What is the Role of a SIEM in Detecting Events of Interest?


Algis Kibirkstis
November 2009

Introduction

Security Information and Event Management (SIEM) systems are a hybrid solution coming from two distinct security-related products: Security Information Management (SIM) systems, technologies focused upon policy and standards compliance through the consolidation of logs, the analysis of data and the reporting of findings; and Security Event Management (SEM) systems, which provide technical support in the management of threats, events and security incidents in real time.

The detection of events of interest can be performed through either functional group, with SEM supporting effective real-time monitoring capabilities and SIM providing an efficient means to wade through massive amounts of collected data records.

Real Time Detection Capabilities

SEM capabilities can provide a range of tools and functionalities to facilitate the management of security-related events, by assessing log data and correlating information coming from various sources. By not relying on a single source of information -- such as an IDS/IPS -- to flag potential breaches, the event management function can help reduce the number of false positives by first confirming that the discovered event was also observed by other systems in the environment. As the system is tuned over time, it becomes more effective at differentiating between full-blown security incidents and other types of event patterns.

Advanced SEM technologies support data visualization capabilities, which can help the security analyst quickly assess events and trends using graphical rendering tools. Threat analysis and event prioritization functions provide much-needed assistance to security operations staff, as they can focus their efforts on investigating events that have the highest threat rankings. And with built-in incident handling tools, such as the netForensics integration of the SANS six-step incident handling process, incident managers can use tried-and-true methodologies to resolve such events in a timely and effective manner.

Archive Record Management

SIM functions can be characterized as supporting non-real-time data analysis. Through the centralized collection and standardization of disparate system and application information (such as system logs, audit trails, event logs and transaction records), the security analyst can consult the archive and retrieve information through standardized queries. By storing all the information in one place, records from different systems (such as load balancers, packet filters, IDS/IPS, and servers) can be viewed in a way that reconstructs a timeline of discrete events, as they occurred across the monitored network.
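The two ideas above, corroborating an IDS alert against other sources before treating it as an event of interest, and normalizing disparate log formats so a per-host timeline can be reconstructed, are shown together in the following added example. It is not code from the original article or from any SIEM product; the log formats, regular expressions, field names and the five-second correlation window are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records from three source types (not from any real system).
RAW_LOGS = [
    ("ids", "2009-11-02T10:15:03 alert src=203.0.113.7 dst=10.0.0.5 sig=WEB-SQLi"),
    ("fw",  "2009-11-02T10:15:01 ACCEPT 203.0.113.7 -> 10.0.0.5:80"),
    ("web", '2009-11-02T10:15:04 10.0.0.5 203.0.113.7 "GET /login?id=1%27" 500'),
    ("ids", "2009-11-02T11:40:10 alert src=198.51.100.9 dst=10.0.0.5 sig=WEB-SQLi"),
    ("fw",  "2009-11-02T11:40:09 DROP 198.51.100.9 -> 10.0.0.5:80"),
]

# One hypothetical parser per source; each maps its own layout onto shared field names.
PARSERS = {
    "ids": re.compile(r"(?P<ts>\S+) alert src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<detail>\S+)"),
    "fw":  re.compile(r"(?P<ts>\S+) (?P<detail>ACCEPT|DROP) (?P<src>\S+) -> (?P<dst>[^:]+):\d+"),
    "web": re.compile(r'(?P<ts>\S+) (?P<dst>\S+) (?P<src>\S+) "(?P<detail>[^"]*)" (?P<status>\d+)'),
}

def normalize(raw):
    """Standardize every record into one schema so records can be compared."""
    events = []
    for source, line in raw:
        m = PARSERS[source].match(line)
        if not m:
            continue  # unparseable lines are left out of correlation rather than guessed at
        d = m.groupdict()
        events.append({"ts": datetime.fromisoformat(d["ts"]), "source": source,
                       "src": d["src"], "dst": d["dst"], "detail": d["detail"],
                       "status": d.get("status")})
    return sorted(events, key=lambda e: e["ts"])

def timeline(events, src):
    """Reconstruct the ordered sequence of records involving one client address."""
    return [(e["ts"].isoformat(), e["source"], e["detail"]) for e in events if e["src"] == src]

def corroborated_alerts(events, window=timedelta(seconds=5)):
    """Keep an IDS alert only when the firewall passed the flow and the target
    server itself logged a 5xx error for the same client inside the window."""
    hits = []
    for alert in (e for e in events if e["source"] == "ids"):
        near = [e for e in events if e is not alert and e["src"] == alert["src"]
                and e["dst"] == alert["dst"] and abs(e["ts"] - alert["ts"]) <= window]
        fw_ok = any(e["source"] == "fw" and e["detail"] == "ACCEPT" for e in near)
        srv_err = any(e["source"] == "web" and e["status"] and e["status"].startswith("5") for e in near)
        if fw_ok and srv_err:
            hits.append((alert["ts"].isoformat(), alert["src"], alert["detail"]))
    return hits
```

With the constructed input, only the first alert survives: the second was dropped at the firewall, so no other system saw it and it stays a lone IDS signal rather than an event of interest.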

Advanced SIM technologies can assess these types of consolidated records, as they are collected or on demand, for the purpose of flagging events and anomalous behaviour for future analysis. Forensic analysis is greatly facilitated through log management features, while the centralized logging capabilities help ease the task of managing retention times to comply with applicable laws and standards. And the report generation capabilities can help an organization demonstrate compliance levels during internal assessment periods and certification audit cycles.

SIEM systems can provide a means to detect events of interest in two distinct ways: by providing a real-time assessment of security-relevant information directed to it; and by supporting forensic analysis of log records collected from perimeter and internal nodes of the controlled environment.

Resources:

SIEM: A Market Snapshot

How to Select a SIEM Solution

The Convergence of SIEM and Log Management

Data Visualization Tool for Security

Nitrosecurity Named SC Magazine Industry Innovator For Threat Analysis

netForensics nFX Sim One
