SIEM (pronounced like “sim” in “simulation”), which stands for Security Information and Event Management, was originally conceived primarily as a log aggregation device. Today, however, a SIEM’s primary capabilities are providing threat detection, enabling faster incident investigation, and shortening your incident response time, while also giving you a unified, holistic view of your infrastructure. A SIEM is just one piece of the puzzle of securing and monitoring your network and systems – a puzzle that, according to Michael Oberlaender, is a 10-piece stack that can appear quite daunting at first.

On a slightly more in-depth level, a SIEM generally provides the following:

  • Event & Log Collection: aggregation of event and log data from sources across your network for easier monitoring.
  • Dashboards: frequently take the form of information charts put together from collected data to make it easier to identify patterns or anomalous activity.
  • Correlation: linking events together on the basis of common attributes to turn the data into meaningful groups that can then be contextualized.
  • Alerting: automated analysis of correlated events that notifies analysts of matches, and can also support verification of continuous monitoring, trend analysis, and auditing.
  • Forensic Analysis: the ability to use specific criteria to search across logs on different nodes and/or time periods.
  • Compliance: automating the gathering of compliance data via applications to produce reports adapted to existing security, governance, and/or auditing processes.
  • Retention: storing historical data long-term to ease the correlation of data over time and to enable the application of compliance requirements.
  • Normalization: translating raw, source-specific log formats into readable, consistently structured data for easier display and for mapping to user- or vendor-defined classifications and/or characterizations. Sometimes referred to as field mapping.
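To make the normalization, correlation and alerting capabilities above concrete, here is an added example written for this page (not code from any SIEM product): it maps two constructed, differently formatted log sources into one schema, links events by their shared source IP, and raises an alert when a successful login follows repeated failures from that IP. The log formats, the year assumed for the syslog timestamps, the assumption that all sources log in UTC, and the three-failures-in-60-seconds rule are all illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input from two sources (formats assumed for illustration, not real product logs).
SSHD_LOG = [
    "Jan 10 09:00:01 web01 sshd[201]: Failed password for alice from 203.0.113.7 port 5222 ssh2",
    "Jan 10 09:00:05 web01 sshd[201]: Failed password for alice from 203.0.113.7 port 5223 ssh2",
    "Jan 10 09:00:15 web01 sshd[201]: Accepted password for alice from 203.0.113.7 port 5225 ssh2",
]
WEB_LOG = [
    '203.0.113.7 - bob [10/Jan/2024:09:00:03 +0000] "POST /login HTTP/1.1" 401 12',
    '198.51.100.9 - carol [10/Jan/2024:09:00:04 +0000] "POST /login HTTP/1.1" 200 12',
]
SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: "
                     r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
WEB_RE = re.compile(r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "POST /login[^"]*" (?P<status>\d{3})')

def normalize(line):
    """Normalization / field mapping: raw line -> common schema, or None if the line is unrecognized."""
    if m := SSHD_RE.match(line):
        return {"source": "sshd", "user": m["user"], "src_ip": m["src"],
                "outcome": "success" if m["outcome"] == "Accepted" else "failure",
                "ts": datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")}  # syslog has no year; 2024 assumed
    if m := WEB_RE.match(line):
        return {"source": "web", "user": m["user"], "src_ip": m["src"],
                "outcome": "success" if m["status"] == "200" else "failure",
                "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)}  # all UTC assumed
    return None

def correlate(events, threshold=3, window_s=60):
    """Correlation + alerting: link events by source IP across log sources, then flag a
    success that is preceded by >= threshold failures from that IP within window_s seconds."""
    failures, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        fails = failures[e["src_ip"]]
        if e["outcome"] == "failure":
            fails.append(e)
            continue
        recent = [f for f in fails if (e["ts"] - f["ts"]).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append({"src_ip": e["src_ip"], "user": e["user"], "failures": len(recent),
                           "sources": sorted({f["source"] for f in recent})})
        fails.clear()  # a success ends that IP's current run of failures
    return alerts

def run(lines=SSHD_LOG + WEB_LOG):
    """Collect -> normalize -> correlate -> alert over the constructed sample input."""
    return correlate([e for e in map(normalize, lines) if e])
```

Note that the alert fires only because the two sshd failures and the one web failure are linked by source IP; neither source on its own reaches the threshold.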

A SIEM isn’t just a plug-and-forget product, though. If all your company does is purchase a SIEM, hook it into the network, and then assume that the SIEM has the (Read more...)