Security Information And Event Management (SIEM)
Security event managers (SEMs) are a relatively new idea, pioneered in 1999 by a small company called E-Security, and in 2010 they are still evolving rapidly. Just a year or two ago they were called security information managers (SIMs), and they are also called security information and event managers (SIEMs). An adjacent but somewhat different market also exists for Log Management; although the two fields are closely related, Log Management typically focuses on the collection and storage of data, whereas SEM focuses on data analysis. Some vendors specialize in one market or the other, and some do both or have complementary products.
Many systems and applications that run on a computer network generate events, which are kept in event logs. These logs are essentially lists of activities that occurred, with records of new events appended to the end of the log as they happen. Protocols such as Syslog and SNMP can be used to transport these events, as they occur, to logging software that is not on the same host on which the events are generated. The better SEMs support a flexible array of communication protocols to allow for the broadest possible range of event collection.
It is beneficial to send all events to a centralized SEM system for the following reasons:
- Access to all logs can be provided through a consistent central interface
- The SEM can provide secure, forensically sound storage and archival of event logs (this is also a classic Log Management function)
- Powerful reporting tools can be run on the SEM to mine the logs for useful information
- Events can be parsed for significance as they hit the SEM, and alerts and notifications can be sent immediately to interested parties as warranted
- Related events that occur on multiple systems can be detected, which would be impossible if each system kept a separate log
- Events that have been sent from a system to the SEM remain on the SEM even if the sending system fails or the logs on it are accidentally or intentionally erased
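To show what the last two points mean in practice, here is a small added example (not from the original post or any particular product): it parses a handful of constructed BSD-style syslog lines as a central collector would receive them from several hosts, then correlates failed SSH logins by source address to flag a source that no single host's log could reveal on its own. The host names, addresses and message texts are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (RFC 3164 style) as they might arrive at a
# central collector from three different hosts. All values are made up.
SAMPLE_SYSLOG = """\
<38>Mar 14 10:01:02 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
<38>Mar 14 10:01:09 db01 sshd[913]: Failed password for root from 203.0.113.7 port 51031 ssh2
<38>Mar 14 10:01:15 app02 sshd[4410]: Failed password for admin from 203.0.113.7 port 51040 ssh2
<38>Mar 14 10:01:20 web01 sshd[2203]: Accepted password for deploy from 198.51.100.4 port 40122 ssh2
<38>Mar 14 10:02:33 app02 sshd[4419]: Failed password for admin from 198.51.100.9 port 40200 ssh2
"""

# <PRI>TIMESTAMP HOST APP[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>[\d.]+)")


def parse_syslog(line):
    """Parse one BSD-style syslog line into a dict; return None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # PRI encodes facility * 8 + severity (38 -> facility 4 "auth", severity 6 "info")
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    return rec


def correlate_failed_logins(lines, min_hosts=2):
    """Group failed SSH logins by source address and return the sources that hit at
    least `min_hosts` distinct hosts, the cross-system view only central logs give."""
    hosts_by_src = defaultdict(set)
    for line in lines.splitlines():
        rec = parse_syslog(line)
        if rec is None:          # skip lines the collector cannot parse
            continue
        f = FAILED_RE.search(rec["msg"])
        if f:
            hosts_by_src[f.group("src")].add(rec["host"])
    return {src: sorted(h) for src, h in hosts_by_src.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for src, hosts in correlate_failed_logins(SAMPLE_SYSLOG).items():
        print(f"ALERT: {src} failed logins on {len(hosts)} hosts: {', '.join(hosts)}")
```

On the sample above only 203.0.113.7 is flagged: each individual host saw a single failure, which looks harmless until the three logs are viewed together.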