What is network security?

"Network security" refers to any activity designed to protect the usability and integrity of your network and data. It includes both hardware and software technologies. Effective network security manages access to the network. It targets a variety of threats and stops them from entering or spreading on your network.

How does network security work?

Network security combines multiple layers of defenses at the edge and in the network. Each network security layer implements policies and controls. Authorized users gain access to network resources, but malicious actors are blocked from carrying out exploits and threats.

How do I benefit from network security?

Digitization has transformed our world. How we live, work, play, and learn have all changed. Every organization that wants to deliver the services that customers and employees demand must protect its network. Network security also helps you protect proprietary information from attack. Ultimately it protects your reputation.

Types of network security




"Malware," short for "malicious software," includes viruses, worms, Trojans, ransomware, and spyware. Sometimes malware will infect a network but lie dormant for days or even weeks. The best antimalware programs not only scan for malware upon entry, but also continuously track files afterward to find anomalies, remove malware, and fix damage.



Any software you use to run your business needs to be protected, whether your IT staff builds it or whether you buy it. Unfortunately, any application may contain holes, or vulnerabilities, that attackers can use to infiltrate your network. Application security encompasses the hardware, software, and processes you use to close those holes.



To detect abnormal network behavior, you must know what normal behavior looks like. Behavioral analytics tools automatically discern activities that deviate from the norm. Your security team can then better identify indicators of compromise that pose a potential problem and quickly remediate threats.


Organizations must make sure that their staff does not send sensitive information outside the network. Data loss prevention, or DLP, technologies can stop people from uploading, forwarding, or even printing critical information in an unsafe manner.



Email gateways are the number one threat vector for a security breach. Attackers use personal information and social engineering tactics to build sophisticated phishing campaigns to deceive recipients and send them to sites serving up malware. An email security application blocks incoming attacks and controls outbound messages to prevent the loss of sensitive data.



Firewalls put up a barrier between your trusted internal network and untrusted outside networks, such as the Internet. They use a set of defined rules to allow or block traffic. A firewall can be hardware, software, or both. Cisco offers unified threat management (UTM) devices and threat-focused next-generation firewalls.



An intrusion prevention system (IPS) scans network traffic to actively block attacks. Cisco Next-Generation IPS (NGIPS) appliances do this by correlating huge amounts of global threat intelligence to not only block malicious activity but also track the progression of suspect files and malware across the network to prevent the spread of outbreaks and reinfection.



Cybercriminals are increasingly targeting mobile devices and apps. Within the next 3 years, 90 percent of IT organizations may support corporate applications on personal mobile devices. Of course, you need to control which devices can access your network. You will also need to configure their connections to keep network traffic private.



Software-defined segmentation puts network traffic into different classifications and makes enforcing security policies easier. Ideally, the classifications are based on endpoint identity, not mere IP addresses. You can assign access rights based on role, location, and more so that the right level of access is given to the right people and suspicious devices are contained and remediated.



SIEM products pull together the information that your security staff needs to identify and respond to threats. These products come in various forms, including physical and virtual appliances and server software.



A virtual private network encrypts the connection from an endpoint to a network, often over the Internet. Typically, a remote-access VPN uses IPsec or Secure Sockets Layer to authenticate the communication between device and network.



A web security solution will control your staff’s web use, block web-based threats, and deny access to malicious websites. It will protect your web gateway on site or in the cloud. "Web security" also refers to the steps you take to protect your own website.



Wireless networks are not as secure as wired ones. Without stringent security measures, installing a wireless LAN can be like putting Ethernet ports everywhere, including the parking lot. To prevent an exploit from taking hold, you need products specifically designed to protect a wireless network.


What Is SIEM?

Security information and event management (SIEM) is a single security management system that offers full visibility into activity within your network — which empowers you to respond to threats in real time. It collects, parses and categorizes machine data from a wide range of sources, then analyzes the data to provide insights so you can act accordingly.

A SIEM solution ingests and combs through a high volume of data in mere seconds to find and alert on unusual behavior, offering real-time insight to protect your business — a task that would otherwise be impossible to execute manually. At any moment, SIEM (pronounced “sim”) provides you with a snapshot of your IT infrastructure, while allowing you to store and manage log data to ensure compliance with industry regulations. This ability to analyze data from all network applications and hardware in real time can help organizations stay ahead of internal and external threats.

SIEM has been around for more than a decade and has evolved considerably since Gartner coined the term in 2005. It may not have the buzz of AI technologies, but it’s still critical for threat detection in an increasingly complex and fast-moving IT and security landscape. Related security concepts are SEM (security event management) and SIM (security information management). SIM focuses on collecting and managing logs and other security data, while SEM involves real-time analysis and reporting. Generally, SIEM systems combine these two security information management disciplines.

In this article, we’ll explore the essential features and functions of SIEM, and how to choose the right SIEM tool.

SIEM Overview

How does SIEM work?

A SIEM system aggregates event data across disparate sources within your network infrastructure, including servers, systems, devices and applications, from perimeter to end user. Ultimately, a SIEM solution offers a centralized view with additional insights, combining context information about your users, assets and more. It consolidates and analyzes the data for deviations against behavioral rules defined by your organization to identify potential threats.

Data sources include:

  • Network devices: Routers, switches, bridges, wireless access points, modems, line drivers, hubs

  • Servers: Web, proxy, mail, FTP

  • Security devices: IDP/IPS, firewalls, antivirus software, content filter devices, intrusion detection appliances

  • Applications: Any software used on any of the above devices

Attributes that may be analyzed include users, event types, IP addresses, memory, processes and more. SIEM products will categorize deviations as, for example, “failed login,” “account change” or “potential malware.” A deviation causes the system to alert security analysts and/or act to suspend the unusual activity. You set the guidelines for what triggers an alert and establish the procedures for dealing with suspected malicious activity.


A SIEM system also picks up on patterns and anomalous behavior, so if a single event doesn’t raise a red flag, the SIEM can eventually detect a correlation across multiple events that would otherwise go undetected, and trigger an alert. Finally, a SIEM solution will store these logs in a database, allowing you to conduct deeper forensic investigations or prove that you are meeting compliance requirements.
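The pipeline described above (normalize events from several sources, categorize them as "failed login" and so on, then correlate across events that are individually harmless) as an added example; this is illustration code, not any vendor's SIEM, and the sshd and firewall log lines are constructed samples:

```python
# Minimal SIEM-style pipeline: normalize, categorize, correlate.
# Illustration only; not a Splunk or Cisco product. Log lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
2024-03-01T10:00:01 sshd[811]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:04 sshd[811]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:09 sshd[811]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:15 sshd[811]: Accepted password for admin from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:20 fw: DENY TCP 198.51.100.9:4444 -> 10.0.0.5:23
2024-03-01T10:09:00 sshd[812]: Failed password for bob from 192.0.2.10 port 40000 ssh2
2024-03-01T10:40:00 sshd[813]: Accepted password for bob from 192.0.2.10 port 40001 ssh2
"""

SSHD_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"^(\S+) fw: (ALLOW|DENY) \S+ (\S+):\d+ -> \S+")

def parse_event(line):
    """Normalize one raw line from either source into a common schema."""
    m = SSHD_RE.match(line)
    if m:
        ts, result, user, src = m.groups()
        category = "failed login" if result == "Failed" else "successful login"
        return {"ts": datetime.fromisoformat(ts), "source": "sshd",
                "category": category, "user": user, "src_ip": src}
    m = FW_RE.match(line)
    if m:
        ts, action, src = m.groups()
        category = "firewall deny" if action == "DENY" else "firewall allow"
        return {"ts": datetime.fromisoformat(ts), "source": "fw",
                "category": category, "user": None, "src_ip": src}
    return None  # unparsed lines are dropped by the caller

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failed logins from one source IP are followed by a
    successful login from that IP inside the window. No single event is
    notable on its own; only the sequence is."""
    fails = defaultdict(list)  # src_ip -> timestamps of recent failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["src_ip"]
        if ev["category"] == "failed login":
            fails[ip].append(ev["ts"])
        elif ev["category"] == "successful login":
            recent = [t for t in fails[ip] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute-force-then-success", "src_ip": ip,
                               "user": ev["user"], "failures": len(recent),
                               "ts": ev["ts"]})
            fails[ip].clear()  # a success closes the attempt sequence
    return alerts

def run(raw=SAMPLE_LOGS):
    """Parse every line, keep the ones that normalized, and correlate them."""
    events = [e for e in (parse_event(l) for l in raw.splitlines()) if e]
    return events, correlate(events)
```

On the sample, bob's single failure half an hour before his success stays silent, while the three failures from 203.0.113.7 followed by a success within 15 seconds produce one alert.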

What is a SIEM tool?

Your SIEM tool is the software that acts as an analytics-driven security command center. All event data is collected in a centralized location. The SIEM tool does the parsing and categorizing for you, but more importantly, it provides context that gives security analysts deeper insight regarding security events across their infrastructure.

SIEM technologies vary in scope, from basic log management and alerting functionality to robust dashboards, machine learning and the ability to conduct deep dives into historical data for analysis. Leading solutions may provide dozens of dashboards, including:

  • An overview of notable events in your environment that represent potential security incidents.

  • Details of all notable events identified in your environment, so you can undertake triage.

  • A workbook of all open investigations, allowing you to track your progress and activity while investigating multiple security incidents.

  • Risk analysis that lets you score systems and users across your network to identify risks.

  • Threat intelligence designed to add context to your security incidents and identify known malicious actors in your environment.

  • Protocol intelligence using captured packet data to provide network insights that are relevant to your security investigations, allowing you to identify suspicious traffic, DNS activity and email activity.

  • User intelligence lets you investigate and monitor the activity of users and assets in your environment.

  • Web intelligence to analyze web traffic in your network.

Nontraditional tools are also making their way into the SIEM space, particularly user behavior analytics (UBA). UBA, also called user and entity behavior analytics (UEBA), is used to discover and remediate internal and external threats. While UBA is often seen as a more advanced security use case, it’s increasingly folded into the SIEM category. For instance, the Gartner Magic Quadrant for SIEM considers information about UBA/UEBA offerings.

It’s the ability to slice and dice data, providing greater insight and more robust threat detection, that sets a modern SIEM tool apart from legacy solutions. This type of analysis would be nearly impossible to perform manually, but a SIEM tool can make it happen with just a few clicks.

Modern SIEM solutions can be deployed on-premises, in the cloud or in a hybrid environment, and most are designed to scale as your business changes and grows.

What is SIEM’s role in the SOC?

SIEM’s role is to provide analysts in the SOC (security operations center) with consolidated insights from analysis of event data too varied and voluminous for manual review. SIEM analysis of machine data and log files can surface malicious activity and trigger automated responses, significantly improving response time against attacks.

While SOCs existed before SIEM came along, SIEM is a vital tool for the modern SOC’s mission to respond to internal and external attacks, simplify threat management, minimize risk, and achieve organization-wide visibility and security intelligence.


Getting Started

How do you get the most value from SIEM?

The best way to get maximum value from your SIEM solution is to understand the needs of your business, the risks inherent to your industry and to invest time in finding the right solution — and then working to continually improve it.

To build the solid foundation needed to realize the value of your SIEM tool, follow these best practices:


  1. Spend time planning and reviewing: What do you want SIEM to do for your business? Establish specific goals. This is key to ensuring that you pick the right SIEM tool to achieve what you set out to do. Do your homework. SIEM is complex and deployment can be lengthy, so don’t skimp on your initial research.

  2. Don’t expect to fix it and forget it: Once you’ve deployed your system, you can’t expect the tool to work if you don’t maintain it. Even the most intuitive tools require you to continually review the system and make adjustments as your business adapts to change.

  3. Establish procedures and monitor them closely: You must establish the criteria for generating alerts and determine the actions the tool should take in response to suspected malicious activity. Otherwise, your IT team will be overwhelmed with alerts — many of them false. Establish those procedures and keep tweaking them as needed to reduce false alarms and keep your staff focused on real threats.

  4. Employ experienced staff: SIEM makes life easier for your IT and security department, but it doesn’t replace your people. You need to train staff to implement, maintain and continually fine-tune the solution to keep up with the changing IT and security landscape.

How do you get started with SIEM?

The first step in any SIEM deployment is to prioritize the use cases for your business. What are your objectives? While most SIEM tools will provide use cases that typically apply to every customer in the form of rule sets, they aren’t necessarily the priorities of your business. The needs and objectives for manufacturing, healthcare, financial services, retail, public sector, etc., can vary widely.

As you decide how to implement SIEM in your organization, consider:


  • How much and what type of data you’ll have available within the system.

  • The level of internal expertise you have and the ability to train IT or security personnel to implement, manage and maintain the SIEM.

  • Whether your organization is growing and at what rate.

  • How large and sprawling your network is (e.g., number of remote locations and the degree of user mobility).

  • Your compliance obligations.

  • Your budget.


All of these factors can help guide you in your decision and implementation process.

Additionally, identify not only the immediate needs of your organization but also a path to scale up your security functionality that accounts both for projected growth and increasing security maturity. For instance, a smaller business or less mature security organization might start with basic event collection, steadily evolving more robust capabilities such as UEBA and SOAR (security orchestration, automation and response).

Outlining your use cases and security road map will allow your SOC and IT team to look at your many sources of event data and make sure that correct, complete, usable data is provided to the tool. Your SIEM can only be as good as the data you feed it.

How do you choose the right SIEM solution?

When you’re ready to make a decision, you’ll find that you have plenty of options to consider. As you’re evaluating tools, these are the key features to look for in a SIEM:


  1. Real-time monitoring: Attacks come quickly, and the longer you wait to address them, the more damage they do. Your SIEM should offer you a real-time, bird’s-eye view of what’s happening within your network, including activity associated with users, devices and applications, as well as any activity not specifically attached to an identity. You need monitoring capabilities that can be applied to any on-premises, cloud or hybrid data set.

    Beyond the monitoring aspect, you need the ability to synthesize the information into a format that’s usable. Choose a SIEM with a library of customizable, predefined correlation rules, a security event console to provide a real-time presentation of security incidents and events, and dashboards to provide live visualizations of threat activity.

  2. Incident response: Most importantly, an analytics-driven SIEM needs to include auto-response capabilities that can disrupt cyberattacks in progress. It should also offer you the ability to identify notable events and their status, indicate the severity of events, start a remediation process, and provide an audit of the entire process surrounding that incident.

  3. User monitoring: Some threats could be internal, either because users represent an actual threat or because their behaviors open the organization to outside threats. At the most basic level, your SIEM tool should offer you the ability to analyze access and authentication data, establish user context, and provide alerts relating to suspicious behavior and violations of corporate and regulatory policies. If you are responsible for compliance reporting, you may also need to monitor privileged users — users who are especially likely to be targeted by an attack — a common requirement for compliance reporting in most regulated industries.

  4. Threat intelligence: Your SIEM should help you identify key external threats, such as known zero-day exploits and advanced persistent threats. Threat intelligence offers you the ability not only to recognize abnormal activity, but to identify weaknesses in your security posture before they're exploited, and plan responses and remediations.

  5. Advanced analytics and machine learning: All the data in the world won’t do you a bit of good if you can’t use it to gain clear insights. Advanced analytics employs sophisticated quantitative methods, such as statistics, descriptive and predictive data mining, simulation and optimization to provide deeper insight.

    SIEM tools powered by machine learning are capable of learning over time what represents normal behavior and what is a true deviation, improving their accuracy. This is especially critical today, given that technology, attack vectors and hacker sophistication evolve faster than ever.

  6. Advanced threat detection: Since most firewalls and intrusion protection systems struggle to adapt to new advanced threats, you want your SIEM to be able to conduct a combination of network security monitoring, endpoint detection, response sandboxing and behavior analytics to identify and quarantine new potential threats. It’s more than just detecting the threat. You want to understand how serious the threat is, where it moves after being detected and how to contain it.

  7. Seamless log management: Not only should your SIEM be able to collect data from hundreds, even thousands of sources, but it must offer a user-friendly, intuitive interface that you can actually use to manage and retrieve log data.

  8. Scalability: Ensure that your SIEM choice can meet your needs now and in the future, specifically as your business grows and your IT footprint expands.
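The behavioral-analytics idea from the network security section ("you must know what normal behavior looks like") and the baseline learning described under item 5 above, as an added example that is not any vendor's code: it builds a per-user profile from constructed history records and reports how a new event deviates from it. User names, hours, volumes and countries are all constructed.

```python
# Per-user behavioral baseline and deviation scoring. Illustration only;
# not a UEBA product. All records below are constructed samples.
import statistics
from collections import defaultdict

# Constructed history: (user, hour_of_day, megabytes transferred, country)
HISTORY = [
    ("alice", 9, 120, "DE"), ("alice", 10, 140, "DE"), ("alice", 11, 110, "DE"),
    ("alice", 14, 130, "DE"), ("alice", 16, 125, "DE"), ("alice", 9, 135, "DE"),
    ("alice", 10, 115, "DE"), ("alice", 15, 128, "DE"),
    ("bob", 22, 900, "US"), ("bob", 23, 1100, "US"), ("bob", 21, 950, "US"),
    ("bob", 22, 1000, "US"), ("bob", 0, 980, "US"), ("bob", 23, 1050, "US"),
]

def build_baseline(history):
    """Learn 'normal' per user: observed hours, countries, and the mean and
    population standard deviation of transfer volume."""
    per_user = defaultdict(list)
    for user, hour, mb, country in history:
        per_user[user].append((hour, mb, country))
    baseline = {}
    for user, rows in per_user.items():
        vols = [mb for _, mb, _ in rows]
        baseline[user] = {
            "hours": {h for h, _, _ in rows},
            "countries": {c for _, _, c in rows},
            "mean_mb": statistics.mean(vols),
            "stdev_mb": statistics.pstdev(vols) or 1.0,  # guard a constant history
        }
    return baseline

def score_event(baseline, user, hour, mb, country, z_limit=3.0):
    """Return the list of ways an event deviates from the user's baseline.
    An empty list means the event looks normal. A user with no history is
    itself reported, since nothing is known to be normal for them."""
    prof = baseline.get(user)
    if prof is None:
        return ["no baseline for user"]
    reasons = []
    if hour not in prof["hours"]:
        reasons.append(f"unusual hour {hour}")
    if country not in prof["countries"]:
        reasons.append(f"new country {country}")
    z = (mb - prof["mean_mb"]) / prof["stdev_mb"]
    if z > z_limit:
        reasons.append(f"volume z-score {z:.1f} exceeds {z_limit}")
    return reasons
```

A 3,000 MB transfer by alice at 03:00 from a country she has never used trips all three checks, whereas bob's late-night, high-volume sessions are his normal and raise nothing.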

What is the best SIEM solution?

That’s the question that will inevitably follow once you have a basic understanding of SIEM: How do I choose the best SIEM solution for my industry, threat profile, organization and budget?

This depends on what you’re looking for. You want something that can handle modern volumes of data, the sophistication of today’s attacks, and the need to drive smart, real-time incident response. See Gartner’s “Magic Quadrant for Security Information and Event Management 2018” to learn about industry leaders as well as new faces.

© UNITY DATA TECHNOLOGY LLC. All rights reserved. ICP filing number: 京ICP备19042631号-1. Technical support: support@unitynetech.mn