Security Information and Event Management (SIEM) is a class of system that collects security-relevant events from across an infrastructure and prepares them for further analysis and classification by a system administrator or an information security specialist.
Initially there were two separate areas: Security Information Management (SIM), which covered the long-term collection, storage and reporting of log data, and Security Event Management (SEM), which covered real-time monitoring, correlation and alerting on security events. In 2005 the two concepts were combined under the name Security Information and Event Management.
The data for SIEM comes from different sources. These include:
- event logs written by the operating system or third-party applications
- network equipment (routers, proxy servers, gateways, etc.)
- firewalls
- vulnerability scanners (special software that finds vulnerabilities inside the infrastructure)
- CRM systems
- user workstations
- antivirus software
- other resources that register events and are able to transmit them through agents or built-in tools
The principle of operation
SIEM is used to monitor and analyze incoming information; it does not by itself protect the infrastructure from external and internal threats, since it only observes events and does not block anything. The collected analytics are used to identify incidents and improve the company's security.
First, the criteria by which the state of the infrastructure is assessed are defined as rules, and the equipment that SIEM will monitor is specified. If an event occurs that falls outside the configured templates, SIEM reacts to the deviation and records an incident.
It is recommended to deploy the system first on a small number of devices as a pilot. Administrators check its performance and tune the rules (in practice, mostly to cut down false positives) before running it in production mode.
A further use of the collected data is investigation: because events are retained, the actions an intruder took can be reconstructed after the fact, so the incident record becomes the starting point for incident response.
The built-in notification function alerts administrators about violations or problems by email, SMS and instant messengers.
The software is a flexible tool that is configured to the requirements of the particular organization.
Components of SIEM
The software solution is conventionally divided into two components. The first is the monitoring agents, installed on the elements of the information system from which data is collected. The second is the server part, which processes the information arriving from the agents and registers events and incidents according to the configured rules. The templates for processing information and logging incidents are defined by information security specialists during configuration.
Further analysis of the reported incidents also falls to the information security department. Its staff use the built-in tools to create reports and respond to events, with the aim of preventing the recurrence of such incidents in the future.
Intermediate elements such as collectors and correlators are also part of the pipeline. Collectors receive the raw data from the sources, filter out duplicates and empty records and, because the information arrives in different formats and of different kinds, bring it to a single normalized view. Correlators then pick out the relevant data from the mass of events by applying the configured rules, linking related events (for example, a series of failed logins followed by a successful one from the same address) into a single incident.
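To make the pipeline described in this section concrete, here is an added example in Python: a toy SIEM that runs the collector, correlator and notification stages over a handful of constructed log records. It is not code from the original article or from any of the products listed below; the sample records, the common event schema, the "three failed logins within 60 seconds" rule and the year assumed for syslog timestamps are all assumptions of the example.

```python
"""Toy SIEM pipeline: collect -> normalize/deduplicate -> correlate -> notify.
Added example, not code from the article or any listed product. Sample records
are constructed; the rule threshold, window and syslog year are hypothetical."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed input as a collector would receive it: Linux sshd syslog lines (one
# exact duplicate and one empty record included) plus one JSON event from a
# hypothetical Windows log forwarder. Addresses are documentation ranges.
RAW_RECORDS = [
    "Jan 14 10:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "Jan 14 10:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "",
    "Jan 14 10:00:12 web01 sshd[1203]: Failed password for root from 203.0.113.5 port 51010 ssh2",
    "Jan 14 10:00:25 web01 sshd[1207]: Failed password for admin from 203.0.113.5 port 51020 ssh2",
    "Jan 14 10:00:40 web01 sshd[1209]: Accepted password for admin from 203.0.113.5 port 51031 ssh2",
    '{"TimeCreated": "2024-01-14T10:05:00Z", "Computer": "dc01", "EventID": 4625,'
    ' "TargetUserName": "jdoe", "IpAddress": "198.51.100.7"}',
    "Jan 14 10:30:00 web01 sshd[1300]: Failed password for bob from 192.0.2.9 port 40000 ssh2",
]
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+")
FAILURE_THRESHOLD = 3          # hypothetical rule: N failures from one source ...
WINDOW = timedelta(seconds=60)  # ... inside this window

def normalize(raw, year=2024):
    """Map one raw record onto the common schema; None if unusable.
    Syslog lines carry no year, so it is an assumption passed in."""
    if raw.startswith("{"):  # JSON from the hypothetical Windows forwarder
        data = json.loads(raw)
        if data.get("EventID") not in (4624, 4625):  # logon success / failure
            return None
        ts = datetime.strptime(data["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts.replace(tzinfo=timezone.utc), "host": data["Computer"],
                "user": data["TargetUserName"], "src": data["IpAddress"],
                "outcome": "success" if data["EventID"] == 4624 else "failure",
                "source_type": "windows"}
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"], "user": m["user"],
            "src": m["src"], "outcome": "success" if m["result"] == "Accepted" else "failure",
            "source_type": "sshd"}

def collect(raw_records):
    """Collector stage: drop empty and duplicate records, normalize the rest."""
    seen, events = set(), []
    for raw in raw_records:
        key = raw.strip()
        if not key or key in seen:
            continue
        seen.add(key)
        event = normalize(key)
        if event is not None:
            events.append(event)
    return events

def correlate(events):
    """Correlator stage: link related events from one source into an incident."""
    by_src = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_src[event["src"]].append(event)
    incidents = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e["ts"] - first["ts"] <= WINDOW]
            if len(burst) < FAILURE_THRESHOLD:
                continue
            last_ts = burst[-1]["ts"]
            # A success shortly after the burst raises severity: likely compromise.
            hit = any(e["outcome"] == "success" and last_ts <= e["ts"] <= last_ts + WINDOW
                      for e in evs)
            incidents.append({"rule": "auth_bruteforce", "src": src, "host": first["host"],
                              "users": sorted({e["user"] for e in burst}),
                              "failures": len(burst), "first_seen": first["ts"].isoformat(),
                              "compromised": hit, "severity": "high" if hit else "medium"})
            break  # one incident per source; real SIEMs suppress repeats for a while
    return incidents

def notify(incident):
    """Notification stage: the text an operator would get by email/SMS/messenger."""
    return (f"[{incident['severity'].upper()}] {incident['rule']}: {incident['failures']} failed "
            f"logins from {incident['src']} on {incident['host']} for {', '.join(incident['users'])}"
            + (" followed by a successful login" if incident["compromised"] else ""))

def run_pipeline(raw_records):
    return correlate(collect(raw_records))

if __name__ == "__main__":
    for inc in run_pipeline(RAW_RECORDS):
        print(notify(inc))
```

Running the script prints one alert, for 203.0.113.5: the collector drops the duplicate and the empty record, the correlator links the three failures into a burst, and the success that follows raises the severity to high. The single failures from the other two addresses stay below the threshold; deciding where that threshold sits is exactly the rule tuning the pilot deployment is for.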
Well-known SIEM products:
- Splunk Enterprise Security
- HPE ArcSight
- McAfee Enterprise Security Manager (formerly NitroSecurity)
- IBM QRadar
- TIBCO LogLogic
- MaxPatrol SIEM (Positive Technologies)
- AlienVault USM
- KOMRAD (NPO Echelon)