Security information and event management

In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by network hardware and applications.

Vendors sell SIEM as software, as appliances or as managed services; these products are also used to log security data and generate reports for compliance purposes.

The acronyms SEM, SIM and SIEM have sometimes been used interchangeably. The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as security event management (SEM). The second area provides long-term storage as well as analysis and reporting of log data, and is known as security information management (SIM). As with many meanings and definitions of capabilities, evolving requirements continually shape derivatives of SIEM product categories. The need for voice-centric visibility, or vSIEM (voice security information and event management), provides a recent example of this evolution.

The term security information event management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005, describes:

- The product capabilities of gathering, analyzing and presenting information from network and security devices

- Identity and access-management applications

- Vulnerability management and policy-compliance tools

- Operating-system, database and application logs

- External threat data

A key focus is to monitor and help manage user and service privileges, directory services and other system-configuration changes, as well as providing log auditing and review and incident response.

Capabilities

- Data aggregation: Log management aggregates data from many sources, including network, security, server, database and application sources, providing the ability to consolidate monitored data to help avoid missing crucial events.

- Correlation: looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the Security Event Management portion of a full SIEM solution.

- Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues. Alerting can be to a dashboard, or sent via third-party channels such as email.

- Dashboards: tools can take event data and turn it into information charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.

- Compliance: applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.

- Retention: employing long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements. Long-term log data retention is critical in forensic investigations, as it is unlikely that discovery of a network breach will be at the time the breach occurs.

- Forensic analysis: the ability to search across logs on different nodes and time periods based on specific criteria. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs.
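To make the aggregation, correlation and forensic-analysis capabilities above concrete, here is a small added Python example that is not part of the Wikipedia article and does not represent any particular SIEM product. It takes log lines from two constructed sources in different native formats (sshd syslog lines and a key=value firewall export), normalises them into one event schema, runs a cross-host correlation rule, and answers a forensic query over all nodes for a time window. The hostnames, IP addresses, usernames and log lines are all constructed for illustration, and the year is assumed because syslog timestamps carry none.

```python
"""Toy SIEM pipeline: aggregate logs from several sources, normalise them,
correlate events across hosts, and run a forensic search.

Added example; not from the Wikipedia article or any SIEM vendor.  Log
lines, hosts, users and addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# --- Constructed sample logs in two different native formats -----------------
AUTH_LOG = [  # Linux sshd syslog lines from two hosts (constructed)
    "Mar 30 10:00:05 web01 sshd[812]: Failed password for root from 203.0.113.7 port 40122 ssh2",
    "Mar 30 10:00:09 web01 sshd[812]: Failed password for admin from 203.0.113.7 port 40130 ssh2",
    "Mar 30 10:00:20 db01 sshd[455]: Failed password for root from 203.0.113.7 port 40144 ssh2",
    "Mar 30 10:01:02 db01 sshd[460]: Accepted password for backup from 203.0.113.7 port 40150 ssh2",
    "Mar 30 10:05:00 web01 sshd[830]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2",
]
FIREWALL_LOG = [  # key=value firewall export (constructed)
    "ts=2018-03-30T10:00:03 action=allow src=203.0.113.7 dst=10.0.0.5 dport=22",
    "ts=2018-03-30T10:00:18 action=allow src=203.0.113.7 dst=10.0.0.6 dport=22",
]
YEAR = 2018  # syslog lines carry no year; assumed for the constructed data

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth(line):
    """Normalise one sshd syslog line into the common event schema."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "sshd", "host": m["host"], "src_ip": m["src"],
            "user": m["user"], "outcome": "failure" if m["result"] == "Failed" else "success"}


def parse_firewall(line):
    """Normalise one key=value firewall line into the common event schema."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {"ts": datetime.fromisoformat(kv["ts"]), "source": "firewall", "host": kv["dst"],
            "src_ip": kv["src"], "user": None, "outcome": kv["action"]}


def aggregate(auth_lines=AUTH_LOG, fw_lines=FIREWALL_LOG):
    """Data aggregation: pull every source into one time-ordered event list."""
    events = [e for e in map(parse_auth, auth_lines) if e]
    events += [parse_firewall(line) for line in fw_lines]
    return sorted(events, key=lambda e: e["ts"])


def correlate_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation: `threshold` failed logins from one source IP across *any*
    hosts within `window`, followed by a success from that IP, become one
    alert.  No single host sees enough failures to trip a per-host rule;
    only the aggregated, cross-host view does."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["source"] != "sshd":
            continue
        ip = e["src_ip"]
        if e["outcome"] == "failure":
            failures[ip].append(e)
            continue
        recent = [f for f in failures[ip] if e["ts"] - f["ts"] <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "src_ip": ip,
                           "hosts": sorted({f["host"] for f in recent} | {e["host"]}),
                           "user": e["user"], "ts": e["ts"]})
            failures[ip].clear()
    return alerts


def forensic_search(events, start, end, **criteria):
    """Forensic analysis: one query over all nodes for a time range and
    arbitrary field criteria, instead of reading each host's log by hand."""
    return [e for e in events if start <= e["ts"] <= end
            and all(e.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    evs = aggregate()
    for alert in correlate_brute_force(evs):
        print("ALERT", alert)
    hits = forensic_search(evs, datetime(2018, 3, 30, 10, 0), datetime(2018, 3, 30, 10, 2),
                           src_ip="203.0.113.7")
    print(f"{len(hits)} events from 203.0.113.7 in window")
```

Run as a script, the correlation rule produces one alert naming both `web01` and `db01`, because the three failures are spread over two hosts and only the aggregated view reaches the threshold; the forensic query then returns every firewall and sshd event from that address in the two-minute window without touching either host's raw log. A real SIEM does the same work with far more source parsers, a persistent event store for retention, and rules expressed in a query language rather than Python.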

From: https://en.wikipedia.org/wiki/Security_information_and_event_management
