Security Information and Event Management

Date: 7/01/2014
Security Information and Event Management (SIEM) is a term for software products and services that combine security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications.
At a minimum, SIEM tools enable IT security organizations to:
       Leverage central log management to simplify correlation, alerting, and reporting of security events;
       Streamline compliance, incident response, and risk management processes;
       Baseline threat levels and normal network security activity;
       Increase efficiency and effectiveness of security and system administrators, internal and external auditors, and senior management involved in risk management;
       Pursue a continuous risk management strategy, prioritizing attention to specific vulnerabilities based on observed threats across multiple control systems.
Contrary to past hype and misconceptions, SIEM tools do not:
       Eliminate the need for other IT security systems – rather, SIEM enhances the value of each of those tools;
       Directly prevent compromises – instead, SIEM provides the cross-system visibility to identify areas of elevated risk and focus security efforts (proactive), and reduces the cost and time for incident response (reactive);
       Eliminate the role of security administrators and operations personnel – SIEM maximizes the value of such staff.
SIEM alone cannot eliminate breaches, but enhanced visibility reduces exposure to risk in many ways:
       Identify sophisticated attacks earlier using event data correlated across multiple systems;
       Support more rapid and more thorough forensics during and after initial incident response;
       Enable continuous feedback from observed threats into security and system controls to achieve optimal protection and reduce the risk of future compromises.
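The cross-system correlation described above, as an added example that is not part of the original article: two constructed log sources (a firewall deny log and an SSH authentication log, with invented hosts, addresses and formats) are normalized into one schema and replayed in time order; a burst of firewall denies from one address followed by a successful login from the same address within a window raises an alert that neither log would produce on its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw log lines from two separate systems (formats invented for this example).
FIREWALL_LOG = """\
2014-07-01T09:00:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2014-07-01T09:00:02 fw01 DENY src=203.0.113.7 dst=10.0.0.6 dport=22
2014-07-01T09:00:03 fw01 DENY src=203.0.113.7 dst=10.0.0.7 dport=22
2014-07-01T09:00:04 fw01 DENY src=203.0.113.7 dst=10.0.0.8 dport=22
2014-07-01T09:00:05 fw01 DENY src=203.0.113.7 dst=10.0.0.9 dport=22
2014-07-01T08:10:00 fw01 DENY src=198.51.100.9 dst=10.0.0.5 dport=443
"""
AUTH_LOG = """\
2014-07-01T09:03:10 srv09 sshd: Accepted password for svc_backup from 203.0.113.7
2014-07-01T09:20:00 srv05 sshd: Accepted password for alice from 198.51.100.2
"""

FW_RE = re.compile(r"^(\S+) (\S+) DENY src=(\S+) dst=(\S+)")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: Accepted \S+ for (\S+) from (\S+)")

def normalize(fw_text, auth_text):
    """Central log management step: parse both sources into one schema
    (time, system, event type, source IP, detail) and order them by time."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), "firewall", "deny", m[3], m[4]))
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), "auth", "login_ok", m[4], f"{m[3]}@{m[2]}"))
    return sorted(events)

def correlate(events, min_denies=5, window=timedelta(minutes=10)):
    """Correlation rule: alert when a source IP was denied by the firewall at least
    min_denies times and then authenticated successfully within `window`."""
    denies = defaultdict(list)   # source IP -> timestamps of firewall denies seen so far
    alerts = []
    for t, system, etype, src, detail in events:
        if system == "firewall" and etype == "deny":
            denies[src].append(t)
        elif system == "auth" and etype == "login_ok":
            recent = [d for d in denies[src] if t - window <= d <= t]
            if len(recent) >= min_denies:
                alerts.append({"src": src, "login": detail, "denies": len(recent), "at": t.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in correlate(normalize(FIREWALL_LOG, AUTH_LOG)):
        print("ALERT", alert)
```

The login by alice produces no alert because her address has no preceding denies; the threshold and window are the tunables an analyst would baseline per environment.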
Comparing approaches to managing key information security processes, with or without SIEM:
Be prepared to deal with issues and events that you might have been unaware of without SIEM. Be clear about the impact of SIEM-enhanced security visibility:
  1. Pre-SIEM: Information risks and associated security management costs increase over time as new threats appear.
  2. Immediately Post-SIEM: Increased visibility into extant threats results in increased cost of managing those threats – ignorance can no longer justify inaction.
       Per event/incident costs will decline through earlier detection opportunities and investigation efficiencies provided by the SIEM tool.
       Since those threats always existed, and are now being acted upon, overall risk begins to decline.
       As SIEM-based efficiencies are realized, the cost of managing visible threats returns to baseline levels.
  3. Long-Term Post-SIEM: Both risk and security costs can be driven down further through feedback from SIEM into technical and procedural controls.

Figure 1 - SIEM’s Impact on Risk and Cost over Time

Get a sense of how far you intend to go with SIEM; this helps focus the setting of your organization’s requirements. Look for the SIEM you need, and no more.
Security Management Focus Areas by SIEM Approach

| SIEM Approach | Log Management | Compliance Management | Event Management | Continuous Risk Management |
| --- | --- | --- | --- | --- |
| Without SIEM | Storage, backup, retention, and archival settings must be configured and managed for each key system. | Compliance reporting and related log review management is done through manual processes. | Incident identification and response processes are hampered by lack of cross-system visibility. | Prioritization of security attention across systems is nearly impossible, and may not account for cross-system risks. |
| Basic SIEM (Compliance or Event Focus) | Central log management optimizes the time and cost of managing key system logs, enabling greater opportunities for using such data. | Compliance management processes can be streamlined with pre-defined, scheduled, cross-system reporting. | Visibility into incidents is increased through event correlation; incident response is enhanced by alerting and forensic investigation functionality. | A more realistic view of risk emerges from increased efficiency in compliance or event management processes, enabling better prioritization. |
| Advanced SIEM (Compliance and Event Focus) | Integrated information from compliance and event management processes provides the most complete view of overall system risks. | | | |
Created: 18 Mordad 1393