Security information and event management


Security information and event management is a subsection within the field of computer security, where software products and services combine security information management and security event management. They provide real-time analysis of security alerts generated by applications and network hardware.
Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes.
The term and the initialism SIEM was coined by Mark Nicolett and Amrit Williams of Gartner in 2005.

Overview

The acronyms SEM, SIM and SIEM have sometimes been used interchangeably, but generally refer to the different primary focus of products:
In practice many products in this area have a mix of these functions, so there is often some overlap, and many commercial vendors also promote their own terminology. Commercial vendors often provide different combinations of these functionalities, which tend to improve SIEM overall. Log management alone does not provide real-time insights on network security, and SEM on its own does not provide complete data for deep threat analysis. When SEM and log management are combined, more information is available for SIEM to monitor.
A key focus is to monitor and help manage user and service privileges, directory services and other system-configuration changes, as well as to provide log auditing and review and incident response.
As with many meanings and definitions of capabilities, evolving requirements continually shape derivatives of SIEM product-categories. The need for voice-centric visibility or vSIEM provides a recent example of this evolution.
SIEM vendors include: Arcsight, , IBM, LogRhythm, Splunk and others.

Capabilities/components

Computer security researcher Chris Kubecka identified the following SIEM use cases, presented at the hacking conference 28C3.
Some examples of customized rules to alert on event conditions involve user authentication rules, attacks detected and infections detected.
Rule | Goal | Trigger | Event Sources
Repeat Attack-Login Source | Early warning for brute force attacks, password guessing, and misconfigured applications. | Alert on 3 or more failed logins in 1 minute from a single host. | Active Directory, Syslog, RADIUS, TACACS, Monitored Applications.
Repeat Attack-Firewall | Early warning for scans, worm propagation, etc. | Alert on 15 or more Firewall Drop/Reject/Deny Events from a single IP Address in one minute. | Firewalls, Routers and Switches.
Repeat Attack-Network Intrusion Prevention System | Early warning for scans, worm propagation, etc. | Alert on 7 or more IDS Alerts from a single IP Address in one minute. | Network Intrusion Detection and Prevention Devices.
Repeat Attack-Host Intrusion Prevention System | Find hosts that may be infected or compromised. | Alert on 3 or more events from a single IP Address in 10 minutes. | Host Intrusion Prevention System Alerts.
Virus Detection/Removal | Alert when a virus, spyware or other malware is detected on a host. | Alert when a single host sees an identifiable piece of malware. | Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors.
Virus or Spyware Detected but Failed to Clean | Alert when more than 1 hour has passed since malware was detected on a source, with no corresponding virus successfully removed. | Alert when a single host fails to auto-clean malware within 1 hour of detection. | Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events.
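The "Repeat Attack" rows above are all threshold-in-a-time-window correlation rules. The following added example (written for this article, not code from any SIEM product or from Kubecka's talk) implements that rule type generically as a sliding window keyed by rule and source, and runs the login, firewall and host-IPS rules from the table over constructed sample events; the event names, addresses and timestamps are assumptions made up for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the article): ISO timestamp, source address, event type.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "10.0.0.5", "auth_failure"),
    ("2024-01-01T10:00:20", "10.0.0.5", "auth_failure"),
    ("2024-01-01T10:00:40", "10.0.0.5", "auth_failure"),  # 3rd failure within 60 s -> alert
    ("2024-01-01T10:00:50", "10.0.0.9", "auth_failure"),
    ("2024-01-01T10:03:00", "10.0.0.9", "auth_failure"),  # spread out: stays below threshold
    ("2024-01-01T10:04:00", "10.0.0.9", "hips_alert"),
    ("2024-01-01T10:06:00", "10.0.0.9", "hips_alert"),    # only 2 HIPS events in 10 minutes
] + [
    # 15 firewall denies from one address, 3 s apart, all inside one minute -> alert
    (f"2024-01-01T10:05:{s:02d}", "198.51.100.7", "fw_deny") for s in range(0, 45, 3)
]

# Threshold rules from the table: (event type, how many from one source, in what window).
RULES = {
    "Repeat Attack-Login Source": ("auth_failure", 3, timedelta(minutes=1)),
    "Repeat Attack-Firewall": ("fw_deny", 15, timedelta(minutes=1)),
    "Repeat Attack-Host Intrusion Prevention System": ("hips_alert", 3, timedelta(minutes=10)),
}


def correlate(events, rules):
    """Sliding-window threshold correlation.

    Keeps, per (rule, source), the timestamps of matching events inside the rule's
    window and fires one alert per (rule, source) the first time the count reaches
    the threshold, so a sustained attack does not flood the analyst with duplicates.
    Returns a list of (rule name, source, timestamp of the triggering event).
    """
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts_text, source, event_type in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        for name, (wanted_type, threshold, window) in rules.items():
            if event_type != wanted_type:
                continue
            key = (name, source)
            recent = windows[key]
            recent.append(ts)
            while ts - recent[0] > window:  # drop events that aged out of the window
                recent.popleft()
            if len(recent) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append((name, source, ts_text))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, RULES):
        print("ALERT", *alert)
```

A production rule engine would additionally normalise the per-vendor source fields listed in the Event Sources column onto a common schema before keying the window on them.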