What is a SIEM?
SIEM stands for Security Information and Event Management. It is a technology platform that collects, correlates, analyses, and visualises security-relevant data in order to detect and investigate cyber threats.
A SIEM system provides real-time insight into what is happening within an organisation at the network, system, and application level, and plays a central role in defence in depth and incident response.
🧠 What does a SIEM do?
A SIEM combines two functions:
- SIM (Security Information Management): collecting, retaining, and analysing log files
- SEM (Security Event Management): real-time monitoring of and alerting on suspicious events
🛠️ Functions of a SIEM
| Function | Description |
|---|---|
| Log collection | Ingesting logs from firewalls, servers, SCADA systems, PLCs, and network equipment |
| Normalisation | Converting to a uniform format for analysis |
| Correlation | Recognising patterns across multiple systems |
| Alerting & detection | Warning of suspicious or unusual activity |
| Dashboards & reporting | Visualising status, trends, and compliance |
| Forensic analysis | Investigating incidents and the origin of attacks |
🏭 SIEM in industrial (OT) networks
Although SIEM systems traditionally come from IT, they are increasingly used in OT environments. They can:
- Detect attacks on PLCs or SCADA systems
- Signal unexpected network connections or remote access attempts
- Log changes to setpoints, user privileges, or firmware
- Automatically recognise CVEs and indicators of compromise (IOCs)
🔐 By linking SIEM data to the segmentation of the zones and conduits model, context-aware detection becomes possible: the same event can be benign inside a zone and suspicious when it crosses a conduit.
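As an added illustration (not code from the original page or from any SIEM product), the following Python sketch shows the normalisation and correlation steps from the table above applied to the OT case just described: a remote access session from outside the control zone, followed shortly by a setpoint change on a PLC. The two log formats, the 10.20.0.0/16 control zone and the 10-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines in two made-up vendor formats (not from any real product).
RAW_LOGS = [
    "2024-03-01T08:00:10 fw01 ALLOW tcp 203.0.113.7:51000 -> 10.20.1.5:3389 user=eng_bob",
    "2024-03-01T08:03:42 plc-hist SETPOINT_CHANGE tag=Pump1.Speed old=1200 new=3000 host=10.20.1.5 user=eng_bob",
    "2024-03-01T09:15:00 fw01 ALLOW tcp 10.20.1.9:40000 -> 10.20.1.5:3389 user=eng_ann",
    "2024-03-01T09:16:30 plc-hist SETPOINT_CHANGE tag=Pump2.Speed old=1200 new=1250 host=10.20.1.5 user=eng_ann",
]
OT_ZONE = ip_network("10.20.0.0/16")  # assumed: address range of the control zone

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) \S+ (\S+):\d+ -> (\S+):(\d+) user=(\S+)$")
PLC_RE = re.compile(r"^(\S+) (\S+) SETPOINT_CHANGE tag=(\S+) old=(\S+) new=(\S+) host=(\S+) user=(\S+)$")

def normalise(line):
    """Normalisation: map a raw vendor line onto one common event schema; None if unparsable."""
    m = FW_RE.match(line)
    if m:
        ts, _src, action, src_ip, dst_ip, dport, user = m.groups()
        return {"ts": datetime.fromisoformat(ts), "type": "remote_access", "src_ip": src_ip,
                "host": dst_ip, "user": user, "detail": f"{action} port {dport}"}
    m = PLC_RE.match(line)
    if m:
        ts, _src, tag, old, new, host, user = m.groups()
        return {"ts": datetime.fromisoformat(ts), "type": "setpoint_change", "src_ip": None,
                "host": host, "user": user, "detail": f"{tag} {old}->{new}"}
    return None

def correlate(events, window=timedelta(minutes=10)):
    """Correlation rule: remote access from outside the OT zone, then a setpoint change
    on the same host by the same user within the window. Zone membership is the context."""
    alerts = []
    external = [e for e in events
                if e["type"] == "remote_access" and ip_address(e["src_ip"]) not in OT_ZONE]
    for change in (e for e in events if e["type"] == "setpoint_change"):
        for access in external:
            if (access["user"] == change["user"] and access["host"] == change["host"]
                    and timedelta(0) <= change["ts"] - access["ts"] <= window):
                alerts.append({"user": change["user"], "host": change["host"],
                               "src_ip": access["src_ip"], "detail": change["detail"]})
    return alerts

def run(lines=RAW_LOGS):
    """Full pipeline: collect -> normalise (drop unparsable lines) -> correlate."""
    return correlate([e for e in map(normalise, lines) if e])

if __name__ == "__main__":
    for a in run():
        print("ALERT: external remote access followed by setpoint change:", a)
```

Only the first pair of lines raises an alert; the engineer connecting from inside the control zone makes an equivalent change without triggering the rule, which is what zone-aware context adds over matching on the setpoint change alone.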
🔧 Common SIEM solutions
- Microsoft Sentinel
- Splunk
- IBM QRadar
- Elastic SIEM
- ArcSight
- Open source: Wazuh, OSSIM
📌 In summary
A SIEM is a powerful platform for centralised security monitoring. It helps organisations detect threats early, investigate incidents, and comply with security frameworks such as ISO 27001, BIO, or CSIR.
