The main difference between a security information and event management (SIEM) solution and an intrusion detection system (IDS) is scope: a SIEM aggregates and correlates events from many sources across the environment and can drive preventive or mitigating actions through other security tools, while an IDS watches a single network segment or host, detects suspicious activity, and reports it.

What is Security Information and Event Management (SIEM)?

Security information and event management (SIEM) is an approach to cybersecurity combining:

  • Security information management (SIM): Collects and stores log data for analysis and alerts the responsible staff to security threats and events 
  • Security event management (SEM): Monitors systems in real time, notifies network admins of important issues, and correlates related events

Note: the acronym SIEM is pronounced "sim" with a silent e.

The underlying principles of any SIEM system are to aggregate data, identify deviations from the norm, and suggest appropriate actions. For example, when a network security issue is detected, a SIEM solution might log event data, generate an alert, and instruct other security devices to mitigate the issue.

SIEM technology plays an important part in any data security strategy: without it, IT staff have no single place to view all logs and events, and issues get missed.

The core components of a SIEM include:

  • Log event collection and management 
  • Ability to analyze events and other data from different sources
  • Operational capabilities like incident management, dashboards, and reporting
  • Support for open-source threat intelligence feeds
  • Compliance and security incident management 

These components provide a range of benefits:

  • Less time between identifying and mitigating threats
  • A holistic view of your organization's InfoSec environment
  • Support for multiple use cases around data and log management, including security policies, audit and compliance reporting, as well as help desk and network troubleshooting
  • Threat detection and security alerts
  • Improved digital forensics in the event of a major security breach

What is an Intrusion Detection System (IDS)?

An intrusion detection system (IDS) is a device or software application that monitors a network or system for malicious activity and policy violations. 

Most IDS detect suspicious activity via one or more of the following detection methods:

  1. Signature-based detection: Detects attacks by looking for specific byte or string patterns in network traffic, or for the signatures of known malware. The term signature comes from antivirus software, which refers to known malicious instruction sequences as signatures. Signature-based IDS are reliable at detecting known cyberattacks with few false positives, but cannot detect novel threats for which no signature exists yet.  
  2. Anomaly-based detection: Detects intrusions and misuse by classifying system activity as normal or anomalous. This approach was developed to detect unknown attacks in response to the rapid development of new malware. An anomaly-based IDS commonly uses statistical baselining or machine learning to build a model of trustworthy activity and then compares new behavior against that baseline; when there is a discrepancy, an alert is sent to a security operations center (SOC) or a security specialist. Because the model is trained on your own network, it can generalize to attacks a signature database has never seen. The downside is a higher false-positive rate, and a baseline learned while an attacker was already active will treat that activity as normal.  
  3. Reputation-based detection: Recognizes potential security incidents from reputation scores assigned to IP addresses, domains, URLs, or file hashes by threat intelligence sources. It is effective against known-bad infrastructure but is only as good as the freshness and accuracy of the feed behind it.  
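As an added illustration (not code from the original article or from any IDS product), the first two detection methods side by side in Python over a constructed set of web-server access log lines: a pair of regex signatures catches the two requests carrying known attack patterns, while a per-source request-count baseline with a z-score threshold catches a login burst that no signature would match. The log lines, the baseline counts and the signature patterns are all constructed for the example.

```python
import re
import statistics
from collections import Counter

# Constructed sample traffic (not real logs): five benign requests, two requests
# carrying known attack patterns, then a burst of 60 login attempts from one source.
BENIGN = [
    '10.0.0.5 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:02 +0000] "GET /about HTTP/1.1" 200 1024',
    '10.0.0.6 - - [10/Oct/2023:13:55:03 +0000] "GET /contact HTTP/1.1" 200 800',
    '10.0.0.8 - - [10/Oct/2023:13:55:04 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.6 - - [10/Oct/2023:13:55:05 +0000] "GET /docs HTTP/1.1" 200 2048',
]
MALICIOUS = [
    "10.0.0.7 - - [10/Oct/2023:13:55:06 +0000] \"GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1\" 200 300",
    '10.0.0.9 - - [10/Oct/2023:13:55:07 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 150',
]
BURST = [
    f'10.0.0.99 - - [10/Oct/2023:13:56:{i:02d} +0000] "POST /login HTTP/1.1" 401 0'
    for i in range(60)
]
CURRENT_WINDOW = BENIGN + MALICIOUS + BURST

# Per-source request counts from a "normal" training window. Constructed numbers
# standing in for a baseline an anomaly-based sensor would learn from real traffic.
BASELINE_COUNTS = {"10.0.0.5": 4, "10.0.0.6": 3, "10.0.0.8": 2, "10.0.0.12": 5, "10.0.0.15": 3}

# Common Log Format: src ident user [timestamp] "method path proto" status size
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Signature rules: known-bad patterns matched against the request path.
SIGNATURES = {
    # A quoted SQL tautology such as  ' OR '1'='1  (URL-encoded or raw spaces).
    "sqli_tautology": re.compile(r"(?i)'(?:%20|\s)+or(?:%20|\s)+'"),
    # Directory traversal sequences, raw or URL-encoded.
    "path_traversal": re.compile(r"(?i)(?:\.\./|%2e%2e%2f)"),
}


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it is malformed."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def signature_scan(lines):
    """Signature-based detection: flag every request whose path matches a known pattern."""
    hits = []
    for ev in map(parse_line, lines):
        if ev is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["path"]):
                hits.append({"rule": name, "src": ev["src"], "path": ev["path"]})
    return hits


def anomaly_scan(lines, baseline_counts, z_threshold=3.0):
    """Anomaly-based detection: flag sources whose request volume in the current
    window sits more than z_threshold standard deviations above the baseline mean."""
    mean = statistics.mean(baseline_counts.values())
    # Assumption: a perfectly flat baseline gets a unit deviation so we never divide by zero.
    stdev = statistics.pstdev(baseline_counts.values()) or 1.0
    counts = Counter(ev["src"] for ev in map(parse_line, lines) if ev)
    return [
        {"src": src, "count": n, "z": round((n - mean) / stdev, 1)}
        for src, n in counts.items()
        if (n - mean) / stdev > z_threshold
    ]


if __name__ == "__main__":
    # The signatures catch the SQLi and traversal requests but say nothing about the
    # burst; the baseline catches the burst but has no opinion on single bad requests.
    for h in signature_scan(CURRENT_WINDOW):
        print(f"SIGNATURE {h['rule']:<15} src={h['src']} path={h['path']}")
    for a in anomaly_scan(CURRENT_WINDOW, BASELINE_COUNTS):
        print(f"ANOMALY   requests={a['count']} z={a['z']} src={a['src']}")
```

Run against the constructed window, the signature pass reports exactly the two crafted requests and the anomaly pass reports only 10.0.0.99; neither method alone covers both, which is why real sensors combine them. The z-score threshold is the false-positive dial: lowering it catches smaller deviations at the cost of flagging legitimately busy clients.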

An IDS can cover anything from a single computer to a large network, and IDS are commonly grouped into two types:

  • Network intrusion detection system (NIDS): NIDS are placed at strategic points within the network, typically on a mirror port or network tap, to analyze traffic to and from devices. They compare passing traffic against a library of known attack signatures (and, in anomaly-based products, against a traffic baseline); when an attack is identified, an alert is sent to an administrator. 
  • Host-based intrusion detection system (HIDS): A HIDS runs on an individual host or device and monitors it from the inside: inbound and outbound packets, running processes, and important system files. It takes snapshots of critical files and compares them against earlier snapshots; if a critical file has been modified or deleted, an alert is raised. 
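The file-integrity check a HIDS performs, as an added example in Python rather than code from the page or from any HIDS product: it hashes every regular file under a directory into a snapshot, then compares a later snapshot against it and raises one alert per added, deleted, modified or re-permissioned file. The demo() function builds a throwaway directory tree with a few constructed files, baselines it, simulates tampering and returns the alerts; the file names and contents are constructed stand-ins for a real system.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large binaries are not read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (as a relative POSIX path) to its digest and mode."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        # Symlinks are skipped: hashing their target would let an attacker point a
        # monitored name at an unmonitored file and hide the change.
        if p.is_symlink() or not p.is_file():
            continue
        snap[p.relative_to(root).as_posix()] = {
            "sha256": file_digest(p),
            "mode": p.stat().st_mode & 0o777,
        }
    return snap


def diff_snapshots(old, new):
    """Compare two snapshots; each alert names the file and what changed."""
    alerts = []
    for path in sorted(set(old) | set(new)):
        if path not in new:
            alerts.append({"path": path, "change": "deleted"})
        elif path not in old:
            alerts.append({"path": path, "change": "added"})
        else:
            if old[path]["sha256"] != new[path]["sha256"]:
                alerts.append({"path": path, "change": "content_modified"})
            if old[path]["mode"] != new[path]["mode"]:
                alerts.append({"path": path, "change": "mode_changed"})
    return alerts


def demo():
    """Build a throwaway 'system' tree, baseline it, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        # Constructed stand-ins for files a HIDS would watch.
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "shadow").write_text("root:*:19000:0:99999:7:::\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF" + b"\x00" * 16)
        baseline = snapshot(root)

        # Simulated tampering: a backdoor account appended to passwd, a trojaned
        # binary, a deleted file, and a new cron job dropped for persistence.
        with open(root / "etc" / "passwd", "a") as f:
            f.write("backdoor:x:0:0::/root:/bin/bash\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF" + b"\x90" * 16)
        (root / "etc" / "shadow").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/x\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for alert in demo():
        print(f"ALERT {alert['change']:<17} {alert['path']}")
```

The baseline snapshot is only trustworthy if it is taken on a clean host and stored somewhere the host cannot rewrite (a HIDS server or an append-only store); a snapshot file kept next to the files it protects is the first thing an intruder with root will update.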

While it's easy to confuse intrusion detection systems and intrusion prevention systems (IPS), they are two distinct technologies: an IDS sits out of band, sees a copy of the traffic, and only alerts, while an IPS sits inline and can drop or block the offending traffic itself.

How SIEM and IDS Work Together

SIEM and IDS are generally used together to detect, and then respond to, unauthorized access to or exposure of sensitive data.  

Like a SIEM, an IDS can keep event logs, but it cannot centralize and correlate event data across different systems. That's why IDS tools are used to detect malicious or suspicious activity and forward alerts to a SIEM, where the incident response team can analyze them in one place, alongside authentication, endpoint, and application logs from other sources, to decide whether the activity represents a real threat. 
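Covering both the aggregate, correlate and suggest-an-action loop described under SIEM principles above and the IDS-feeds-SIEM flow in this section, the following added Python example (not the article's code and not any SIEM vendor's) normalizes two constructed feeds, key=value NIDS alerts and standard sshd syslog lines, into one event schema, then applies a single correlation rule: a successful login on a host from the same address the NIDS just flagged for brute-forcing that host escalates to a high-severity incident with a suggested action. The NIDS alert format, the asset inventory and the log lines are constructed for the example, and the syslog year is assumed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: the addresses the NIDS sees, mapped to hostnames
# as they appear in the hosts' own logs. A real SIEM pulls this from a CMDB.
ASSETS = {"10.0.0.20": "web01", "10.0.0.21": "web02"}

# Constructed NIDS alerts in a simple key=value format (not any real sensor's output).
NIDS_ALERTS = [
    '2023-10-10T13:56:40Z sig="SSH brute force attempt" src=203.0.113.7 dst=10.0.0.20',
    '2023-10-10T13:59:12Z sig="SSH brute force attempt" src=198.51.100.4 dst=10.0.0.21',
]

# Constructed Linux auth log lines in the usual sshd syslog shape.
AUTH_LOG = [
    "Oct 10 13:57:42 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Oct 10 13:58:05 web01 sshd[2110]: Accepted password for deploy from 203.0.113.7 port 51030 ssh2",
    "Oct 10 14:02:11 web01 sshd[2150]: Accepted publickey for alice from 10.0.0.5 port 40022 ssh2",
    "Oct 10 14:01:00 web02 sshd[3001]: Failed password for root from 198.51.100.4 port 6000 ssh2",
]
LOG_YEAR = 2023  # assumption: syslog lines carry no year, so one is supplied for the sample

NIDS_RE = re.compile(r'^(?P<ts>\S+) sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+)$')
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_nids(line):
    """Normalize one NIDS alert into the common event schema (None if malformed)."""
    m = NIDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "nids", "host": ASSETS.get(m["dst"], m["dst"]),
            "src_ip": m["src"], "kind": "bruteforce_alert", "detail": m["sig"]}


def parse_auth(line):
    """Normalize one sshd syslog line into the common event schema (None if malformed)."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "auth", "host": m["host"], "src_ip": m["src"],
            "kind": "auth_success" if m["outcome"] == "Accepted" else "auth_failure",
            "detail": m["user"]}


def ingest(nids_lines, auth_lines):
    """Aggregation step: every source into one schema, ordered by time."""
    events = [e for e in map(parse_nids, nids_lines) if e]
    events += [e for e in map(parse_auth, auth_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=10)):
    """Correlation rule: a successful login on a host, from the same address the NIDS
    flagged for brute-forcing that host within `window` beforehand, is a high-severity
    incident. Either event alone would sit in a queue; together they are actionable."""
    incidents = []
    alerts = [e for e in events if e["kind"] == "bruteforce_alert"]
    for login in (e for e in events if e["kind"] == "auth_success"):
        for a in alerts:
            if (a["host"] == login["host"] and a["src_ip"] == login["src_ip"]
                    and timedelta(0) <= login["ts"] - a["ts"] <= window):
                incidents.append({
                    "severity": "high",
                    "host": login["host"],
                    "src_ip": login["src_ip"],
                    "user": login["detail"],
                    "evidence": [a, login],
                    "suggested_action": (f"block {login['src_ip']} at the edge, disable account "
                                         f"{login['detail']} on {login['host']}, isolate the host"),
                })
    return incidents


if __name__ == "__main__":
    for inc in correlate(ingest(NIDS_ALERTS, AUTH_LOG)):
        print(f"[{inc['severity'].upper()}] {inc['host']}: {inc['user']} logged in from "
              f"{inc['src_ip']} after a brute-force alert -> {inc['suggested_action']}")
```

On the constructed data only web01 escalates: the NIDS flagged 203.0.113.7, and 85 seconds later that address logged in successfully as deploy. web02 also produced an alert, but only a failed login followed it, so it stays an alert rather than an incident. The correlation is only possible because both feeds were normalized onto the same host and source-address fields; the asset mapping that turns the sensor's 10.0.0.20 into the host's own name web01 is what lets the two records meet.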
