Skip to content

Monitoring Suspicious Network Activity With SIEM

Monitoring Suspicious Network Activity With SIEM

SIEM is a type of software that is intended to serve as an early warning system against cyber attacks of all kinds. One might compare it to traditional antivirus software, except that it tends to be a lot more effective. In simple terms, SIEM (Security Information and Event Management) software is used to monitor and analyze network traffic and system activities in general. If it detects something suspicious, it quickly alerts the admin-level users so that action can be taken. That is the idea behind SIEM software, but it gets a lot more complex than that.

How Does SIEM Software Work?

This kind of program will normally work by collecting all sorts of logs from the system and its various applications. Obviously, network logs are the most important of these because most cyberattacks will come from the network initially. Unless a malevolent party gains physical access to your computer, they have to use the network. Therefore, that network connection represents the “perimeter” of your defenses. SIEM software is meant to monitor this perimeter.

By collecting and analyzing all sorts of logs, SIEM software is able to recognize patterns that are known to be suspect. It does this by comparing the log information from a large database of other logs from known attacks. If the pattern matches with a known method of attack, an alert is issued. In essence, this is the core of how SIEM works: Collecting logs, analyzing logs, and alerting relevant users to any suspicious patterns.

Network Monitoring with SIEM

Most SIEM software will also come with packet monitoring features, which are extremely helpful. Without this, you will have to coordinate your SIEM program with a separate piece of network monitoring software (like Zenmap or Wireshark). At a fundamental level, all internet data consists of “packet” files, which deliver the internet in small but steady amounts. By monitoring these packet files, as well as the sources from which they come, a lot of potential threats can be stopped before they start.

For instance, let’s say an attacker wants to install some malware over the network. It might be disguised as an update for Adobe reader or something like that. However, if the packets are not coming from Adobe’s website (as they should), then you know something is not right. You see, whenever someone tries to connect to your network, a connection request is sent in the form of a special packet. This will contain the IP address of the user, and there is a lot of other information that is connected to that IP address. Even if an attacker has falsified these IP headers, you will at least be able to narrow things down to a single source (which can then be blocked using firewalls, network exclusion, and other tools).

The Human Element

If you are considering the use of SIEM software, there is something you should definitely know. SIEM software is essentially just a warning system. It won’t usually do anything about the attack (other than alerting all admin-level users). To be fair, that is not the purpose of this software, so you can’t really expect otherwise. The response aspect is your responsibility.

This brings us to the importance of the human element. Without competent professionals to monitor and manage its alerts, this software will not be very effective. Even the average person could get some added security from SIEM software, but it takes a qualified individual to get the full benefit. Because of this, SIEM software isn’t the solution for everyone.

If you need something that is simpler and more automated, you might want to consider SOAR software instead. SOAR (Security Orchestration, Automation, and Response) software will actually do something about an attack without being directed by a human. Obviously, it has to be programmed effectively, but it can definitely reduce the need for human supervision. When we say “programmed,” we are mostly referring to the refinement of the detection ruleset. This helps to detect newer threats and reduce false positives, and it does require a little bit of expertise to tweak these rulesets correctly. Thus, the need for expert intervention is not removed, but it is greatly reduced.

Examples Of SIEM In Action

Let’s talk about some real ways in which SIEM software can detect and prevent cyberattacks, using known and specific hacking methods.

Example 1: Phishing

Phishing generally works through impersonation. Specifically, the attacker will masquerade as a legitimate person or site. This is done in order to trick the user into entering sensitive information (especially passwords). Once that information is collected, it is then used for fraudulent or larcenous purposes.

This is where network monitoring comes into play. When the source of a website does not match its outward appearance, a forgery can be detected rather quickly. For instance, if the phony site is pretending to be an online banking portal, its web and IP addresses will not match with the official site for that bank.

Example 2: Ransomware

Ransomware is a type of malware, and it usually begins with a phishing attack. However, even if that succeeds, it can still be detected by a SIEM program. A good SIEM program can be configured to issue alerts whenever software is being downloaded from the internet. Obviously, certain sites can be added to an exclusion list to prevent false positives. Thus, as the software downloads, the SIEM program will probably detect that something is wrong. If nothing else, it will surely issue an alert when the malware starts to do its dirty work.


If you are interested in learning more, you can call PCH Technologies at (856) 754-7500. We offer managed SIEM services, as well as the best IT services in New Jersey.
We offer managed IT services for small business+ all others at a reasonable price. As we said, SIEM usage requires expert input for maximum effectiveness. We can provide that expert input all day long.