SIEM – Security Information Event Management

Security Information Event Management is normally known as SIEM, and is traditionally a combination of two solutions: Security Information Management (SIM) and Security Event Management (SEM).

Security Information Management is often known as Log Management, while Security Event Management is also known as the Correlation Engine part of a SIEM.

The Log Management layer captures accounting and audit logs at large volumes, whereas the Correlation Engine analyses those logs, selecting critical behaviours and flagging them for examination via alerts.

It's uncommon, although not unheard of, for vendors to provide just one of the two solutions, either SIM or SEM. By way of example, Splunk and LogLogic are known for effective SIM capability but inadequate SEM functionality, while NetIQ and RSA have strong SEM functionality yet inadequate SIM capability. Each of these vendors has added further features in an effort to tackle its weakness. It is usually worthwhile getting a product with robust capabilities across both SIM and SEM, for example Tripwire, Nitro (now McAfee) or Q1 Labs (now IBM).

The challenge with any SIEM solution is that it is going to accumulate accounting and audit logs from across the organisation, an incredible number of them! If you are gathering these audit logs, it's likely you'll need to look at them, and that is exactly where the difficulty lies.

There is no question that log examination improves your organisation's risk profile. In fact, the Data Breach Report from Verizon suggests that in over 90% of the cases they reviewed over the past several years, evidence of the breach was present in the log data. If someone had been conducting a complete analysis of the accounting and audit logs at the time of the violation, the breach might have been identified and could have been stopped entirely.

However, conducting the necessary level of investigation means dealing with millions or billions of audit logs. You could attempt to do this manually, and in reality that may be your sole option if you have gone for a SIM-only solution; a much better choice is to use the intelligence of your SEM solution to examine questionable behaviours.

The key term here is "behaviours". It is largely pointless to look for an individual event, for instance a new user being created, as in large organisations this event is extremely common. If, however, you are able to locate a combination of events, for example a new user created, outside working hours, originating from a non-approved IP address, and added to a sensitive group such as Domain Administrators, this is likely to be a behaviour you are concerned about and really should react to.
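The behaviour described above is, in correlation-engine terms, a rule that joins several events on a shared key (the user name) within a time window and then scores the surrounding context. The following is an added example of such a rule written in plain Python; it is not code from any SIEM product. The key=value log format, the field names (`ts`, `event`, `user`, `group`, `actor`, `src`), the sensitive group names, the approved network range, the working-hours window and the ten-minute correlation window are all assumptions chosen for the illustration, and the sample log lines are constructed, not real data.

```python
"""Correlation rule: flag a behaviour (several related events), not a single event.

Added example. The log format, field names, group names, approved network,
working hours and correlation window below are assumptions for illustration.
"""
import shlex
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example, not from any real environment.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins"}
APPROVED_NETS = [ip_network("10.20.0.0/16")]      # assumed admin network
WORK_START, WORK_END = time(8, 0), time(18, 0)    # assumed working hours
WINDOW = timedelta(minutes=10)                    # creation -> group add window

# Constructed sample log lines (not real data). One event per line, key=value pairs.
SAMPLE_LOGS = """\
ts=2024-03-04T14:05:10 event=user_created user=jdoe actor=helpdesk1 src=10.20.0.15
ts=2024-03-04T14:06:02 event=group_added user=jdoe group="Sales Staff" actor=helpdesk1 src=10.20.0.15
ts=2024-03-04T02:13:44 event=user_created user=svc_backup2 actor=admin7 src=203.0.113.9
ts=2024-03-04T02:15:01 event=group_added user=svc_backup2 group="Domain Admins" actor=admin7 src=203.0.113.9
ts=2024-03-04T09:30:00 event=user_created user=temp99 actor=admin3 src=10.20.0.40
ts=2024-03-04T09:31:00 event=group_added user=temp99 group="Domain Admins" actor=admin3 src=10.20.0.40
"""


def parse_line(line):
    """Parse one key=value log line into a dict; quoted values are handled by shlex."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def outside_hours(ts):
    """True when the timestamp falls outside the assumed working-hours window."""
    return not (WORK_START <= ts.time() < WORK_END)


def approved_source(src):
    """True when the source address lies inside an approved network."""
    addr = ip_address(src)
    return any(addr in net for net in APPROVED_NETS)


def correlate(log_text, window=WINDOW):
    """Return alerts for: user created, then added to a sensitive group within `window`.

    Each alert lists the extra indicators (out-of-hours, unapproved source) that
    turn a routine administrative sequence into a behaviour worth a response.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    created = {}   # user -> most recent user_created event for that user
    alerts = []
    for ev in events:
        if ev["event"] == "user_created":
            created[ev["user"]] = ev
        elif ev["event"] == "group_added" and ev["group"] in SENSITIVE_GROUPS:
            origin = created.get(ev["user"])
            if origin is None or ev["ts"] - origin["ts"] > window:
                continue   # no recent creation for this user: not the behaviour we want
            indicators = []
            if outside_hours(origin["ts"]) or outside_hours(ev["ts"]):
                indicators.append("outside_working_hours")
            for e in (origin, ev):
                if not approved_source(e["src"]):
                    indicators.append("unapproved_source:" + e["src"])
                    break
            alerts.append({
                "user": ev["user"],
                "group": ev["group"],
                "actor": ev["actor"],
                "severity": "high" if indicators else "medium",
                "indicators": indicators,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed sample, the routine helpdesk case (jdoe, added to a non-sensitive group) produces nothing, temp99 produces a medium alert because the sensitive-group add alone is worth a look, and svc_backup2 produces a high alert carrying both extra indicators. The point of the design is that every condition lives in its own small function, so an analyst can adjust the hours, networks or group list without touching the correlation logic.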

Therefore, it's fundamental that any SIEM solution you're interested in has the capability to locate "behaviours" as opposed to individual events. Just as important, creating the behavioural rules should be simple and user-friendly, not requiring vendor support, since your team is going to be constructing a number of them on a continuing basis.

Once behaviours of concern have been identified, someone will have to respond. In large enterprises this may be a dedicated Security Operations Centre (SOC) or a Network Operations Centre (NOC); in smaller enterprises it is likely to be the platform owners.
