Regulatory requirements
 | This section needs expansion. You can help by adding to it. (May 2018) |
SEMs are often sold to help satisfy U.S. regulatory requirements such as those of Sarbanes–Oxley, PCI-DSS, GLBA.[ citation needed ]
Security event management (SEM), and the related SIM and SIEM, are computer security disciplines that use data inspection tools to centralize the storage and interpretation of logs or events generated by other software running on a network. [1] [2] [3]
The acronyms SEM, SIM and SIEM have sometimes been used interchangeably, [4] [5] but generally refer to the different primary focus of products:
Many systems and applications which run on a computer network generate events which are kept in event logs. These logs are essentially lists of activities that occurred, with records of new events being appended to the end of the logs as they occur. Protocols, such as syslog and SNMP, can be used to transport these events, as they occur, to logging software that is not on the same host on which the events are generated. The better SEMs provide a flexible array of supported communication protocols to allow for the broadest range of event collection.
It is beneficial to send all events to a centralized SEM system for the following reasons:
Although centralised logging has existed for long time, SEMs are a relatively new idea, pioneered in 1999 by a small company called E-Security, [9] and are still evolving rapidly. The key feature of a Security Event Management tool is the ability to analyse the collected logs to highlight events or behaviors of interest, for example an Administrator or Super User logon, outside of normal business hours. This may include attaching contextual information, such as host information (value, owner, location, etc.), identity information (user info related to accounts referenced in the event like first/last name, workforce ID, manager's name, etc.), and so forth. This contextual information can be leveraged to provide better correlation and reporting capabilities and is often referred to as Meta-data. Products may also integrate with external remediation, ticketing, and workflow tools to assist with the process of incident resolution. The better SEMs will provide a flexible, extensible set of integration capabilities to ensure that the SEM will work with most customer environments.
| | This section needs expansion. You can help by adding to it. (May 2018) |
SEMs are often sold to help satisfy U.S. regulatory requirements such as those of Sarbanes–Oxley, PCI-DSS, GLBA.[ citation needed ]
One of the major problems in the SEM space is the difficulty in consistently analyzing event data. Every vendor, and indeed in many cases different products by one vendor, uses a different proprietary event data format and delivery method. Even in cases where a "standard" is used for some part of the chain, like Syslog, the standards don't typically contain enough guidance to assist developers in how to generate events, administrators in how to gather them correctly and reliably, and consumers to analyze them effectively.
As an attempt to combat this problem, a couple parallel standardization efforts are underway. First, The Open Group is updating their circa 1997 XDAS standard, which never made it past draft status. This new effort, dubbed XDAS v2, will attempt to formalize an event format including which data should be included in events and how it should be expressed.[ citation needed ] The XDAS v2 standard will not include event delivery standards but other standards in development by the Distributed Management Task Force may provide a wrapper.
In addition, MITRE developed efforts to unify event reporting with the Common Event Expression (CEE) which was somewhat broader in scope as it attempted to define an event structure as well as delivery methods. The project, however, ran out of funding in 2014.
In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level.
Enterprise content management (ECM) extends the concept of content management by adding a timeline for each content item and, possibly, enforcing processes for its creation, approval and distribution. Systems using ECM generally provide a secure repository for managed items, analog or digital. They also include one methods for importing content to bring manage new items, and several presentation methods to make items available for use. Although ECM content may be protected by digital rights management (DRM), it is not required. ECM is distinguished from general content management by its cognizance of the processes and procedures of the enterprise for which it is created.
Enterprise software, also known as enterprise application software (EAS), is computer software used to satisfy the needs of an organization rather than individual users. Such organizations include businesses, schools, interest-based user groups, clubs, charities, and governments. Enterprise software is an integral part of a (computer-based) information system; a collection of such software is called an enterprise system. These systems handle a chunk of operations in an organization to enhance the business and management reporting tasks. The systems must process the information at a relatively high speed and can be deployed across a variety of networks.
In computer log management and intelligence, log analysis is an art and science seeking to make sense of computer-generated records. The process of creating such records is called data logging.
Security information management (SIM) is an information security industry term for the collection of data such as log files into a central repository for trend analysis.
Log management (LM) comprises an approach to dealing with large volumes of computer-generated log messages.
In computing, a log file is a file that records either events that occur in an operating system or other software runs, or messages between different users of communication software. Logging is the act of keeping a log. In the simplest case, messages are written to a single log file.
Prelude SIEM is a Security information and event management (SIEM).
Security level management (SLM) comprises a quality assurance system for electronic information security.
TriGeo Network Security is a United States-based provider of security information and event management (SIEM) technology. The company helps midmarket organizations proactively protect networks and data from internal and external threats, with a SIEM appliance that provides real-time log management and automated network defense - from the perimeter to the endpoint.
Cisco Security Monitoring, Analysis, and Response System (MARS) was a security monitoring tool for network devices. Together with the Cisco Security Manager (CSM) product, MARS made up the two primary components of the Cisco Security Management Suite.
Sensage Inc. is a privately held data warehouse software provider headquartered in Redwood City, California. Sensage serves enterprises who use the software to capture and store event data so that it can be consolidated, searched and analyzed to generate reports that detect fraud, analyze performance trends, and comply with government regulations.
Database activity monitoring is a database security technology for monitoring and analyzing database activity. DAM may combine data from network-based monitoring and native audit information to provide a comprehensive picture of database activity. The data gathered by DAM is used to analyze and report on database activity, support breach investigations, and alert on anomalies. DAM is typically performed continuously and in real-time.
Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes. The term and the initialism SIEM was coined by Mark Nicolett and Amrit Williams of Gartner in 2005.
An information security operations center is a facility where enterprise information systems are monitored, assessed, and defended.
In the field of information security, user activity monitoring (UAM) is the monitoring and recording of user actions. UAM captures user actions, including the use of applications, windows opened, system commands executed, checkboxes clicked, text entered/edited, URLs visited and nearly every other on-screen event to protect data by ensuring that employees and contractors are staying within their assigned tasks, and posing no risk to the organization.
Threat Intelligence Platform is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources and help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular, users of the platform. TIPs can also use APIs to gather data to generate configuration analysis, Whois information, reverse IP lookup, website content analysis, name servers, and SSL certificates.
The Co-Managed IT security service model entails security monitoring, event correlation, incident response, system tuning, and compliance support across an organization's entire IT environment. Co-Management allows organizations to collaborate with their managed security service providers by blending security expertise of the provider with the contextual knowledge of the customer to optimise security posture.
Octopussy, also known as 8Pussy, is a free and open-source computer-software which monitors systems, by constantly analyzing the syslog data they generate and transmit to such a central Octopussy server. Therefore, software like Octopussy plays an important role in maintaining an information security management system within ISO/IEC 27001-compliant environments.
NXLog is a multi-platform log collection and centralization tool that offers log processing features, including log enrichment and log forwarding. In concept NXLog is similar to syslog-ng or Rsyslog but it is not limited to UNIX and syslog only. It supports all major operating systems such as Windows, macOS, IBM AIX, etc, being compatible with many SIEM, log analytics suites and many other platforms. NXLog can handle different log sources and formats, so it can be used to implement a centralized, scalable logging system. NXLog Community Edition is proprietary and can be downloaded free of charge with no license costs or limitations.
{{cite web}}: CS1 maint: archived copy as title (link) SIEM...the acronym SIEM will be used generically to refer...