Security event management

Last updated

Security event management (SEM), and the related SIM and SIEM, are computer security disciplines that use data inspection tools to centralize the storage and interpretation of logs or events generated by other software running on a network. [1] [2] [3]

Contents

Overview

The acronyms SEM, SIM, and SIEM have sometimes been used interchangeably, [3] :3 [4] but generally refer to the different primary focus of products:

Event logs

Many systems and applications which run on a computer network generate events which are kept in event logs. These logs are essentially lists of activities that occurred, with records of new events being appended to the end of the logs as they occur. Protocols, such as syslog and SNMP, can be used to transport these events, as they occur, to logging software that is not on the same host on which the events are generated. The better SEMs provide a flexible array of supported communication protocols to allow for the broadest range of event collection.

It is beneficial to send all events to a centralized SEM system for the following reasons:

Security analysis

Although centralised logging has existed for long time, SEMs are a relatively new idea, pioneered in 1999 by a small company called E-Security, [8] and are still evolving rapidly. The key feature of a Security Event Management tool is the ability to analyse the collected logs to highlight events or behaviors of interest, for example an Administrator or Super User logon, outside of normal business hours. This may include attaching contextual information, such as host information (value, owner, location, etc.), identity information (user info related to accounts referenced in the event like first/last name, workforce ID, manager's name, etc.), and so forth. This contextual information can be leveraged to provide better correlation and reporting capabilities and is often referred to as Meta-data. Products may also integrate with external remediation, ticketing, and workflow tools to assist with the process of incident resolution. The better SEMs will provide a flexible, extensible set of integration capabilities to ensure that the SEM will work with most customer environments.

Regulatory requirements

SEMs are often sold to help satisfy U.S. regulatory requirements such as those of Sarbanes–Oxley, PCI-DSS, GLBA.[ citation needed ]

Standardization

One of the major problems in the SEM space is the difficulty in consistently analyzing event data. Every vendor, and indeed in many cases different products by one vendor, uses a different proprietary event data format and delivery method. Even in cases where a "standard" is used for some part of the chain, like Syslog, the standards don't typically contain enough guidance to assist developers in how to generate events, administrators in how to gather them correctly and reliably, and consumers to analyze them effectively.

As an attempt to combat this problem, a couple of parallel standardization efforts are underway. First, The Open Group is updating their circa 1997 XDAS standard, which never made it past draft status. This new effort, dubbed XDAS v2, will attempt to formalize an event format including which data should be included in events and how it should be expressed.[ citation needed ] The XDAS v2 standard will not include event delivery standards but other standards in development by the Distributed Management Task Force may provide a wrapper.

In addition, MITRE developed efforts to unify event reporting with the Common Event Expression (CEE) which was somewhat broader in scope as it attempted to define an event structure as well as delivery methods. The project, however, ran out of funding in 2014.

See also

Related Research Articles

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level.

Enterprise content management (ECM) extends the concept of content management by adding a timeline for each content item and, possibly, enforcing processes for its creation, approval, and distribution. Systems using ECM generally provide a secure repository for managed items, analog or digital. They also include one methods for importing content to manage new items, and several presentation methods to make items available for use. Although ECM content may be protected by digital rights management (DRM), it is not required. ECM is distinguished from general content management by its cognizance of the processes and procedures of the enterprise for which it is created.

Enterprise software, also known as enterprise application software (EAS), is computer software used to satisfy the needs of an organization rather than its individual users. Enterprise software is an integral part of a computer-based information system, handling a number of business operations, for example to enhance business and management reporting tasks, or support production operations and back office functions. Enterprise systems must process information at a relatively high speed.

Systems management refers to enterprise-wide administration of distributed systems including computer systems. Systems management is strongly influenced by network management initiatives in telecommunications. The application performance management (APM) technologies are now a subset of Systems management. Maximum productivity can be achieved more efficiently through event correlation, system automation and predictive analysis which is now all part of APM.

In computer log management and intelligence, log analysis is an art and science seeking to make sense of computer-generated records. The process of creating such records is called data logging.

<span class="mw-page-title-main">OSSIM</span> Security information and event management system

OSSIM (Open Source Security Information Management) is an open source security information and event management system, integrating a selection of tools designed to aid network administrators in computer security, intrusion detection and prevention.

Security information management (SIM) is an information security industry term for the collection of data such as log files into a central repository for trend analysis.

Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. A log data is composed of entries (records), and each entry contains information related to a specific event that occur within an organization’s computing assets, including physical and virtual platforms, networks, services, and cloud environments.

In computing, logging is the act of keeping a log of events that occur in a computer system, such as problems, errors or just information on current operations. These events may occur in the operating system or in other software. A message or log entry is recorded for each such event. These log messages can then be used to monitor and understand the operation of the system, to debug problems, or during an audit. Logging is particularly important in multi-user software, to have a central overview of the operation of the system.

Prelude SIEM is a Security information and event management (SIEM).

Security level management (SLM) comprises a quality assurance system for information system security.

Computer security software or cybersecurity software is any computer program designed to influence information security. This is often taken in the context of defending computer systems or data, yet can incorporate programs designed specifically for subverting computer systems due to their significant overlap, and the adage that the best defense is a good offense.

<span class="mw-page-title-main">TriGeo Network Security</span>

TriGeo Network Security is a United States–based provider of security information and event management (SIEM) technology. The company helps mid market organizations proactively, protects networks and data from internal and external threats, with a SIEM appliance that provides real-time log management and automated network defense - from the perimeter to the endpoint.

LogLogic is a technology company that specializes in Security Management, Compliance Reporting, and IT Operations products. LogLogic developed the first appliance-based log management platform. LogLogic's Log Management platform collects and correlates user activity and event data. LogLogic's products are used by many of the world's largest enterprises to rapidly identify and alert on compliance violations, policy breaches, cyber attacks, and insider threats.

The Log Management Knowledge Base is a free database of detailed descriptions on over 20,000 event logs generated by Windows systems, syslog devices and applications. Provided as a free service to the IT community by Prism Microsystems, the aim of the Knowledge Base is to help IT personnel make sense of the large amounts of cryptic and arcane log data generated by network systems and IT infrastructures.

<span class="mw-page-title-main">Sensage</span>

Sensage Inc. is a privately held data warehouse software provider headquartered in Redwood City, California. Sensage serves enterprises who use the software to capture and store event data so that it can be consolidated, searched and analyzed to generate reports that detect fraud, analyze performance trends, and comply with government regulations.

Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to the operation of security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.

Storage security is a specialty area of security that is concerned with securing data storage systems and ecosystems and the data that resides on these systems.

In the field of information security, user activity monitoring (UAM) or user activity analysis (UAA) is the monitoring and recording of user actions. UAM captures user actions, including the use of applications, windows opened, system commands executed, checkboxes clicked, text entered/edited, URLs visited and nearly every other on-screen event to protect data by ensuring that employees and contractors are staying within their assigned tasks, and posing no risk to the organization.

<span class="mw-page-title-main">Octopussy (software)</span> Log analysis software

Octopussy, also known as 8Pussy, is a free and open-source computer-software which monitors systems, by constantly analyzing the syslog data they generate and transmit to such a central Octopussy server. Therefore, software like Octopussy plays an important role in maintaining an information security management system within ISO/IEC 27001-compliant environments.

References

  1. "Security Event Management". Archived from the original on 2014-10-19. Retrieved 2013-07-17. SIEM
  2. "Preparing for Security Event Management" (PDF). 360 Information Security Ltd. Archived from the original (PDF) on Jun 22, 2023.
  3. 1 2 Swift, David (26 December 2006). "A Practical Application of SIM/SEM/SIEM, Automating Threat Identification" (PDF). SANS Institute. Retrieved 14 June 2024.
  4. Kelley, Diana (March 2004). "Report: Security Management Convergence via SIM (Security Information Management)—A Requirements Perspective". Journal of Network and Systems Management. 12 (1): 137–144. doi:10.1023/B:JONS.0000015702.05980.d2. ISSN   1064-7570. S2CID   1204926.
  5. Guide to Computer Security Log Management. Archived 2006-10-02 at the Wayback Machine
  6. "SIEM: A Market Snapshot". Dr.Dobb's Journal. 5 February 2007.
  7. The Future of SIEM - The market will begin to diverge
  8. "Novell buys e-Security", 2006, ZDNet