SIEM (Security information and event management) refers to a class of software products that collect and analyze information about security events.
SIEM is essentially a combination of SEM (Security event management) and SIM (Security information management). SEM solutions monitor security events in real time, whereas SIM systems handle the long-term storage and analysis of data received from various objects in the corporate infrastructure. SIEM solutions perform both of those tasks.
SIEM systems functionality
SIEM systems perform the following tasks:
- Monitor alerts from network devices and applications in real time;
- Analyze the collected data for patterns and correlations between events;
- Identify deviations from normal system behavior;
- Notify the operator of detected incidents.
In the classical meaning of the term, SIEM systems only collect and process data and alert the operator to potential danger. Blocking suspicious processes, quarantining files, and other response measures are not considered part of their function. More recently, however, the term SIEM has come to cover both systems that only collect and process data and systems that combine data collection with response capabilities.
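As an added illustration of the monitoring, correlation and notification tasks listed above (example code written for this page, not taken from any SIEM product): a minimal correlation rule that normalises constructed SSH authentication log lines and raises an alert when a source address logs in successfully after three or more failures within a two-minute window. The log lines, the addresses and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (syslog-like; RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
2024-03-01T09:00:01 srv1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:03 srv1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:06 srv1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T09:00:09 srv1 sshd: Accepted password for admin from 203.0.113.5
2024-03-01T09:05:00 srv1 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:45:00 srv1 sshd: Accepted password for alice from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_events(text):
    """Normalise raw lines into dicts (the collection step); non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def correlate(events, threshold=3, window=timedelta(minutes=2)):
    """Alert when a source succeeds after >= threshold failures within `window`; events in time order."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = []
    for ev in events:
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # slide the window forward, forgetting old failures
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:              # Accepted login right after a burst of failures
            alerts.append({"rule": "brute_force_then_success", "src": ev["src"],
                           "user": ev["user"], "host": ev["host"],
                           "failures_before": len(q), "at": ev["ts"].isoformat()})
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print("ALERT", alert)  # the 'notify the operator' step, here just printed
```

The second user's single failure falls outside the window by the time of the successful login, so only the first source produces an alert.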
SIEM solutions enable infosec experts to detect cyberattacks and violations of security policies at an early stage and minimize damage. Additionally, they can be used to assess how well information systems are protected and which threats are relevant to the company. Data obtained from SIEM systems is also used in incident investigation and reporting.
SIEM data collection
SIEM solutions can collect data about security events in four ways: through dedicated collection applications, i.e. agents (the most common method), directly from log files, directly from network devices, or through streaming protocols such as SNMP, NetFlow, and IPFIX.
Information sources for SIEM solutions include:
- Antivirus software,
- Authorization and authentication systems,
- Firewalls and gateways,
- Network equipment, server, and workstation logs,
- Domain controllers,
- Intrusion detection and prevention systems (IDS/IPS),
- Data loss prevention (DLP) systems,
- Asset and inventory control solutions.