SIEM (Security Information and Event Management)
In 2017, SIEM is seen as a necessary part of any significant enterprise security effort, but choosing the right SIEM solution for your organization isn’t easy. SIEM has a reputation as a complex and convoluted product, and implementation is a daunting process that can take weeks or even months to complete. Rush that process and you could end up with massive cost overruns or worse, an expensive, failed deployment.
To complicate things further, SIEM is a mature market full of vendors capable of meeting the basic log management, compliance, and event monitoring requirements of a typical customer, but whose points of differentiation may not be obvious to the untrained eye. However, as similar as they may seem, many SIEM solutions are optimized for drastically different use-cases, and one size almost never fits all.
Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security.
The underlying principle of a SIEM system is that relevant data about an enterprise’s security is produced in multiple locations and being able to look at all the data from a single point of view makes it easier to spot trends and see patterns that are out of the ordinary. SIEM combines SIM (security information management) and SEM (security event management) functions into one security management system.
A SEM system centralizes the storage and interpretation of logs and allows near real-time analysis which enables security personnel to take defensive actions more quickly. A SIM system collects data into a central repository for trend analysis and provides automated reporting for compliance and centralized reporting. By bringing these two functions together, SIEM systems provide quicker identification, analysis and recovery of security events. They also allow compliance managers to confirm they are fulfilling an organization’s legal compliance requirements.
A SIEM system collects logs and other security-related documentation for analysis. Most SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment — and even specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console, which performs inspections and flags anomalies. To allow the system to identify anomalous events, it’s important that the SIEM administrator first creates a profile of the system under normal event conditions.
At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. In some systems, pre-processing may happen at edge collectors, with only certain events being passed through to a centralized management node. In this way, the volume of information being communicated and stored can be reduced.