Security Information and Event Management (SIEM)

Background

Security Information and Event Management, abbreviated as SIEM, helps an organization gather security data from many disparate information systems. The volume of security log data grows over time as more and more systems are connected to an organization’s infrastructure. Having all this information in centralized storage helps an organization analyze the data better and respond to auditors’ requests during reviews and audits.

Many organizations are struggling with three major requirements that they cannot completely, or even partially, fulfill:

  • Demonstrating compliance to regulatory requirements.
  • Ensuring appropriate protection of intellectual capital and privacy information.
  • Managing security operations securely and effectively.


Architecture

SIEM architecture can be broken down into two elements:

Security Information Management (SIM)

The SIM component provides reporting and analysis of data primarily from host systems and applications and secondarily from security devices to support regulatory compliance initiatives, internal threat management, and security policy compliance management. It can be used to support the activities of the IT security, internal audit, and compliance organizations.

Security Event Management (SEM)

The SEM component improves security incident response capabilities. It processes near real time data from security devices, network devices, and systems to provide near real time event management for security operations. It helps IT security operations personnel be more effective in responding to external and internal threats.
A SIEM solution must provide log data capturing capabilities. Aggregated information must be securely stored. Archived data must also reside in a database format that allows accurate and expedient reporting and viewing.

The SIEM realm is defined by the interaction between the offering of, and the need for, a software product customization that can:

  • Collect and archive log data in a reliable manner for regulatory compliance.
  • Analyze and report on archived log data for regulatory compliance.
  • Analyze event information in real time for threat management.
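The three capabilities listed above (reliable collection and archiving, analysis of archived data, and real-time correlation), together with the log normalization mentioned later on this page, can be illustrated with a small pipeline. The following Python block is an added example written for this page; it is not code from intiGrow or from any IBM Tivoli product. The log lines, the common event schema, the hash-chained archive and the brute-force correlation rule are all constructed assumptions for illustration.

```python
"""Toy SIEM pipeline: collect -> normalize -> archive (tamper-evident) -> correlate.

Added example for this page; not vendor code. All log lines below are constructed."""
import hashlib
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: sshd syslog lines from two hosts and one JSON firewall event.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z host1 sshd[1201]: Failed password for root from 198.51.100.7 port 5001 ssh2",
    "2024-03-01T10:00:15Z host1 sshd[1202]: Failed password for admin from 198.51.100.7 port 5002 ssh2",
    '{"ts":"2024-03-01T10:00:20Z","src":"198.51.100.7","dst":"10.0.0.5","action":"deny","dev":"fw1"}',
    "2024-03-01T10:00:40Z host1 sshd[1203]: Failed password for root from 198.51.100.7 port 5003 ssh2",
    "2024-03-01T10:05:00Z host2 sshd[77]: Accepted password for alice from 203.0.113.9 port 6000 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def normalize(line):
    """Map a raw line from any source into one common event schema (None if unrecognized)."""
    m = SYSLOG_RE.match(line)
    if m:
        return {
            "ts": m["ts"], "source": m["host"], "category": "auth",
            "outcome": "failure" if m["outcome"] == "Failed" else "success",
            "user": m["user"], "src_ip": m["src"],
        }
    if line.startswith("{"):
        d = json.loads(line)
        return {
            "ts": d["ts"], "source": d["dev"], "category": "network",
            "outcome": "failure" if d["action"] == "deny" else "success",
            "user": None, "src_ip": d["src"],
        }
    return None


class Archive:
    """Append-only store; each record carries the hash of the previous one, so any edit
    to an archived event breaks the chain and is detected by verify()."""

    def __init__(self):
        self.records = []
        self.last_hash = "0" * 64

    def append(self, event):
        payload = json.dumps(event, sort_keys=True)
        h = hashlib.sha256((self.last_hash + payload).encode()).hexdigest()
        self.records.append({"prev": self.last_hash, "event": event, "hash": h})
        self.last_hash = h

    def verify(self):
        prev = "0" * 64
        for r in self.records:
            payload = json.dumps(r["event"], sort_keys=True)
            expected = hashlib.sha256((prev + payload).encode()).hexdigest()
            if r["prev"] != prev or r["hash"] != expected:
                return False
            prev = r["hash"]
        return True


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule (assumed): >= threshold auth failures from one src_ip within
    the window raise a single alert for that address."""
    failures = defaultdict(list)
    for e in events:
        if e["category"] == "auth" and e["outcome"] == "failure":
            failures[e["src_ip"]].append(datetime.fromisoformat(e["ts"].replace("Z", "+00:00")))
    alerts = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"rule": "auth_bruteforce", "src_ip": ip, "count": len(times)})
                break
    return alerts


def run_pipeline(lines):
    """Collect, normalize, archive and correlate; returns events, alerts and archive state."""
    archive = Archive()
    events = []
    for line in lines:
        ev = normalize(line)
        if ev is not None:
            archive.append(ev)
            events.append(ev)
    return {"events": events, "alerts": correlate(events),
            "archive_ok": archive.verify(), "archive": archive}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(SAMPLE_LOGS)["alerts"], indent=2))
```

Running the block reports one `auth_bruteforce` alert for 198.51.100.7, whose three failed logins fall inside a 39-second span, while the firewall deny from the same address is normalized into the same schema but is not counted by the authentication rule. Changing any archived event afterwards makes `Archive.verify()` return False, which is the property "aggregated information must be securely stored" asks for in its simplest form.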

The figure below depicts a typical SIEM architecture.
[Figure: typical SIEM architecture (image not reproduced)]

The SIEM solution has two parts, i.e., SIM and SEM. The SIM part of the requirement can be completely covered by IBM Tivoli Security Information and Event Manager. The SEM part is covered by IBM Tivoli Security Operations Manager and IBM Tivoli Security Compliance Manager.

SIEM Solution

intiGrow’s solution to delivering SIEM capability includes a suite of IBM Tivoli security product customizations:

  • IBM Tivoli Security Operations Manager
  • IBM Tivoli Security Compliance Manager
  • IBM Tivoli Security Information and Event Manager

IBM Tivoli Security Operations Manager

Network and IT resource availability is absolutely critical to business and service assurance. Organizations, federal agencies, and service providers can lose millions of dollars per year as a result of worms, trojans, and other types of malware that bring down corporate resources and organization-facing services. Tivoli Security Operations Manager is a SIEM platform designed to improve the effectiveness, efficiency, and visibility of security operations and information risk management.
Tivoli Security Operations Manager can enable the enterprise to automate the following tasks:

  • Log aggregation, correlation, and analysis
  • Recognition, investigation, and response to incidents
  • Incident tracking and handling
  • Monitoring and enforcement of policy
  • Comprehensive reporting for compliance efforts

IBM Tivoli Security Compliance Manager

Tivoli Security Compliance Manager is a centralized repository for archiving native audit trails to observe and to report on security compliance policies. Tivoli Security Compliance Manager deploys predefined policies onto managed systems and provides a central repository for automated reporting purposes and data mining.
The architecture of the Tivoli Security Compliance Manager is based on a client/server model. The Tivoli Security Compliance Manager client acts as an agent that collects data from the client subsystem on a predefined schedule or on request of the Tivoli Security Compliance Manager server. After the client collects the data, it is sent to the server.

IBM Tivoli Security Information and Event Manager

A Security Information Manager solution requires log management and audit functionality and must generate reports that relate collected log data to security policies in order to identify policy violations.
In addition, the solution must offer real-time incident management, which can require correlation rules to identify more details about an incident. Ideally, the solution also offers real-time mitigation of and alerting on incidents, but strictly speaking, this type of real-time functionality is typically addressed in the Security Event Manager realm.
A combination of the Tivoli Security Information and Event Manager and Tivoli Security Operations Manager product customizations can meet all requirements, with Tivoli Security Operations Manager adding real-time incident management to the Tivoli Security Information and Event Manager solution. In addition, the Tivoli Security Information and Event Manager solution offers other capabilities that are often key decision factors for organizations looking for these types of technologies. Among these additional factors are:

  • A rapid and scalable deployment and support process
  • Reliable and secure log collection and archiving
  • Capability to collect and archive any type of log data
  • Integration with identity and access management solutions
  • Built-in best practice reporting and analysis of log data
  • Pre-defined audit and regulatory compliance reports cover the following standards and regulations:
    › SOX
    › FISMA
    › HIPAA
    › PCI DSS
    › BASEL II
    › GLBA
    › ISO 17991
    › ISO 27001
    › COBIT
    › NERC
  • Capability to normalize any type of log data for audit and regulatory compliance processing
  • IBM Mainframe integration
  • High-performance syslog and SNMP collector
  • Real-time event correlation and incident response functionality