Blog Wonders


Friday 11 January 2013

Security Information And Event Management (SIEM)
The term Security Information and Event Management (SIEM) describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. SIEM systems are typically expensive to deploy and complex to operate and manage. While Payment Card Industry Data Security Standard (PCI DSS) compliance has traditionally driven SIEM adoption in large enterprises, concerns over advanced persistent threats (APTs) have led smaller organizations to look at the benefits a SIEM managed security service provider (MSSP) can offer.

The acronyms SEM, SIM and SIEM have been used interchangeably, though there are differences in meaning and product capabilities. The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as Security Event Management (SEM). The second area, which provides long-term storage, analysis and reporting of log data, is known as Security Information Management (SIM). As with many evolving capability definitions, changing requirements continually shape new derivatives of the SIEM product category; the need for voice-centric visibility, or vSIEM (voice security information and event management), is a recent example of this evolution.

SEMs are a relatively new idea, pioneered in 1999 by a small company called E-Security, and in 2010 are still evolving rapidly. Just a year or two ago they were called security information managers (SIMs) and are also called security information and event managers (SIEMs). An adjacent, but somewhat different market also exists for Log Management; although these two fields are closely related, Log Management typically focuses on collection and storage of data whereas SEM focuses on data analysis. Some vendors specialize in one market or the other and some do both, or have complementary products.

Many systems and applications which run on a computer network generate events which are kept in event logs. These logs are essentially lists of activities that occurred, with records of new events being appended to the end of the logs as they occur. Protocols such as Syslog and SNMP can be used to transport these events, as they occur, to logging software that is not on the same host on which the events are generated. The better SEMs provide a flexible array of supported communication protocols to allow for the broadest range of event collection.
It is beneficial to send all events to a centralized SEM system for the following reasons:
  • Access to all logs can be provided through a consistent central interface
  • The SEM can provide secure, forensically sound storage and archival of event logs (this is also a classic Log Management function)
  • Powerful reporting tools can be run on the SEM to mine the logs for useful information
  • Events can be parsed as they hit the SEM for significance, and alerts and notifications can be immediately sent out to interested parties as warranted
  • Related events occurring on multiple systems can be detected, which would be impossible if each system kept only its own separate log
  • Events which are sent from a system to a SEM remain on the SEM even if the sending system fails or the logs on it are accidentally or intentionally erased
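The cross-system correlation point in the list above, as an added example that is not part of the original post: a small Python correlator that parses syslog-style lines as a central SEM would receive them and flags a source address whose failed logins touch several hosts within a short window. The hostnames, addresses and users in the sample lines are constructed for this example; any single host's log shows only one or two failures, and only the central view reveals the sweep.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events: syslog-style lines from several hosts as they
# would arrive at a central SEM. Hosts, IPs and users are made up.
SAMPLE_EVENTS = """\
Jan 11 09:00:01 web01 sshd[2101]: Failed password for admin from 198.51.100.7 port 40122 ssh2
Jan 11 09:00:03 db01 sshd[887]: Failed password for admin from 198.51.100.7 port 40130 ssh2
Jan 11 09:00:04 app02 sshd[4410]: Failed password for root from 198.51.100.7 port 40138 ssh2
Jan 11 09:00:09 web01 sshd[2105]: Accepted password for deploy from 192.0.2.15 port 51000 ssh2
Jan 11 09:00:12 mail01 sshd[311]: Failed password for admin from 198.51.100.7 port 40150 ssh2
Jan 11 09:30:00 web01 sshd[2190]: Failed password for bob from 203.0.113.9 port 60001 ssh2
"""

# BSD syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<app>\w+)\[\d+\]: "
    r"(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")

def parse_event(line, year=2013):
    """Parse one syslog-style line into a dict, or return None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "app": m["app"], "msg": m["msg"]}

def correlate_failed_logins(lines, min_hosts=3, window_seconds=60):
    """Alert on a source IP whose failed logins hit >= min_hosts distinct hosts
    within window_seconds. Invisible per host; visible only in the central view."""
    by_src = defaultdict(list)
    for line in lines.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        f = FAILED_RE.search(ev["msg"])
        if f:
            by_src[f["src"]].append((ev["ts"], ev["host"]))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()  # sliding window over chronologically ordered failures
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "hosts": sorted(hosts), "first_seen": start})
                break
    return alerts
```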
