Why do we need SIEM

SIEM - Security Information and Event Management

Know-how »SAP Security» SIEM - Security Information and Event Management
- November 27, 2019

SIEM stands for Security Information and Event Management and is a holistic approach in the field of IT security. Corresponding software records, stores and analyzes log files and messages from the systems used in order to identify deviations from the norms and possible security incidents in real time.

Detailed definition and purpose

SIEM is a combination of Security Information Management (SIM) and Security Event Management (SEM).

SIM is responsible for the collection, storage and normalization of various log data from applications, operating systems, hardware and IT security solutions. The data collected make it possible to analyze security incidents retrospectively and investigate them forensically.

SEM also collects and stores log data from various sources, but puts them in a mutual relationship. If the subsequent analysis reveals a deviation from defined criteria, SEM sounds an alarm in real time. In this way, critical trends, unusual patterns and attacks are immediately visible.

These events are often visualized using dashboards. Companies can immediately and purposefully initiate countermeasures based on the well-founded information.

The latest generation of Security Information and Event Management uses machine learning methods to identify conspicuous patterns. Here, an artificial intelligence learns the normal state in order to independently recognize deviations in the second step.

Today, SIEM is an almost indispensable component of any IT security strategy. Not only does the Federal Data Protection Act (BDSG) require an immediate response to security incidents. Certifications such as ISO, SOX and Basel II also formulate corresponding requirements. Of course, the self-interest of companies and organizations to comprehensively protect sensitive data is also in the foreground.


The basic idea of ​​security information and event management is to bring together all security-relevant data in a central system. Within this holistic database it is then possible to identify trends and patterns that indicate threats. Data collection and interpretation take place in real time.

E-book SAP authorization concept

Why an authorization concept? Which elements should it contain and which tools facilitate the authorization design?

E-book SAP authorization concept

Important data sources for a SIEM

  • Firewalls
  • Router
  • server
  • Applications
  • Active Directory
  • VPN gateways
  • Terminals
  • Intrusion Detection Systems (IDS)
  • Intrusion Prevention Systems (IPS)

The collection of data from these sources is often done through software agents. These are in use around the clock and also transfer data to a central management entity.

This central station is then used to store, structure, normalize and analyze the information. Approaches such as machine learning, AI, rules and correlation models are used to relate the entries and identify conspicuous patterns.

Integration and operating models

In order to use SIEM optimally, the corresponding tools should ideally be integrated into the entire IT landscape. Companies with complex system landscapes and numerous applications are particularly susceptible to attacks.

As far as the operating model is concerned, there are different options available. First of all, the SIEM system can be installed and operated locally. In this case, it is important that the organization has its own IT security team that checks the SIEM warnings and takes further steps. This must be guaranteed around the clock.

Another variant is “Managed SIEM”. The system is also hosted locally here, but warning messages are forwarded to external IT security specialists. Alternatively, the rental model “SIEM-as-a-Service” is also available. These are cloud-based solutions that can often be implemented particularly quickly.


Used correctly, the SIEM provides an overview of all security-relevant events in IT environments. It also helps companies and organizations to implement legal requirements and compliance guidelines.

A major advantage is the possibility of real-time reaction to security events. But even in retrospect, SIEM provides important evidence of relevant events, as it documents incidents in a tamper-proof and audit-proof manner. Last but not least, the Security Information and Event Management ensures an optimized use of human resources by alerting the IT security team in a targeted manner and making suggestions for measures. In general, automation for SIEM reduces the need for staff.

E-book SAP Security and Authorizations

Over 200 specialist articles from around nine years on around 800 pages - tips, tricks and tutorials with screenshots from real SAP systems.

E-book SAP Security and Authorizations

Limits and disadvantages

Not every SIEM solution is able to integrate all relevant data sources. This applies, for example, to ERP systems such as SAP and to hybrid infrastructures made up of local systems and cloud components. Furthermore, some SIEM systems are reaching the limits of their performance due to the steadily increasing amounts of data (big data).

In particular, SIEM solutions based on static rules can also lead to an increased rate of false positives. Even the smallest deviations can trigger these alarms, which unnecessarily burdens the IT staff.

The disadvantages mostly apply to traditional SIEM solutions. In the “Next Gen SIEM”, the latest generation of SIEM, there are hardly any weak points.

Typical use cases

The SIEM can uncover various suspicious activities on a network. For example, if a user tries repeatedly to log on to different applications but is suddenly successful, this can indicate a critical incident. Even dialing into a network from different locations via VPN within a short time can be classified as suspicious by Security Information and Event Management.

However, a SIEM does not only focus on the analysis of events. Numerous solutions now contain “User and Entity Behavior Analytics” (UEBA) to monitor user behavior on the basis of artificial intelligence. In this case, the SIEM creates behavior profiles that can include network activities, logins and file access, among other things. If the system detects, for example, that a user is trying to send sensitive data, this is an indication of possible data theft. If unusual activities are carried out on a device, it can be assumed that it has been hacked.