Safeguard
Best Practices

What is SIEM

SIEM explained: how it works, what data feeds it, how it differs from SOAR/XDR, and where reachability-based supply chain security fills its blind spots.

Michael
Cloud Security Architect
7 min read

Security Information and Event Management (SIEM) is a category of software that collects, normalizes, and correlates log and event data from across an IT environment -- firewalls, endpoints, cloud workloads, identity providers -- into a single system that flags suspicious activity in near real time. Gartner analysts Mark Nicolett and Amrit Williams coined the term in a 2005 research note, merging two older disciplines: security information management (long-term log storage and reporting) and security event management (real-time correlation and alerting). Two decades later, the market has grown to roughly $6.2 billion in 2024 revenue by most industry estimates, anchored by platforms like Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar, and Elastic Security. A typical mid-size enterprise SIEM ingests between 50 GB and 500 GB of log data per day, and security teams still take an average of 258 days to identify and contain a breach, according to IBM's 2024 Cost of a Data Breach Report.

How does a SIEM actually work?

A SIEM works by pulling raw logs from many sources into a centralized pipeline, normalizing them into a common schema, and then running correlation rules or machine learning models to surface the handful of events that actually matter. The pipeline generally has four stages: collection (via agents, syslog forwarders, or cloud APIs), normalization (mapping vendor-specific fields into a common schema like Common Event Format or Elastic Common Schema), correlation (rule-based or statistical matching across multiple log sources), and alerting or case creation. IBM QRadar ships with more than 400 Device Support Modules (DSMs) to parse log formats out of the box, while Splunk relies on props.conf and transforms.conf files to define parsing logic for each source type. A concrete correlation rule might combine "5 failed logins from the same source IP within 2 minutes" with "a successful login from a new country immediately afterward" to raise a credential-stuffing alert -- a pattern that maps directly to MITRE ATT&CK technique T1110 (Brute Force).

What data sources typically feed into a SIEM?

A SIEM ingests logs from network devices, endpoints, identity systems, cloud control planes, and applications, most commonly firewalls (Palo Alto Networks, Fortinet), endpoint detection tools (CrowdStrike Falcon, Microsoft Defender for Endpoint), identity providers (Okta, Microsoft Entra ID), cloud audit trails (AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs), and CI/CD systems (GitHub Actions, Jenkins, GitLab CI). Volume varies enormously by source: a single AWS account with moderate activity can generate several million CloudTrail events per day, while a 5,000-endpoint fleet running EDR agents can push 200+ GB of telemetry daily into the SIEM. Most enterprise deployments map ingested sources against the 14 tactics and 200+ techniques in the MITRE ATT&CK framework (version 15, released April 2024) to track detection coverage gaps -- for example, a team might discover it has strong coverage for T1078 (Valid Accounts) but no detections at all for T1195 (Supply Chain Compromise).

How is a SIEM different from SOAR and XDR?

A SIEM centralizes and correlates log data to generate detections, while SOAR (Security Orchestration, Automation and Response) automates the response workflow after a detection fires, and XDR (Extended Detection and Response) narrows telemetry collection to a vendor's own endpoint, network, and cloud sensors with built-in correlation logic. In practice, Splunk SOAR (formerly Phantom) can execute a playbook that automatically quarantines an endpoint via API call the moment a SIEM correlation search fires, cutting a manual 45-minute triage-and-contain workflow down to under 2 minutes. CrowdStrike Falcon XDR, by contrast, correlates its own sensor data natively without requiring separate log shipping through syslog or HTTP Event Collector, the way a traditional SIEM does. Gartner's 2023 and 2024 Magic Quadrant reports both note the categories converging, with vendors like Microsoft and Palo Alto Networks now marketing unified "SIEM/XDR" platforms rather than standalone tools.

What are the biggest operational challenges of running a SIEM?

The three most common SIEM challenges are alert fatigue, ingest-based licensing costs, and detection content that goes stale. Exabeam's 2023 "State of Threat Detection" survey found SOC analysts field an average of 4,484 alerts per day, with roughly 30-50% classified as false positives after investigation -- a volume that drives the analyst burnout and 33% average annual SOC turnover reported in the same study. Cost compounds the problem: Splunk and similar platforms price primarily on daily ingest volume (dollars per GB/day), so an environment generating 200 GB/day can carry a six-figure annual licensing bill before any headcount is added. Detection content also decays as attacker techniques shift; with MITRE ATT&CK now cataloging over 200 techniques and sub-techniques, most SOC teams report reviewing and retuning correlation rules on a monthly or quarterly cycle just to keep pace with new adversary tradecraft and avoid the rule silently going blind.

How much does a SIEM cost, and who are the major vendors?

SIEM pricing ranges from a few thousand dollars a year for a self-hosted open-source deployment to seven figures annually for enterprise environments ingesting terabytes of logs daily, with Splunk, Microsoft Sentinel, IBM QRadar, Exabeam, and Elastic Security named as Leaders or Visionaries in Gartner's 2023 SIEM Magic Quadrant. Microsoft Sentinel's pay-as-you-go tier bills roughly $2.46 per GB ingested in the East US region (2024 published rate), on top of the underlying Azure Log Analytics workspace charges, while committed-tier pricing can reduce that per-GB rate by 30-60% for customers who commit to a fixed daily ingest volume. Open-source alternatives like Wazuh or the Elastic Stack's free tier eliminate licensing fees entirely but shift the cost into engineering time for deployment, parser maintenance, and scaling -- a tradeoff that has kept commercial SIEM revenue growing even as free options mature.

Where does SIEM fit into a software supply chain security program?

SIEM sits downstream of build and deploy events, correlating runtime and infrastructure logs so security teams can detect exploitation of vulnerabilities that are already present in shipped code and dependencies -- but it has no native way to tell you which of the 40,000+ CVEs published to the NVD in 2024 are actually reachable in your running application. This is the gap supply chain security tools are built to fill: software composition analysis (SCA) and SBOM generation give a SIEM the asset inventory context it lacks on its own, so an alert on outbound traffic to a known-malicious IP can be correlated against exactly which service and package version was running at that moment. The Log4Shell disclosure in December 2021 is the canonical example: a well-tuned SIEM could detect anomalous JNDI lookup traffic in application logs, but only for teams that already knew to write that detection rule and knew which of their services embedded the vulnerable log4j-core class in the first place -- reachability context that most SIEMs simply don't have.

How Safeguard Helps

Safeguard closes the gap between "what happened at runtime" and "what shipped in your code" that a log-only SIEM can't see on its own. Safeguard's reachability analysis traces every disclosed CVE against your actual call graph, so instead of forwarding thousands of raw dependency alerts into your SIEM's ingest pipeline, only vulnerabilities with a confirmed exploitable path generate a signal worth correlating. Griffin AI, Safeguard's detection engine, layers that reachability context on top of commit history and package metadata to decide which findings deserve escalation to your SIEM or on-call rotation in the first place, cutting the false-positive volume analysts have to triage. Safeguard also generates and ingests SBOMs (CycloneDX and SPDX) on every build, giving your SIEM and CMDB a live, versioned record of what's actually running instead of a stale quarterly export. When a reachable vulnerability is confirmed, Safeguard opens an auto-fix pull request with the minimal version bump required to remediate it, so the mean-time-to-remediate metric on your SOC dashboard trends down instead of accumulating into next quarter's backlog.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.