security events.
Conclusion
As your software systems deal with an ever-widening attack surface, and more complex security threats, the best way to keep these systems secure is to not confuse logging with SIEM. While there are similarities, logging tools do not have the contextual awareness, profiling capabilities, threat detection, and mature alerting that is critical to a SIEM solution.
Disclosure: The author has done some consulting work with Splunk and DNIF