
Security Event Management / Logging

Definition

Security Information and Event Management (SIEM) solutions are a combination of the formerly disparate product categories of:

- SEM (security event management), which analyzes security event data in real time (for threat management, primarily in network events)
- SIM (security information management), which analyzes and reports on log data (for privileged user and resource access monitoring and compliance reporting, primarily in host and application events)

A SIEM solution makes it possible to address both internal and external threat management by collecting data (logs) about the security state of all critical components within a network and turning that data into useful information within a single interface, with two clear benefits: the ability to react to threats in real time and to meet compliance mandates.


User Benefits

A SIEM solution offers real-time monitoring and better visibility of security risks through fast detection of internal and external attacks. It takes over work that would otherwise require tens of people, and adds the correlation of seemingly unrelated events on top.


Business Impact

By implementing such a solution, the whole process, from collecting data to sending out reports, becomes easier, much faster and much more exact, giving a precise, easy-to-interpret picture of the level of security within an organization.

With a SIEM solution, incident response time drops from a few weeks or even months to a few minutes, by switching to an automated incident response strategy.


Products supporting this technology

- McAfee
- Micro Focus
- Splunk

Keeping your organization safe and secure can be a daunting task. Bots, worms, and hackers threaten it from the outside while data breaches, theft, and fraud threaten it from the inside. A bad economy only magnifies the problems. At the same time, increasing regulations and fines highlight the risk of failure in preventing these threats.

It’s never been more challenging to protect your business. As a result, the value of automated security and compliance monitoring has never been higher.

Security Information and Event Management (SIEM) solutions are a combination of the formerly disparate product categories of SIM (security information management) and SEM (security event management), addressing both internal and external threat management.

SIEM technology is defined by its ability to gather, analyze and present information from network and security devices, identity and access management applications, vulnerability management and policy compliance tools, operating system, database and application logs, and external threat data. A key focus is monitoring and helping to manage user and service privileges, directory services and other system configuration changes, as well as providing log auditing and review and incident response.

SIEM solutions come as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes.

It is beneficial to send all events to a centralized SIEM system for the following reasons:

  • Access to all logs can be provided through a consistent central interface
  • The SIEM can provide secure, forensically sound storage and archival of event logs (this is also a classic Log Management function)
  • Powerful reporting tools can be run on the SIEM to mine the logs for useful information
  • Events can be parsed for significance as they hit the SEM, and alerts and notifications can be sent out immediately to interested parties as warranted
  • Related events that occur on multiple systems can be detected, which would be impossible if each system kept a separate log
  • Regulatory requirements such as PCI DSS, ISO 27002, HIPAA, Sarbanes-Oxley and so on can be addressed


No matter how good an individual device is, if it is not monitored and correlated with the others it can be bypassed on its own, and the total security of a system will not exceed its weakest link. When monitored as a whole, with cross-device correlation, each device signals an alert as it is attacked, raising awareness and threat indications at each point, which allows additional defenses to be brought into play and an incident response proportional to the total threat.


IT infrastructure, and security systems in particular, produce vast quantities of logging information of varying quality. Although there is some consensus among groups of vendors for specific applications (e.g. web server software), most logs do not conform to any common format, and frequently do not even record the same basic information about what the system in question is doing.

The most compelling operational reason for a SIEM tool is to reduce the number of security events on any given day to a manageable, actionable list, and to automate analysis so that real attacks and intruders can be discerned.
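As an added illustration of the normalization and cross-device correlation described above (example code written for this page, not from any product named here), the following Python maps two unrelated native log formats onto one schema and collapses several events into a single actionable alert. The host names, addresses and field names are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two systems with different native formats:
# a syslog-style auth log and a key=value firewall log. No real hosts or addresses.
RAW_EVENTS = [
    "2024-03-01T10:00:01 host=db01 sshd[812]: Failed password for root from 203.0.113.5 port 4123 ssh2",
    "2024-03-01T10:00:03 host=db01 sshd[812]: Failed password for root from 203.0.113.5 port 4124 ssh2",
    "2024-03-01T10:00:05 host=db01 sshd[812]: Failed password for root from 203.0.113.5 port 4125 ssh2",
    "2024-03-01T10:00:20 host=db01 sshd[812]: Accepted password for root from 203.0.113.5 port 4126 ssh2",
    "ts=2024-03-01T10:00:25 dev=fw01 action=allow src=203.0.113.5 dst=10.0.0.20 dport=3389 proto=tcp",
    "2024-03-01T11:30:00 host=web01 sshd[200]: Failed password for alice from 198.51.100.7 port 5000 ssh2",
]

SYSLOG = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
KV = re.compile(r"^ts=(?P<ts>\S+) dev=(?P<host>\S+) action=(?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def normalize(line):
    """Map each native format onto one common schema: time, host, src, kind (plus format-specific extras)."""
    m = SYSLOG.match(line)
    if m:
        kind = "auth_fail" if m["result"] == "Failed" else "auth_success"
        return {"time": datetime.fromisoformat(m["ts"]), "host": m["host"], "src": m["src"], "kind": kind, "user": m["user"]}
    m = KV.match(line)
    if m:
        return {"time": datetime.fromisoformat(m["ts"]), "host": m["host"], "src": m["src"], "kind": "fw_" + m["action"], "dst": m["dst"]}
    return None  # unknown format: a real SIEM would count and flag unparsed events

def correlate(lines, fail_threshold=3, window=timedelta(minutes=5)):
    """Reduce many events to one alert: repeated failed logins from one source followed by a success
    on the same host, then firewall-allowed traffic from that source towards a different host."""
    events = sorted(filter(None, (normalize(l) for l in lines)), key=lambda e: e["time"])
    fails = defaultdict(list)  # (src, host) -> timestamps of recent failures
    alerts = []
    for e in events:
        key = (e["src"], e["host"])
        if e["kind"] == "auth_fail":
            fails[key].append(e["time"])
            fails[key] = [t for t in fails[key] if e["time"] - t <= window]  # keep only the window
        elif e["kind"] == "auth_success":
            recent = [t for t in fails[key] if e["time"] - t <= window]
            if len(recent) >= fail_threshold:
                onward = [x["dst"] for x in events if x["src"] == e["src"] and x["kind"] == "fw_allow"
                          and x["host"] != e["host"] and timedelta(0) <= x["time"] - e["time"] <= window]
                alerts.append({"src": e["src"], "host": e["host"], "user": e["user"],
                               "failures": len(recent), "onward": onward})
    return alerts
```

Six raw events in two formats become one alert; the lone failure on web01 never reaches an analyst.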


A good SIEM tool can provide the analytics and knowledge of a good security engineer while being automated and repeated against a mountain of events from a range of devices. Instead of 1,000 events (or less) per day, an engineer with a SIEM tool can handle 1,000,000 events per day (or more). And a SIEM doesn’t leave at night, find another job, or take vacations...
