Security Information and Event Management (SIEM)

SIEM software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by network hardware and applications.

Vendors sell SIEM as software, as appliances or as managed services; these products are also used to log security data and generate reports for compliance purposes.

Although the industry has settled on the term ‘SIEM’ as the catch-all term for
this type of security software, it evolved from several different (but complementary)
technologies that came before it.

A few other terms to know:

• LMS “Log Management System” – a system that collects and stores log files (from operating systems, applications, etc.) from multiple hosts and systems in a single location, allowing centralized access to logs instead of accessing them on each system individually.
 
• SLM/SEM “Security Log/Event Management” – an LMS, but marketed towards security analysts instead of system administrators. SEM is about highlighting the log entries that are more significant to security than others.
 
• SIM “Security Information Management” – an asset management system, but with features for joining security information to the assets. Hosts may have vulnerability reports listed in their summaries, and intrusion detection and antivirus alerts may be shown mapped to the systems involved.
 
• SEC “Security Event Correlation” – To a particular piece of software, three failed login attempts to the same user account from three different clients are just three lines in its logfile. To an analyst, that is a particular sequence of events worthy of investigation, and log correlation (looking for patterns across log entries) is a way to raise alerts when these things happen.
 
• SIEM “Security Information and Event Management” – SIEM is the “all of the above” option; as the above technologies were merged into single products, it became the generalized term for managing information generated from security controls and infrastructure. We’ll use the term SIEM for the rest of this presentation. Its core capabilities include:
  • Data aggregation: Log management aggregates data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
  • Correlation: looks for common attributes and links events together into meaningful bundles. A variety of correlation techniques can be applied to integrate different sources and turn raw data into useful information. Correlation is typically a function of the Security Event Management part of a full SIEM solution.
  • Alerting: the automated analysis of correlated events and production of alerts, to tell recipients of immediate issues. Alerting can be to a dashboard or sent via third-party channels such as email.
  • Dashboards: Tools can take event data and turn it into informational charts to aid in seeing patterns, or identifying activity that is not forming a standard pattern.
  • Compliance: Applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance, and auditing processes.
  • Retention: employing long-term storage of historical data to facilitate the correlation of data over time, and to provide the retention necessary for compliance requirements. Long-term log data retention is critical in forensic investigations, because a network breach is rarely discovered at the time it occurs.
  • Forensic analysis: The ability to search across logs on different nodes and time periods based on specific criteria. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs.
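The SEC scenario above (several failed logins for one account from different clients), as an added example that is not part of the original presentation or any vendor's product: a sliding-window correlation rule in Python, run over constructed sshd-style log lines. The log format, thresholds and function names are assumptions made for the example.

```python
# Added example: a minimal event-correlation rule of the kind the SEM part of a
# SIEM runs, written here for illustration only (not any vendor's code).
# Rule: `threshold` or more failed logins for the same account, from at least
# `distinct_sources` different clients, inside a sliding time window -> one alert.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines in an sshd-like format (not real data).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 host-a sshd: Failed password for alice from 10.0.0.5
2024-03-01T10:00:09 host-a sshd: Failed password for alice from 10.0.0.6
2024-03-01T10:00:15 host-a sshd: Accepted password for bob from 10.0.0.7
2024-03-01T10:00:20 host-a sshd: Failed password for alice from 10.0.0.7
2024-03-01T10:30:00 host-a sshd: Failed password for carol from 10.0.0.8
2024-03-01T10:30:01 host-a sshd: Failed password for carol from 10.0.0.8
2024-03-01T10:30:02 host-a sshd: Failed password for carol from 10.0.0.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_failed_logins(text):
    """Yield (timestamp, user, source) for each failed-login line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]

def correlate(text, threshold=3, distinct_sources=3, window=timedelta(minutes=5)):
    """Sliding-window correlation: returns one alert dict per (user, burst) that matches the rule."""
    recent = defaultdict(deque)   # user -> deque of (ts, src) still inside the window
    alerts = []
    for ts, user, src in parse_failed_logins(text):
        q = recent[user]
        q.append((ts, src))
        while q and ts - q[0][0] > window:   # expire events that fell out of the window
            q.popleft()
        sources = {s for _, s in q}
        if len(q) >= threshold and len(sources) >= distinct_sources:
            alerts.append({"user": user, "sources": sorted(sources), "last_seen": ts})
            q.clear()                         # reset so one burst yields one alert, not many
    return alerts
```

Note that carol's three failures come from a single client, so they do not match this rule; a separate rule with `distinct_sources=1` would be the place to catch a single-source password-guessing pattern.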