As networks grow and become more complex, so too does the amount of data they produce. Everything, from switches to databases, produces event logs. Part of operating a secure infrastructure is collecting, reviewing and managing the deluge of event data. Security Information Management (SIM) and Security Event Management (SEM), often combined as SIEM, provide automated methods to gather, normalize, store and analyze event and log data.
SIM provides an enterprise-wide security monitoring and administration solution that collects data on events, analyzes the data, and gives security staff the information they need to respond to threats against enterprise assets. It is positioned as a security information management tool for enterprise-class network management centers or managed security service providers with an interest in protecting physical and/or logical assets.
A good SIEM deployment can offer many strong benefits:
- Event/log storage & archiving – A good SIM will provide a common platform for gathering, normalizing, and archiving logs and event data.
- Event aggregation and filtering – a SIM can help you locate the key events in a deluge of noise.
- Searching & analysis – SIM products automate searching and analyzing event data.
- Reporting – A SIM can help establish metrics for analyzing IT and security performance.
- Proactive alerting – SIM can provide real-time alerts regarding potentially dangerous activity.
- Incident response – A well managed SIM can provide valuable information to security analysts in the event of a security incident.
- Compliance – Many regulations require log and event management of some type. A SIM installation can help achieve compliance (it will not guarantee it.)
- Insight – Properly used, a SIM can give network and security staff insight into operations and help troubleshoot problems.
- Increased efficiency – A well implemented SIM makes the most of the staff time required to investigate and analyze security and network incidents.
Log Management vs SIEM
Log Management (LM) and SIEM are related but distinct technologies. LM products are centralized repositories for logs generated throughout the enterprise. LM will parse and normalize data for long-term storage. Some LM products include basic reporting, searching and analysis tools.
SIM products offer the same basic functionality as an LM product, but add deeper analytical and alerting capabilities, typically correlating events across multiple data sources (for example, a firewall and an authentication service) to identify potential security incidents that no single log shows on its own.
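The following is an added example, not code from the original page or from any SIEM product, that illustrates the difference described above and the normalize/aggregate/alert steps from the benefits list. It takes a few constructed log lines in two different formats (an OpenSSH auth log and a hypothetical key=value firewall log), normalizes them into one event schema (the log-management step), aggregates counts per source and IP (basic LM reporting), and then runs a SIEM-style correlation rule: several failed SSH logins from one IP inside a short window, followed by a successful login from the same IP, enriched with whether the firewall allowed that IP to the SSH port beforehand. The log lines, hostnames, IPs, thresholds and the rule name are all assumptions for illustration.

```python
"""Added example: LM-style normalization/aggregation vs SIEM-style cross-source correlation.
All log lines below are constructed for illustration; formats and addresses are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input, source 1: OpenSSH auth log (syslog format, no year, assumed UTC).
AUTH_LOG = """\
Mar 14 10:01:02 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 14 10:01:09 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 14 10:01:15 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 14 10:01:31 bastion sshd[2209]: Accepted password for root from 203.0.113.7 port 51250 ssh2
Mar 14 10:05:00 bastion sshd[2230]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
"""

# Constructed sample input, source 2: a hypothetical firewall log in key=value form (ISO timestamps, UTC).
FW_LOG = """\
2024-03-14T10:00:58Z fw01 action=allow src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2024-03-14T10:01:20Z fw01 action=deny src=192.0.2.9 dst=10.0.0.5 dport=3389 proto=tcp
2024-03-14T10:04:59Z fw01 action=allow src=198.51.100.20 dst=10.0.0.5 dport=22 proto=tcp
"""

YEAR = 2024  # syslog lines carry no year; assumed to match the firewall log

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>[\d.]+) port \d+")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src_ip>[\d.]+) "
    r"dst=(?P<dst_ip>[\d.]+) dport=(?P<dport>\d+)")


def parse_auth_line(line):
    """Map one sshd line onto the common schema; None if the line is not a login event."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "sshd", "host": m["host"], "src_ip": m["src_ip"],
            "user": m["user"], "action": "login",
            "outcome": "success" if m["outcome"] == "Accepted" else "failure"}


def parse_fw_line(line):
    """Map one firewall line onto the same schema (allow -> success, deny -> failure)."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "source": "firewall", "host": m["host"], "src_ip": m["src_ip"],
            "user": None, "action": "connection", "dport": int(m["dport"]),
            "outcome": "success" if m["action"] == "allow" else "failure"}


def normalize(auth_text, fw_text):
    """LM step: parse both sources into one time-ordered list of normalized events."""
    events = [parse_auth_line(l) for l in auth_text.splitlines()]
    events += [parse_fw_line(l) for l in fw_text.splitlines()]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def aggregate(events):
    """LM-style aggregation/reporting: event counts per (source, src_ip, outcome)."""
    return Counter((e["source"], e["src_ip"], e["outcome"]) for e in events)


def correlate_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """SIEM-style rule (hypothetical): >= threshold failed logins from one IP inside `window`,
    followed by a successful login from that IP. Each alert is enriched from the second source
    with whether the firewall allowed that IP to port 22 before the login."""
    alerts = []
    failures = defaultdict(list)   # src_ip -> timestamps of failed logins
    fw_allows = defaultdict(list)  # src_ip -> timestamps of allowed connections to 22
    for e in events:
        if e["source"] == "firewall":
            if e["outcome"] == "success" and e["dport"] == 22:
                fw_allows[e["src_ip"]].append(e["ts"])
            continue
        ip = e["src_ip"]
        if e["outcome"] == "failure":
            failures[ip].append(e["ts"])
            continue
        recent = [t for t in failures[ip] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "ssh_bruteforce_success", "src_ip": ip, "user": e["user"],
                           "ts": e["ts"], "failed_attempts": len(recent),
                           "fw_allowed_before": any(t <= e["ts"] for t in fw_allows[ip])})
        failures[ip].clear()  # one alert per burst; a success ends the burst
    return alerts


if __name__ == "__main__":
    evs = normalize(AUTH_LOG, FW_LOG)
    for key, n in sorted(aggregate(evs).items()):
        print("count", key, n)
    for a in correlate_bruteforce(evs):
        print("ALERT", a)
```

On the sample input the aggregation alone only reports that 203.0.113.7 produced three failures and one success; it is the correlation rule, combining the sequence of sshd outcomes with the firewall's allow record for the same IP, that turns those counts into a single actionable alert. A real deployment would also expire entries in `failures` for IPs that never succeed, which this example omits for brevity.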
Log Management Features
Some of the common functions of a log management system:
- Event/log storage & archiving – A good LM will provide a common platform for gathering, normalizing, and archiving logs and event data.
- Event aggregation and filtering – Some LM products offer basic event filtering and aggregation.
- Reporting – Most LM products have rudimentary reporting capabilities.
- Incident response – LM products can be helpful when tracking down incidents, as all the event log data is in one place.
- Searching & analysis – Most LM products have some basic search and analytical tools.