Security information and event management

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Security information and event management (SIEM) is a term for software products and services combining security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM is sold as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes.[1]

The acronyms SEM, SIM and SIEM have been sometimes used interchangeably.[2] The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as security event management (SEM). The second area provides long-term storage as well as analysis and reporting of log data, and is known as security information management (SIM).[3] As with many meanings and definitions of capabilities evolving requirements continually shape derivatives of SIEM product categories. The need for voice centric visibility or vSIEM (voice security information and event management) is a recent example of this evolution.

The term security information event management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005,[4] describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. A key focus is to monitor and help manage user and service privileges, directory services and other system configuration changes; as well as providing log auditing and review and incident response.[3]

As of November 2014, Mosaic Security Research identified 73 SIEM and log management products.[5]

Capabilities[edit]

  • Data aggregation : Log management aggregates data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
  • Correlation : looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the Security Event Management portion of a full SIEM solution[6]
  • Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues. Alerting can be to a dashboard, or sent via third party channels such as email.
  • Dashboards: Tools can take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.[7]
  • Compliance: Applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.[8]
  • Retention: employing long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements. Long term log data retention is critical in forensic investigations as it is unlikely that discovery of a network breach will be at the time of the breach occurring.[9]
  • Forensic analysis: The ability to search across logs on different nodes and time periods based on specific criteria. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs.[8]

Vendor products[edit]

[22]

See also[edit]

References[edit]

  1. ^ "SIEM: A Market Snapshot". Dr.Dobb's Journal. 5 February 2007. 
  2. ^ Swift, David (26 December 2006). "A Practical Application of SIM/SEM/SIEM, Automating Threat Identification" (PDF). SANS Institute. p. 3. Retrieved 14 May 2014. ...the acronym SIEM will be used generically to refer... 
  3. ^ a b Jamil, Amir (29 July 2009). "The difference between SEM, SIM and SIEM" (Blog). 
  4. ^ The Future of SIEM - The market will begin to diverge
  5. ^ Mosaic Security Research
  6. ^ Correlation
  7. ^ Understanding and Selecting SIEM/LM: Use Cases
  8. ^ a b Compliance Management and Compliance Automation – How and How Efficient, Part 1
  9. ^ http://www.verizonbusiness.com/about/events/2012dbir/ Data Breach Report
  10. ^ "Assuria Log Manager Overview". Assuria Ltd. Retrieved 24 March 2015. 
  11. ^ "CCTM - Awards - Assuria Log Manager Version 4". UK Government (Crown Copyright). 2011. Archived from the original on 4 December 2011. Retrieved 24 March 2015. 
  12. ^ LogRhythm Positioned as a Leader in Gartner’s 2014 SIEM Magic Quadrant
  13. ^ Info-Tech Research Group Designates LogRhythm a “Champion” in 2014-15 SIEM Vendor Landscape Report
  14. ^ LogRhythm Named Company of the Year for 2014
  15. ^ DCIG Ranks LogRhythm SIEM No.1 and “Best-in-Class” in SIEM Appliance Buyer’s Guide
  16. ^ Information Security Magazine and SearchSecurity.com Crown LogRhythm’s Solution as Best SIEM Security Product
  17. ^ LogRhythm Awarded 5 Stars in SC Mag. SIEM Group Test
  18. ^ Netwrix Auditor
  19. ^ Splunk Named Leader in Gartner SIEM MQ
  20. ^ Splunk Enterprise Selected Best SIEM Appliance in 2013 SC Awards
  21. ^ Splunk App for Enterprise Security
  22. ^ Hawk