The security market has undergone significant evolution within the past several years, resulting in a wide range of software, devices and management strategies. As the need to centralize becomes increasingly apparent, however, confusion over different product categories has made it difficult to define requirements.
One important element of confusion is in definitions. The acronyms SEM, SIM and SIEM have been used almost interchangeably; yet, there are differences in meaning and the capabilities of products in each classification. One segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as Security Event Management (SEM). The second area provides long-term storage, analysis and reporting of log data and is known as Security Information Management (SIM).
SEM provides real-time monitoring and event management to support IT security operations. SEM requires several capabilities: event and data collection, aggregation and correlation in near real time; a dynamic monitoring/security event console for viewing and managing events; and automated response generation for security events.
SIM delivers more historical analysis and reporting for security event data. This requires event and data collection/correlation (but not in real time), an indexed repository for log data and flexible query and reporting capabilities. When SEM and SIM are combined, they become Security Information and Event Management (SIEM).
There are common capabilities shared between SIM and SEM, among them workflow, asset weighting and reporting. To integrate the two there needs to be central management within an overarching solution. Security events gathered from hundreds or thousands of sources need to be filtered to reduce the effort required to manage and prioritize response activities. The analysis and queries must be flexible in order to allow for meaningful query response and views that make the most sense for performing security investigations.
Most products in the security management market have generally tended to fall within either the SIM or SEM areas—though some have claimed to provide both. In order to evaluate the effectiveness of a SIEM product, you must first gain an understanding of what a true SIEM implementation looks like.
SIEM product capabilities include gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. A key focus is to monitor and help manage user and service privileges, directory services and other system configuration changes, as well as to provide log auditing and review and incident response.
Event correlation is a defining characteristic of SIEM technology. Correlation establishes relationships between log entries or events that are generated by devices, systems or applications based on characteristics such as the source, target, protocol or event type. A major benefit of correlation is that it filters out duplicate and redundant data in order to reduce event noise and allow administrators to address high priority issues immediately with the right information to make informed remediation decisions.
Products provide either rule-based or statistical correlation (the latter for the “low and slow” threats not detected by predefined rules). Rule-based correlation was the first method to market and is the more prevalent approach today. It supports the creation of site- or situation-specific correlation rules. These rules establish the pattern of events, including which events occurred in what time period, in which order and on which systems. They are delivered out-of-the-box by vendors, with some offering the flexibility to modify existing rules or create new ones. Product scalability and deployment flexibility derive from vendor design decisions in the areas of product architecture, data collection techniques, agent design and coding practices.
While the security market has been growing for some time and most corporations have already installed a wide array of security products, early generation security management products do not satisfactorily meet new requirements, such as capturing log information, storing audit results for periods of months or years and performing forensic analysis. Many companies have already made investments in these focused security event monitoring products. With tightening budgets, it is important to ensure that the products already in place can continue to serve their function, with their value actually improved through provision of a next generation management scheme.
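The rule-based correlation described above (duplicate filtering, then a rule stating which events occur in which order, within what period and on which systems), as an added example that is not code from this article or from any SIEM product. The event tuples, host names and the `failures_then_success` rule are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from a real system): time, source, target, type.
RAW_EVENTS = [
    ("2024-01-01T10:00:00", "10.0.0.5", "srv-db1", "login_failure"),
    ("2024-01-01T10:00:00", "10.0.0.5", "srv-db1", "login_failure"),  # duplicate report
    ("2024-01-01T10:00:20", "10.0.0.5", "srv-db1", "login_failure"),
    ("2024-01-01T10:00:40", "10.0.0.5", "srv-db1", "login_failure"),
    ("2024-01-01T10:01:10", "10.0.0.5", "srv-db1", "login_success"),
    ("2024-01-01T10:02:00", "10.0.0.9", "srv-web1", "login_failure"),
    ("2024-01-01T10:30:00", "10.0.0.9", "srv-web1", "login_success"),
]

# Hypothetical rule: which events, in which order, within what time period.
RULE = {"name": "failures_then_success", "first": "login_failure", "min_count": 3,
        "then": "login_success", "window": timedelta(minutes=5)}

def deduplicate(events):
    """Drop exact repeats (same time, source, target, type), keeping order."""
    seen, unique = set(), []
    for ev in events:
        if ev not in seen:
            seen.add(ev)
            unique.append(ev)
    return unique

def correlate(events, rule):
    """Return one alert per (source, target) sequence matching the rule."""
    recent = defaultdict(deque)  # (source, target) -> times of recent 'first' events
    alerts = []
    for ts, src, dst, etype in sorted(deduplicate(events)):
        when, q = datetime.fromisoformat(ts), recent[(src, dst)]
        while q and when - q[0] > rule["window"]:
            q.popleft()          # expire events that fell outside the window
        if etype == rule["first"]:
            q.append(when)
        elif etype == rule["then"]:
            if len(q) >= rule["min_count"]:
                alerts.append({"rule": rule["name"], "source": src, "target": dst,
                               "matched": len(q) + 1, "time": ts})
            q.clear()            # the sequence ends at the 'then' event
    return alerts

if __name__ == "__main__":
    for alert in correlate(RAW_EVENTS, RULE):
        print(alert)
```

Seven raw events reduce to a single alert for `10.0.0.5` against `srv-db1`; the second source's failure and success are 28 minutes apart, outside the rule's window, so they produce none.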