When IT security is breached, time is of the essence. Security Information and Event Management (SIEM) tools shine in such scenarios, because they alert organizations to potential security threats and system vulnerabilities in time to prevent a serious problem. In fact, these tools have been adopted by more than half of organizations, with another 21% planning to implement a SIEM solution this year.
But according to ICD’s EDR and XDR 2020 Survey, 17% of alerts aren’t investigated despite hundreds of hours – and dollars – being sunk into event detection and response. There are just too many alerts to handle these days – and SIEM tools are only effective if they have access to a comprehensive and accurate set of technology asset data – information about the infrastructure they aim to protect.
Let’s take a closer look at SIEM tools, including what they are and how they work, and how Lansweeper’s IT asset discovery capabilities boost their effectiveness and enable teams to investigate and resolve more incidents, faster.
Let’s begin with the basics. SIEM combines security information management (SIM) and security event management (SEM) with real-time analysis capabilities, helping teams to surface anomalous user behavior. SIEM tools apply AI and machine learning to automate traditionally manual tasks associated with threat detection and response, and alert users to potential threats.
SIEM tools work by capturing event data from various sources across an organization’s network – both physical and virtual – and analyzing it in real time. They consolidate this information into a single pane of glass, simplifying management and making it easier to detect and respond to threats or network issues. SIEM tools can also be integrated with third-party threat intelligence tools, so that known threat patterns and signatures can be used to enhance data analysis. They can spot and alert on anomalies in real time to initiate a rapid response.
But a SIEM tool is only as good as the data that feeds it, and unfortunately, enriching SIEM alerts is usually a slow, manual and tedious process. The data to which they have access may be extremely limited – a MAC or IP address, for example – and determining which devices are impacted by a threat, as well as their location and users, requires a lot of phone calls, emails and face-to-face conversations. As more alerts come in, teams scramble to investigate them and find the data they need – and often, it’s too late by the time they do. Although they wisely focus on high-priority events, failing to investigate all events increases risk and could potentially expose the organization to a serious threat.
Lansweeper makes it easy for SIEM tools to access all the data they need to investigate and analyze any potential event or incident, quickly and efficiently. Popular SIEM vendors such as IBM, Splunk and others have embedded Lansweeper into their tools, so they can leverage Lansweeper’s deep scanning engine and credential-free device recognition (CDR) technology to surface contextual data about all connected hardware and software assets across the technology estate.
Lansweeper continuously scans the network to detect every connected asset – even shadow IT and rogue devices that only touch the network briefly – creating a complete and extensive dataset. It gathers granular data about installed software, users, location and more. Using the IP/MAC address of a device, SIEM tools can fetch this Lansweeper enrichment data and populate alerts in real time, so security analysts can access IT asset data right within the SIEM tool – and stop chasing down data manually. This drastically reduces the time it takes to isolate and address security incidents, while providing the information teams need to take the next right action.
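As an added illustration of the enrichment step described above (example code, not Lansweeper’s or any SIEM vendor’s), the following Python indexes a constructed asset inventory by MAC and IP and enriches a bare SIEM alert record with owner and location, preferring the MAC because an IP may have been re-leased since the scan and flagging records with no inventory match. The field names, inventory entries and alert shape are assumptions; no vendor API is used.

```python
import ipaddress
import re
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Asset:
    """One discovered device; 'mac' is stored canonically (lower-case, colon-separated)."""
    name: str
    ip: str
    mac: str
    owner: str
    location: str

def normalize_mac(mac):
    """Canonicalise 'AA-BB-CC-DD-EE-01', 'aabb.ccdd.ee01' or 'aa:bb:..'; return None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

# Constructed inventory standing in for a discovery scan result (sample data, not real hosts).
INVENTORY = [
    Asset("fin-ws-017", "10.20.4.17", "aa:bb:cc:dd:ee:01", "j.doe", "HQ / Floor 2"),
    Asset("printer-hq-3", "10.20.4.200", "aa:bb:cc:dd:ee:02", "shared", "HQ / Floor 3"),
]

class AssetIndex:
    """Index the inventory by MAC and by IP so each alert is enriched with one dictionary lookup."""
    def __init__(self, assets):
        self.by_mac = {a.mac: a for a in assets}
        self.by_ip = {str(ipaddress.ip_address(a.ip)): a for a in assets}

    def enrich(self, alert):
        """Return a copy of the alert with an 'asset' block; MAC wins over IP since a DHCP lease may have moved the IP."""
        out = dict(alert)
        mac = normalize_mac(alert.get("src_mac"))
        asset = self.by_mac.get(mac) if mac else None
        matched_on = "mac" if asset else None
        if asset is None and alert.get("src_ip"):
            try:
                asset = self.by_ip.get(str(ipaddress.ip_address(alert["src_ip"])))
            except ValueError:
                asset = None  # malformed address field: no match, but never crash the alert pipeline
            matched_on = "ip" if asset else None
        if asset is None:
            out.update(asset=None, enrichment="unmatched")  # itself a finding: possible shadow IT or rogue device
        else:
            out.update(asset=asdict(asset), enrichment=f"matched_on_{matched_on}")
        return out
```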