Motivated by the sudden growth of interest in Security Information and Event Management (SIEM)
mechanisms worldwide, companies that develop cybersecurity products started building their own SIEM
solutions as quickly as they could. Competing for market share, each of these companies developed
its own proprietary format for security rules and built an analysis engine tuned to work best with that
specific format.
Soon enough, the lack of interoperability between the different products in the SIEM spectrum
became a problem. This gave rise to Sigma, a generic and open signature format for writing
security-oriented rules that describe an anomaly in a simple and straightforward manner. The Sigma
language is very flexible and versatile and supports almost all existing log formats. It was designed
with the fact in mind that every organisation may have different and unique needs or requirements
from its cybersecurity product solution.
By using the Sigma rules language, a security analyst can create rules that can be utilised by any SIEM
product and share them with ease. Moreover, Sigma has created new opportunities for the
development of security in Computer Science: new products can be built that focus specifically on the
Sigma language and on the analysis of organisations based on their human threats and standard workflow.
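To make the "write the rule once, run it on any SIEM" point concrete, here is an added example (not code from this page or from the Sigma project) that evaluates a hypothetical Sigma rule, written in the public Sigma layout of logsource, named selections and a condition, against constructed process-creation events. The rule content, field names and events are assumptions made for the illustration; the evaluator is intentionally backend-neutral, which is what lets the same rule be translated for any product.

```python
import ast
from typing import Any

# Hypothetical Sigma rule, already parsed from YAML (key names follow the public Sigma layout).
# Constructed for this example; it is not taken from this page or from the Sigma rule repository.
RULE = {
    "title": "whoami execution from a non-shell parent (example rule)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe"},
        "filter": {"ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe"]},  # list = OR
        "condition": "selection and not filter",
    },
}

def field_matches(spec: str, expected: Any, event: dict) -> bool:
    """Apply a Sigma field modifier (endswith/startswith/contains, or exact match) to one event field."""
    field, _, modifier = spec.partition("|")
    value = str(event.get(field, ""))
    wanted = expected if isinstance(expected, list) else [expected]
    ops = {"endswith": value.endswith, "startswith": value.startswith,
           "contains": value.__contains__, "": value.__eq__}
    return any(ops[modifier](str(w)) for w in wanted)

def selection_matches(sel: dict, event: dict) -> bool:
    """Every field in a selection map must match (Sigma AND semantics inside a selection)."""
    return all(field_matches(k, v, event) for k, v in sel.items())

def eval_condition(expr: str, results: dict) -> bool:
    """Evaluate an 'a and not b' style condition with the ast module instead of eval()."""
    def walk(node):
        if isinstance(node, ast.BoolOp):
            vals = [walk(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name):
            return results[node.id]
        raise ValueError(f"unsupported condition syntax: {ast.dump(node)}")
    return walk(ast.parse(expr, mode="eval").body)

def rule_matches(rule: dict, event: dict) -> bool:
    det = rule["detection"]
    names = {k: selection_matches(v, event) for k, v in det.items() if k != "condition"}
    return eval_condition(det["condition"], names)

# Constructed sample events (not real telemetry): only the second one should fire the rule.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Temp\\svc.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

def matching_events(rule: dict = RULE, events: list = EVENTS) -> list:
    return [e for e in events if rule_matches(rule, e)]
```

Swapping `rule_matches` for a function that emits a product-specific query string from the same `RULE` dictionary is exactly the translation step a Sigma converter performs for each SIEM backend.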
In conclusion, the Sigma rules language makes knowledge sharing easy and allows different SIEM
platforms to collaborate. This is very important for the continuation of their development and the
improvement of SIEM products in general. A common result of the existence of an open standard
format like Sigma is also the flourishing of market competition around it, which makes Sigma-based
products cheaper and/or of improved quality. Sigma is here to stay, and it sits at the centre of
attention in the world of SIEM development.
Kyriakos Stavridis
InnoSec, Greece