Wednesday 9 May 2012

SIEM

Security Information and Event Management is normally termed SIEM and is usually a combination of two solutions: Security Information Management (SIM) and Security Event Management (SEM).

Security Information Management is sometimes referred to as Log Management, while Security Event Management is often referred to as the Correlation Engine part of SIEM.

The Log Management layer should be able to collect audit logs in large quantities, while the Correlation Engine should be able to analyse the accounting and auditing logs, discovering significant behaviours and flagging them for assessment via alerts.

It is unusual, though not exceptional, for vendors to provide only one of the two solutions, either SIM or SEM. As an example, Splunk and LogLogic are known for robust SIM functionality but poor SEM capabilities, while NetIQ and RSA have strong SEM capabilities but weak SIM capability. Each of these security vendors has added extra capabilities to address its weak spot. It is worthwhile picking a product that has strong abilities spanning both SIM and SEM, for instance Tripwire, Nitro (now McAfee) or Q1 Labs (now IBM).

The challenge with any SIEM solution is that it will capture audit logs from throughout the enterprise, millions of them. If you are amassing these audit logs, you will need to look at them, and that is where the problem lies.

It is obvious that event log analysis improves your risk profile. In fact the Verizon Data Breach Report clearly suggests that in over 90% of the incidents they researched over the last 5 years, evidence of the breach was in the log files. If somebody had been conducting a thorough review of the audit logs at the time of the violation, the breach would have been identified and might have been shut down completely.

The problem is that conducting the desired level of assessment means dealing with millions or billions of accounting and auditing logs. You could attempt to do this manually; in reality that will be your only option if you have gone for a SIM-only solution. A much better choice is to use the intelligence of your SEM solution to examine questionable behaviours.

The key term here is "behaviours". It is generally unproductive to search for a single event, such as a new user being created, as in large enterprises this event can be quite common. However, if you could look for a combination of events, for example a new user created outside business hours, from a non-authorised IP address, and added to a privileged group such as Administrators, this would be a behaviour you should be concerned about and really should react to.

It is therefore essential that any SIEM solution you are looking at has the capacity to identify "behaviours" rather than single events, and just as essential that creating the behavioural rules is straightforward and intuitive, not requiring vendor support, as your team will be building a variety of them on a continuing basis.
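The behavioural rule described above (a user created out of hours, from a non-authorised address, then added to a privileged group) as an added correlation example; this is not code from the post or from any SIEM vendor, and the log line format, field names, authorised IP list and time window are assumptions for illustration.

```python
# Added example: a minimal behavioural correlation rule of the kind the post
# describes. Log format, field names and the authorised-IP list are assumptions.
from datetime import datetime, timedelta

AUTHORISED_ADMIN_IPS = {"10.0.5.10", "10.0.5.11"}   # assumed admin jump hosts
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
BUSINESS_HOURS = range(8, 18)                         # 08:00 to 17:59 local time
WINDOW = timedelta(minutes=30)                        # max gap between create and escalate

def parse(line):
    # Constructed log format: "<ISO time> <event> user=<name> src=<ip> [group=<g>]"
    ts, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}

def correlate(lines):
    """Return one alert per user whose creation was both out of hours AND from a
    non-authorised IP, and who was then added to a privileged group within WINDOW.
    A lone USER_CREATED event never raises an alert on its own."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    suspicious_creates = {}
    alerts = []
    for e in events:
        if e["event"] == "USER_CREATED":
            out_of_hours = e["ts"].hour not in BUSINESS_HOURS
            unauthorised = e["src"] not in AUTHORISED_ADMIN_IPS
            if out_of_hours and unauthorised:
                suspicious_creates[e["user"]] = e
        elif e["event"] == "GROUP_MEMBER_ADDED" and e.get("group") in PRIVILEGED_GROUPS:
            c = suspicious_creates.get(e["user"])
            if c and e["ts"] - c["ts"] <= WINDOW:
                alerts.append({"user": e["user"], "src": c["src"], "group": e["group"],
                               "created": c["ts"].isoformat(),
                               "escalated": e["ts"].isoformat()})
    return alerts

# Constructed sample log: one benign in-hours creation, one full behaviour chain
SAMPLE_LOG = [
    "2012-05-09T10:15:00 USER_CREATED user=jsmith src=10.0.5.10",
    "2012-05-09T10:16:00 GROUP_MEMBER_ADDED user=jsmith src=10.0.5.10 group=Staff",
    "2012-05-09T02:03:00 USER_CREATED user=svc_backup2 src=192.168.77.4",
    "2012-05-09T02:05:30 GROUP_MEMBER_ADDED user=svc_backup2 src=192.168.77.4 group=Administrators",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print("ALERT privileged account creation behaviour:", a)
```

Only the second chain is flagged: the in-hours creation from an authorised host never becomes a candidate, so its group change is ignored.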

Once behaviours of interest have been discovered, somebody will need to respond. In large enterprises this might be a dedicated Security Operations Centre (SOC) or a Network Operations Centre (NOC); in smaller enterprises it is likely to be the platform owners.

Standards such as PCI DSS, ISO 27001 and GPG 13 require SIEM capabilities if you are to meet your compliance obligations.
