Security information and event management (SIEM) is an
approach to security management that seeks to provide a holistic view of an
organization's information technology (IT) security. The acronym is pronounced
"sim" with a silent "e."
The underlying principle of a SIEM system is that relevant
data about an enterprise's security is produced in multiple locations and being
able to look at all the data from a single point of view makes it easier to
spot trends and see patterns that are out of the ordinary.
SIEM combines SIM (security information management) and SEM
(security event management) functions into one security management system. A
SEM system centralizes the storage and interpretation of logs and allows near
real-time analysis which enables security personnel to take defensive actions
more quickly. A SIM system collects data into a central repository for trend
analysis and provides automated reporting.
By bringing these two functions together, SIEM systems
provide quicker identification, analysis and recovery of security events. They
also allow compliance managers to confirm they are fulfilling an organization's
legal compliance requirements. SIEM systems collect logs and other
security-related documentation for analysis. Most SIEM systems work by deploying
multiple collection agents in a hierarchical manner to gather security-related
events from end-user devices, servers, network equipment -- and even
specialized security equipment like firewalls, antivirus or intrusion
prevention systems. The collectors forward events to a centralized management
console, which performs inspections and flags anomalies. To allow the system to
identify anomalous events, it’s important that the SIEM administrator first
creates a profile of the system under normal event conditions.
At the most basic level, a SIEM system can be rules-based or
employ a statistical correlation engine to establish relationships between
event log entries. In some systems, pre-processing may happen at edge
collectors, with only certain events being passed through to a centralized
management node. In this way, the volume of information being communicated and
stored can be reduced. The danger of this approach, however, is that relevant
events may be filtered out too soon.
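To make the two points above concrete (a simple rules-based correlation engine, and the risk of edge pre-processing discarding events that only matter in aggregate), here is an added example that is not part of the original article. The events, hosts and IP addresses are constructed; the rule ("three failed logins from one source across any hosts within 60 seconds, followed by a success") is an illustrative assumption, not a rule any particular SIEM product ships with.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as forwarded by three collectors:
# (host, timestamp, event_type, source_ip). One source fails on three
# different hosts, then succeeds on web01; another source fails once.
EVENTS = [
    ("web01", "2024-01-01T10:00:01", "auth_fail", "198.51.100.7"),
    ("web02", "2024-01-01T10:00:04", "auth_fail", "198.51.100.7"),
    ("db01",  "2024-01-01T10:00:09", "auth_fail", "198.51.100.7"),
    ("web01", "2024-01-01T10:00:15", "auth_ok",   "198.51.100.7"),
    ("web01", "2024-01-01T10:05:00", "auth_fail", "203.0.113.9"),
]

def edge_filter(events, drop_types):
    """Pre-processing at an edge collector: drops event types judged
    too noisy to forward to the central management node."""
    return [e for e in events if e[2] not in drop_types]

def correlate(events, window_s=60, threshold=3):
    """Rules-based correlation on the central node: alert when one source
    IP produces >= threshold auth_fail events (on any hosts) inside window_s
    seconds and then an auth_ok. Returns the alerting source IPs."""
    fails = defaultdict(list)   # source_ip -> recent failure timestamps
    alerts = []
    for host, ts, etype, ip in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if etype == "auth_fail":
            fails[ip].append(t)
            # keep only failures still inside the sliding window
            fails[ip] = [x for x in fails[ip] if t - x <= timedelta(seconds=window_s)]
        elif etype == "auth_ok" and len(fails[ip]) >= threshold and ip not in alerts:
            alerts.append(ip)
    return alerts

def per_host_alerts(events):
    """The same rule run on each host's logs in isolation (no central view)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e[0]].append(e)
    return {h: correlate(evs) for h, evs in by_host.items() if correlate(evs)}

if __name__ == "__main__":
    print("central view:     ", correlate(EVENTS))                              # ['198.51.100.7']
    print("per-host view:    ", per_host_alerts(EVENTS))                        # {}
    print("after edge filter:", correlate(edge_filter(EVENTS, {"auth_fail"})))  # []
```

Only the central view fires: each host alone sees a single failure, and an edge collector that drops "low-value" auth_fail events leaves the central node nothing to correlate, which is exactly the filtering-too-soon problem the article warns about.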
SIEM systems are typically expensive to deploy and complex
to operate and manage. While Payment Card Industry Data Security Standard (PCI
DSS) compliance has traditionally driven SIEM adoption in large enterprises,
concerns over advanced persistent threats (APTs) have led smaller organizations
to look at the benefits a SIEM managed security service provider (MSSP) can
offer.