Technically, a SIEM system collects information from all sorts of elements of the IT infrastructure, including personal computers, servers and routers, as well as from other information security systems: antivirus, firewalls, IPS/IDS and so on. The ability to analyze the processes taking place across the whole network makes it possible to identify correlations between suspicious events. In the event of a real attack, the detailed information and guidance for action provided by some systems help responsible employees respond more quickly to changes in the situation: attempts to penetrate the network, transfer of confidential information, escalating DDoS attacks, and so on.
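As an added illustration (not code from the original article) of the cross-source correlation described above, the following Python sketch normalises constructed IDS and server authentication log lines and raises a finding when an IDS alert for a source IP is followed within a short window by a successful login from that same IP. The line format, field names, the five-minute window and the sample lines are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines standing in for two SIEM feeds (an IDS and a server
# auth log); the format "<ts> <source> <kind> key=value ..." is an assumption.
RAW_EVENTS = [
    "2024-05-01T10:00:01 ids alert src=203.0.113.5 sig=ssh-bruteforce",
    "2024-05-01T10:00:20 auth failure user=admin src=203.0.113.5",
    "2024-05-01T10:00:25 auth failure user=admin src=203.0.113.5",
    "2024-05-01T10:00:31 auth success user=admin src=203.0.113.5",
    "2024-05-01T10:05:00 ids alert src=198.51.100.9 sig=port-scan",
    "2024-05-01T12:00:00 auth success user=bob src=198.51.100.9",
]

WINDOW = timedelta(minutes=5)  # how long an IDS alert stays "live" for correlation


def parse_event(line):
    """Normalise one raw line into a dict keyed by field name."""
    ts, source, kind, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": datetime.fromisoformat(ts), "source": source, "kind": kind, **fields}


def correlate(lines, window=WINDOW):
    """Flag a successful login that follows an IDS alert for the same source IP
    within `window`; attach the number of failed logins seen in that window."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    alerts = defaultdict(list)    # src IP -> timestamps of IDS alerts
    failures = defaultdict(list)  # src IP -> timestamps of auth failures
    findings = []
    for ev in events:
        src = ev["src"]
        if ev["source"] == "ids" and ev["kind"] == "alert":
            alerts[src].append(ev["ts"])
        elif ev["source"] == "auth" and ev["kind"] == "failure":
            failures[src].append(ev["ts"])
        elif ev["source"] == "auth" and ev["kind"] == "success":
            live = [t for t in alerts[src] if ev["ts"] - t <= window]
            if live:  # an isolated login is noise; one right after an alert is a finding
                findings.append({
                    "src": src,
                    "user": ev["user"],
                    "alert_ts": live[-1].isoformat(),
                    "login_ts": ev["ts"].isoformat(),
                    "failures": sum(1 for t in failures[src] if ev["ts"] - t <= window),
                })
    return findings
```

Neither feed on its own is conclusive here: the IDS alert alone is a common false positive and a single successful login is routine, but the two together from the same source within minutes is what an analyst would want escalated.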
What is required to use SIEM?
SIEM is a complex tool that improves the quality of monitoring of IT assets and of the operation of information security tools. However, to use the system, the company must have a functioning information security service. SIEM extends the analytical capabilities of other tools, but it requires staff to have a ready-made threat model, which differs from industry to industry.