Security Information and Event Management (SIEM) is a term coined by Gartner in 2005 to describe technology used to monitor and help manage user and service privileges, directory services and other system configuration changes, as well as to provide log auditing and review and incident response.
The core capabilities of SIEM technology are the broad scope of event collection and the ability to correlate and analyze events across disparate information sources. Simply put, SIEM technology collects log and security data from computers, network devices and applications on the network to enable alerting, archiving and reporting.
Once log and security data has been received, you can:
- Discover external and internal threats
Logs from firewalls and IDS/IPS sensors are useful for uncovering external threats; logs from e-mail servers and proxy servers can help detect phishing attacks; logs from badge and thumbprint scanners are used to detect physical access.
- Monitor the activities of privileged users
Logs from computers, network devices and applications are used to develop a trail of activity across the network by any user, but especially by users with high privileges.
- Monitor server and database resource access
Most enterprises have critical data repositories in files, folders and databases, and these are attractive targets for attackers. Monitoring all server and database resource access improves security.
- Monitor, correlate and analyze user activity across multiple systems and applications
With all logs and security data in one place, an especially useful benefit is the ability to correlate user activity across the network.
- Provide compliance reporting
Compliance is often the source of funding for SIEM. When properly set up, a SIEM can reduce auditor on-site time by up to 90%; more importantly, compliance is to the spirit of the law rather than merely a check-the-box exercise.
- Provide analytics and workflow to support incident response
Answer the Who, What, When and Where questions. Such questions are at the heart of forensic activities and are critical to drawing valuable lessons.
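The cross-source correlation described in the list above, sketched as an added example (not part of the original article or of any product): three differently formatted logs are normalized into one event stream, grouped per user, and checked for database access that no single log could flag on its own. The log formats, user names, the 4-hour window and the rule itself are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in three made-up formats (not from any real product).
VPN_LOG = """2024-03-04T08:55:10 vpn-gw login user=alice src=203.0.113.7
2024-03-04T09:40:02 vpn-gw login user=carol src=198.51.100.23"""
BADGE_LOG = """2024-03-04 08:30:00,bob,HQ-door-2,ENTRY"""
DB_LOG = """2024-03-04T09:05:00|alice|payroll_db|SELECT
2024-03-04T09:10:00|bob|payroll_db|SELECT
2024-03-04T09:20:00|dave|payroll_db|EXPORT
2024-03-04T09:30:00|carol|payroll_db|SELECT"""

def parse_all():
    """Normalize every source into (time, user, source, detail) tuples."""
    events = []
    for line in VPN_LOG.splitlines():
        ts, _, _, user, src = line.split()
        events.append((datetime.fromisoformat(ts), user.split("=")[1], "vpn", src))
    for line in BADGE_LOG.splitlines():
        ts, user, door, action = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        events.append((when, user, "badge", f"{door} {action}"))
    for line in DB_LOG.splitlines():
        ts, user, db, op = line.split("|")
        events.append((datetime.fromisoformat(ts), user, "db", f"{db} {op}"))
    return sorted(events)

def timelines(events):
    """Group the merged stream into one chronological trail per user."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[1]].append(ev)
    return per_user

def unexplained_db_access(events, window=timedelta(hours=4)):
    """DB accesses with no badge entry or VPN login by that user in the prior window."""
    alerts = []
    for user, evs in timelines(events).items():
        for t, _, source, detail in evs:
            if source != "db":
                continue
            present = any(s in ("vpn", "badge") and timedelta(0) <= t - t2 <= window
                          for t2, _, s, _ in evs)
            if not present:
                alerts.append((user, t.isoformat(), detail))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in unexplained_db_access(parse_all()):
        print("ALERT", *alert)
```

Here `dave` is flagged because he appears only in the database log, and `carol` because her VPN login comes after her database access; both findings require the sources to be in one place.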
SIEM technology is routinely cited as a basic best practice by every regulatory standard and its absence has been regularly shown as a glaring weakness in every data breach post mortem.
Want the benefit but not the hassle? Consider SIEM Simplified, our service where we do the disciplined blocking and tackling which forms the core of any security or compliance regime.