Security Information Event Management is normally referred to as SIEM and is typically a collection of two technologies, Security Information Management (SIM) and Security Event Management (SEM).
Security Information Management is also often referred to as Log Management, with Security Event Management often referred to as the Correlation Engine portion of SIEM.
The Log Management layer should be able to collect accounting and audit logs at large volumes, whereas the Correlation Engine should be able to analyse the logs, picking out important behaviours and flagging them for review via alerts.
It is unusual, but not unheard of, for vendors to provide only one of the two solutions, either SIM or SEM. For example, Splunk and LogLogic are known for strong SIM capability but poor SEM capability, while ArcSight and RSA have strong SEM capability but poor SIM capability. All of these vendors have added extra capabilities in an attempt to address their weakness. It may be worth choosing a product that has strong capabilities across both SIM and SEM; sign up for our webcast (below) for some recommendations from independent experts.
Tip #1 – Ask your potential vendor whether they offer a SIM, SEM or SIEM solution; you most likely want a full SIEM solution even if you end up using one part more than the other.
The problem with any SIEM solution is that it will collect logs from across the enterprise, millions of them! If you are collecting these logs, you are likely to want to look at them, and that is where the problem lies.
Data Breach Report from Verizon
There is no doubt that log analysis improves your risk profile. In fact, the Data Breach Report from Verizon clearly states that in over 90% of the cases it investigated over the last five years, evidence of the breach was in the log files. If someone had been conducting a thorough analysis of the logs at the time of the breach, the breach would have been detected and could have been shut down.
The problem is that conducting the required level of analysis means going through millions or billions of logs. You could attempt to do this manually; in fact, that might be your only option if you have gone for a SIM-only solution. A better option is to utilise the intelligence of your SEM solution to look for suspicious behaviours.
The key word here is “behaviours”: it is mostly useless to look for a single event, for example a new user being created, as in large organisations this event is very common. However, if you can look for a combination of events, for example a new user created outside of business hours, from a non-approved IP address, and added to a privileged group such as Domain Administrators, that is a behaviour you should be concerned about and should respond to.
Tip #2 – Ask your potential vendor whether it is easy and intuitive for your personnel to create new behaviour rules, often referred to as Correlation rules.
It is therefore critical that any SIEM solution you are considering has the capability to find “behaviours” rather than single events, and it is just as important that creating the behavioural rules is easy and intuitive and does not require vendor support, as your team will be creating a number of them on an ongoing basis.
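To make the distinction between a single event and a behaviour concrete, here is an added example (not code from the original post or any vendor's product) of the correlation rule described above, run over a handful of constructed audit events. The event format, the field names, the approved network range and the one-hour window are all assumptions made for this illustration.

```python
# Added example: correlate "new user created, outside business hours, from a
# non-approved IP, added to a privileged group" into one alert. Everything
# here (event format, networks, sample events) is constructed, not real data.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

APPROVED_NETS = [ip_network("10.10.0.0/16")]   # assumed admin workstation range
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
BUSINESS_HOURS = range(8, 18)                  # 08:00-17:59 local time
WINDOW = timedelta(hours=1)                    # creation -> group add within 1h

# Constructed sample audit events, already normalised by the log layer (SIM)
SAMPLE_EVENTS = [
    {"event": "user_created", "user": "svc_backup", "src": "10.10.4.2",
     "ts": "2024-03-04T10:15:00", "group": None},
    {"event": "group_added", "user": "svc_backup", "src": "10.10.4.2",
     "ts": "2024-03-04T10:16:00", "group": "Domain Admins"},
    {"event": "user_created", "user": "tmpadmin", "src": "203.0.113.9",
     "ts": "2024-03-04T02:41:00", "group": None},
    {"event": "group_added", "user": "tmpadmin", "src": "203.0.113.9",
     "ts": "2024-03-04T02:43:00", "group": "Domain Admins"},
]

def is_approved(src):
    return any(ip_address(src) in net for net in APPROVED_NETS)

def correlate(events):
    """Return one alert per user matching every condition of the behaviour.

    No single event (a user creation, a group add) alerts on its own; only
    the full combination inside WINDOW does, which is what makes it a rule
    a SEM can run without flooding the SOC with routine account creations.
    """
    created = {}   # user -> (timestamp, src) for creations that look suspicious
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "user_created":
            if ts.hour not in BUSINESS_HOURS and not is_approved(e["src"]):
                created[e["user"]] = (ts, e["src"])
        elif e["event"] == "group_added" and e["group"] in PRIVILEGED_GROUPS:
            hit = created.get(e["user"])
            if hit and ts - hit[0] <= WINDOW:
                alerts.append({"user": e["user"], "src": hit[1],
                               "group": e["group"], "created": hit[0].isoformat()})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print("ALERT privileged account created outside policy:", a)
```

Only the `tmpadmin` account produces an alert; `svc_backup` was created in business hours from an approved range, so its identical group membership change stays a routine event.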
Once behaviours of concern have been identified, someone will need to respond to them. In large enterprises this might be a dedicated Security Operations Centre (SOC) or a Network Operations Centre (NOC); in smaller enterprises it is likely to be the platform owners.