Security information and event management: Difference between revisions
mNo edit summary Tag: references removed |
JLRedperson (talk | contribs) m Undid revision 429812003 by Lucas.samaras (talk)--cannot link out to a public Web site from the body of a Wikipedia article; reverted back to reference |
||
Line 6: | Line 6: | ||
The term Security Information Event Management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005,<ref>[http://techbuddha.wordpress.com/2007/01/01/the-future-of-siem-%E2%80%93-the-market-will-begin-to-diverge/ The Future of SIEM - The market will begin to diverge]</ref> describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; [[vulnerability (computing)|vulnerability]] management and policy compliance tools; operating system, database and application logs; and external [[threat (computer)|threat]] data. A key focus is to monitor and help manage user and service privileges, directory services and other system configuration changes; as well as providing log auditing and review and incident response.<ref name="r1"/> |
The term Security Information Event Management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005,<ref>[http://techbuddha.wordpress.com/2007/01/01/the-future-of-siem-%E2%80%93-the-market-will-begin-to-diverge/ The Future of SIEM - The market will begin to diverge]</ref> describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; [[vulnerability (computing)|vulnerability]] management and policy compliance tools; operating system, database and application logs; and external [[threat (computer)|threat]] data. A key focus is to monitor and help manage user and service privileges, directory services and other system configuration changes; as well as providing log auditing and review and incident response.<ref name="r1"/> |
||
Commercial SIEM products include [[Accelops|AccelOps]], [[ArcSight]] (now a part of [[Hewlett Packard]] within the [[HP Software Division]]), BLUESOC, [[Cisco Security Monitoring, Analysis, and Response System|Cisco Security MARS]], ImmuneSecurity, LogLogic and [[SenSage]]. As of May 2011, [https://mosaicsecurity.com/categories/85-log-management-security-information-and-event-management Mosaic Security Research] identified 98 unique SIEM products. |
Commercial SIEM products include [[Accelops|AccelOps]], [[ArcSight]] (now a part of [[Hewlett Packard]] within the [[HP Software Division]]), BLUESOC, [[Cisco Security Monitoring, Analysis, and Response System|Cisco Security MARS]], ImmuneSecurity, LogLogic and [[SenSage]]. As of May 2011, <ref>[https://mosaicsecurity.com/categories/85-log-management-security-information-and-event-management Mosaic Security Research]</ref> identified 98 unique SIEM products. |
||
== SIEM Capabilities == |
== SIEM Capabilities == |
||
* '''Data Aggregation:''' SIEM/LM (log management) solutions aggregate data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events. |
* '''Data Aggregation:''' SIEM/LM (log management) solutions aggregate data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events. |
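Review bot: moving the Mosaic Security Research link into a <ref> in the second changed line of the Line 6 hunk leaves the sentence without a visible subject, since reference markup renders as a footnote number and the sentence then reads "As of May 2011, [4] identified 98 unique SIEM products." Keep the organisation name in the prose and attach the citation after it, for example "As of May 2011, Mosaic Security Research identified 98 unique SIEM products.<ref>[https://mosaicsecurity.com/categories/85-log-management-security-information-and-event-management Mosaic Security Research]</ref>", which satisfies the no-external-links-in-body reason given in the edit summary while keeping the sentence grammatical.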
Revision as of 01:37, 19 May 2011
Security Information and Event Management (SIEM) solutions are a combination of the formerly disparate product categories of SIM (security information management) and SEM (security event management). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes.[1]
The acronyms SEM, SIM and SIEM have been used interchangeably, though there are differences in meaning and product capabilities. The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as Security Event Management (SEM). The second area provides long-term storage, analysis and reporting of log data and is known as Security Information Management (SIM).[2]
The term Security Information Event Management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005,[3] describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. A key focus is to monitor and help manage user and service privileges, directory services and other system configuration changes, as well as to provide log auditing and review and incident response.[2]
Commercial SIEM products include AccelOps, ArcSight (now a part of Hewlett Packard within the HP Software Division), BLUESOC, Cisco Security MARS, ImmuneSecurity, LogLogic and SenSage. As of May 2011, Mosaic Security Research identified 98 unique SIEM products.[4]
SIEM Capabilities
- Data Aggregation: SIEM/LM (log management) solutions aggregate data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
- Correlation: looks for common attributes and links related events together into meaningful bundles. A range of correlation techniques integrates events from different sources, turning raw data into useful information.
- Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues.
- Dashboards: SIEM/LM tools take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.[5]
- Compliance: SIEM applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.[6]
- Retention: SIEM/SIM solutions employ long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements.
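The first three capabilities above (aggregation, correlation, alerting) can be illustrated with a miniature SIEM pipeline. The following is an added example written for this article, not code from the article or from any SIEM vendor: the log line formats, the normalized event schema, the field names and the "repeated failures followed by a success from the same address" rule are all assumptions chosen for illustration. It normalizes constructed SSH daemon and firewall lines into one schema, links events by a shared attribute (the source IP) inside a time window, and emits an alert when the rule fires; a per-IP summary stands in for the dashboard view.

```python
"""Added example: a miniature SIEM pipeline (aggregate -> normalize -> correlate -> alert).

Log formats, field names and the correlation rule are assumptions made for illustration;
they are not taken from the article or from any vendor product.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines from two sources (an SSH daemon and a firewall),
# stored as (source_name, raw_line).  Addresses are documentation ranges.
SAMPLE_LOGS = [
    ("sshd", "2011-05-19T01:30:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 5501 ssh2"),
    ("fw",   "2011-05-19T01:30:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389"),
    ("sshd", "2011-05-19T01:30:05 sshd[1203]: Failed password for root from 203.0.113.7 port 5502 ssh2"),
    ("sshd", "2011-05-19T01:30:09 sshd[1205]: Failed password for bob from 203.0.113.7 port 5503 ssh2"),
    ("sshd", "2011-05-19T01:30:40 sshd[1209]: Accepted password for bob from 203.0.113.7 port 5504 ssh2"),
    ("sshd", "2011-05-19T01:31:00 sshd[1211]: Failed password for alice from 198.51.100.4 port 6001 ssh2"),
    ("sshd", "2011-05-19T01:45:00 sshd[1250]: Accepted password for alice from 198.51.100.4 port 6002 ssh2"),
    ("fw",   "2011-05-19T01:31:10 DENY src=198.51.100.4 dst=192.0.2.10 dport=22"),
]

# Per-source parsers (assumed formats).
SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<action>DENY|ALLOW) src=(?P<ip>\S+) dst=\S+ dport=(?P<port>\d+)")


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalized into."""
    ts: datetime
    source: str
    action: str            # "auth_fail", "auth_ok", "fw_deny" or "fw_allow"
    src_ip: str
    user: str | None = None


def normalize(source: str, line: str) -> Event | None:
    """Parse one raw line from a known source into an Event; unknown lines are dropped."""
    if source == "sshd":
        m = SSH_RE.match(line)
        if not m:
            return None
        action = "auth_fail" if m["result"] == "Failed" else "auth_ok"
        return Event(datetime.fromisoformat(m["ts"]), source, action, m["ip"], m["user"])
    if source == "fw":
        m = FW_RE.match(line)
        if not m:
            return None
        return Event(datetime.fromisoformat(m["ts"]), source, "fw_" + m["action"].lower(), m["ip"])
    return None


def aggregate(raw_logs) -> list[Event]:
    """Data aggregation: consolidate all sources into one time-ordered event stream."""
    events = [e for src, line in raw_logs if (e := normalize(src, line)) is not None]
    return sorted(events, key=lambda e: e.ts)


def correlate_bruteforce(events, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Correlation + alerting: at least `threshold` auth failures from one IP, followed by a
    success from the same IP within `window`, produces one alert.  Events are linked by
    the shared src_ip attribute; the failure history resets after any success."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    alerts: list[dict] = []
    for e in events:
        if e.action == "auth_fail":
            failures[e.src_ip].append(e.ts)
        elif e.action == "auth_ok":
            recent = [t for t in failures[e.src_ip] if e.ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "src_ip": e.src_ip,
                               "user": e.user, "failures": len(recent), "at": e.ts.isoformat()})
            failures[e.src_ip].clear()
    return alerts


def activity_by_ip(events) -> dict[str, dict[str, int]]:
    """Dashboard-style summary: count normalized actions per source IP across all sources."""
    summary: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        summary[e.src_ip][e.action] += 1
    return {ip: dict(counts) for ip, counts in summary.items()}


if __name__ == "__main__":
    evs = aggregate(SAMPLE_LOGS)
    for alert in correlate_bruteforce(evs):
        print("ALERT", alert)
    for ip, counts in activity_by_ip(evs).items():
        print(ip, counts)
```

Run as a script, the pipeline raises one alert for 203.0.113.7 (three failures in under a minute, then a successful login as "bob"), while 198.51.100.4 produces none because its single failure falls outside the five-minute window of the later success. The point the example makes about correlation is that neither source alone carries the signal: the firewall denies and the SSH failures only become an actionable event once they are normalized into one schema and joined on the attribute they share.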
See also
- IT risk
- Security event manager
- Security information management
- Comparison of network monitoring systems
References
1. SIEM: A Market Snapshot
2. The difference between SEM, SIM and SIEM
3. The Future of SIEM - The market will begin to diverge
4. Mosaic Security Research
5. Understanding and Selecting SIEM/LM: Use Cases
6. Compliance Management and Compliance Automation – How and How Efficient, Part 1