
SIEM

Security Information and Event Management (SIEM) is a central platform that collects, normalises and correlates security-relevant log data from IT systems in real time in order to detect threats and security incidents at an early stage.

Security Information and Event Management (SIEM) refers to a technical solution that aggregates log and event data from heterogeneous sources such as servers, endpoints, firewalls, network components, applications and cloud services in a single location. The raw data is normalised, enriched and evaluated through correlation rules and increasingly through behaviour-based analytics. This makes it possible to identify patterns that would appear inconspicuous in any individual source but, viewed as a whole, point to an attack or a misconfiguration.

A SIEM combines two historically separate disciplines: Security Information Management (long-term storage, analysis and reporting of log data) and Security Event Management (real-time monitoring, correlation and alerting). It thereby supports core information security requirements under ISO/IEC 27001 as well as the German BSI IT-Grundschutz framework, in particular logging, continuous monitoring and the detection of security incidents. In practice, a SIEM often forms the technical heart of a Security Operations Center (SOC) and provides the data foundation for incident response.

With the entry into force of the NIS2 Directive, SIEM has gained considerable importance: essential and important entities must be able to demonstrate technical and organisational measures for detecting and handling security incidents and for meeting the short reporting deadlines. A SIEM delivers the necessary transparency, audit-proof logging and analytical capability for this purpose. At the same time, its operation must comply with the data protection requirements of the GDPR, as log data regularly contains personal data and principles such as purpose limitation, storage limitation and co-determination rights must be observed.

Legal Basis

NIS2 Directive (EU) 2022/2555 in conjunction with the German NIS2 implementation act; ISO/IEC 27001:2022 (in particular A.8.15 Logging, A.8.16 Monitoring activities); BSI IT-Grundschutz (modules OPS.1.1.5 Logging, DER.1 Detection of security-relevant events); Art. 5 and Art. 32 GDPR

Practical Example

A mid-sized energy supplier qualifies as an essential entity under the NIS2 obligations. The information security officer introduces a SIEM that consolidates logs from Active Directory, VPN gateways, firewalls and the control systems. When a compromised service account generates an unusually high number of login attempts at night from an unfamiliar network segment, a correlation rule automatically triggers an alert. The SOC isolates the account within minutes, documents the incident in an audit-proof manner and is able to submit the statutory initial report to the BSI within the 24-hour deadline.
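The correlation rule in this example, written out as added illustration code (not part of the page and not preeco's product): two assumed raw log formats, a Windows failed-logon event from Active Directory and a VPN gateway syslog line, are normalised onto one schema, and an alert is raised when one account accumulates at least five failed logins inside ten minutes, all at night and all from an address outside the assumed corporate segments. Thresholds, network segments, log formats and the sample lines are all constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed corporate segments (constructed); a source address outside them is "unfamiliar".
KNOWN_SEGMENTS = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.20.0.0/16")]
NIGHT_HOURS = range(0, 6)      # 00:00-05:59 UTC counts as night
THRESHOLD = 5                  # failed logins per account inside WINDOW
WINDOW = timedelta(minutes=10)
# Normalisation: one regex per source maps its raw format onto a common schema.
PATTERNS = {
    "ad": re.compile(r"^(?P<ts>\S+) \S+ EventID=4625 TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"),
    "vpn": re.compile(r"^(?P<ts>\S+) \S+ vpn: login failed user=(?P<user>\S+) src=(?P<ip>\S+)$"),
}

def normalise(line):
    # Returns a failed-login event as {ts, user, ip, source}, or None for any other line.
    for source, pat in PATTERNS.items():
        if m := pat.match(line):
            return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), "user": m["user"],
                    "ip": ipaddress.ip_address(m["ip"]), "source": source}
    return None

def correlate(lines):
    # Rule: >= THRESHOLD failures for one account inside WINDOW, all at night, all from outside
    # KNOWN_SEGMENTS. Returns one alert per offending account (first qualifying burst only).
    per_user = defaultdict(list)
    for ev in filter(None, map(normalise, lines)):
        per_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW]
            if len(burst) >= THRESHOLD and all(
                e["ts"].hour in NIGHT_HOURS and not any(e["ip"] in net for net in KNOWN_SEGMENTS) for e in burst
            ):
                alerts.append({"user": user, "count": len(burst), "first_seen": first["ts"].isoformat(),
                               "sources": sorted({e["source"] for e in burst}),
                               "src_ips": sorted({str(e["ip"]) for e in burst})})
                break
    return alerts
# Constructed sample log lines (not real data): svc_backup fails 6 times at night from an
# unknown segment across AD and VPN; alice fails 6 times by day from the corporate LAN.
SAMPLE_LINES = (
    [f"2024-05-03T02:1{i}:07Z ad-dc01 EventID=4625 TargetUserName=svc_backup IpAddress=192.0.2.45" for i in range(4)]
    + [f"2024-05-03T02:1{i}:30Z vpn-gw01 vpn: login failed user=svc_backup src=192.0.2.45" for i in range(4, 6)]
    + [f"2024-05-03T10:0{i}:00Z ad-dc01 EventID=4625 TargetUserName=alice IpAddress=10.10.5.7" for i in range(6)]
    + ["2024-05-03T02:30:00Z fw01 connection allowed src=10.10.1.2 dst=203.0.113.9"]  # unrelated, ignored
)
```

Running `correlate(SAMPLE_LINES)` yields a single alert for `svc_backup` with six failures seen from both sources, while alice's daytime failures from a known segment produce nothing; the alert carries only the fields an analyst needs, which is also where the data minimisation question from the FAQ starts.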

FAQ

A firewall is a preventive control that filters and blocks network traffic according to defined rules. A SIEM does not act preventively but detectively: it collects and correlates log data from numerous systems, including the firewall, in order to make attacks and anomalies visible. The two complement each other and are not alternatives.

The NIS2 Directive does not prescribe a specific product, but it does require demonstrable measures for detecting, handling and reporting security incidents within the deadlines. A SIEM is an established and, in practice, hard-to-replace tool for this, as it delivers the required transparency and audit-proof logging.

Log data often contains personal data such as user names or IP addresses, so the GDPR applies. Particular attention must be paid to purpose limitation, data minimisation, defined retention periods and the co-determination rights of the works council, since a SIEM is in principle capable of monitoring behaviour and performance.
