ORSYS le mag 2025 logo

The training and skills medium

Home > Cybersecurity glossary > SIEM 🟢 Protection

SIEM 🟢 Protection

A SIEM (Security Information and Event Management), is a cybersecurity software solution who acts as the brains behind an organisation's security.

It collects, standardises and analyses safety data from a variety of sources (event logs, security alertsnetwork data flows, etc.). to detect threats and security incidents in real time.

 

SIEM illustration

Illustration SIEM ©ORSYS/Alexandre SALQUE

🎯 SIEM objectives

  1. Threat detection : identify suspicious behaviour (attacks, intrusions, anomalies) using correlation rules, machine learning algorithms and artificial intelligence.
  2. Event correlation : link isolated, seemingly unrelated events to identify complex and sophisticated attack patterns.
  3. Regulatory compliance : generate customisable reports to meet the requirements of standards such as RGPD, ISO 27001PCI-DSS, HIPAA, etc.
  4. Incident response : provide real-time alerts to enable security teams to respond quickly and effectively to incidents.
  5. Analysis forensics : trace post-incident activities by exploiting historical logs to understand the extent of the attack, identify the vulnerabilities and improve safety.

👉 Types of SIEM

  1. On-Premises : deployed locally on the organisation's premises (e.g. IBM QRadar, Splunk). Offers total control, but requires significant maintenance.
  2. Cloud (SaaS) : Hosted and managed by a cloud service provider (e.g. Microsoft Sentinel, Sumo Logic). More flexible and scalable, but can raise security and compliance issues.
  3. Hybrid : combines cloud and local infrastructure. Allows you to benefit from the advantages of both models.
  4. Open source : customisable solutions (e.g. Elastic SIEM, Wazuh). Require in-house technical expertise.
  5. Managed SIEM : outsourced to an MSSP (Managed Security Service Provider). Ideal for companies with limited resources.

How it works

  1. Collection : retrieves logs and events from all sources (firewallIDS/IPS, servers, applications, etc.).
  2. Standardisation : structures data in a common format to facilitate analysis and correlation.
  3. Analysis: applies rules, machine learning or AI to detect threats and anomalies.
  4. Correlation : identifies the links between events to reconstruct the sequence of attacks.
  5. Alert and response : notifies security teams and triggers automated actions (e.g. IP blocking, system isolation).
  6. Reporting : generates dashboards and reports for compliance, audit and trend analysis.

Benefits

  • Centralisation : unified view of security threats and events.
  • Proactive detection : reduction in response time (MTTD/MTTR) and minimisation of the impact of attacks.
  • Compliance : automation of regulatory reporting and simplification of audits.
  • Automation : integration with a SOAR (Security Orchestration, Automation, and Response) to automate incident response.
  • Scalability : suitable for large infrastructures and high data volumes

Disadvantages

  • Complexity : demanding configuration and maintenance, requiring safety expertise.
  • High costs : licences, log storage, expertise required, especially for on-premises solutions.
  • False positives : irrelevant alerts if the rules are poorly configured, which can overwhelm security teams.
  • Latency : processing times for very large volumes of data, which can have an impact on real-time detection.
  • Log dependency : requires full instrumentation of systems for optimum visibility.

💰 Costs

  • Licences : from a few thousand to hundreds of thousands of euros a year, depending on the size of the company and the features involved.
  • Infrastructure : dedicated servers, storage, bandwidth (cost varies according to volume of logs and type of deployment).
  • Maintenance : in-house or outsourced teams (MSSP).
  • Training: team certification (e.g. Splunk, ArcSight).

📈 Trends 2025

  1. IA/ML : improved threat detection zero-day and abnormal behaviour thanks to machine learning and artificial intelligence.
  2. SOAR-SIEM convergence : Increased automation of incident response thanks to close integration between SIEM and SOAR solutions.
  3. Cloud-based SIEM : massive adoption of SaaS solutions for greater flexibility, scalability and cost reduction.
  4. Zero Trust : integration with Zero Trust architectures to strengthen access and data security.
  5. XDR (Extended Detection and Response) : merging SIEM capabilities with solutions EDR (Endpoint Detection and Response) for comprehensive protection against threats.

Examples of SIEM solutions

  • Splunk Enterprise Security
  • Microsoft Sentinel
  • IBM QRadar
  • LogRhythm
  • Elastic SIEM
  • Fortinet FortiSIEM
  • Rapid7 InsightIDR
  • Exabeam

📊 Key figures (2023-2024)

World :

  • Global SIEM market : 6.4 billion in 2023, with a projection of $12.7 billion by 2028 (Source: Gartner).
  • Adoption of the SIEM : 60 % of companies use a SIEM to respond to attacks from ransomware (Source: Gartner).
  • Violation detection time : 207 days in average without SIEMagainst less than 50 days with a SIEM.

France :

  • 70 % of large French companies have deployed a SIEM (Source: ANSSI).
  • 45 % of SMEs use cloud-SIEM solutions (CESIN 2023 study).
  • Average cost of a data breach : 4.2 million (up 15% since 2022).
Back to Glossary

field of training

Cybersecurity

associated training

Systems and network security, level 1

Hacking and security, level 1

Information systems security, summary

BEST

Towards the ORSYS Cyber Academy: a free space dedicated to cybersecurity