Security Information and Event Management, abbreviated as SIEM, AKA Situational Awareness, helps you to gather, from many divergent information system components, security data. SIEM turns that data into information, and Situational Awareness puts the information in context. The volume of security log data is growing with more components and service systems connected to your organization's infrastructure. Having all this managed in a centralized platform helps you better analyze the data, gain timely insights into events, respond effectively, and respond to auditors' requests.
Many organizations are struggling with three major problems that they cannot completely or even partially fulfill:
- Demonstrate compliance to regulatory requirements
- Ensure appropriate protection of intellectual capital and private information
- Effectively manage security operations
SIEM collects data and alerts from a variety of infrastructure components, such as firewalls, routers, anti-virus systems, servers, databases, applications, identity management systems, mobile devices, and access management. It can inform IT teams, fraud detection groups, and compliance managers about unusual behavior on these systems. With the information presented in context, these teams can decide whether and what kind of action to take.
SIEM architecture can be broken down into two elements:
Security Information Management (SIM)
The SIM component provides reporting and analysis of data primarily from host systems and applications and secondarily from security devices to support regulatory compliance initiatives, internal threat management, and security policy compliance management. It can be used to support the activities of the IT security, internal audit, and compliance organizations.
Security Event Management (SEM)
The SEM component improves security incident response capabilities. It processes near real time data from security devices, network devices, and systems to provide near real time event management for security operations. It helps IT security operations personnel be more effective in responding to external and internal threats. SEM aids greatly in addressing Advanced Persistent Threats by linking seemingly unrelated events which occur over extended time periods.
A SIEM platform must provide log data capturing capabilities. Aggregated information must be securely stored. Also, archived data faces the requirement of having to reside in a database format that allows for accurate and expedient reporting and viewing capabilities.
The minimum SIEM functions are:
- Collect and archive log data
- Compare data with compliance requirements and report
- Analyze event information in real time and over time for threat management