Security information and event management

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Security information and event management (SIEM) is a subsection within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.

Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes.[1]

The term and the initialism SIEM was coined by Mark Nicolett and Amrit Williams of Gartner in 2005.[2]


The acronyms SEM, SIM and SIEM have sometimes been used interchangeably,[3] but generally refer to the different primary focus of products:

  • Log management: Focus on simple collection and storage of log messages and audit trails[4]
  • Security information management (SIM): Long-term storage as well as analysis and reporting of log data.[5]
  • Security event manager (SEM): Real-time monitoring, correlation of events, notifications and console views.
  • Security information and event management (SIEM): Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.[1][6]
  • Managed Security Service: (MSS) or Managed Security Service Provider: (MSSP): The most common managed services appear to evolve around connectivity and bandwidth, network monitoring, security, virtualization, and disaster recovery.
  • Security as a service (SECaaS): These security services often include authentication, anti-virus, anti-malware/spyware, intrusion detection, Penetration testing and security event management, among others.

In practice many products in this area will have a mix of these functions, so there will often be some overlap – and many commercial vendors also promote their own terminology.[7] Oftentimes commercial vendors provide different combinations of these functionalities which tend to improve SIEM overall. Log management alone doesn’t provide real-time insights on network security, SEM on its own won't provide complete data for deep threat analysis. When SEM and log management are combined, more information is available for SIEM to monitor.

A key focus is to monitor and help manage user and service privileges, directory services and other[clarification needed] system-configuration changes; as well as providing log auditing and review and incident response.[5]


  • Data aggregation: Log management aggregates data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
  • Correlation: Looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the Security Event Management portion of a full SIEM solution[8]
  • Alerting: The automated analysis of correlated events
  • Dashboards: Tools can take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.
  • Compliance: Applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.[9]
  • Retention: Employing long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements. Long term log data retention is critical in forensic investigations as it is unlikely that discovery of a network breach will be at the time of the breach occurring.[10]
  • Forensic analysis: The ability to search across logs on different nodes and time periods based on specific criteria. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs.[9]

Use cases[edit]

Computer security researcher Chris Kubecka identified the following SIEM use cases, presented at the hacking conference 28C3 (Chaos Communication Congress).[11]

  • SIEM visibility and anomaly detection could help detect zero-days or polymorphic code. Primarily due to low rates of anti-virus detection against this type of rapidly changing malware.
  • Parsing, log normalization and categorization can occur automatically, regardless of the type of computer or network device, as long as it can send a log.
  • Visualization with a SIEM using security events and log failures can aid in pattern detection.
  • Protocol anomalies which can indicate a mis-configuration or a security issue can be identified with a SIEM using pattern detection, alerting, baseline and dashboards.
  • SIEMS can detect covert, malicious communications and encrypted channels.
  • Cyberwarfare can be detected by SIEMs with accuracy, discovering both attackers and victims.

Alerting examples[edit]

Some examples of customized rules to alert on event conditions involve user authentication rules, attacks detected and infections detected.[12]

Rule Goal Trigger Event Sources
Repeat Attack-Login Source Early warning for brute force attacks, password guessing, and misconfigured applications. Alert on 3 or more failed logins in 1 minute from a single host. Active Directory, Syslog (Unix Hosts, Switches, Routers, VPN), RADIUS, TACACS, Monitored Applications.
Repeat Attack-Firewall Early warning for scans, worm propagation, etc. Alert on 15 or more Firewall Drop/Reject/Deny Events from a single IP Address in one minute. Firewalls, Routers and Switches.
Repeat Attack-Network Intrusion Prevention System Early warning for scans, worm propagation, etc. Alert on 7 or more IDS Alerts from a single IP Address in one minute Network Intrusion Detection and Prevention Devices
Repeat Attack-Host Intrusion Prevention System Find hosts that may be infected or compromised
(exhibiting infection behaviors)
Alert on 3 or more events from a single IP Address in 10 minutes Host Intrusion Prevention System Alerts
Virus Detection/Removal Alert when a virus, spyware or other malware is detected on a host Alert when a single host sees an identifiable piece of malware Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors
Virus or Spyware Detected but Failed to Clean Alert when >1 Hour has passed since malware was detected, on a source, with no corresponding virus successfully removed Alert when a single host fails to auto-clean malware within 1 hour of detection Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events

See also[edit]


  1. ^ a b "SIEM: A Market Snapshot". Dr.Dobb's Journal. 5 February 2007.
  2. ^ Williams, Amrit (2005-05-02). "Improve IT Security With Vulnerability Management". Retrieved 2016-04-09. Security information and event management (SIEM)
  3. ^ Swift, John (26 December 2006). "A Practical Application of SIM/SEM/SIEM, Automating Threat Identification" (PDF). SANS Institute. p. 3. Retrieved 14 May 2014. ...the acronym SIEM will be used generically to refer...
  4. ^
  5. ^ a b Jamil, Amir (29 March 2010). "The difference between SEM, SIM and SIEM".
  6. ^ The Future of SIEM - The market will begin to diverge
  7. ^ Bhatt, S. (2014). "The Operational Role of Security Information and Event Management Systems". Privacy Security & Privacy, IEEE. 12: 35–41.
  8. ^ Correlation Archived 2014-10-19 at the Wayback Machine
  9. ^ a b "Compliance Management and Compliance Automation – How and How Efficient, Part 1". Archived from the original on 2011-07-23. Retrieved 2018-05-02.
  10. ^ "2018 Data Breach Investigations Report | Verizon Enterprise Solutions". Verizon Enterprise Solutions. Retrieved 2018-05-02.
  11. ^ "28c3: Security Log Visualization with a Correlation Engine". December 29, 2011. Retrieved November 4, 2017.
  12. ^ Swift, John (2010). "Successful SIEM and Log Management Strategies for Audit and Compliance". SANS Institute.