What Exactly is SIEM and SIEM Integration?

Security Information and Event Management (SIEM) is a standardized way of collecting and aggregating security and event information. For Identity Cloud customers, SIEM integration works like this:

  1. Akamai constantly monitors the SIEM event stream, looking for Identity Cloud-related activities such as logins, registrations, and password changes. Each time one of these events occurs (for example, each time a user successfully logs in), information about the event (who logged on, when they logged on, where they logged on from, etc.) is recorded.
  2. Event information is then forwarded to one of two places, in one of two ways. If an organization wants real-time delivery of events (that is, it wants to know about each event as soon as it occurs), event information is forwarded to a webhook and then delivered to the organization. (Webhooks, also known as user-defined HTTP callbacks, provide a way for information to be delivered any time a specified event takes place.)

     Alternatively, organizations can have event information delivered at regularly scheduled intervals. For example, an organization might decide to receive SIEM events every 10 minutes. In that case, all the Akamai-related events that occur in the next 10 minutes are stored in an SFTP server queue. When the 10 minutes are up, those events are delivered, the queue is cleared, and SIEM Integration begins storing the next batch of events.
  3. Events are received by the customer. The exact mechanism for event receipt varies depending on both the delivery method (webhook or batch) and the organization's SIEM software. Real-time event delivery (webhooks) usually involves an API server, a message queue, or an HTTP server. Batch delivery (scheduled delivery) typically relies on an SFTP server or a file receiver. Organizations work with their Akamai representative to determine the delivery method that suits them best.
  4. Events are imported into your SIEM software and analyzed. Organizations use the data in the way that works best for them: you determine the things you want to look for, what does and does not represent anomalous behavior, and what triggers an alert and what does not.

The entire process is summarized in the following diagram:

Keep in mind that Akamai does not provide tools for importing and analyzing SIEM events; for that, you will need third-party software such as Splunk or QRadar. What Akamai provides is detailed information about activities such as logins, registrations, password or email changes, etc. For example, for each "traditional" login (i.e., a user logging on with a username and password) Akamai issues an event notification similar to this:

LEEF:2.0|Janrain|Janrain Identity Cloud|1.0|traditional_signin|sev=3 proto=HTTPS cat=identity url=https://myapp.janrain.com/oauth/auth_native_traditional src= devTime=Dec 29 2016 00:26:40 devTimeFormat=MMM dd yyyy HH:mm:ss usrName=2b565a0c-a863-11e7-abc4-cec278b6b50a role=user userAgent=Mozilla/5.0 (X11; Fedora; Linux x86_64) janrainApp=abc123abc123def456def456gh janrainClient=abc123abc123def456def456ghi789gh origin=https://ui.janrain.com forward_headers=[{'name': 'header_name', 'value': 'header_value'}]

That file can then be imported into a SIEM analysis tool such as Splunk:

Akamai SIEM Integration supports two standard SIEM file formats: the Common Event Format (CEF) and the Log Event Extended Format (LEEF). Data can be retrieved in near real time by using webhooks, or can be scheduled for regular delivery using a secure FTP (SFTP) server. Depending on your needs and on your SIEM platform, Akamai SIEM integration can use various delivery mechanisms such as message queues, APIs, HTTP receivers, or file receivers.
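To show what a consumer of these events has to handle before any analysis can start, here is an added Python example (not Akamai's code and not part of the original page) that parses the LEEF 2.0 traditional_signin line shown above into header fields and an attribute dict, then runs one simple batch rule over it. It assumes the sample's layout (five pipe-separated header fields with no optional delimiter field, then space-delimited attributes); the two extra events are constructed variants of the page's sample.

```python
import re
# The traditional_signin event shown on this page, as one string.
PAGE_EVENT = (
    "LEEF:2.0|Janrain|Janrain Identity Cloud|1.0|traditional_signin|sev=3 proto=HTTPS "
    "cat=identity url=https://myapp.janrain.com/oauth/auth_native_traditional src= "
    "devTime=Dec 29 2016 00:26:40 devTimeFormat=MMM dd yyyy HH:mm:ss "
    "usrName=2b565a0c-a863-11e7-abc4-cec278b6b50a role=user "
    "userAgent=Mozilla/5.0 (X11; Fedora; Linux x86_64) janrainApp=abc123abc123def456def456gh "
    "janrainClient=abc123abc123def456def456ghi789gh origin=https://ui.janrain.com "
    "forward_headers=[{'name': 'header_name', 'value': 'header_value'}]"
)
# Constructed variants (not real Identity Cloud data): the same user from a second
# browser, and a second user (placeholder UUID) from the original browser.
SAMPLE_EVENTS = [
    PAGE_EVENT,
    PAGE_EVENT.replace("(X11; Fedora; Linux x86_64)", "(Windows NT 10.0; Win64; x64)"),
    PAGE_EVENT.replace("usrName=2b565a0c-a863-11e7-abc4-cec278b6b50a",
                       "usrName=00000000-0000-4000-8000-000000000002"),
]
# A key is word characters followed by "=" at the start of the attribute section or
# after whitespace. A value runs to the next key, so it may contain spaces (userAgent,
# devTime) or be empty (src). A value containing " word=" would be split wrongly.
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")

def parse_leef(line):
    """Parse one LEEF 2.0 line into header fields plus an attribute dict. Assumes the
    page's layout: five pipe-separated header fields (no optional delimiter field)
    followed by space-separated key=value attributes."""
    parts = line.rstrip().split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF line: %r" % line[:40])
    event = {"version": parts[0][5:], "vendor": parts[1], "product": parts[2],
             "product_version": parts[3], "event_id": parts[4], "attrs": {}}
    attrs = parts[5]
    keys = list(KEY_RE.finditer(attrs))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(attrs)
        event["attrs"][m.group(1)] = attrs[m.end():end].strip()
    return event

def users_with_multiple_agents(lines, event_id="traditional_signin"):
    """Flag accounts that signed in from more than one userAgent within a batch:
    one example of the kind of rule a customer might build on these events."""
    agents = {}
    for ev in (parse_leef(line) for line in lines):
        if ev["event_id"] == event_id:
            user, agent = ev["attrs"].get("usrName", ""), ev["attrs"].get("userAgent", "")
            agents.setdefault(user, set()).add(agent)
    return {user: sorted(seen) for user, seen in agents.items() if len(seen) > 1}
```

On the three sample events, only the page's user is flagged, because it appears with two different userAgent values in the same batch.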