Article
Security Information and Event Management (SIEM): Analysis,
Trends, and Usage in Critical Infrastructures
Gustavo González-Granadillo * , Susana González-Zarzosa and Rodrigo Diaz
Citation: González-Granadillo, G.; González-Zarzosa, S.; Diaz, R. Security Information and Event Management (SIEM): Analysis, Trends, and Usage in Critical Infrastructures. Sensors 2021, 21, 4759. https://doi.org/10.3390/s21144759
Academic Editors: Alexios Mylonas
and Nikolaos Pitropakis
Received: 3 June 2021
Accepted: 8 July 2021
Published: 12 July 2021
Publisher's Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Copyright: © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Cybersecurity Unit, Atos Research & Innovation, ATOS Spain, 28037 Madrid, Spain;
susana.gzarzosa@atos.net (S.G.-Z.); rodrigo.diaz@atos.net (R.D.)
* Correspondence: gustavo.gonzalez@atos.net
Abstract:
Security Information and Event Management (SIEM) systems have been widely deployed as a powerful tool to prevent, detect, and react to cyber-attacks. SIEM solutions have evolved into comprehensive systems that provide broad visibility, identify high-risk areas, and support proactive mitigation strategies aimed at reducing the cost and time of incident response. Currently, SIEM systems and related solutions are slowly converging with big data analytics tools. We survey the most widely used SIEMs with respect to their critical functionality and analyse the external factors affecting the SIEM landscape in the mid and long term. As part of the review of existing solutions, we provide a list of potential enhancements for the next generation of SIEMs, together with an analysis of their benefits and usage in critical infrastructures.
Keywords: evolution of SIEMs; SIEM enhancement; SIEM trends; critical infrastructures
1. Introduction
Cybersecurity risks affecting industrial control systems (ICS) have grown enormously during the past couple of years, mainly due to increased activity by nation-states and cyber criminals. Attackers have become more sophisticated and dangerous, and their appropriate and timely detection has become a real challenge. Examples of current cybersecurity incidents affecting IT and ICS environments are [1]: ransomware attacks; malware that impacts a utility's ability to conduct business and operations; phishing campaigns directed at executives, executive assistants, SCADA engineers, IT administrators, or other privileged users; business email compromise incidents, including account takeover or impersonation of executives; data leakage and theft; and social engineering to gather sensitive information from personnel.
According to a recent report from NIST [2], cybersecurity solutions for industrial control systems should provide real-time behavioural anomaly detection, enable faster incident management, and allow for intelligent visualisation of the network and all its interconnected nodes. Security Information and Event Management (SIEM) systems offer these capabilities as built-in features.
In general, SIEMs have the capacity to collect, aggregate, store, and correlate events generated by a managed infrastructure [3]. They constitute the central platform of modern security operations centres, as they gather events from multiple sensors (intrusion detection systems, anti-virus, firewalls, etc.), correlate these events, and deliver consolidated views of the resulting alerts for threat handling and security reporting [4,5]. Beyond these core capabilities, there are many differences between the existing systems, which normally reflect the different positions of SIEMs in the market.
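The collect, normalise and correlate pipeline described above, as an added example that is not part of the paper and does not reproduce any product's implementation. It takes raw lines from three constructed sensors (an SSH authentication log, an IDS alert log, and a firewall log, whose formats, hostnames and RFC 5737 documentation addresses are all invented for the example), maps them onto one common event schema, and evaluates two cross-sensor rules over a sliding time window: several failed logins followed by a success from the same source, and an IDS alert for a flow the firewall allowed anyway.

```python
"""Minimal SIEM pipeline: collect heterogeneous sensor events, normalise them
into a common schema, and correlate across sensors to raise alerts.
Log formats and addresses are constructed for this example."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """Common schema every sensor is normalised into."""
    ts: datetime
    sensor: str       # which sensor produced it: "auth", "ids" or "fw"
    action: str       # normalised action, e.g. "login_fail", "ids_alert", "fw_allow"
    src_ip: str
    dst: str = ""
    detail: str = ""  # user name, IDS signature or destination port


# Native line formats of the three sensors (assumed formats, not real product output).
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<res>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$")
IDS_RE = re.compile(r"^(?P<ts>\S+) \[\*\*\] (?P<sig>.+?) \[\*\*\] (?P<ip>\S+) -> (?P<dst>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) FW (?P<act>ALLOW|DENY) src=(?P<ip>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$")


def normalise(line: str) -> Optional[Event]:
    """Map one raw sensor line onto the common schema; None if the format is unknown."""
    if m := AUTH_RE.match(line):
        action = "login_ok" if m["res"] == "Accepted" else "login_fail"
        return Event(datetime.fromisoformat(m["ts"]), "auth", action, m["ip"], detail=m["user"])
    if m := IDS_RE.match(line):
        return Event(datetime.fromisoformat(m["ts"]), "ids", "ids_alert", m["ip"], m["dst"], m["sig"])
    if m := FW_RE.match(line):
        return Event(datetime.fromisoformat(m["ts"]), "fw", "fw_" + m["act"].lower(), m["ip"], m["dst"], m["port"])
    return None  # unparsed line: dropped here, a production SIEM would count and report these


def correlate(events: List[Event], window: timedelta = timedelta(minutes=5),
              threshold: int = 3) -> List[Tuple]:
    """Evaluate two cross-sensor rules over events sorted by time.

    Rule 1 (brute_force_success): >= threshold login_fail from one source IP,
      followed by login_ok from that IP, all inside `window`.
    Rule 2 (ids_alert_not_blocked): an ids_alert and an fw_allow for the same
      (src, dst) pair inside `window`, in either order."""
    alerts: List[Tuple] = []
    fails = defaultdict(deque)     # src_ip -> timestamps of recent login failures
    ids_hits = defaultdict(list)   # (src_ip, dst) -> timestamps of IDS alerts
    allows = defaultdict(list)     # (src_ip, dst) -> timestamps of firewall allows
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "login_fail":
            fails[ev.src_ip].append(ev.ts)
        elif ev.action == "login_ok":
            q = fails[ev.src_ip]
            while q and ev.ts - q[0] > window:   # expire failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append(("brute_force_success", ev.src_ip, ev.detail, ev.ts))
                q.clear()                        # do not re-alert on the same burst
        elif ev.action == "ids_alert":
            key = (ev.src_ip, ev.dst)
            ids_hits[key].append(ev.ts)
            if any(ev.ts - t <= window for t in allows[key]):
                alerts.append(("ids_alert_not_blocked", ev.src_ip, ev.dst, ev.ts))
        elif ev.action == "fw_allow":
            key = (ev.src_ip, ev.dst)
            allows[key].append(ev.ts)
            if any(ev.ts - t <= window for t in ids_hits[key]):
                alerts.append(("ids_alert_not_blocked", ev.src_ip, ev.dst, ev.ts))
    return alerts


# Constructed sample input from three sensors, including one line no parser understands.
SAMPLE_LOGS = [
    "2021-06-03T10:00:01 sshd: Failed password for root from 203.0.113.7",
    "2021-06-03T10:00:05 sshd: Failed password for root from 203.0.113.7",
    "2021-06-03T10:00:09 sshd: Failed password for admin from 203.0.113.7",
    "2021-06-03T10:00:14 sshd: Accepted password for admin from 203.0.113.7",
    "2021-06-03T10:01:00 sshd: Failed password for bob from 198.51.100.4",
    "2021-06-03T10:02:00 [**] ET SCAN Modbus probe [**] 203.0.113.7 -> 10.0.0.15",
    "2021-06-03T10:02:01 FW ALLOW src=203.0.113.7 dst=10.0.0.15 dport=502",
    "2021-06-03T10:03:00 FW DENY src=198.51.100.4 dst=10.0.0.15 dport=502",
    "kernel: this line is in no known sensor format",
]


def run_pipeline(lines: List[str]) -> List[Tuple]:
    """Collect -> normalise -> correlate, returning the raised alerts."""
    events = [e for e in map(normalise, lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(alert)
```

On the sample input the pipeline raises exactly two alerts, both against 203.0.113.7: the password-guessing burst that ends in a successful login, and the Modbus scan that the firewall let through to 10.0.0.15. The single failure from 198.51.100.4 and its denied connection raise nothing, and the unparseable line is silently dropped, which is the point a practitioner should watch: every sensor format the SIEM cannot normalise is a blind spot for every correlation rule built on top of it.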
Several companies have developed SIEM software products to detect network attacks and anomalies in an IT infrastructure. Among them are classical IT companies (e.g., HP, IBM, Intel, McAfee), vendors with more visionary offerings (e.g., AT&T Cybersecurity/AlienVault's SIEMs), and promising tools worth considering in a SIEM context (e.g., Splunk).